Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

2021-09-11 Thread Turner, Ryan H
We actually are allowing MORE ARPs. Apparently when policing kicks in, all 
connections are affected. It can cause clients to freeze/not connect.  So we 
actually turned the knob in the opposite direction.  We were seeing counters to 
what amounts to large quantities of controller pauses when the ARPs went over 
an arbitrarily set number.  Our wireless architect can reply with the details.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Sep 11, 2021, at 12:32 PM, Enfield, Chuck  wrote:


Hi Ryan,

When you say that you detuned ARP policing, do you mean that the ARP policing 
on the underpinning network is now more aggressive (aka, dropping more ARP?)  I 
ask because I’ve been wondering why we aren’t seeing this problem when other 
schools that made the same changes we did still are.  We upgraded our 
underpinning network over the summer, and we’re dropping way more ARP than we 
were on the old network.  Your post just made me realize that may be protecting 
our controllers.  We’ve been considering changes, but we switched to an 
EVPN/VxLAN architecture.  We’re not completely sure what the consequences of 
this ARP policing are, so we’ve been holding off any changes.  If you had to 
police more aggressively to solve your problem, then we won’t start 
experimenting with our policers.

Thanks,

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Turner, Ryan H
Sent: Saturday, September 11, 2021 10:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

We had to make major changes to bring stability to Khrushchev environment.  I 
think we have at this point.

We had to significantly detune the ARP policing policies.

We had to block virtually every SNMP poller.

We had to reboot our controllers.

We had to put in place an ACL to block communication from the Mobility masters.

A ridiculous amount of work to basically get us where we were 2 years ago and 
we probably have 15% lower connections compared to then.  I am hoping that the 
upcoming firmware fix will allow us to at least reverse the ACL and SNMP 
pollers. At this point we are pretty blind into information on individual 
connections.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office


On Sep 10, 2021, at 4:25 PM, Johnson, Christopher <cbjo...@ilstu.edu> wrote:

I haven’t heard anything as of yet. Although interestingly while doing a 
packet-capture to monitor arp/dhcp rates – noticed one client sending 
DHCPRequests about 3-4-5 times a minute – and disassociating/re-associating 
constantly – and from the received signal strength of the client – there didn’t 
appear to be any reason for this iPhone – 14.7.X – to behave in such a manner. 
So I’m wondering if that’s not an isolated behavior.

Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on 
Facebook <https://www.facebook.com/ISUITHelp/> and 
Twitter <https://twitter.com/ISUITHelp>

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Viou, Robert
Sent: Friday, September 10, 2021 10:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

In regards to:
> Aruba believes this is the cause of the new iOS operating system.  Our 
> environment is extremely heavy iOS.  We are talking to them now and will 
> assess the change.

Has Aruba menti

RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

2021-09-01 Thread Turner, Ryan H
Glad I brought this up.  Is it possible that Cisco environments have evaded 
this?  Seems as though the ARP flooding via iOS 14 would be something that 
would menace all the manufacturers.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Street, Chad A
Sent: Wednesday, September 1, 2021 5:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)


Cody and all...

We are also seeing STM spikes that are impacting associations.

We have also disabled all our polling ( Airwave, Orion, etc ) and reduced the 
client load balancing thresholds so that we have around 4K clients per 
controller.  This seemed to help a great deal.  After working with Aruba today, 
my understanding of the primary cause of the STM spikes is due to the MM 
polling the MCs.  With large client loads on the MCs ( combined with all the 
other SNMP polling going on ), this seems to take longer and sometimes does not 
work.  When it does not work, it bootstraps which spikes the STM process.

The suggested band-aid is to block the GUI polling traffic between the MM and 
MC.  You will lose the GUI information from your MM, but all the MC information 
is still present.  We have applied this to our lab and we are going to push to 
production tonight to see if it helps.  If it does help, we plan on turning 
back up our monitoring tools ( Airwave ).

fingers crossed

here is how to block the traffic:
cd /md/yourrootlocation
firewall-cp
 ipv4 deny any proto 6 ports 15260 15261 position 1
!

Chad
chad.str...@emory.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Cody Ensanian <censa...@uccs.edu>
Sent: Wednesday, September 1, 2021 11:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the 
fall with large classrooms and delayed connection times (Aruba 8.5.0.13)


I'm hearing issues of high cpu utilization for STM on the controllers causing 
issues. Maybe check your controllers and see if you are seeing the high cpu use 
for STM. Heard earlier today from our SE that Aruba has "identified the issue 
and is working on a fix." I suggest opening the TAC case so they can track it 
better, and help them hone in on a fix better. We're seeing the high cpu use on 
one of our controllers (but this controller also has higher client load). 
However, we have not had a flood of calls to our help desk for wireless issues 
(not saying they aren't happening). Our SE also said if you're experiencing the 
issue, disabling any system or process level debugging has helped, as well as 
disabling any SNMP polling.




-Cody

UCCS





From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Turner, Ryan H
Sent: Wednesday, September 1, 2021 9:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large 
classrooms and delayed connection times (Aruba 8.5.0.13)



This is a stab in the dark.  With the University mostly shutdown since the 
Spring of 2020 (=not operating in standard mode and most people work from 
home), we got campus upgraded from 6.X to 8.X code base.  We've also installed 
many 515 series APs.  We are getting a large number of complaints in large 
classrooms that connecting to things like eduroam takes a long time.  Looking 
into the connection, we see many incomplete RADIUS challenges.  The general 
complaints are 'we come into the classroom, and for some folks it can take up 
to 5 minutes to get connected'.  The odd thing is that our RADIUS 
infrastructure is very large, polished and load shared, and we can see no 
performance issues with any of the RADIUS servers.  We have begun reducing 
power in the large classrooms to make association issues better, but so far 
that hasn't changed much.  We anticipate opening a ticket with Aruba, soon.  We 
do seem to see the most complaints in the big classrooms.  But I do keep going 
back to the RADIUS Challenges incomplete.  I know of no reason for those not to 
complete unless the connection is broken midway.



Has anyone else seen something like this?



Ryan Turner

Head of Networking

Communication Technologies | Information Technology Services

r...@unc.edu

+1 919 445 0113 (Office)

+1 919 274 7926 (Mobile)




RE: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

2021-09-01 Thread Turner, Ryan H
In our situation, we actually measure the packets over the wire to judge RADIUS 
response.  I know precisely when I get a RADIUS timeout and what the average 
RTT as well as average response time for MAC and 802.1X authentications.  So I 
believe our environment is clean.  With that said, I am going to get for the 
timeouts on the controllers.  Thank you.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Enfield, Chuck
Sent: Wednesday, September 1, 2021 11:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with 
large classrooms and delayed connection times (Aruba 8.5.0.13)

We're not having any unusual problems now, but we have in the past.  Two 
suggestions I can offer are:


  *   Search your controller syslog for "Authentication server request 
timeout".  This will tell you if the controllers are sending auth requests and 
not getting replies back.  We've had this happen when RADIUS servers report 
being fat and happy.  Best explanation I can offer is that VMs sometimes lie.
  *   Check the controller 802.1X counters to make sure they're not throttling 
authentications.  
https://community.arubanetworks.com/blogs/ssasi1/2020/10/28/how-does-auth-throttling-feature-work-and-what-are-the-associated-cli-commands.
  If this does occur, it tends to happen at times of high user mobility.
Good luck.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Turner, Ryan H
Sent: Wednesday, September 1, 2021 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large 
classrooms and delayed connection times (Aruba 8.5.0.13)

This is a stab in the dark.  With the University mostly shutdown since the 
Spring of 2020 (=not operating in standard mode and most people work from 
home), we got campus upgraded from 6.X to 8.X code base.  We've also installed 
many 515 series APs.  We are getting a large number of complaints in large 
classrooms that connecting to things like eduroam takes a long time.  Looking 
into the connection, we see many incomplete RADIUS challenges.  The general 
complaints are 'we come into the classroom, and for some folks it can take up 
to 5 minutes to get connected'.  The odd thing is that our RADIUS 
infrastructure is very large, polished and load shared, and we can see no 
performance issues with any of the RADIUS servers.  We have begun reducing 
power in the large classrooms to make association issues better, but so far 
that hasn't changed much.  We anticipate opening a ticket with Aruba, soon.  We 
do seem to see the most complaints in the big classrooms.  But I do keep going 
back to the RADIUS Challenges incomplete.  I know of no reason for those not to 
complete unless the connection is broken midway.

Has anyone else seen something like this?

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community


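An added example, not code from the list or from UNC, of the over-the-wire RADIUS measurement Ryan describes in his reply above: it pairs each Access-Request with its reply by client address and identifier, reports the RTT, and flags the two symptoms from the original post, requests that never get a reply (what Chuck's syslog search would surface as timeouts) and Access-Challenge rounds the client never continues (an "incomplete RADIUS challenge"). The addresses, timestamps and 5-second timeout are constructed assumptions, and the packets are built inline with a minimal RFC 2865 encoder rather than read from a capture.

```python
"""Pair RADIUS requests with the replies seen on the wire and flag the failure
modes discussed in this thread: requests that never get a reply (timeouts) and
Access-Challenge rounds the client never continues.  Constructed example, not
UNC's tooling; packets are built inline so it runs offline."""
import struct
from collections import defaultdict

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_STATE = 24  # RFC 2865 State attribute, echoed by the client on the next round
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept",
              3: "Access-Reject", 11: "Access-Challenge"}


def parse_radius(data):
    """Return (code, identifier, {attr_type: [raw values]}) for one RADIUS packet.
    Header per RFC 2865: code(1) id(1) length(2) authenticator(16), then TLVs."""
    if len(data) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length field")
    attrs = defaultdict(list)
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")  # malformed TLV: refuse, don't loop
        attrs[atype].append(bytes(data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def build_radius(code, ident, attrs=()):
    """Encode a RADIUS packet with a zeroed authenticator (test data only; a real
    server fills in the MD5 authenticator and the NAS verifies it)."""
    body = b"".join(bytes([atype, 2 + len(val)]) + val for atype, val in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def analyze(packets, timeout=5.0, end_time=None):
    """packets: iterable of (timestamp, src, dst, raw) with src/dst as (ip, port).
    Returns per-request RTTs, requests left unanswered for >= timeout seconds,
    and State values from Access-Challenges the client never continued."""
    pending = {}          # (client, server, identifier) -> time of Access-Request
    open_challenges = {}  # State value -> time of the Access-Challenge
    rtts = []
    last_ts = None
    for ts, src, dst, raw in sorted(packets, key=lambda p: p[0]):
        last_ts = ts
        code, ident, attrs = parse_radius(raw)
        if code == ACCESS_REQUEST:
            pending[(src, dst, ident)] = ts
            for state in attrs.get(ATTR_STATE, []):
                open_challenges.pop(state, None)   # client continued the round
        elif code in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
            key = (dst, src, ident)                # reply flows server -> client
            sent = pending.pop(key, None)
            if sent is None:
                continue                           # reply with no matching request
            rtts.append((key, CODE_NAMES[code], ts - sent))
            if code == ACCESS_CHALLENGE:
                for state in attrs.get(ATTR_STATE, []):
                    open_challenges[state] = ts
    horizon = last_ts if end_time is None else end_time
    timeouts = sorted(k for k, sent in pending.items() if horizon - sent >= timeout)
    incomplete = sorted(s for s, ts in open_challenges.items() if horizon - ts >= timeout)
    return {"rtts": rtts, "timeouts": timeouts, "incomplete_challenges": incomplete}


def sample_capture():
    """Constructed capture: controller NAS at 10.1.1.10, RADIUS server at 10.2.2.20.
    One clean EAP round (challenge then accept), one challenge the client never
    answers, and one request that gets no reply at all."""
    nas, srv = ("10.1.1.10", 40001), ("10.2.2.20", 1812)
    return [
        (0.00, nas, srv, build_radius(ACCESS_REQUEST, 1)),
        (0.02, srv, nas, build_radius(ACCESS_CHALLENGE, 1, [(ATTR_STATE, b"s1")])),
        (0.05, nas, srv, build_radius(ACCESS_REQUEST, 2, [(ATTR_STATE, b"s1")])),
        (0.07, srv, nas, build_radius(ACCESS_ACCEPT, 2)),
        (1.00, nas, srv, build_radius(ACCESS_REQUEST, 3)),
        (1.03, srv, nas, build_radius(ACCESS_CHALLENGE, 3, [(ATTR_STATE, b"s2")])),
        (2.00, nas, srv, build_radius(ACCESS_REQUEST, 4)),
    ]


if __name__ == "__main__":
    report = analyze(sample_capture(), timeout=5.0, end_time=10.0)
    for key, kind, rtt in report["rtts"]:
        print(f"id {key[2]:3d} {kind:17s} rtt {rtt * 1000:.1f} ms")
    print("timed out:", report["timeouts"])
    print("challenges never continued:", report["incomplete_challenges"])
```

On a real capture the same matching works per server, so a timeout count that rises on one RADIUS server while its peers stay flat points at that server or the path to it, whereas unanswered challenges spread across all servers point back at the client side.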

RE: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

2021-09-01 Thread Turner, Ryan H
It's been a while since I looked at that.  Would be a good path to check.  Thank 
you.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Michael Davis
Sent: Wednesday, September 1, 2021 11:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with 
large classrooms and delayed connection times (Aruba 8.5.0.13)

Is your backend (controllers - Radius) all jumbo frame clean?  We've seen issues
with large EAP-TLS packets getting fragmented.

We also had a specific OS8 release bug affecting AP-515s specifically, but it 
seems like we're in perpetual bug-chasing mode so I can't recall what version 
that was. (Probably 8.5 something)

(edit: I just saw the 8.5.0.13 in the subject.   You may have to move away from 
that..)


On 9/1/21 11:27 AM, Turner, Ryan H wrote:
This is a stab in the dark.  With the University mostly shutdown since the 
Spring of 2020 (=not operating in standard mode and most people work from 
home), we got campus upgraded from 6.X to 8.X code base.  We've also installed 
many 515 series APs.  We are getting a large number of complaints in large 
classrooms that connecting to things like eduroam takes a long time.  Looking 
into the connection, we see many incomplete RADIUS challenges.  The general 
complaints are 'we come into the classroom, and for some folks it can take up 
to 5 minutes to get connected'.  The odd thing is that our RADIUS 
infrastructure is very large, polished and load shared, and we can see no 
performance issues with any of the RADIUS servers.  We have begun reducing 
power in the large classrooms to make association issues better, but so far 
that hasn't changed much.  We anticipate opening a ticket with Aruba, soon.  We 
do seem to see the most complaints in the big classrooms.  But I do keep going 
back to the RADIUS Challenges incomplete.  I know of no reason for those not to 
complete unless the connection is broken midway.

Has anyone else seen something like this?

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)






--
Mike Davis
IT - University of Delaware - 302.831.8756
Newark, DE 19716  Email da...@udel.edu





RE: [WIRELESS-LAN] [External] [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

2021-09-01 Thread Turner, Ryan H
So I should say that while I dropped the 515, most of these classrooms have 300 
series.  So that part isn’t generally related (or consistent to one model type).

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Norton, Thomas (Network 
Operations)
Sent: Wednesday, September 1, 2021 11:36 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Anyone else seeing any 
issues in the fall with large classrooms and delayed connection times (Aruba 
8.5.0.13)

We’re on 8.6.0.11 and not seeing any issues currently, but also running 
225/325s in the majority of our classrooms.

We just purchased our first round of 5xx access points and two of our LPVs are 
running 535, 577, and 534s without issue on 8.7.0.4.

Do you guys have the HE bit disabled?

I know the 515s also have quite a few bugs still in play right now.
T.J. Norton
Wireless Network Architect
Network Operations

Office: (434) 592-6552


Liberty University  |  Training Champions for Christ since 1971


On Sep 1, 2021, at 11:27 AM, Turner, Ryan H  wrote:





This is a stab in the dark.  With the University mostly shutdown since the 
Spring of 2020 (=not operating in standard mode and most people work from 
home), we got campus upgraded from 6.X to 8.X code base.  We’ve also installed 
many 515 series APs.  We are getting a large number of complaints in large 
classrooms that connecting to things like eduroam takes a long time.  Looking 
into the connection, we see many incomplete RADIUS challenges.  The general 
complaints are ‘we come into the classroom, and for some folks it can take up 
to 5 minutes to get connected’.  The odd thing is that our RADIUS 
infrastructure is very large, polished and load shared, and we can see no 
performance issues with any of the RADIUS servers.  We have begun reducing 
power in the large classrooms to make association issues better, but so far 
that hasn’t changed much.  We anticipate opening a ticket with Aruba, soon.  We 
do seem to see the most complaints in the big classrooms.  But I do keep going 
back to the RADIUS Challenges incomplete.  I know of no reason for those not to 
complete unless the connection is broken midway.

Has anyone else seen something like this?

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)




Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

2021-09-01 Thread Turner, Ryan H
This is a stab in the dark.  With the University mostly shutdown since the 
Spring of 2020 (=not operating in standard mode and most people work from 
home), we got campus upgraded from 6.X to 8.X code base.  We've also installed 
many 515 series APs.  We are getting a large number of complaints in large 
classrooms that connecting to things like eduroam takes a long time.  Looking 
into the connection, we see many incomplete RADIUS challenges.  The general 
complaints are 'we come into the classroom, and for some folks it can take up 
to 5 minutes to get connected'.  The odd thing is that our RADIUS 
infrastructure is very large, polished and load shared, and we can see no 
performance issues with any of the RADIUS servers.  We have begun reducing 
power in the large classrooms to make association issues better, but so far 
that hasn't changed much.  We anticipate opening a ticket with Aruba, soon.  We 
do seem to see the most complaints in the big classrooms.  But I do keep going 
back to the RADIUS Challenges incomplete.  I know of no reason for those not to 
complete unless the connection is broken midway.

Has anyone else seen something like this?

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)




Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Onboarding woes with OS X and SecureW2

2021-08-14 Thread Turner, Ryan H
Well, we’ve actually been testing this.  It works for the one person but 
doesn’t appear to be working for others.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Aug 14, 2021, at 3:04 PM, Laramie Combs  wrote:


Thanks Ryan,

I'll relay this to our support folks as a potential solution, as well as 
solicit feedback.

-Laramie

On Sat, Aug 14, 2021 at 2:01 PM Turner, Ryan H <rhtur...@email.unc.edu> wrote:
I think I may have made progress on this and it is worth sharing.  I have not 
confirmed this fix.

Apparently launching the securew2 app from downloads can have some permissions 
issue.  I have been told that if you move the application out of the downloads 
folder on to the desktop, then LAUNCH IT FROM FINDER, it will work.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Aug 14, 2021, at 1:18 PM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:


All,

We’ve been playing whack-a-mole with onboarding issues, but as students are 
starting to move in, we are seeing a situation where the OSX agent gets to the 
‘configuring’ screen and then just stays there.  The certificate gets installed 
but the profile is not.  The problem appears to be something corrupted in the 
user account.  If we have the user log into a different account, they can 
onboard.  I haven’t figured out what is blocking the initial onboard.  I just 
had one report at the end of the week so I didn’t look too hard into it, but now 
I am up to 6.

Has anyone else seen this and resolved it?

Thanks,
Ryan



--
Laramie Combs
Network Infrastructure and Control Systems
(office) 828-262-6945
(email) combslm - at - appstate.edu (*)




Re: [WIRELESS-LAN] Onboarding woes with OS X and SecureW2

2021-08-14 Thread Turner, Ryan H
I think I may have made progress on this and it is worth sharing.  I have not 
confirmed this fix.

Apparently launching the securew2 app from downloads can have some permissions 
issue.  I have been told that if you move the application out of the downloads 
folder on to the desktop, then LAUNCH IT FROM FINDER, it will work.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Aug 14, 2021, at 1:18 PM, Turner, Ryan H  wrote:


All,

We’ve been playing whack-a-mole with onboarding issues, but as students are 
starting to move in, we are seeing a situation where the OSX agent gets to the 
‘configuring’ screen and then just stays there.  The certificate gets installed 
but the profile is not.  The problem appears to be something corrupted in the 
user account.  If we have the user log into a different account, they can 
onboard.  I haven’t figured out what is blocking the initial onboard.  I just 
had one report at the end of the week so I didn’t look too hard into it, but now 
I am up to 6.

Has anyone else seen this and resolved it?

Thanks,
Ryan



Onboarding woes with OS X and SecureW2

2021-08-14 Thread Turner, Ryan H
All,

We’ve been playing whack-a-mole with onboarding issues, but as students are 
starting to move in, we are seeing a situation where the OSX agent gets to the 
‘configuring’ screen and then just stays there.  The certificate gets installed 
but the profile is not.  The problem appears to be something corrupted in the 
user account.  If we have the user log into a different account, they can 
onboard.  I haven’t figured out what is blocking the initial onboard.  I just 
had one report at the end of the week so I didn’t look too hard into it, but now 
I am up to 6.

Has anyone else seen this and resolved it?

Thanks,
Ryan



RE: Securew2 users with new iPad Pro 5th generation

2021-08-11 Thread Turner, Ryan H
I had this anecdotally reported to me today but was waiting to report it until 
I got some more information.  I will forward this on.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hurt,Trenton W.
Sent: Tuesday, August 10, 2021 2:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Securew2 users with new iPad Pro 5th generation

I'm seeing the latest iPad Pro gen 5 not getting detected correctly with 
securew2 in any browser I tried.  I've updated to latest 14.7.1 but saw this on 
14.6 as well.  The device is getting detected as OS X Catalina or above and 
even if I try manually selecting iPad from the drop down on the webpage it goes 
back to Catalina device.  I have the latest joinnow deployed from the admin page 
as well for my onboard profile and am still having this issue.  Has anyone seen 
this and/or reported it to securew2?

Sent from my mobile device.

Trent Hurt

5028521513

University of Louisville









RE: [WIRELESS-LAN] OSX | Big Sur | EAP-TLS Apocalypse

2021-06-30 Thread Turner, Ryan H
Yes.  I meant to reply to this.  They came out with a new release that pretty 
much brought it back to where it was, but there is still some work to do to 
help the folks get to the profile section and install the profile.  But at 
least the process is now tolerable.  They turn things around very quickly at 
SecureW2.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Matt Mills
Sent: Wednesday, June 30, 2021 12:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] OSX | Big Sur | EAP-TLS Apocalypse

It looks like the most recent SW2 update is supposed to help with password 
prompts.

macOS Big Sur - Multiple Password Prompts Displayed During Onboarding

During the onboarding process in Big Sur, multiple password prompts were 
observed due to multiple certificates in the Network Profile. The keychain 
password prompts have been reduced for an improved user experience.


MATT MILLS
Senior Wireless Network Engineer
UW-IT: Wireless Design & Architecture
Pronouns: he / him / his
Desk: 206.685.8456




From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Turner, Ryan H 
<rhtur...@email.unc.edu>
Date: Thursday, June 17, 2021 at 12:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] OSX | Big Sur | EAP-TLS Apocalypse
Funny thing is that I have heard nothing about this until the last week.  
Haven’t been on campus.  I don’t know what changed or it was a recent patch 
level.  I had to update a laptop I don’t normally use to see for myself.
Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Jun 17, 2021, at 3:32 PM, Elton, Norman N <wne...@wm.edu> wrote:

And just to confirm, we’re talking about Big Sur? It came out last November, so 
we’ve already seen a pretty substantial migration. I do recall there being a 
few extra steps, but that seems to be par for the course for Apple these days. 
We had a few extra tickets, but it wasn’t quite apocalyptic.

But we haven’t tested Monterey yet…

Norman

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Turner, Ryan H 
<rhtur...@email.unc.edu>
Date: Thursday, June 17, 2021 at 3:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] OSX | Big Sur | EAP-TLS Apocalypse
We were never EAP-PEAP.  It would be TTLS.  I have spoken with SecureW2 and 
hope to have better news tomorrow.
Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office


On Jun 17, 2021, at 3:16 PM, Elton, Norman N <wne...@wm.edu> wrote:

When you say “stick a fork in this”. You mean … go back to MS-CHAPv2?

Norman


Norman Elton
Director
W IT Infrastructure
wne...@wm.edu / 757-221-7790


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Turner, Ryan H 
<rhtur...@email.unc.edu>
Date: Thursday, June 17, 2021 at 11:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] OSX | Big Sur | EAP-TLS Apocalypse
Will do.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Daniel Wurst
Sent: Thursday, June 17, 2021 11:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] OSX | Big Sur | EAP-TLS Apocalypse

Ryan,

We are just deploying SecureW2 this summer and are noticing the exact same 
thing. It is pretty horrible.
Please keep us posted if you make any progress on this issue.

Thanks,

Dan

On Thu, Jun 17, 2021 at 11:17 AM Turner, Ryan H <rhtur...@email.unc.edu> wrote:
Every operating system has its challenges, but those with TLS need to be paying 
attention to Big Sur.  Excluding the SSO sign-on, the local username and 
password has to be entered at least EIGHT TIMES to install all the certs.  I 
have never seen a worse user experience in my life with TLS, and Android had 
some bad ones.  We are working with SecureW2 to see if there can be 
improvements.  However, if this doesn’t get better, I may have to stick a fork 
in this.  Just horrible.

Those of you with TLS shops:  Find a Big Sur machine and run it through the 
process.

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 27

Re: [WIRELESS-LAN] Eap-tls user experience

2021-06-20 Thread Turner, Ryan H
For us, we always get a message when trying to connect that the ‘SSID is not in 
range’ if the person is onboarding off campus.  But the clients don’t need to 
attempt multiple times.  The devil is in the details.  What operating system 
are you seeing this with?  We are currently in Big Sur hell, but it looks like 
SecureW2 is testing a ‘big fix’ that should be ready next week.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Jun 18, 2021, at 5:51 PM, Marsen Nuzi  wrote:



Hello All,
How is the user experience when trying to onboard remotely with securew2? We 
are still in the testing phase and when users try onboarding remotely they get 
a difficult experience. Since it is looking for an SSID that is not available 
at the time of the process the onboarding keeps failing until after a few times 
then it gets to the last step. Looking to make the onboarding process a little 
easier and less painful for the end users.

Thanks
Marsen Nuzi
Information Technology
71 5TH AVE, ROOM 913C,
NEW YORK, NY 10003
nu...@newschool.edu



Re: [WIRELESS-LAN] OSX | Big Sur | EAP-TLS Apocalypse

2021-06-17 Thread Turner, Ryan H
Funny thing is that I have heard nothing about this until the last week.  
Haven’t been on campus.  I don’t know what changed or it was a recent patch 
level.  I had to update a laptop I don’t normally use to see for myself.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Jun 17, 2021, at 3:32 PM, Elton, Norman N  wrote:


And just to confirm, we’re talking about Big Sur? It came out last November, so 
we’ve already seen a pretty substantial migration. I do recall there being a 
few extra steps, but that seems to be par for the course for Apple these days. 
We had a few extra tickets, but it wasn’t quite apocalyptic.

But we haven’t tested Monterey yet…

Norman

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Turner, Ryan H 

Date: Thursday, June 17, 2021 at 3:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] OSX | Big Sur | EAP-TLS Apocalypse
We were never EAP-PEAP.  It would be TTLS.  I have spoken with SecureW2 and 
hope to have better news tomorrow.
Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office


On Jun 17, 2021, at 3:16 PM, Elton, Norman N  wrote:

When you say “stick a fork in this”. You mean … go back to MS-CHAPv2?

Norman


Norman Elton
Director
W IT Infrastructure
wne...@wm.edu / 757-221-7790


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Turner, Ryan H 

Date: Thursday, June 17, 2021 at 11:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] OSX | Big Sur | EAP-TLS Apocalypse
Will do.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Daniel Wurst
Sent: Thursday, June 17, 2021 11:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] OSX | Big Sur | EAP-TLS Apocalypse

Ryan,

We are just deploying SecureW2 this summer and are noticing the exact same 
thing. It is pretty horrible.
Please keep us posted if you make any progress on this issue.

Thanks,

Dan

On Thu, Jun 17, 2021 at 11:17 AM Turner, Ryan H <rhtur...@email.unc.edu> wrote:
Every operating system has its challenges, but those with TLS need to be paying 
attention to Big Sur.  Excluding the SSO sign-on, the local username and 
password has to be entered at least EIGHT TIMES to install all the certs.  I 
have never seen a worse user experience in my life with TLS, and Android had 
some bad ones.  We are working with SecureW2 to see if there can be 
improvements.  However, if this doesn’t get better, I may have to stick a fork 
in this.  Just horrible.

Those of you with TLS shops:  Find a Big Sur machine and run it through the 
process.

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)


--
Daniel Wurst
Network Engineer II | Information Technology Services
Denison University | 100 West College Street, Granville, OH 43023 | Fellows 003B
740-587-6229 | wur...@denison.edu



Re: [WIRELESS-LAN] OSX | Big Sur | EAP-TLS Apocalypse

2021-06-17 Thread Turner, Ryan H
We were never EAP-PEAP.  It would be TTLS.  I have spoken with SecureW2 and 
hope to have better news tomorrow.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Jun 17, 2021, at 3:16 PM, Elton, Norman N  wrote:


When you say “stick a fork in this”. You mean … go back to MS-CHAPv2?

Norman


Norman Elton
Director
W IT Infrastructure
wne...@wm.edu / 757-221-7790


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Turner, Ryan H 

Date: Thursday, June 17, 2021 at 11:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] OSX | Big Sur | EAP-TLS Apocalypse
Will do.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Daniel Wurst
Sent: Thursday, June 17, 2021 11:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] OSX | Big Sur | EAP-TLS Apocalypse

Ryan,

We are just deploying SecureW2 this summer and are noticing the exact same 
thing. It is pretty horrible.
Please keep us posted if you make any progress on this issue.

Thanks,

Dan

On Thu, Jun 17, 2021 at 11:17 AM Turner, Ryan H <rhtur...@email.unc.edu> wrote:
Every operating system has its challenges, but those with TLS need to be paying 
attention to Big Sur.  Excluding the SSO sign-on, the local username and 
password has to be entered at least EIGHT TIMES to install all the certs.  I 
have never seen a worse user experience in my life with TLS, and Android had 
some bad ones.  We are working with SecureW2 to see if there can be 
improvements.  However, if this doesn’t get better, I may have to stick a fork 
in this.  Just horrible.

Those of you with TLS shops:  Find a Big Sur machine and run it through the 
process.

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)


--
Daniel Wurst
Network Engineer II | Information Technology Services
Denison University | 100 West College Street, Granville, OH 43023 | Fellows 003B
740-587-6229 | wur...@denison.edu



RE: [WIRELESS-LAN] OSX | Big Sur | EAP-TLS Apocalypse

2021-06-17 Thread Turner, Ryan H
Will do.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Daniel Wurst
Sent: Thursday, June 17, 2021 11:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] OSX | Big Sur | EAP-TLS Apocalypse

Ryan,

We are just deploying SecureW2 this summer and are noticing the exact same 
thing. It is pretty horrible.
Please keep us posted if you make any progress on this issue.

Thanks,

Dan

On Thu, Jun 17, 2021 at 11:17 AM Turner, Ryan H <rhtur...@email.unc.edu> wrote:
Every operating system has its challenges, but those with TLS need to be paying 
attention to Big Sur.  Excluding the SSO sign-on, the local username and 
password has to be entered at least EIGHT TIMES to install all the certs.  I 
have never seen a worse user experience in my life with TLS, and Android had 
some bad ones.  We are working with SecureW2 to see if there can be 
improvements.  However, if this doesn’t get better, I may have to stick a fork 
in this.  Just horrible.

Those of you with TLS shops:  Find a Big Sur machine and run it through the 
process.

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)



--
Daniel Wurst
Network Engineer II | Information Technology Services
Denison University | 100 West College Street, Granville, OH 43023 | Fellows 003B
740-587-6229 | wur...@denison.edu


OSX | Big Sur | EAP-TLS Apocalypse

2021-06-17 Thread Turner, Ryan H
Every operating system has its challenges, but those with TLS need to be paying 
attention to Big Sur.  Excluding the SSO sign-on, the local username and 
password has to be entered at least EIGHT TIMES to install all the certs.  I 
have never seen a worse user experience in my life with TLS, and Android had 
some bad ones.  We are working with SecureW2 to see if there can be 
improvements.  However, if this doesn't get better, I may have to stick a fork 
in this.  Just horrible.

Those of you with TLS shops:  Find a Big Sur machine and run it through the 
process.

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)



Wireless Architect for UNC Chapel Hill position has been posted

2021-06-02 Thread Turner, Ryan H
All,

Please see the link below to apply for the Wireless Architect position at the 
University of North Carolina at Chapel Hill.  The position will close June 16, 
2021.

https://unc.peopleadmin.com/postings/193543

Thank you,
Ryan Turner


RE: 802.1X, onboarders, continued

2021-04-13 Thread Turner, Ryan H
To answer some of the previous questions.

We have been doing TLS since around 2011.  For years we used Active Directory.  
We switched to a cloud-based PKI a couple of years ago and haven't looked back.  
Super easy.

SecureW2 is as fast as they come getting you updates, and communicates issues 
very frequently.
We started out purchasing the Cloudpath Enrollment platform and migrated away 
from it due to lack of prompt support by the vendor when we had issues.  Of 
course, this was nearly a decade ago, so things have probably changed.

No on the last question.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Lee H Badman
Sent: Tuesday, April 13, 2021 9:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.1X, onboarders, continued

Thanks for the responses to my last email on onboarders. FWIW, after various 
discussions with a number of people, I find myself with a few more questions:


  *   For your onboarder of choice (focusing on CAT Tool, Cloudpath ES, and 
Secure W2) how responsive is the provider to support issues and OS updates?
  *   Are you using, or have you recently used, CAT Tool, Cloudpath ES or Secure 
W2 and found yourself dissatisfied with the tool or vendor/provider, and why?
  *   Here's the fun one, asked in complete seriousness: has anyone gone down 
the road of robustly securing staff/"company" devices while turning the general 
wireless network into a wide-open WLAN, relying on other controls to provide 
security?


Any and all feedback welcomed, on list or off.


Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu



Science DMZ presentation recording

2020-09-25 Thread Turner, Ryan H

https://unc.zoom.us/rec/share/7Q42zZyxS7C9AIKNfj1-4_dxAu9DUcAICI2yy_S_dVVALTEpznOa3WRBr4A34uqF.nz9W7DPjTitx5X19
 (Access Passcode: y91=vJE1)

I’ll keep this online for about 6 months, then I’ll likely remove it.

Thanks to everyone!
Ryan Turner



Science DMZ recording will go out as soon as Zoom is done processing

2020-09-25 Thread Turner, Ryan H
Ryan


RE: [NETMAN] Virtual Session Reminder - Fri, September 25 @3p EST - Science "DMZ" Design

2020-09-24 Thread Turner, Ryan H
Everyone that has messaged me directly or filled out the form should have 
gotten an email.

Please don't use the form anymore.  Any late stragglers, email me directly.  I 
will send invite requests up to about 10 minutes before the presentations 
tomorrow, and after that, you might miss it.

Ryan

From: The EDUCAUSE Network Management Community Group Listserv 
 On Behalf Of Jeffrey Farese
Sent: Monday, September 21, 2020 3:15 PM
To: net...@listserv.educause.edu
Subject: [NETMAN] Virtual Session Reminder - Fri, September 25 @3p EST - 
Science "DMZ" Design


Just a reminder that our next virtual meetup on Science "DMZ" Design is this 
Friday from 3 to 4:30 pm Eastern.  We've sent Zoom meeting details to those 
that have already registered.  If you're signed up and haven't received the 
invite for some reason, please send an email to 
rhtur...@email.unc.edu with the subject line 
"Science DMZ Invite" and Ryan will make sure to add you to the list.

For those that are still interested in attending, but haven't registered yet, 
please use this link to enter your email address by this Friday before 2 pm 
Eastern:

https://forms.gle/2oejM51UB4HaQ6G78


This month's virtual session will consist of 3 Science "DMZ" design 
presentations followed by 30 minutes of questions and answers.

Our presenters will be:

  *   Brian Flanagan, Chief Network Architect - Georgia Institute of Technology
  *   Chris Griffin, Network Architect and Kareem Elkhayat, Senior Network 
Engineer - University of Florida
  *   Barry Weiss, Network Architect - University of Central Florida



Re: Science DMZ Update / Calendar invite

2020-09-16 Thread Turner, Ryan H
So I thought I had figured this out, but then found out Google is limiting the 
number of folks I can invite.  So the people that got the invite specifically 
registered for the event.  If you want an invite and did not get one, you need 
to email me.

From: Ryan Turner 
Date: Wednesday, September 16, 2020 at 2:09 PM
To: The EDUCAUSE Network Management Community Group Listserv 

Cc: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Science DMZ Update / Calendar invite

All,

If you responded to a previous doodle poll for the CG Zoom sessions, or 
specifically registered for next week’s ScienceDMZ discussion, you should have 
received an invite from a Gmail account I created.  I wanted to hide the 
participants from knowing who signed up, and couldn’t find a way to do this 
through an Exchange invite.

The meeting is between 3PM and 4:30PM next Friday (September 25th).

We are very happy to have three institutions that will be discussing their 
design.  Jeff is going to update you all on the presentations on an email 
tomorrow, but I wanted to warn you about a non .edu calendar invite that will 
be arriving in your inbox.

If you wish to be added to the invite, please send me an email with the 
subject: Science DMZ invite.  I’ll add you.

Ryan


Science DMZ Update / Calendar invite

2020-09-16 Thread Turner, Ryan H
All,

If you responded to a previous doodle poll for the CG Zoom sessions, or 
specifically registered for next week’s ScienceDMZ discussion, you should have 
received an invite from a Gmail account I created.  I wanted to hide the 
participants from knowing who signed up, and couldn’t find a way to do this 
through an Exchange invite.

The meeting is between 3PM and 4:30PM next Friday (September 25th).

We are very happy to have three institutions that will be discussing their 
design.  Jeff is going to update you all on the presentations on an email 
tomorrow, but I wanted to warn you about a non .edu calendar invite that will 
be arriving in your inbox.

If you wish to be added to the invite, please send me an email with the 
subject: Science DMZ invite.  I’ll add you.

Ryan


Re: [NETMAN] Upcoming joint CommTech / NetMan / NetWireless virtual sessions | Action required

2020-09-10 Thread Turner, Ryan H
Hey folks,

I would like to say we’ve been flooded with folks.  But we haven’t received a 
single submission.

Please strongly consider presenting on something you’ve done or a challenge you 
conquered.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Sep 8, 2020, at 9:30 AM, Turner, Ryan H  wrote:



Colleagues,



The Network Managers and Wireless CG groups are looking to team up with the 
Communication Technology group to offer three half-day sessions in October and 
November to be filled with presentations and discussions from our members.   
This is a parallel virtual community forum that is occurring during the time 
that Educause has their annual conference, but this virtual forum does not 
require any registration with Educause to participate in their annual 
conference.  In short, it is free, and the content will be self-generated by 
the community.



The dates are October 26th, November 12th, and November 16th between noon and 
4PM EST.



In order to make this work, we need your proposals for presentations ASAP.  
Each accepted proposal would be given up to 30 minutes.  If you think you have 
a topic that can be covered in 10 minutes, then great!  You are under no 
obligation to fill up the slot.  Topics can be anything relevant to our CG 
areas.  This is a wonderful opportunity for many of those out there to get a 
chance to present their successes/challenges to their peers.  The Comm Tech 
group is close to filling 2 of the 3 slots with their presentations already.  
So we really need you folks to step up to give us the additional content.



If you are willing to present, please send an email to: 
r...@unc.edu; jeffrey.far...@uga.edu; ily...@rollings.edu; eric_ke...@harvard.edu

Included in the email should be:



  1.  Topic you would like to discuss
  2.  Number of presenters (and names/titles)
  3.  Time needed for presentation



We would like to have all submissions to us by end of September.  If you can 
get the ideas to us sooner, rather than later, that would be great.



Something to keep in mind…  There are all types of individuals in this group, 
and do not feel as though your particular presentation has to be super 
technical.

We will be determining how / if registration will be required for the event and 
will let you know.

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community



Upcoming joint CommTech / NetMan / NetWireless virtual sessions | Action required

2020-09-08 Thread Turner, Ryan H
Colleagues,



The Network Managers and Wireless CG groups are looking to team up with the 
Communication Technology group to offer three half day sessions in October and 
November to be filled with presentations and discussions from our members.   
This is a parallel virtual community forum that is occurring during the time 
that Educause has their annual conference, but this virtual forum does not 
require any registration with Educause to participate in their annual 
conference.  In short, it is free and something the community will be 
self-generated.



The dates are October 26th, November 12th, and November 16th between noon and 
4PM EST.



In order to make this work, we need your proposals for presentations ASAP.  
Each accepted proposal would be given up to 30 minutes.  If you think you have 
a topic that can be covered in 10 minutes, then great!  You are under no 
obligation to fill up the slot.  Topics can be anything relevant to our CG 
areas.  This is a wonderful opportunity for many of those out there to get a 
chance to present their successes/challenges to their peers.  The Comm Tech 
group is close to filling 2 of the 3 slots with their presentations already.  
So we really need you folks to step up to give us the additional content.



If you are willing to present, please send an email to: 
r...@unc.edu; 
jeffrey.far...@uga.edu; 
ily...@rollings.edu; 
eric_ke...@harvard.edu

Included in the email should be:



  1.  Topic you would like to discuss
  2.  Number of presenters (and names/titles)
  3.  Time needed for presentation



We would like to have all submissions to us by end of September.  If you can 
get the ideas to us sooner, rather than later, that would be great.



Something to keep in mind...  There are all types of individuals in this group, 
and do not feel as though your particular presentation has to be super 
technical.

We will be determining how / if registration will be required for the event and 
will let you know.

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)




RE: [EXT] Re: [WIRELESS-LAN] Openroaming - anyone connected?

2020-08-17 Thread Turner, Ryan H
Seconded…  So many other things could be said, but many of them are not very 
nice.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Johnston, Ryan
Sent: Monday, August 17, 2020 1:18 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Openroaming - anyone 
connected?

Jeff,

For some of us the Starbucks equivalency statement doesn’t fit.  I’m 
specifically in a situation where I do not want to give anyone and everyone 
easy access to our network.  Half of our campus is situated in downtown Chicago 
amongst all the high-rises and tourist locations.  I do not want our network 
used by the multitude of Chicago tourists or business neighbors that can hear 
my network.  Our fear is that having that many unsolicited users would degrade 
the network quality significantly.  I hope the future of network access still 
leaves room for those that need that control over a guest network.  I would 
have a completely different outlook if I was located in a remote college town.


Ryan

--
Ryan Johnston he/him/his
Associate Director of Infrastructure
DePaul University
55 E Jackson Blvd | Chicago, Illinois 60604
https://www.depaul.edu |  https://helpdesk.depaul.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jeffrey D. Sessler
Sent: Monday, August 17, 2020 11:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXT] Re: [WIRELESS-LAN] Openroaming - anyone connected?

I’m not trying to get out of a business, but Internet2 could eventually get out 
of the radius/eduroam business. Unless I’m mistaken, at the point an 
institution federates directly with openroaming, the need for eduroam 
diminishes. Obviously it’s going to take time, but if there is a push to adopt 
openroaming in EDU, then in say five years, does eduroam have a future?

On the identity front… As we march toward a cloud-based future, and our WiFi 
networks transformed into simple gateways to the internet, how much information 
do we need/want? How much information should we collect? After all, if the 
service is no different than at Starbucks, what does the collection of more 
information do for us?

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Monday, August 17, 2020 9:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Openroaming - anyone connected?

What business are you trying to get out of specifically? OpenRoaming is a way 
for federations of organizations and/or individual organizations to 
interconnect. Eduroam would start to mean “less” to end users, as they wouldn’t 
see an “eduroam” ESSID anymore, but there is still value in a trust framework 
for educational organizations, especially when it comes to identity.

If you decide not to provision users with your university identity, you will 
likely have no access to that users real identity. I imagine you still want 
access to identity for your own users and devices?

At its core, OR is simply a few extra elements in the profile that gets put on 
the device provisioning. OR itself, also does not provide client provisioning. 
You still need to do that, or pay for a service that will do it.

I think, personally, that there is a major lack of understanding throughout the 
industry of what OR actually is.

tim

From: Jeffrey D. Sessler
Sent: Monday, August 17, 2020 11:56
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Openroaming - anyone connected?

Why not the other way around, and standardize on OpenRoaming, and have 
everything else become a member of it? Do we still need eduroam at that point? 
Do we care if the client device is using their ATT, Spectrum, or college 
credentials?

I’m reminded that in EDU we often fix problems nobody cared much about at the 
time e.g. eduroam, but as the world matures, and there are perhaps better 
alternatives, why not get out of the business?  There are costs to operate 
eduroam, and if it’s no longer strategic or different from other services e.g. 
OpenRoaming, why not put those resources into something that is strategic and a 
differentiator?  Why wouldn’t Internet2 and its members focus on adoption of 
OpenRoaming rather than a new and possibly duplicative service like anyroam?

Jeff



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Philippe Hanset
Sent: Sunday, August 16, 2020 7:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Openroaming - anyone connected?

At least for the US, we plan to have an Open-Roaming gateway at ANYROAM.
We became member of the 

Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-08-06 Thread Turner, Ryan H
Are you referring to the serial?   Would Chad be willing to post his unlang for 
the FreeRADIUS config?

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Aug 6, 2020, at 5:02 PM, Philippe Hanset 
<005cd62f91b7-dmarc-requ...@listserv.educause.edu> wrote:

 About EAP-TLS blocking ...
You do not need to revoke a cert (too painful indeed for operator and user). 
Chad wrote a hook for the Anyroam service that identifies the certificate’s 
fingerprint. So If a device misbehaves, you can just block the device via the 
certificate’s fingerprint. With one certificate per device, you end up with the 
same as a SIM card (or the good ol MAC address :)

Philippe Hanset, CEO
ANYROAM LLC
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

On Aug 6, 2020, at 11:29 AM, Turner, Ryan H  wrote:


The other issue comes in with blocking devices.  On open networks/PSK networks, 
this will make isolating bad devices really difficult.  We have relied on MAC 
address blocks for over a decade.  They work very well.  Yes, you can get a 
determined individual that can get past/change their MAC address.  But that is 
going to be a tiny fraction of cases, and MAC blocking is an effective way of 
blocking a bad device.

We require registration for our PSK network.  So the private MAC addresses will 
be blocked effectively there.  But we haven’t required registration on eduroam 
(our primary), because we have identity in the certificate.  We chose not to 
use OCSP (but we can), but if we revoke a cert, we have to also block the user 
from getting another certificate (2 steps, instead of one, which is why we have 
stayed with MAC blocking).  We could require folks to register for eduroam, but 
that is such a nasty thing to do to the users.   Gr.  Not an easy fix.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Enfield, Chuck
Sent: Thursday, August 6, 2020 11:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

I’ll also add that identity is what makes a private network private.  Yes, you 
can check identity at connection time then throw it away and still remain 
private, but that’s never been an option for us when designing services with 
our risk, legal and info security departments.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Julian Y Koh
Sent: Thursday, August 06, 2020 10:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

On Aug 6, 2020, at 09:51, Enfield, Chuck <cae...@psu.edu> wrote:

How can we fulfill DMCA requirements when we can’t even identify a device, let 
alone the user?  If you want to remain anonymous, use a different network.

IANAL, and I don’t even play one on TV, but my admittedly old understanding of 
the DMCA is that it’s not necessarily mandating that you have to be able to 
identify every single device on your network.  Indeed, some institutions’ 
responses to DMCA notices has been that they don’t have the necessary 
information to be able to take action.  So IMO, assuming (which is dangerous) 
that I’m correct, that if MAC randomization puts an undue burden and/or large 
obstacles on your ability to track down a device/user and cut it off from the 
network, the DMCA alone shouldn’t be seen as a mandate to try to disable MAC 
randomization.

--
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>



RE: [WIRELESS-LAN] MAC Randomization, a step further...

2020-08-06 Thread Turner, Ryan H
The other issue comes in with blocking devices.  On open networks/PSK networks, 
this will make isolating bad devices really difficult.  We have relied on MAC 
address blocks for over a decade.  They work very well.  Yes, you can get a 
determined individual that can get past/change their MAC address.  But that is 
going to be a tiny fraction of cases, and MAC blocking is an effective way of 
blocking a bad device.

We require registration for our PSK network.  So the private MAC addresses will 
be blocked effectively there.  But we haven’t required registration on eduroam 
(our primary), because we have identity in the certificate.  We chose not to 
use OCSP (but we can), but if we revoke a cert, we have to also block the user 
from getting another certificate (2 steps, instead of one, which is why we have 
stayed with MAC blocking).  We could require folks to register for eduroam, but 
that is such a nasty thing to do to the users.   Gr.  Not an easy fix.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Enfield, Chuck
Sent: Thursday, August 6, 2020 11:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

I’ll also add that identity is what makes a private network private.  Yes, you 
can check identity at connection time then throw it away and still remain 
private, but that’s never been an option for us when designing services with 
our risk, legal and info security departments.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Julian Y Koh
Sent: Thursday, August 06, 2020 10:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] MAC Randomization, a step further...

On Aug 6, 2020, at 09:51, Enfield, Chuck <cae...@psu.edu> wrote:

How can we fulfill DMCA requirements when we can’t even identify a device, let 
alone the user?  If you want to remain anonymous, use a different network.

IANAL, and I don’t even play one on TV, but my admittedly old understanding of 
the DMCA is that it’s not necessarily mandating that you have to be able to 
identify every single device on your network.  Indeed, some institutions’ 
responses to DMCA notices has been that they don’t have the necessary 
information to be able to take action.  So IMO, assuming (which is dangerous) 
that I’m correct, that if MAC randomization puts an undue burden and/or large 
obstacles on your ability to track down a device/user and cut it off from the 
network, the DMCA alone shouldn’t be seen as a mandate to try to disable MAC 
randomization.

--
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>




RESCHEDULED: Virtual Session Reminder - Fri, June 19 - Network Monitoring Tools

2020-06-18 Thread Turner, Ryan H
All,

Due to tomorrow being a holiday for some, we are going to move this discussion 
to next week.  We will follow-up, soon, with more details.

Thanks,
Ryan Turner


From: The EDUCAUSE Network Management Community Group Listserv 
 on behalf of "Ferguson, Michael" 

Reply-To: The EDUCAUSE Network Management Community Group Listserv 

Date: Wednesday, June 17, 2020 at 3:07 PM
To: "net...@listserv.educause.edu" 
Subject: [NETMAN] Virtual Session Reminder - Fri, June 19 - Network Monitoring 
Tools

Just a reminder that our virtual meetup on Network Monitoring Tools is this 
Friday at 3 pm Eastern.  We’ve sent Zoom meeting details to those that have 
already registered.  If you’re signed up and haven’t received the invite for 
some reason, let me know via email and I’ll make sure to add you to the list.

For those that are still interested in attending, but haven’t registered yet, 
please use this link to enter your email address by this Friday before 2 pm 
Eastern:

https://forms.gle/2oejM51UB4HaQ6G78


If you use your personal email address rather than your school or business 
address email address to register, please send me an email to let me know your 
relationship with Educause.



Our meeting Agenda can be found here:



https://docs.google.com/document/d/17MnTxszO7NWJxPu9u5MctzbcInTr-uxkEzbOUjsC9fA/edit?usp=sharing

For our Lean Coffee Table Discussion Board, the link is here:

https://www.leancoffeetable.com/TaskBoard/View/6612ba72-522e-46a8-aabf-e21094a4ce02?guest=true

Also, here’s a typeable link:  https://educause.chapman.edu

For topics and votes that have been submitted so far, below is a list with a 
one new submissions that people haven’t voted on yet:

12 Votes  -  What tools are you using for Security/Network Analysis – Logging 
to event correlation and analysis as well as flow monitoring/analysis.  
Examples include Splunk, SolarWinds, Cacti, Graylog, Homebuilt ELK stacks, 
NFdump, Flowmon, Flowtraq, etc?

8 Votes   -   What tools are you using for Fault management (essentially 
anything that is event (push/pull) driven, from tools like SolarWinds to WhatsUp 
and Nagios and any other manufacturer-specific tool)?


8 Votes   -   What tools are you using for (Performance/Capacity 
Analysis/Forecasting  - Broadly covers all speeds, feeds, benchmarking, 
baselining, trending analysis or related troubleshooting tools. Examples: 
Cacti, WhatsUp, Solarwinds, Iperf, Perfsonar, AKiPS)?

7 Votes   -   What tools are you using for Configuration/Orchestration 
(Encompasses anything from SolarWinds style configuration management to 
orchestration/automation tools like Ansible, Puppet, Chef … etc.)

6 Votes   -   What tools are you using for Accounting/Auditing/Documentation 
-(From TACACS to compliance management to general best practices on 
documentation, diagrams/SOP’s/MOP’s etc.)?

0 Votes   -   Are your DNS zones signed with DNSSEC?  Are your resolvers 
validating?


Looking forward to talking to many of you on Friday.

--
Mike Ferguson
Network Manager
Chapman University
One University Drive, Orange, CA 92866
714-744-7873
chapman.edu

From: Ferguson, Mike
Sent: Friday, May 15, 2020 9:06 AM
To: 'The EDUCAUSE Wireless Issues Community Group Listserv' 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Next Virtual Session - June 19 - Network Monitoring Tools

This message is being cross-posted to the Netman and Wireless-LAN Lists.

For our first virtual meetup on April 17, we had over 100 people attend the 
Zoom meeting.  We covered 7 topics related to our response to handling the 
changes in our campus environments caused by Covid-19.  As CG Leaders, we feel 
the meeting kept a good pace and that there was a lot of great participation 
and valuable sharing of information.   Thank you to everyone that participated 
as we think our first virtual session turned out to be a nice success.   To see 
how broad the participation was, we compiled a geographical summary of those 
that participated:


Geographical Summary of Attendees (April 17 Meetup)
Region                 Attended
Canada                        3
Europe                        1
Mid-Atlantic                  9
Mountain West                 5
Northeast                    14
Pacific Ocean                 4
Pacific West                 12
Southeast                    16
Southwest                     6
New York/New Jersey           9
Midwest-(Central TZ)         19
Midwest-(Eastern TZ)          8
Total                       106

To review what topics we covered and some of the comments made on the 
discussion board, here’s a link to our Covid-19 meeting:

Lean Coffee Table Discussion Board – Fri, April 17

RE: [WIRELESS-LAN] securew2 root ca radius server cert change

2020-05-27 Thread Turner, Ryan H
Good question.  I do not know.  I assume there are plenty of people on this 
list with a lot more PEAP experience than me that can say.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hurt,Trenton W.
Sent: Wednesday, May 27, 2020 8:20 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change

I was always told to use public signed for peap byod clients.   Will clients 
like windows/idevices prompt to trust a private signed cert? Is it just the 
connect/accept like the behavior with public signed?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Turner, Ryan H 
<rhtur...@email.unc.edu>
Sent: Wednesday, May 27, 2020 8:16:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change


My guidance is for properly onboarded TLS devices.   It doesn’t apply to PEAP 
or anything else.  Actually, that does bring a wrinkle into my previous email.  
If PEAP and TLS both exist, I am going to guess there will be more prompts or 
issues with a private CA (perhaps).
Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office


On May 26, 2020, at 8:21 PM, Hurt, Trenton W. <trent.h...@louisville.edu> wrote:

I’m also doing unmanned eap peap (yes I know all the security reasons against 
this)  if I don’t use public signed ca will byod devices be able to connect via 
eap peap with that private cert?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Turner, Ryan H 
<rhtur...@email.unc.edu>
Sent: Tuesday, May 26, 2020 8:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change



You are likely totally hosed.  In fact, you should consider abandoning public 
CAs entirely when you re-do this.   Through-out the years, I’ve counseled a lot 
of schools about TLS deployments, and I cautioned strongly against using public 
CAs for this exact reason.  You have no control, and your CA can totally hose 
you, as you can see.



There is no way around this if the CA will not cooperate.   You should talk to 
your active directory folks.  They should spin up a new offline private CA 
root, then intermediary, then issue your RADIUS servers from the intermediary.  
The expiration should be many years.



OR, you can utilize SecureW2 and their online CA to generate RADIUS server 
certificates.  In any event, get off the public CAs.



Ryan



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Hurt, Trenton W.
Sent: Tuesday, May 26, 2020 5:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] securew2 root ca radius server cert change



I have both EAP-PEAP and EAP-TLS set up and working.  My RADIUS server cert is 
going to expire soon.  I have received a new one from a public CA.  It works 
fine for EAP-PEAP clients.  But my existing EAP-TLS clients all fail auth when 
I switch to this new updated RADIUS cert.  I see that my public CA has issued 
this new cert using a different root CA than my old one (the one that is 
installed/configured on my SecureW2 app in the cloud).  SecureW2 has told me 
that users will have to onboard again once I change the cert on ClearPass and 
update the cloud app, since the public CA changed the root CA on the cert 
chain.  I asked my public CA if they could reissue using the other root CA so 
my EAP-TLS clients will still work once I do the change.  They have told me 
that it shouldn’t need reissuing under the old root CA (the one TLS clients 
currently use) because my new cert’s root CA is cross-signed by the old root 
CA.  They told me that I should be able to use this new one, but I still can’t 
seem to get things working correctly.  Has anyone who is using SecureW2 had 
issues like this with the root CA changing and clients forced to re-onboard?  
I’m not really a PKI person, so maybe there is some way I could chain these or 
something.  Just looking for a way to update the RADIUS cert on servers and 

Re: [WIRELESS-LAN] securew2 root ca radius server cert change

2020-05-27 Thread Turner, Ryan H
My guidance is for properly onboarded TLS devices.   It doesn’t apply to PEAP 
or anything else.  Actually, that does bring a wrinkle into my previous email.  
If PEAP and TLS both exist, I am going to guess there will be more prompts or 
issues with a private CA (perhaps).

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On May 26, 2020, at 8:21 PM, Hurt,Trenton W.  wrote:


I’m also doing unmanned eap peap (yes I know all the security reasons against 
this)  if I don’t use public signed ca will byod devices be able to connect via 
eap peap with that private cert?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Turner, Ryan H 

Sent: Tuesday, May 26, 2020 8:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] securew2 root ca radius server cert change

You are likely totally hosed.  In fact, you should consider abandoning public 
CAs entirely when you re-do this.   Through-out the years, I’ve counseled a lot 
of schools about TLS deployments, and I cautioned strongly against using public 
CAs for this exact reason.  You have no control, and your CA can totally hose 
you, as you can see.

There is no way around this if the CA will not cooperate.   You should talk to 
your active directory folks.  They should spin up a new offline private CA 
root, then intermediary, then issue your RADIUS servers from the intermediary.  
The expiration should be many years.

OR, you can utilize SecureW2 and their online CA to generate RADIUS server 
certificates.  In any event, get off the public CAs.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hurt,Trenton W.
Sent: Tuesday, May 26, 2020 5:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] securew2 root ca radius server cert change

I have both EAP-PEAP and EAP-TLS set up and working.  My RADIUS server cert is 
going to expire soon.  I have received a new one from a public CA.  It works 
fine for EAP-PEAP clients.  But my existing EAP-TLS clients all fail auth when 
I switch to this new updated RADIUS cert.  I see that my public CA has issued 
this new cert using a different root CA than my old one (the one that is 
installed/configured on my SecureW2 app in the cloud).  SecureW2 has told me 
that users will have to onboard again once I change the cert on ClearPass and 
update the cloud app, since the public CA changed the root CA on the cert 
chain.  I asked my public CA if they could reissue using the other root CA so 
my EAP-TLS clients will still work once I do the change.  They have told me 
that it shouldn’t need reissuing under the old root CA (the one TLS clients 
currently use) because my new cert’s root CA is cross-signed by the old root 
CA.  They told me that I should be able to use this new one, but I still can’t 
seem to get things working correctly.  Has anyone who is using SecureW2 had 
issues like this with the root CA changing and clients forced to re-onboard?  
I’m not really a PKI person, so maybe there is some way I could chain these or 
something.  Just looking for a way to update the RADIUS cert on servers and 
not have to force all my onboarded clients to go through that process once I 
make the change.
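
Worked example (added here; it is not code from this thread, from UNC, from 
ANYROAM or from SecureW2): the shell session below uses the openssl CLI to do 
what the two threads on this page describe. It builds the private 
offline-root / intermediate / RADIUS-server chain recommended in the reply 
above, reproduces the renewal failure in the original question (a server 
certificate re-issued under a different public root while onboarded EAP-TLS 
supplicants still trust only the old root), shows that the CA's "the new root 
is cross-signed by the old one" answer only helps when the cross-certificate is 
actually part of the chain the RADIUS server sends, and, for the MAC 
Randomization thread earlier on this page, blocks one per-device client 
certificate by its SHA-256 fingerprint instead of revoking it. Every name 
(Example University, radius.example.edu, device-1) and the whole ext.cnf are 
made up for the example; the only requirement is an openssl binary on PATH.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes: openssl in PATH; all names below
# are invented. Works in a throw-away temp directory that is removed on exit.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles (constructed for this example).
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.example.edu
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# sign NAME SUBJECT DAYS ISSUER EXTSECTION : CSR for NAME.key, signed by ISSUER
sign() {
  [ -f "$1.key" ] || openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -config ext.cnf -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
    -days "$3" -extfile ext.cnf -extensions "$5" -out "$1.pem" >/dev/null 2>&1
}
# ca NAME SUBJECT DAYS [ISSUER] : self-signed root, or a CA signed by ISSUER
ca() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  if [ $# -lt 4 ]; then
    openssl req -x509 -new -key "$1.key" -subj "$2" -days "$3" \
      -config ext.cnf -extensions v3_ca -out "$1.pem" 2>/dev/null
  else
    sign "$1" "$2" "$3" "$4" v3_ca
  fi
}
# chain_ok TRUSTED_ROOT UNTRUSTED_CHAIN LEAF : the decision a pinned supplicant makes
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }
# cert_fingerprint CERT : SHA-256 over the DER, lower-case hex, no colons
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}
# device_blocked CERT DENYLIST : exit 0 when CERT's fingerprint is on the list
device_blocked() { grep -qix "$(cert_fingerprint "$1")" "$2"; }

# 1. The recommended private chain: long-lived offline root, intermediate, server cert.
ca   root   "/O=Example University/CN=Example Private Root CA" 7300
ca   int    "/O=Example University/CN=Example Private Issuing CA" 3650 root
sign radius "/CN=radius.example.edu" 1095 int v3_server
chain_ok root.pem int.pem radius.pem && echo "private chain: supplicant accepts radius.pem"

# 2. The public-CA failure: the renewed server cert chains to a new root B,
#    but the onboarded supplicants only trust root A.
ca   rootA "/O=Public CA/CN=Public Root A" 7300
ca   rootB "/O=Public CA/CN=Public Root B" 7300
ca   intB  "/O=Public CA/CN=Public Issuing CA B" 3650 rootB
sign radius-renewed "/CN=radius.example.edu" 365 intB v3_server
if chain_ok rootA.pem intB.pem radius-renewed.pem; then echo "unexpected"; else
  echo "renewed cert under root B: supplicant pinned to root A rejects it"; fi

# 3. "Root B is cross-signed by root A" only helps if the RADIUS server sends the
#    cross-certificate (root B's key, signed by root A) in its chain.
openssl req -new -key rootB.key -subj "/O=Public CA/CN=Public Root B" \
  -config ext.cnf -out cross.csr 2>/dev/null
openssl x509 -req -in cross.csr -CA rootA.pem -CAkey rootA.key -CAcreateserial \
  -days 3650 -extfile ext.cnf -extensions v3_ca -out rootB-by-rootA.pem >/dev/null 2>&1
cat intB.pem rootB-by-rootA.pem > chainB-with-cross.pem
chain_ok rootA.pem chainB-with-cross.pem radius-renewed.pem \
  && echo "with the cross-cert in the sent chain: accepted again"

# 4. One cert per device: block a misbehaving device by fingerprint, no revocation.
sign dev1 "/O=Example University/CN=device-1" 730 int v3_client
sign dev2 "/O=Example University/CN=device-2" 730 int v3_client
cert_fingerprint dev1.pem > denylist.txt
device_blocked dev1.pem denylist.txt && echo "device-1 blocked"
device_blocked dev2.pem denylist.txt || echo "device-2 still allowed"
```

Run it as `sh example.sh`. The same comparison is what a RADIUS post-auth hook 
does: during EAP-TLS, FreeRADIUS exposes the client certificate's serial as 
TLS-Client-Cert-Serial, so a deny list keyed on serial or fingerprint checked 
in post-auth rejects one device without touching the CA and without stopping 
the user from enrolling another device (this assumes one certificate per 
device, as the thread describes).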




RE: securew2 root ca radius server cert change

2020-05-26 Thread Turner, Ryan H
You are likely totally hosed.  In fact, you should consider abandoning public 
CAs entirely when you re-do this.  Throughout the years, I've counseled a lot 
of schools about TLS deployments, and I cautioned strongly against using public 
CAs for this exact reason.  You have no control, and your CA can totally hose 
you, as you can see.

There is no way around this if the CA will not cooperate.  You should talk to 
your Active Directory folks.  They should spin up a new offline private CA 
root, then an intermediary, then issue your RADIUS server certs from the intermediary.  
The expiration should be many years.

OR, you can utilize SecureW2 and their online CA to generate RADIUS server 
certificates.  In any event, get off the public CAs.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hurt,Trenton W.
Sent: Tuesday, May 26, 2020 5:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] securew2 root ca radius server cert change

I have both EAP-PEAP and EAP-TLS set up and working.  My RADIUS server cert is 
going to expire soon.  I have received a new one from my public CA.  It works fine 
for EAP-PEAP clients.  But my existing EAP-TLS clients all fail auth when I switch 
to this new updated RADIUS cert.  I see that my public CA has issued this new cert 
using a different root CA than my old one (the one that is installed/configured in 
my SecureW2 app in the cloud).  SecureW2 has told me that users will have to onboard 
again once I change the cert on ClearPass and update the cloud app, since the public 
CA changed the root CA on the cert chain.  I asked my public CA if they could reissue 
using the other root CA so my EAP-TLS clients will still work once I do the change.  
They have told me that I shouldn't need a reissue under the old root CA (the one the 
TLS clients currently use) because my new cert's root CA is cross-signed by the old 
root CA.  They told me that I should be able to use this new one, but I still can't 
seem to get things working correctly.  Has anyone who is using SecureW2 had issues 
like this with the root CA changing and clients forced to re-onboard?  I'm not really 
a PKI person, so if there is some way I could chain these or something...  Just 
looking for a way to update the RADIUS cert on the servers and not have to force all 
my onboarded clients to go through that process again once I make the change.
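
A worked illustration of the cross-signing question above and of the 
private-CA layout in the reply, added here as an example: it is not SecureW2, 
ClearPass or CA code, and the CA names, the server name radius.example.edu and 
all keys are made up and generated in memory. It needs the third-party 
cryptography package. The chain walker does only what matters for this 
question, issuer-name match plus signature check back to whatever the 
supplicant has pinned; it ignores validity dates, name constraints and 
revocation.

```python
"""Chain building for an EAP-TLS RADIUS server cert after a root-CA change,
with and without the cross-certificate in the chain the server presents.
Added example for this thread; all names and keys below are constructed."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOT_BEFORE = datetime.datetime(2020, 1, 1, tzinfo=datetime.timezone.utc)
NOT_AFTER = datetime.datetime(2030, 1, 1, tzinfo=datetime.timezone.utc)


def _name(cn_text):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn_text)])


def cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def newkey():
    return ec.generate_private_key(ec.SECP256R1())


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca):
    """Issue a cert for subject_key, signed by issuer_key (ECDSA P-256 / SHA-256)."""
    return (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_AFTER)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key, hashes.SHA256())
    )


def signed_by(cert, issuer):
    """True if cert names `issuer` as its issuer and the signature verifies under its key."""
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def build_path(leaf, presented, anchors, max_depth=5):
    """Walk from the leaf to a trust anchor. `presented` is what the RADIUS server sends
    in its TLS Certificate message (intermediates, cross-certs); `anchors` is the
    supplicant's pinned trust store. Returns the CNs along the path, or None."""
    def walk(cert, depth, path):
        if depth > max_depth:
            return None
        for anchor in anchors:
            if signed_by(cert, anchor):
                return path + [cn(anchor)]
        for cand in presented:
            if cand is not cert and signed_by(cert, cand):
                found = walk(cand, depth + 1, path + [cn(cand)])
                if found:
                    return found
        return None
    return walk(leaf, 0, [cn(leaf)])


def scenario():
    old_root_key, new_root_key, server_key = newkey(), newkey(), newkey()
    priv_root_key, priv_int_key = newkey(), newkey()
    # Public CA: the old root the onboarded clients pin, the new root, and the
    # cross-cert (new root's key and name, signed by the old root) that is said to bridge them.
    old_root = make_cert("Old Public Root", old_root_key, "Old Public Root", old_root_key, True)
    new_root = make_cert("New Public Root", new_root_key, "New Public Root", new_root_key, True)
    cross = make_cert("New Public Root", new_root_key, "Old Public Root", old_root_key, True)
    server = make_cert("radius.example.edu", server_key, "New Public Root", new_root_key, False)
    # Private hierarchy from the reply: offline root -> intermediate -> RADIUS server.
    priv_root = make_cert("Campus Root", priv_root_key, "Campus Root", priv_root_key, True)
    priv_int = make_cert("Campus RADIUS CA", priv_int_key, "Campus Root", priv_root_key, True)
    priv_server = make_cert("radius.example.edu", server_key, "Campus RADIUS CA", priv_int_key, False)
    return {
        # Server sends only the new leaf; client still pins the old root: no path, EAP fails.
        "old_anchor_leaf_only": build_path(server, [], [old_root]),
        # Server also sends the cross-cert: the old anchor is reachable again.
        "old_anchor_with_cross": build_path(server, [cross], [old_root]),
        # Re-onboarded client that pins the new root.
        "new_anchor": build_path(server, [], [new_root]),
        # Private PKI: server sends leaf + intermediate, client pins the campus root.
        "private_pki": build_path(priv_server, [priv_int], [priv_root]),
    }
```

The leaf-only case is the failure described in the thread: the new leaf chains 
to the new root, and a client that only has the old root cannot get there unless 
the cross-certificate is in the chain the RADIUS server actually presents. 
Whether a given onboarding profile will accept a path through a cross-certificate, 
or instead compares the presented root byte-for-byte with the one it was 
provisioned with, depends on the supplicant, so capture the EAP-TLS server 
Certificate message and test one client before swapping the cert in production. 
The private hierarchy sidesteps the problem because the root and its lifetime are 
under your control.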





RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
I misunderstood your second part.  Thank you very much.  I think we have the 
problem sufficiently narrowed…  I love getting deep into RADIUS stuff.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jake Snyder
Sent: Friday, April 17, 2020 1:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

Both of those worked.  Both received ACKs from the WLC.




On Apr 17, 2020, at 11:38 AM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:

Thank you!  You are getting ACKs on both, and the ‘Disconnect’ that matches 
what we are doing omits the Time Stamp AVP.  The CoA-Reauth has the time 
stamp.  I am a little confused.  Did the first or second fail?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jake Snyder
Sent: Friday, April 17, 2020 1:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

Here are some PCAPs for you folks.
https://www.dropbox.com/sh/njdfxt9bfo89xte/AABmaJkT9W2h9RoAirdQ0GV8a?dl=0

One is a COA Disconnect from CPPM and one is a COA Reauth from ISE. (My Reauth 
from CPPM failed).

Also, if you run *debug aaa events enable* on the Cisco WLC it will likely tell 
you which attribute it hates/needs.

Thanks
Jake




On Apr 17, 2020, at 11:06 AM, Jake Snyder <jsnyde...@gmail.com> wrote:

Care to share a link to the doc?




On Apr 17, 2020, at 10:13 AM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:

I really think Felix hit the nail on the head.  I found the documentation with 
the supported attributes for CoA and Cisco.  Type 55 (Event-Timestamp) is NOT a 
supported option.  We are getting NAKs back stating that we are sending an 
‘Unsupported Attribute’.  I am asking Extreme how to strip 55 out of the CoA.  
In the meantime, I have also asked the other institution to look at their 
configs and validate 3799.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Curtis K. Larsen
Sent: Friday, April 17, 2020 12:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

We use 1700 as well for our CoA stuff against the Cisco 8540 with PacketFence.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Turner, Ryan H 
<rhtur...@email.unc.edu>
Sent: Friday, April 17, 2020 10:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

I reversed that.  The standard is 3799, and I know Cisco tends to use 1700.  
But I see plenty of documentation on 3799 for Cisco.  I’ll confirm.

From: Turner, Ryan H
Sent: Friday, April 17, 2020 12:00 PM
To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

So apparently that changed.  If you search on Cisco, you will note that they 
seemed to go away from the default port.  I do not think we would be getting a 
properly formatted NAK if we were sending to the wrong port.  But I am going to 
ask the other institution to validate that.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Abhiramms
Sent: Friday, April 17, 2020 11:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

Ryan,

Have you tried UDP port 1700.
As far as I can remember, the default port when adding a radius client for a 
cisco device was 1700.

Also - I usually refer to this link that has the different CoA pcaps captured 
from a cisco perspective:

https://drive.google.com/drive/mobile/folders/1wYJhxkCoessGu03O__77cLWEJokBWJt9?usp=sharing

Source - 
https://wirelesslywired.com/2018/01/18/deconstructing-the-radius-coa-process/

Thanks

Abhi



On Apr 17, 2020, at 8:07 AM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:

Thank you Felix.  We do have this attribute present.  Let me see if I can get 
it removed.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Felix Windt
Sent: Friday, April 17, 2020 9:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
So I think we’ve refined the problem to two methods.

Method one is a Radius-Disconnect.  It does not appear that AVP type 55 is 
supported with that method.
Method two is a CoA-Reauth.  Looking at packet captures provided to me from 
ISE, it does appear that AVP type 55 is expected for that form.

I am working with Extreme to figure out how we can either remove type 55 from a 
Disconnect, or force an actual CoA-Reauth instead of a Disconnect.

I think a lot of folks never have to deal with this, because they stick to 
single vendor solutions.  We had to tackle this back with Aruba years ago.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Turner, Ryan H
Sent: Friday, April 17, 2020 1:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

Thank you!  You are getting ACKs on both, and the ‘Disconnect’ that matches 
what we are doing omits the Time Stamp AVP.  The CoA-Reauth has the time 
stamp.  I am a little confused.  Did the first or second fail?

RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
Thank you!  You are getting ACKs on both, and the ‘Disconnect’ that matches 
what we are doing omits the Time Stamp AVP.  The CoA-Reauth has the time 
stamp.  I am a little confused.  Did the first or second fail?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jake Snyder
Sent: Friday, April 17, 2020 1:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

Here are some PCAPs for you folks.
https://www.dropbox.com/sh/njdfxt9bfo89xte/AABmaJkT9W2h9RoAirdQ0GV8a?dl=0

One is a COA Disconnect from CPPM and one is a COA Reauth from ISE. (My Reauth 
from CPPM failed).

Also, if you run *debug aaa events enable* on the Cisco WLC it will likely tell 
you which attribute it hates/needs.

Thanks
Jake




From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Felix Windt
Sent: Friday, April 17, 2020 9:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

This is off the cuff, but in the past I’ve had issues with Cisco WLCs taking 
CoAs when the Event-Timestamp attribute was present.

thx,
felix


RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
Thank you!!

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jake Snyder
Sent: Friday, April 17, 2020 1:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

Here are some PCAPs for you folks.
https://www.dropbox.com/sh/njdfxt9bfo89xte/AABmaJkT9W2h9RoAirdQ0GV8a?dl=0

One is a COA Disconnect from CPPM and one is a COA Reauth from ISE. (My Reauth 
from CPPM failed).

Also, if you run *debug aaa events enable* on the Cisco WLC it will likely tell 
you which attribute it hates/needs.

Thanks
Jake




RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/xe-3se/5700/sec-usr-aaa-xe-3se-5700-book/sec-rad-coa.html

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jake Snyder
Sent: Friday, April 17, 2020 1:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

Care to share a link to the doc?




Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
If someone could please do a packet capture of a reauthentication and give me 
the RADIUS part with the AVP pairs, this would really help.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Apr 17, 2020, at 12:13 PM, Turner, Ryan H  wrote:


I really think Felix hit the nail on the head.  I found the documentation with 
the supported attributes for CoA and Cisco.  Type 55 (Event-Timestamp) is NOT a 
supported option.  We are getting NAKs back stating that we are sending an 
‘Unsupported Attribute’.  I am asking Extreme how to strip 55 out of the CoA.  
In the meantime, I have also asked the other institution to look at their 
configs and validate 3799.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Turner, Ryan H" 
<rhtur...@email.unc.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, April 17, 2020 at 9:26 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of 
Authorization)

We currently use Extreme Network Access Control.  We have had this for 14 years 
and it works very well.  We integrated it with Aruba wireless years ago, and we 
are able to send back filter IDs on the initial authentication to change roles, 
as well as issue disconnects to the user, forcing them to reauthenticate to 
their new policy (for example, a user is online and doing something bad, we 
send a disconnect message to the controllers and the user reconnects and 
authenticates with the new role).

We are now having to integrate with another institution's Cisco wireless 
controllers.  We have the authentication stuff working great.  But we are 
unable to get the disconnect/CoA to work.  We believe we have the correct 
format (xx-xx-xx-xx-xx-xx) and we are utilizing the correct port for 3587 (I 
think it is UDP 3799 off the to

RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
I really think Felix hit the nail on the head.  I found the documentation with 
the supported attributes for CoA and Cisco.  Type 55 (Event-Timestamp) is NOT a 
supported option.  We are getting NAKs back stating that we are sending an 
‘Unsupported Attribute’.  I am asking Extreme how to strip 55 out of the CoA.  
In the meantime, I have also asked the other institution to look at their 
configs and validate 3799.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Curtis K. Larsen
Sent: Friday, April 17, 2020 12:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

We use 1700 as well for our CoA stuff against the Cisco 8540 with PacketFence.

From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Turner, Ryan H
Sent: Friday, April 17, 2020 10:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

I reversed that.  The standard is 3799, and I know Cisco tends to use 1700.  
But I see plenty of documentation on 3799 for Cisco.  I’ll confirm.

From: Turner, Ryan H
Sent: Friday, April 17, 2020 12:00 PM
To: The EDUCAUSE Wireless Issues Community Group Listserv
Subject: RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

So apparently that changed.  If you search on Cisco, you will note that they 
seemed to go away from the default port.  I do not think we would be getting a 
properly formatted NAK if we were sending to the wrong port.  But I am going to 
ask the other institution to validate that.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Abhiramms
Sent: Friday, April 17, 2020 11:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

Ryan,

Have you tried UDP port 1700?

As far as I can remember, the default port when adding a RADIUS client for a 
Cisco device was 1700.

Also - I usually refer to this link that has the different CoA pcaps captured 
from a Cisco perspective:

https://drive.google.com/drive/mobile/folders/1wYJhxkCoessGu03O__77cLWEJokBWJt9?usp=sharing

Source - 
https://wirelesslywired.com/2018/01/18/deconstructing-the-radius-coa-process/

Thanks
Abhi

On Apr 17, 2020, at 8:07 AM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:

Thank you Felix.  We do have this attribute present.  Let me see if I can get 
it removed.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Felix Windt
Sent: Friday, April 17, 2020 9:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

This is off the cuff, but in the past I’ve had issues with Cisco WLCs taking 
CoAs when the Event-Timestamp attribute was present.

thx,
felix

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Turner, Ryan H" <rhtur...@email.unc.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, April 17, 2020 at 9:26 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

We currently use Extreme Network Access Control.  We have had this for 14 years 
and it works very well.  We integrated it with Aruba wireless years ago, and we 
are able to send back filter IDs on the initial authentication to change roles, 
as well as issue disconnects to the user, forcing them to reauthenticate to 
their new policy (for example, a user is online and doing something bad, we 
send a disconnect message to the controllers and the user reconnects and 
authenticates with the new role).

We are now having to integrate with another institution's Cisco wireless 
controllers.  We have the authentication stuff working great.  But we are 
unable to get the disconnect/CoA to work.  We believe we have the correct 
format (xx-xx-xx-xx-xx-xx) and we are utilizing the correct port for 3587 (I 
think it is UDP 3799 off the top of my head).  We are getting back NAKs, and 
the message indicated is ‘invalid attributes’.  We aren’t sure what attributes 
to send back for the disconnect.  Obviously the other third party NACs have to 
do this correctly, but I’ve been unable to find documentation.  Extreme has 
some old documentation, but it appears wrong

RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
So apparently that changed.  If you search on Cisco, you will note that they 
seemed to go away from the default port.  I do not think we would be getting a 
properly formatted NAK if we were sending to the wrong port.  But I am going to 
ask the other institution to validate that.


RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
I reversed that.  The standard is 3799, and I know Cisco tends to use 1700.  
But I see plenty of documentation on 3799 for Cisco.  I’ll confirm.


RE: [WIRELESS-LAN] Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
Thank you Felix.  We do have this attribute present.  Let me see if I can get 
it removed.


Advanced NAC question regarding RFC3587 (Change of Authorization)

2020-04-17 Thread Turner, Ryan H
We currently use Extreme Network Access Control.  We have had this for 14 years 
and it works very well.  We integrated it with Aruba wireless years ago, and we 
are able to send back filter IDs on the initial authentication to change roles, 
as well as issue disconnects to the user, forcing them to reauthenticate to 
their new policy (for example, a user is online and doing something bad, we 
send a disconnect message to the controllers and the user reconnects and 
authenticates with the new role).

We are now having to integrate with another institution's Cisco wireless 
controllers.  We have the authentication stuff working great.  But we are 
unable to get the disconnect/CoA to work.  We believe we have the correct 
format (xx-xx-xx-xx-xx-xx) and we are utilizing the correct port for 3587 (I 
think it is UDP 3799 off the top of my head).  We are getting back NAKs, and 
the message indicated is 'invalid attributes'.  We aren't sure what attributes 
to send back for the disconnect.  Obviously the other third party NACs have to 
do this correctly, but I've been unable to find documentation.  Extreme has 
some old documentation, but it appears wrong.  Any experts out there on this?  
Anyone willing to do a reauthentication from their NAC to their controllers and 
send us the packet trace?  If we know what attributes you are sending, that is 
likely what we need to make this work.

I've opened a ticket to Extreme, and I've asked the other institution to open a 
ticket with Cisco.  But this may get me results quicker.

Thanks!

Ryan Turner
Head of Networking
Communication Technologies | Information Technology Services
r...@unc.edu
+1 919 445 0113 (Office)
+1 919 274 7926 (Mobile)


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
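Added example, not code from the thread, from Extreme or from Cisco: a minimal RFC 5176 Disconnect-Request builder and Disconnect-ACK/NAK decoder in Python that makes the two points the thread argued about checkable. It keys the request on Calling-Station-Id in the xx-xx-xx-xx-xx-xx form, leaves Event-Timestamp (type 55) out unless asked for (the attribute the thread found Cisco WLCs reject), verifies the Response Authenticator on whatever comes back, and decodes Error-Cause (type 101) so a NAK reads "401 Unsupported Attribute" instead of just "NAK". The port order 3799 then 1700 mirrors what the thread did. The shared secret, MAC and NAS address are made up, and the NAK exercised offline is constructed by the example itself rather than captured from a controller.

```python
"""RFC 5176 Disconnect-Request builder and Disconnect-ACK/NAK decoder (constructed example)."""
import hashlib
import os
import re
import socket
import struct
import time

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
CALLING_STATION_ID, EVENT_TIMESTAMP, ERROR_CAUSE = 31, 55, 101
RFC_PORT, CISCO_PORT = 3799, 1700  # RFC 5176 default; the port the Cisco gear in the thread used

# Error-Cause values (RFC 5176 section 3.5) a NAS returns when it rejects a CoA/DM
ERROR_CAUSES = {
    401: "Unsupported Attribute", 402: "Missing Attribute",
    403: "NAS Identification Mismatch", 404: "Invalid Request",
    405: "Unsupported Service", 406: "Unsupported Extension",
    407: "Invalid Attribute Value", 503: "Session Context Not Found",
    504: "Session Context Not Removable",
}

def normalize_mac(mac: str) -> str:
    """Return the xx-xx-xx-xx-xx-xx form the thread settled on, from colon, dot or dash notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 octet), Length (1 octet, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_disconnect_request(secret: bytes, ident: int, mac: str,
                             include_event_timestamp: bool = False) -> bytes:
    """Disconnect-Request (code 40) that identifies the session by Calling-Station-Id.

    Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    Event-Timestamp (type 55) is off by default: the thread found Cisco WLCs NAK it.
    """
    attrs = attr(CALLING_STATION_ID, normalize_mac(mac).encode())
    if include_event_timestamp:
        attrs += attr(EVENT_TIMESTAMP, struct.pack("!I", int(time.time())))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def parse_attributes(payload: bytes) -> list:
    """Walk the TLV list, rejecting bad lengths rather than looping or over-reading."""
    out = []
    while payload:
        if len(payload) < 2 or payload[1] < 2 or payload[1] > len(payload):
            raise ValueError("malformed attribute")
        out.append((payload[0], payload[2:payload[1]]))
        payload = payload[payload[1]:]
    return out

def parse_response(secret: bytes, request: bytes, response: bytes) -> dict:
    """Check ID and Response Authenticator, then pull Error-Cause out of an ACK/NAK.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Verify it before believing the reply; it is an unauthenticated UDP datagram otherwise.
    """
    if len(response) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("length or ID mismatch")
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        raise ValueError(f"unexpected code {code}")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if expected != response[4:20]:
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    cause = None
    for atype, value in parse_attributes(response[20:]):
        if atype == ERROR_CAUSE and len(value) == 4:
            cause = struct.unpack("!I", value)[0]
    return {"ack": code == DISCONNECT_ACK, "error_cause": cause,
            "error_text": None if cause is None else ERROR_CAUSES.get(cause, "unknown")}

def constructed_nak(secret: bytes, request: bytes, cause: int) -> bytes:
    """A Disconnect-NAK built the way a NAS builds one; stands in for a live controller here."""
    attrs = attr(ERROR_CAUSE, struct.pack("!I", cause))
    header = struct.pack("!BBH", DISCONNECT_NAK, request[1], 20 + len(attrs))
    auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + auth + attrs

def send_disconnect(nas_ip: str, secret: bytes, mac: str,
                    ports=(RFC_PORT, CISCO_PORT), timeout: float = 2.0) -> dict:
    """Send to the RFC port first, then Cisco's 1700, as the thread ended up doing.

    Any authenticated ACK or NAK proves port and secret are right; a wrong port is silence.
    """
    request = build_disconnect_request(secret, os.urandom(1)[0], mac)
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(request, (nas_ip, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue
        result = parse_response(secret, request, data)
        result["port"] = port
        return result
    return {"ack": False, "error_cause": None, "error_text": "no reply on any port", "port": None}

if __name__ == "__main__":
    # Offline round trip with a constructed NAK; use send_disconnect("192.0.2.10", ...) against a real NAS.
    secret = b"example-shared-secret"  # made up
    req = build_disconnect_request(secret, 7, "AA:BB:CC:DD:EE:FF", include_event_timestamp=True)
    print(parse_response(secret, req, constructed_nak(secret, req, 401)))
```

Message-Authenticator (type 80) is deliberately absent; RFC 5176 makes it optional in a Disconnect-Request, so add an HMAC-MD5 over the packet if the NAS is configured to require it. The MD5 authenticators above are the only integrity the protocol offers, so keep the shared secret long and random and restrict which source addresses the controller accepts CoA from.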


Re: [WIRELESS-LAN] ArubaOS 8.5.0.7

2020-03-31 Thread Turner, Ryan H
8.5.0.7 is the landing code for UNC with the bugs that were worked on with 
Aruba.  We haven’t upgraded to it, yet (under current conditions) but will, 
soon.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Mar 30, 2020, at 3:24 PM, Cesar Fernandez  wrote:



Hi Everyone,

We are an Aruba wireless shop currently running ArubaOS 8.5.0.1 on an 
Active/Standby MM pair with 4 MD controllers.  Ever since we upgraded to the 
8.5 code we've encountered several critical issues requiring upgrades, and 
subsequent downgrades, between various 8.5.0.X versions. We have been on 
8.5.0.1 for the better part of the school year as it has been the most stable 
for our environment.  A couple weeks before the COVID-19 crisis, 3 of our 4 MD 
controllers randomly crashed.  TAC is now recommending that we upgrade to 
8.5.0.7, which was released last week.

Are there any universities on this list that have recently upgraded to 8.5.0.7? 
If so, what has been your experience?

I understand most campuses are only seeing a fraction of the normal wireless 
traffic load as most students are currently not on campus - so any feedback 
would be greatly appreciated.


Cesar Fernandez
Sr. Network Engineer
University of San Diego


Re: [WIRELESS-LAN] EAP-TLS using ADCS and/or SecureW2

2020-02-06 Thread Turner, Ryan H
I would suggest using SecureW2's PKI and not AD.  We ran SecureW2 integrated 
with the ADCS for about 5 or 6 years.  It works, but it adds some additional 
complexity that will cause you grief.  For example, let’s say one night the 
integration server that ties to SecureW2 patches and hangs after a reboot…. Or 
the process that handles the certificate request (a SecureW2 process on your AD 
server) dies… The users trying to onboard will get ambiguous errors, and you 
will spend a lot of time trying to figure out if the problem is 1) the user, 2) 
the cloud, 3) your AD integration server, 4) the certificate server.  It really 
helps to have everything in one basket.

We switched to the SecureW2 cloud based PKI in January.  I am going to answer 
your other questions inline below…

From: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"  
on behalf of "Heavrin, Lynn" 
Reply-To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 

Date: Thursday, February 6, 2020 at 3:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] EAP-TLS using ADCS and/or SecureW2

We’re planning to migrate our PEAP MSCHAPv2 wifi to EAP-TLS.  At the 
recommendation of a couple big universities we talked with, we are looking at 
using SecureW2.  We have demoed it and it works great provisioning the clients 
and enrolling user certificates to their cloud PKI.  After bringing it up with 
our AD team, some questions were asked about possibly just using our ADCS.  We 
know we can use the ADCS with or without SecureW2 and will likely leverage 
SecureW2 anyway to point to it for nice features like OS detection and 
provisioning and a good dissolvable agent.  We use Cisco ISE for our RADIUS 
server and I much prefer SecureW2’s agent over ISE.

I was asked a couple questions and I may or may not already know the answer, 
but it’d be great if someone with a little more PKI background could clarify:

Private PKI questions:

  1.  Does every Managed and BYOD device have to trust the full chain of the 
certificate?
I don’t think you can make any assumptions.  As I recall, we install every 
certificate and chain it all the way back to root.

  2.  How do you install the trusted root and intermediate on a BYOD device?
That is what SecureW2 does during the onboarding.

  3.  For a private PKI with a self-signed cert do we need an HSM?  If we use 
incommon root, would we need the HSM?
I think this is extreme overkill.  If you are going to create a new PKI, it 
should only be trusted on the RADIUS servers for campus internet connectivity.  
The certificate shouldn’t give access to any other campus resource, so its 
value is extremely limited.


SecureW2 Questions:

  1.  Does the SecureW2 JoinNow MultiOS dissolvable agent install the root and 
intermediate on a BYOD device during enrollment?  If so then it shouldn’t 
matter if we use a self-signed root or incommon public root right?
  2.  We are also an incommon partner and can get root signed certs from them.  
If we used incommon root but pointed securew2 to our ADCS, would that be an 
unnecessary step rather than just pointing SecureW2 straight to incommon like 
we’re doing in our demo?
  3.  Would you recommend we use an incommon public signed cert even if we’re 
able to have every BYOD client install our self-signed cert?  We have unlimited 
incommon certs.  We may already have been issuing user certs to all our managed 
devices, just not doing anything with them.  One thing I thought was that any 
BYOD could be incommon, and all managed would be self-signed and I could just 
set ISE to trust both.

I’ll make this simple.  While your situation may differ from ours, I do not 
think there will be a compelling reason for you to use InCommon.  A Private PKI 
is simple.  SecureW2 will easily install the chains.  You will not have to 
worry about InCommon.  I’m just going to leave it at that.  While I don’t have 
the precise number, I am fairly confident we’ve onboarded devices nearly 1M times on 
SecureW2 (and previously Cloudpath).  When it comes to TLS, your absolute best 
bet is to not complicate.  2048 length certs and SHA256 hash.  Simple.  Works.  
No benefit to complicating.

My 10 cents.

Ryan


Thanks,

Lynn Heavrin
Network Engineer II | Network Engineering
Washington University in St. Louis
4480 Clayton Ave, St. Louis, MO 63110
Mail stop 8218-45-1200
Phone: 314.935.3877 | Email: lheav...@wustl.edu


The materials in this message are private and may contain Protected Healthcare 
Information or other information of a sensitive nature. If you are not the 
intended recipient, be advised that any unauthorized use, disclosure, copying 
or the taking of any action in reliance on the contents of this information is 
strictly prohibited. If you have received this email in error, please 
immediately notify the sender via telephone or return mail.


Re: Update on our Aruba solution

2020-01-16 Thread Turner, Ryan H
And for some reason my Apple sent an email before I was done…

Continuing…

We had issues with rebootstrapping of radios on APs in ResNet.  This is the 
same problem (I believe) that UW faced.  We have turned on CPSec, restored 
timers to normal, and have seen no issues since doing so.  We consider this a 
big win for the moment.

We had issues with failovers not working correctly after a power outage.  We 
were unable to recreate the breakage, so that issue will have to go into the 
bit bucket.

We also have issues of artificial high noise on certain APs.  This was 
experienced when the team was here, but we have no root cause at this time.

The short of it, I feel as though we’ve managed to get to a work around for 
several of our issues.  Aruba has told us they are committed to using whatever 
resources are necessary to resolve the other issues, but we are going to let 
them (and us) take a little break, and hopefully enjoy the few wins that we 
had.  We have some plans together to work on the other issues, but we need to 
push the ball forward a little bit more before asking them to spend more time 
with us.

Keith Miller can reply to this message with all the things I said wrong.  For 
now, I’m about to take a 2 week vacation and forget about all of this.  Thank 
you all for your interest, and we will keep you up to date as we learn more.

Thanks,
Ryan

From: Ryan Turner 
Date: Thursday, January 16, 2020 at 5:10 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Update on our Aruba solution

All,

Since the thread generated significant interest last week, I wanted to let you 
know how Aruba responded.

After hearing of our issues, Aruba sent a tiger team (5 or 6 folks) that came 
in to work on the bugs.  We had a punch list of things to work on.

On the top of the list was the 515 performance issues.  This is where people 
would stay connected, but data wouldn’t flow for a period of time.  The 
symptoms were reproduced many times during the week with everyone present.  
Aruba found a bug in code that does not handle queuing properly in certain 
circumstances.  They produced code to fix this issue, but we cannot confirm at 
this time if this will resolve what we are seeing….  We saw a similar symptom 
immediately after putting the fix on the AP.

After seeing the same symptom immediately after putting on the hotfix, they 
realized that someone on the team has an Intel AX adapter which has significant 
issues with OFDMA.  It can essentially wreck the airwaves for other clients.  
The solution is to TURN OFF OFDMA on AX access points until Aruba releases a 
build that can selectively ignore Intel OFDMA (while allowing others).  I have 
a release from Broadcom on January 6 speaking to this issue, so they aren’t 
making that.  I confirmed it with a separate wireless vendor that Broadcom has 
had some issues on the OFDMA front.  I plan on keeping it off for likely the 
next year as we don’t really have a significant quantity of AX clients to make 
it worth the hassle at the moment.



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


Update on our Aruba solution

2020-01-16 Thread Turner, Ryan H
All,

Since the thread generated significant interest last week, I wanted to let you 
know how Aruba responded.

After hearing of our issues, Aruba sent a tiger team (5 or 6 folks) that came 
in to work on the bugs.  We had a punch list of things to work on.

At the top of the list were the 515 performance issues.  This is where people 
would stay connected, but data wouldn’t flow for a period of time.  The 
symptoms were reproduced many times during the week with everyone present.  
Aruba found a bug in code that does not handle queuing properly in certain 
circumstances.  They produced code to fix this issue, but we cannot confirm at 
this time if this will resolve what we are seeing….  We saw a similar symptom 
immediately after putting the fix on the AP.

After seeing the same symptom immediately after putting on the hotfix, they 
realized that someone on the team has an Intel AX adapter which has significant 
issues with OFDMA.  It can essentially wreck the airwaves for other clients.  
The solution is to TURN OFF OFDMA on AX access points until Aruba releases a 
build that can selectively ignore Intel OFDMA (while allowing others).  I have 
a release from Broadcom on January 6 speaking to this issue, so they aren’t 
making that.  I confirmed it with a separate wireless vendor that Broadcom has 
had some issues on the OFDMA front.  I plan on keeping it off for likely the 
next year as we don’t really have a significant quantity of AX clients to make 
it worth the hassle at the moment.





RE: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-14 Thread Turner, Ryan H
like their business model. Aruba, well, we chose it in part because Microsoft 
use it internally and that prevents them blaming the wireless when we're 
getting them to fix their drivers. Mist I've never used, Ruckus have always had 
great wireless performance and with CloudPath are getting their authentication 
piece in order. Which brings me to another point, consider the vendor's other 
offerings like management systems and RADIUS servers. I've already said my 
piece about DNA-C, and Airwave seems to have barely changed since I last used 
it 8 years ago. Extreme XMC is ok.

I've run out of time today to expound upon the problems with the Surface wifi 
chipset, but it seems there is an underlying problem that then causes different 
high level problems depending on the AP - I've seen three different bad 
behaviours on Extreme, Aruba and Cisco. We've got 200 Surface Pro 7s with Intel 
AX201 chipsets which I'll hopefully

Thanks,

--

James Andrewartha

Network & Projects Engineer

Christ Church Grammar School

Claremont, Western Australia

Ph. (08) 9442 1757

Mob. 0424 160 877
On 10/1/20 12:15 am, Turner, Ryan H wrote:
We've been an Aruba shop for a very long time and have around 10,000 access 
points.  While every relationship with vendors has its ups and downs, my 
frustration with Aruba is finally peaking to the point that I am 
considering making the enormous move to choose a different vendor.  The biggest 
reason is with the 8.X code train, and bugs that we just don't consider 
appropriate to use in production.  It has been one thing after the other, and 
my extremely talented and qualified Network Architect (Keith Miller) might as 
well be on the Aruba payroll as much work as he has been doing for them to 
solve bugs.  Just when we think we have one fixed, another one crops up.

The big one as of late is with 515s running 8.5 code train.  We have them 
deployed in one of our IT buildings.  Periodically, people that are connected 
to these APs in the 5G band will stop working.  To the user, they are browsing 
a site, then it becomes unresponsive.  If they are on their phone, they will 
disconnect from wifi and everything works fine on cell.  Nothing makes an 
802.11 network look worse than switching to cell and seeing a problem resolve.  
Normally, if the users disconnect then reconnect, their problems will go away 
(but I think they end up connecting in the 2.4G band).   We've been working on 
this problem with them for months.  It always seems as though we have to prove 
there is a real issue.  I'm fed up with it.  We are a sophisticated shop.  If 
we have a problem, 9 times out of 10 when we bring it to the vendor, it is a 
real problem.  I'm extra frustrated that, due to issues we've seen in ResNet on 
the 8.3X train, we don't want to abandon our 6 train on main campus.  To 
Aruba's credit, we purchased around 1,000 515s last year (I think around 
February).  When they could not get good code to support them on, Aruba bought 
back half of them.  I asked for them to buy back half because I thought for 
sure with the 315s that we would have instead, the issues would be fixed by the 
time the 315s ran out.  Not looking to be the case.

So, with that rant over, we are seriously considering looking to move away from 
Aruba (unless they get their act together really soon).  There are other bugs 
I'm not even mentioning here.  For those of you that made the switch to another 
vendor, I would be curious how long the honeymoon lasted, what were your 
motivators, and were you happy with the overall results?  Of course, this is a 
great opportunity to plug your vendor.  As I see it, we have 3 choices: 
Something from Cisco (we had Cisco long ago and dumped them for bugs), 
something from Extreme (we are a huge Extreme shop so this makes sense), 
something from Juniper (Mist).



RE: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-10 Thread Turner, Ryan H
e hell off of 
> the website so no one else downloads it. Don't leave us in "we need to gather 
> data" status- that's why vendors have million dollar test facilities (and 
> I've seen many of them)- gather your own data and just get us back on the 
> rails. If code is considered "bleeding edge", be honest about that with big 
> red warning labels on the UI and the download links. If HW is defective- same 
> thing. Recall it. Proactively. If HW is "bleeding edge" be brutally honest. 
> Customers should not be part of the QA process or have to play code roulette 
> to find what is "safe". Any vendor who dares charge for a "bug scrub" before 
> recommending a good code version in this Age of Crappy Code should be ashamed 
> of themselves, BTW.
>
>
>
> And finally. any vendor or VAR who can cavalierly say "well the customer 
> bought bleeding edge stuff, what do they expect" has lost touch with what 
> customer service means. If it's that fragile, it shouldn't be on the market, 
> period. Silly Vally needs to slow it down. It ain't Agile if it sucks.
>
>
>
> Sorry for the rant.
>
>
>
> Lee Badman | Network Architect (CWNE#200)
>
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
>
> t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
>
> SYRACUSE UNIVERSITY
> syr.edu
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Michael Davis
> Sent: Friday, January 10, 2020 7:31 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?
>
>
>
> FWIW, some of the most bizarre issues I've ran into with Aruba APs have been 
> related to:
>  - MTUs on the path
>  - Reassembly of packets
>  - Out of order fragments
>  - LLDP
>  - tx, beacon, basic radio rates
>
> Some things to look into if the 5GHz radio drop can be
> deterministically recreated and tested, but I know that's usually half the 
> battle..
>
>
> On 1/9/20 3:34 PM, Turner, Ryan H wrote:
>
> We are on 8.5.0.3 for the ITS cluster. We were going to upgrade to 8.0.0.5, 
> but we had a disaster in one of our data centers just before the holidays.  
> Power was tripped for a 13,000 sq foot data center.  For some reason, APs 
> associated to the controller in this building did not fail over to the other 
> site.  We are going to be testing this scenario again next week by yanking 
> the power to confirm if we've hit yet another bug, or if this was a one-off.
>
>
>
> Ryan
>
>
>
>
>
> From: The EDUCAUSE Wireless Issues Community Group Listserv
> <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Steve Fletty
> Sent: Thursday, January 9, 2020 1:20 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?
>
>
>
> What version of 8.5?
>
>
>
> We saw some issues in our lab prior to 8.5.0.4. We have a mix of 335s and 
> 535s.
>
>
>
> On Thu, Jan 9, 2020 at 10:15 AM Turner, Ryan H <rhtur...@email.unc.edu> wrote:
>
> All:
>
>
>
> We've been an Aruba shop for a very long time and have around 10,000 access 
> points.  While every relationship with vendors has its ups and downs, my 
> frustration with Aruba is finally peaking to the point that I am 
> considering making the enormous move to choose a different vendor.  The 
> biggest reason is with the 8.X code train, and bugs that we just don't 
> consider appropriate to use in production.  It has been one thing after the 
> other, and my extremely talented and qualified Network Architect (Keith 
> Miller) might as well be on the Aruba payroll as much work as he has been 
> doing for them to solve bugs.  Just when we think we have one fixed, another 
> one crops up.
>
>
>
> The big one as of late is with 515s running 8.5 code train.  We have them 
> deployed in one of our IT buildings.  Periodically, people that are connected 
> to these APs in the 5G band will stop working.  To the user, they are 
> browsing a site, then it becomes unresponsive.  If they are on their phone, 
> they will disconnect from wifi and everything works fine on cell.  Nothing 
> makes an 802.11 network look worse than switching to cell and seeing a 
> problem resolve.  Normally, if the users disconnect then reconnect, their 
>

RE: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-10 Thread Turner, Ryan H
The issues we are seeing have nothing to do with a client being ax capable or 
not, so we’re clear.  I don’t think you are saying that, but so we are clear.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Kristijan Jerkan
Sent: Friday, January 10, 2020 12:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?


Question: Do those of You who experience this frustration in scale have reason 
to suspect compatibility issues between .ax-Aruba-code/features to be a root 
cause?



We don’t notice significant .ax client adoption (being an Aruba shop, but not 
in scale).  AFAIK even a large scale event like the 36c3 (>10k peak nerds on ~300 
APs) saw only a dozen .ax clients.



From an operational standpoint I absolutely feel for you, but I do wonder if you 
had that discussion with the vendor (and if so, how it went).

We probably all agree with Lee on “prod is not suitable for inadequate in-house 
tests, dear [whatever] vendor”.



On 09.01.2020 at 21:34, Turner, Ryan H <rhtur...@email.unc.edu> wrote:

We are on 8.5.0.3 for the ITS cluster. We were going to upgrade to 8.0.0.5, but 
we had a disaster in one of our data centers just before the holidays.  Power 
was tripped for a 13,000 sq foot data center.  For some reason, APs associated 
to the controller in this building did not fail over to the other site.  We are 
going to be testing this scenario again next week by yanking the power to 
confirm if we’ve hit yet another bug, or if this was a one-off.

Ryan


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Steve Fletty
Sent: Thursday, January 9, 2020 1:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

What version of 8.5?

We saw some issues in our lab prior to 8.5.0.4. We have a mix of 335s and 535s.

On Thu, Jan 9, 2020 at 10:15 AM Turner, Ryan H <rhtur...@email.unc.edu> wrote:
All:

We’ve been an Aruba shop for a very long time and have around 10,000 access 
points.  While every relationship with vendors has its ups and downs, my 
frustration with Aruba is finally peaking to the point that I am 
considering making the enormous move to choose a different vendor.  The biggest 
reason is with the 8.X code train, and bugs that we just don’t consider 
appropriate to use in production.  It has been one thing after the other, and 
my extremely talented and qualified Network Architect (Keith Miller) might as 
well be on the Aruba payroll as much work as he has been doing for them to 
solve bugs.  Just when we think we have one fixed, another one crops up.

The big one as of late is with 515s running 8.5 code train.  We have them 
deployed in one of our IT buildings.  Periodically, people that are connected 
to these APs in the 5G band will stop working.  To the user, they are browsing 
a site, then it becomes unresponsive.  If they are on their phone, they will 
disconnect from wifi and everything works fine on cell.  Nothing makes an 
802.11 network look worse than switching to cell and seeing a problem resolve.  
Normally, if the users disconnect then reconnect, their problems will go away 
(but I think they end up connecting in the 2.4G band).   We’ve been working on 
this problem with them for months.  It always seems as though we have to prove 
there is a real issue.  I’m fed up with it.  We are a sophisticated shop.  If 
we have a problem, 9 times out of 10 when we bring it to the vendor, it is a 
real problem.  I’m extra frustrated that, due to issues we’ve seen in ResNet on 
the 8.3X train, we don’t want to abandon our 6 train on main campus.  To 
Aruba’s credit, we purchased around 1,000 515s last year (I think around 
February).  When they could not get good code to support them on, Aruba bought 
back half of them.  I asked for them to buy back half because I thought for 
sure with the 315s that we would have instead, the issues would be fixed by the 
time the 315s ran out.  Not looking to be the case.

So, with that rant over, we are seriously considering looking to move away from 
Aruba (unless they get their act together really soon).  There are other bugs 
I’m not even mentioning here.  For those of you that made the switch to another 
vendor, I would be curious how long the honeymoon lasted, what were your 
motivators, and were you happy with the overall results?  Of course, this is a 
great opportunity to plug your vendor.  As I see it, we have 3 choices….  
Something from Cisco (we had Cisco long ago and dumped them for bugs), 
something from Extreme (we are a huge Extreme shop so this makes sense), 
something from Juniper (Mist).

Thanks,
Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 M

RE: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-09 Thread Turner, Ryan H
We are on 8.5.0.3 for the ITS cluster. We were going to upgrade to 8.0.0.5, but 
we had a disaster in one of our data centers just before the holidays.  Power 
was tripped for a 13,000 sq foot data center.  For some reason, APs associated 
to the controller in this building did not fail over to the other site.  We are 
going to be testing this scenario again next week by yanking the power to 
confirm if we’ve hit yet another bug, or if this was a one-off.

Ryan


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Steve Fletty
Sent: Thursday, January 9, 2020 1:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

What version of 8.5?

We saw some issues in our lab prior to 8.5.0.4. We have a mix of 335s and 535s.

On Thu, Jan 9, 2020 at 10:15 AM Turner, Ryan H <rhtur...@email.unc.edu> wrote:
All:

We’ve been an Aruba shop for a very long time and have around 10,000 access 
points.  While every relationship with vendors has its ups and downs, my 
frustration with Aruba is finally peaking to the point that I am 
considering making the enormous move to choose a different vendor.  The biggest 
reason is with the 8.X code train, and bugs that we just don’t consider 
appropriate to use in production.  It has been one thing after the other, and 
my extremely talented and qualified Network Architect (Keith Miller) might as 
well be on the Aruba payroll as much work as he has been doing for them to 
solve bugs.  Just when we think we have one fixed, another one crops up.

The big one as of late is with 515s running 8.5 code train.  We have them 
deployed in one of our IT buildings.  Periodically, people that are connected 
to these APs in the 5G band will stop working.  To the user, they are browsing 
a site, then it becomes unresponsive.  If they are on their phone, they will 
disconnect from wifi and everything works fine on cell.  Nothing makes an 
802.11 network look worse than switching to cell and seeing a problem resolve.  
Normally, if the users disconnect then reconnect, their problems will go away 
(but I think they end up connecting in the 2.4G band).   We’ve been working on 
this problem with them for months.  It always seems as though we have to prove 
there is a real issue.  I’m fed up with it.  We are a sophisticated shop.  If 
we have a problem, 9 times out of 10 when we bring it to the vendor, it is a 
real problem.  I’m extra frustrated that, due to issues we’ve seen in ResNet on 
the 8.3X train, we don’t want to abandon our 6 train on main campus.  To 
Aruba’s credit, we purchased around 1,000 515s last year (I think around 
February).  When they could not get good code to support them on, Aruba bought 
back half of them.  I asked for them to buy back half because I thought for 
sure with the 315s that we would have instead, the issues would be fixed by the 
time the 315s ran out.  Not looking to be the case.

So, with that rant over, we are seriously considering looking to move away from 
Aruba (unless they get their act together really soon).  There are other bugs 
I’m not even mentioning here.  For those of you that made the switch to another 
vendor, I would be curious how long the honeymoon lasted, what were your 
motivators, and were you happy with the overall results?  Of course, this is a 
great opportunity to plug your vendor.  As I see it, we have 3 choices….  
Something from Cisco (we had Cisco long ago and dumped them for bugs), 
something from Extreme (we are a huge Extreme shop so this makes sense), 
something from Juniper (Mist).

Thanks,
Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu




--
Steve Fletty
Network Engineer
Office of Information Technology (OIT)
University of Minnesota
Phone: 612-625-1048
Email: fle...@umn.edu



RE: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-09 Thread Turner, Ryan H
At this time, this doesn’t appear to bother anything other than the 515s.  We 
have 315s on the same code and have not gotten reports.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Norman Chu
Sent: Thursday, January 9, 2020 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

We have been running v8.5.0.4 (clustered controllers off of a mobility master) 
with a little over 4100 AP305’s and AP325’s for a couple of months and things 
have been stable here.  Prior to this, v8.3.0.8 was causing us a few issues.

Norman Chu
Systems Administrator, Network Infrastructure Team
IT Services
T:  514-398-7299
norman@mcgill.ca  |   www.mcgill.ca/it
805 rue Sherbrooke Ouest, Burnside Hall, Montréal, QC. H3A-0B9  Canada

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Michael Hulko
Sent: January 9, 2020 11:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

May not be completely related, but we have had issues with newer AX chipsets 
that utilize NDIS 6.3 code set.  Some of the advanced features had to be turned 
off as a work around such as packet coalescing etc.

Although we have no 515’s in our environment, we are progressing to 8.6 (as per 
our SE) in the coming weeks and this does not make me comfortable.  Any issues 
with the 300 series APs and 8.5x? May rethink and downgrade to 8.3x as it also 
seems to only support the AP103Hs as well.

M

On Jan 9, 2020, at 11:44 AM, Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:

No insult meant to anyone’s intelligence, but are you also looking at client 
device drivers etc. in the context of these issues? Depending on which client 
NIC is in play, the device makers haven’t been doing us any favors of late. It is 
very possible, for example, that hundreds of AD-managed laptops may all have the 
same bum driver.

Just asking…

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of David Morton
Sent: Thursday, January 9, 2020 11:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

Ryan, we have been experiencing some of the very same issues. Since installing 
515s and resulting 8.5.x code in our offices (always our first step to any 
migration) we too have experienced unexplained periods of no connectivity. In 
most or all the cases I’ve personally experienced, I believe that I remain 
connected at an 802.11 standpoint but will have that 30 seconds to a couple of 
minutes of no IP connectivity. We have now deployed 515s and 8.5.x in one of 
our residence halls so I am concerned about their experience as well. Just 
before the holiday break we had a series of very high-profile outages that 
impacted our students leading up to and during finals week. The issue got so 
bad that our CIO had to issue a letter to students explaining the problem and 
what we are doing about it. This is the first time that this level of 
communication was needed in my 15 years at the UW using Aruba.

We too are a heavy Juniper shop and have recently received a MIST demo kit. We 
haven’t done anything with it yet due to lack of resources, but if things 
continue on the current path we may give it a more serious look.

David


David Morton
Director, Network & Telecom Design/Architecture
University of Washington
dmorton @uw.edu
tel 206.221.7814

PS I am currently on medical leave so if you wish to reply off-list, please 
direct it to Amel Caldwell, amelc@ uw.edu


On Jan 9, 2020, at 8:15 AM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:

All:

We’ve been an Aruba shop for a very long time and have around 10,000 access 
points.  While every relationship with vendors has its ups and downs, my 
frustration with Aruba is finally peaking to the point that I am 
considering making the enormous move to choose a different vendor.  The biggest 
reason is with the 8.X code train, and bugs that we just don’t consider 
appropriate to use in production.  It has been one thing after the other, and 
my extremely talented and qualified Network Architect (Keith Miller) might as 
well be on the Aruba payroll as much work as he has been doing for them to 
solve bugs.  Just when we think we have one fixed, another one crops up.

RE: Who has transitioned away from Aruba, and why?

2020-01-09 Thread Turner, Ryan H
From my standpoint, it really isn't about having bugs. They will all have 
them.  It's how the vendor handles the request when it comes in.

Extreme is a very good example of this.  While we have bugs, I know I can 
escalate it all the way to the C level of executives if I don't think an issue 
is getting handled quickly.  If I tell them a bug is critically important, then 
very soon we are on the call with 10+ developers/coders/executives working to 
fix the problem.  While not everything has been perfect, I know that if I tell 
Extreme something is important, things get resolved.  I feel as though I've had 
to complain so much in the past two years over issues that I've become Chicken 
Little.  It should be obvious to an executive team monitoring an account that 
when you have significant bugs exceeding 2-3 months, the wagons need to be 
circled.  It doesn't seem to be automatic.

So, in short, it's not always the existence of bugs that is the problem.  It is 
the company's response to the problem.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jeffrey D. Sessler
Sent: Thursday, January 9, 2020 11:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

Our consortium had both Cisco and Aruba, and about 12-18 months ago the Aruba 
folks tossed in the towel and went Cisco. Various unresolvable problems with 
Aruba AP's, including one that required a weekly reboot of a particular model.

As Lee mentions, the grass isn't always greener, so expect that you're going to 
run into issues with any vendor. As such, it's going to come down to 
support/resolution and your relationship with the vendor.  Startups are great 
as they have a single product with a single code-train, so they tend to be 
pretty responsive at the start. Once they have a few years under their belt, 
and their code base starts to fragment, you'll get to the same point you have 
with the big incumbents i.e. too many code bases to support effectively.

Jeff


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, January 9, 2020 at 8:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?
All:

We've been an Aruba shop for a very long time and have around 10,000 access 
points.  While every relationship with vendors has its ups and downs, my 
frustration with Aruba is finally peaking to the point that I am 
considering making the enormous move to choose a different vendor.  The biggest 
reason is with the 8.X code train, and bugs that we just don't consider 
appropriate to use in production.  It has been one thing after the other, and 
my extremely talented and qualified Network Architect (Keith Miller) might as 
well be on the Aruba payroll as much work as he has been doing for them to 
solve bugs.  Just when we think we have one fixed, another one crops up.

The big one as of late is with 515s running 8.5 code train.  We have them 
deployed in one of our IT buildings.  Periodically, people that are connected 
to these APs in the 5G band will stop working.  To the user, they are browsing 
a site, then it becomes unresponsive.  If they are on their phone, they will 
disconnect from wifi and everything works fine on cell.  Nothing makes an 
802.11 network look worse than switching to cell and seeing a problem resolve.  
Normally, if the users disconnect then reconnect, their problems will go away 
(but I think they end up connecting in the 2.4G band).   We've been working on 
this problem with them for months.  It always seems as though we have to prove 
there is a real issue.  I'm fed up with it.  We are a sophisticated shop.  If 
we have a problem, 9 times out of 10 when we bring it to the vendor, it is a 
real problem.  I'm extra frustrated that, due to issues we've seen in ResNet on 
the 8.3X train, we don't want to abandon our 6 train on main campus.  To 
Aruba's credit, we purchased around 1,000 515s last year (I think around 
February).  When they could not get good code to support them on, Aruba bought 
back half of them.  I asked for them to buy back half because I thought for 
sure with the 315s that we would have instead, the issues would be fixed by the 
time the 315s ran out.  Not looking to be the case.

So, with that rant over, we are seriously considering looking to move away from 
Aruba (unless they get their act together really soon).  There are other bugs 
I'm not even mentioning here.  For those of you that made the switch to another 
vendor, I would be curious how long the honeymoon lasted, what were your 
motivators, and were you happy with the overall results?  Of course, this is a 
great opportunity to plug your vendor.  As I see it, we have 3 choices  
Something from Cisco (we had Cisco long ago 

Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-09 Thread Turner, Ryan H
This isn’t the problem.  The drivers are updated.  Clients see the ssid.  Just 
periodically they stop communicating.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Jan 9, 2020, at 11:48 AM, Martin Reynolds  wrote:


Not sure if this could be of help, but the issues with the 515 and 535 Aruba APs 
we use were driver related, tied to the 802.11ax code that is on the APs.  This is 
not an Aruba-specific issue but affects other vendors as well.  The following 
link is for the updated Intel drivers.

https://www.intel.com/content/www/us/en/support/articles/54799/network-and-i-o/wireless-networking.html

In our case users could not see the ESSIDs at all where 515 APs were installed 
but could where other models of APs (2xx and 3xx) were installed.  Using a 
different adapter from what is installed in the hardware (for example USB, not 
Intel) allowed us to see the ESSIDs.

Thanks,
Martin

On Thu, Jan 9, 2020 at 11:40 AM David Morton 
mailto:dmor...@uw.edu>> wrote:
Ryan, we have been experiencing some of the very same issues. Since installing 
515s and resulting 8.5.x code in our offices (always our first step to any 
migration) we too have experienced unexplained periods of no connectivity. In 
most or all the cases I’ve personally experienced, I believe that I remain 
connected at an 802.11 standpoint but will have that 30 seconds to a couple of 
minutes of no IP connectivity. We have now deployed 515s and 8.5.x in one of 
our residence halls so I am concerned about their experience as well. Just 
before the holiday break we had a series of very high-profile outages that 
impacted our students leading up to and during finals week. The issue got so 
bad that our CIO had to issue a letter to students explaining the problem and 
what we are doing about it. This is the first time that this level of 
communication was needed in my 15 years at the UW using Aruba.

We too are a heavy Juniper shop and have recently received a MIST demo kit. We 
haven’t done anything with it yet due to lack of resources, but if things 
continue on the current path we may give it a more serious look.

David


David Morton
Director, Network & Telecom Design/Architecture
University of Washington
dmorton @uw.edu
tel 206.221.7814

PS I am currently on medical leave so if you wish to reply off-list, please 
direct it to Amel Caldwell, amelc@ uw.edu

On Jan 9, 2020, at 8:15 AM, Turner, Ryan H 
mailto:rhtur...@email.unc.edu>> wrote:

All:

We’ve been an Aruba shop for a very long time and have around 10,000 access 
points.  While every relationship with vendors has its ups and downs, my 
frustration with Aruba is finally peaking to the point that I am 
considering making the enormous move to choose a different vendor.  The biggest 
reason is with the 8.X code train, and bugs that we just don’t consider 
appropriate to use in production.  It has been one thing after the other, and 
my extremely talented and qualified Network Architect (Keith Miller) might as 
well be on the Aruba payroll as much work as he has been doing for them to 
solve bugs.  Just when we think we have one fixed, another one crops up.

The big one as of late is with 515s running 8.5 code train.  We have them 
deployed in one of our IT buildings.  Periodically, people that are connected 
to these APs in the 5G band will stop working.  To the user, they are browsing 
a site, then it becomes unresponsive.  If they are on their phone, they will 
disconnect from wifi and everything works fine on cell.  Nothing makes an 
802.11 network look worse than switching to cell and seeing a problem resolve.  
Normally, if the users disconnect then reconnect, their problems will go ahead 
(but I think they end up connecting in the 2.4G band).   We’ve been working on 
this problem with them for months.  It always seems as though we have to prove 
there is a real issue.  I’m fed up with it.  We are a sophisticated shop.  If 
we have a problem, 9 times out of 10 when we bring it to the vendor, it is a 
real problem.  I’m extra frustrated that due to issues we’ve seen in ResNet on 
the 8.3X train that we don’t want to abandon our 6 train on main campus.  To 
Aruba’s credit, we purchased around 1,000 515s last year (I think around 
February).  When they could not get good code to support them on, Aruba bought 
back half of them.  I asked for them to buy back half because I thought for 
sure with the 315s that we would have instead, the issues would be fixed by the 
time the 315s ran out.  Not looking to be the case.

So, with that rant over, we are seriously considering looking to move away from 
Aruba (unless they get their act together really soon).  There are other bugs 
I’m not even mentioning here.  For those of you that made the switch to another 
vendor, I would be curious how long the honeymoon lasted, what were your 
mo

Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-09 Thread Turner, Ryan H
These aren’t device driver issues.  We have those two and it’s different.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Jan 9, 2020, at 11:45 AM, Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:


No insult meant to anyone’s intelligence, but are you also looking at client 
device drivers etc. in the context of these issues? Depending on which client 
NIC is in play, the device makers haven’t been doing us any favors of late. It 
is very possible, for example, that hundreds of AD-managed laptops may all have 
the same bum driver.

Just asking…

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of David Morton
Sent: Thursday, January 9, 2020 11:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

Ryan, we have been experiencing some of the very same issues. Since installing 
515s and resulting 8.5.x code in our offices (always our first step to any 
migration) we too have experienced unexplained periods of no connectivity. In 
most or all the cases I’ve personally experienced, I believe that I remain 
connected at an 802.11 standpoint but will have that 30 seconds to a couple of 
minutes of no IP connectivity. We have now deployed 515s and 8.5.x in one of 
our residence halls so I am concerned about their experience as well. Just 
before the holiday break we had a series of very high-profile outages that 
impacted our students leading up to and during finals week. The issue got so 
bad that our CIO had to issue a letter to students explaining the problem and 
what we are doing about it. This is the first time that this level of 
communication was needed in my 15 years at the UW using Aruba.

We too are a heavy Juniper shop and have recently received a MIST demo kit. We 
haven’t done anything with it yet due to lack of resources, but if things 
continue on the current path we may give it a more serious look.

David


David Morton
Director, Network & Telecom Design/Architecture
University of Washington
dmorton @uw.edu
tel 206.221.7814

PS I am currently on medical leave so if you wish to reply off-list, please 
direct it to Amel Caldwell, amelc@ uw.edu


On Jan 9, 2020, at 8:15 AM, Turner, Ryan H 
mailto:rhtur...@email.unc.edu>> wrote:

All:

We’ve been an Aruba shop for a very long time and have around 10,000 access 
points.  While every relationship with vendors has its ups and downs, my 
frustration with Aruba is finally peaking to the point that I am 
considering making the enormous move to choose a different vendor.  The biggest 
reason is with the 8.X code train, and bugs that we just don’t consider 
appropriate to use in production.  It has been one thing after the other, and 
my extremely talented and qualified Network Architect (Keith Miller) might as 
well be on the Aruba payroll as much work as he has been doing for them to 
solve bugs.  Just when we think we have one fixed, another one crops up.

The big one as of late is with 515s running 8.5 code train.  We have them 
deployed in one of our IT buildings.  Periodically, people that are connected 
to these APs in the 5G band will stop working.  To the user, they are browsing 
a site, then it becomes unresponsive.  If they are on their phone, they will 
disconnect from wifi and everything works fine on cell.  Nothing makes an 
802.11 network look worse than switching to cell and seeing a problem resolve.  
Normally, if the users disconnect then reconnect, their problems will go ahead 
(but I think they end up connecting in the 2.4G band).   We’ve been working on 
this problem with them for months.  It always seems as though we have to prove 
there is a real issue.  I’m fed up with it.  We are a sophisticated shop.  If 
we have a problem, 9 times out of 10 when we bring it to the vendor, it is a 
real problem.  I’m extra frustrated that due to issues we’ve seen in ResNet on 
the 8.3X train that we don’t want to abandon our 6 train on main campus.  To 
Aruba’s credit, we purchased around 1,000 515s last year (I think around 
February).  When they could not get good code to support them on, Aruba bought 
back half of them.  I asked for them to buy back half because I thought for 
sure with the 315s that we would have instead, the issues would be fixed by the 
time the 315s ran out.  Not looking to be the case.

So, with that rant over, we are seriously considering looking to move away from 
Aruba (unless they get their act together really soon).  There are other bugs 
I’m not even mentioning here.  For those of you that made the switch to another 
vendor,

Who has transitioned away from Aruba, and why?

2020-01-09 Thread Turner, Ryan H
All:

We've been an Aruba shop for a very long time and have around 10,000 access 
points.  While every relationship with vendors has its ups and downs, my 
frustration with Aruba is finally peaking to the point that I am 
considering making the enormous move to choose a different vendor.  The biggest 
reason is with the 8.X code train, and bugs that we just don't consider 
appropriate to use in production.  It has been one thing after the other, and 
my extremely talented and qualified Network Architect (Keith Miller) might as 
well be on the Aruba payroll as much work as he has been doing for them to 
solve bugs.  Just when we think we have one fixed, another one crops up.

The big one as of late is with 515s running 8.5 code train.  We have them 
deployed in one of our IT buildings.  Periodically, people that are connected 
to these APs in the 5G band will stop working.  To the user, they are browsing 
a site, then it becomes unresponsive.  If they are on their phone, they will 
disconnect from wifi and everything works fine on cell.  Nothing makes an 
802.11 network look worse than switching to cell and seeing a problem resolve.  
Normally, if the users disconnect then reconnect, their problems will go ahead 
(but I think they end up connecting in the 2.4G band).   We've been working on 
this problem with them for months.  It always seems as though we have to prove 
there is a real issue.  I'm fed up with it.  We are a sophisticated shop.  If 
we have a problem, 9 times out of 10 when we bring it to the vendor, it is a 
real problem.  I'm extra frustrated that due to issues we've seen in ResNet on 
the 8.3X train that we don't want to abandon our 6 train on main campus.  To 
Aruba's credit, we purchased around 1,000 515s last year (I think around 
February).  When they could not get good code to support them on, Aruba bought 
back half of them.  I asked for them to buy back half because I thought for 
sure with the 315s that we would have instead, the issues would be fixed by the 
time the 315s ran out.  Not looking to be the case.

So, with that rant over, we are seriously considering looking to move away from 
Aruba (unless they get their act together really soon).  There are other bugs 
I'm not even mentioning here.  For those of you that made the switch to another 
vendor, I would be curious how long the honeymoon lasted, what were your 
motivators, and were you happy with the overall results?  Of course, this is a 
great opportunity to plug your vendor.  As I see it, we have 3 choices  
Something from Cisco (we had Cisco long ago and dumped them for bugs), 
something from Extreme (we are a huge Extreme shop so this makes sense), 
something from Juniper (Mist).

Thanks,
Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


We're hiring! Wireless Network Engineer position at UNC Chapel Hill

2019-11-19 Thread Turner, Ryan H
Network Engineer
University of North Carolina at Chapel Hill
This position primarily provides support, monitoring and maintenance for a 
large enterprise Wi-Fi network infrastructure that consists of over 10,000 
wireless access points and 45,000 concurrent wireless clients. The position 
maintains configurations, makes updates and provides client support for Wi-Fi 
networking services. This position will also provide support for the Network 
Operations group and assist the Network Deployment group with large 
installations. A qualified candidate will have significant experience and 
working knowledge with Aruba wireless networks.

Required Experience:

* Significant experience and working knowledge with 802.11 (wireless 
technologies)
* Must be able to move equipment that may weigh up to 60 lbs.  Some locations 
are difficult to access and may require the use of ladders.
* Valid NC driver's license or ability to obtain license within 30 days of hire

Preferred Experience:

* Experience and working knowledge with Enterasys, Cisco, Extreme and Arista
* Experience in designing, deploying and maintaining a campus wide Wi-Fi 
network solution (specific experience with Aruba wireless networks)
* Experience in Network Management and Monitoring software (specific experience 
with Airwave, Nyansa Voyance, and Ekahau Site Survey/Pro)
* Experience with supporting/engineering/maintaining large networks
* Experience with higher education networks
* Good knowledge of SNMP and Netflow
* Ability to be autonomous and self-directed
* Ability to work well in a team environment
* CWNA / CCNA / CCNP certifications

Master's degree and 1-2 years' experience or Bachelor's degree and 2-4 years of 
experience, or will accept a combination of related education and experience in 
substitution.

Information Technology Services: http://its.unc.edu/

Interested applicants must go to the UNC-CH job search page to apply for this 
position:  http://unc.peopleadmin.com/postings/173005

The University of North Carolina at Chapel Hill is an equal opportunity and 
affirmative action employer. All qualified applicants will receive 
consideration for employment without regard to age, color, disability, gender, 
gender expression, gender identity, genetic information, national origin, race, 
religion, sex, sexual orientation, or status as a protected veteran.


Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu




RE: [WIRELESS-LAN] My personal training recommendation for Devin Akin's wireless training classes

2019-10-28 Thread Turner, Ryan H
You’re going to have to reach out directly.  We use things called ‘ESUs’ that 
we get from Extreme every year with our maintenance.  They are basically 
service units that can be used for professional services/training.  I used them 
to get him as an outside trainer, and their value isn’t going to directly port 
into what he might be able to offer you.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Christopher Brizzell
Sent: Monday, October 28, 2019 8:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] My personal training recommendation for Devin 
Akin's wireless training classes

How much does he charge per session?

Thanks,


Chris Brizzell
Assistant Director of Network and Technical Services and Network Administrator
Skidmore College
cbriz...@skidmore.edu<mailto:cbriz...@skidmore.edu>
518-580-5994



From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of William Cummings
Sent: Monday, October 28, 2019 7:24 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] My personal training recommendation for Devin 
Akin's wireless training classes

I second this as well.  One of the best training sessions I have ever attended.

On Fri, Oct 25, 2019 at 9:08 PM Stephen Belcher 
mailto:steve.belc...@mail.wvu.edu>> wrote:
Thanks Ryan. The suggestion is much appreciated!

Sent from Nine<http://www.9folders.com/>
________
From: "Turner, Ryan H" mailto:rhtur...@email.unc.edu>>
Sent: Friday, October 25, 2019 4:49 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] My personal training recommendation for Devin Akin's 
wireless training classes

All,

For those of you who’ve been looking for extremely deep and informative classes 
on wireless tech, I want to personally pass along my recommendation to consider 
Devin Akin with divdyn.com<http://divdyn.com>.  I’ve now brought him in for 3 
weeks of training (over 2 years) to teach courses on CWNA/CWSP/CWAP/CWDP.  
Devin recently helped out the educause wireless CG on the Wifi6/5G session we 
had.  This is the guy that cofounded the CWNP program.

Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu<mailto:r...@unc.edu>




--
William Cummings
Senior Wireless Engineer
North Carolina State University
Office of Information Technology
Communication Technologies
919-515-0137
https://www.ncsu.edu





My personal training recommendation for Devin Akin's wireless training classes

2019-10-25 Thread Turner, Ryan H
All,

For those of you who've been looking for extremely deep and informative classes 
on wireless tech, I want to personally pass along my recommendation to consider 
Devin Akin with divdyn.com.  I've now brought him in for 3 weeks of training 
(over 2 years) to teach courses on CWNA/CWSP/CWAP/CWDP.  Devin recently helped 
out the educause wireless CG on the Wifi6/5G session we had.  This is the guy 
that cofounded the CWNP program.

Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu




RE: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] WiFi failures due to eduroam profiles

2019-10-07 Thread Turner, Ryan H
Normally the hard stop moments for the client are 1) you change the radius 
server cert to another CA which is not configured on the client as an 
acceptable CA (we lock our clients to only authenticate to our private CA) or 
2) the radius server uses OCSP and the responder is not online (could happen if 
you transitioned from an outsourced CA to a new CA).

We are migrating from a private Microsoft CA (internal to UNC) to the SecureW2 
CA.  Because we don’t check certs for status, it will be transparent (even if 
they blow away the CA at UNC).  We are also going to 4 year client 
certificates, which is super for the customer experience.

Ryan

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of John Crowley
Sent: Monday, October 7, 2019 9:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] WiFi failures due to 
eduroam profiles


Charles, you wrote a while back that you went through the process of moving 
from CloudPath to SecureW2 for EAP-TLS.  I'm curious how that experience went.

Did you change Certificate Authorities or do some kind of CA transfer?  Did you 
avoid any hard stop moments where clients lost access and had to get a new cert?

We are using CloudPath and my primary concern for migrating off of it is making 
sure it is a smooth user experience.

On Fri, Sep 20, 2019 at 5:57 PM Anderson, Charles R 
mailto:c...@wpi.edu>> wrote:
I'm not following either.  We onboard both profiles with the same EAP-TLS 
certs, although we are using SecureW2 (just moved from CloudPath).  It matters 
not which one the user's device connects to locally--they both drop the user on 
the same network.  If we were to eventually drop our branded SSID, we'd just 
reconfigure the onboarding tool to configure only eduroam, but still use the 
same configuration/certs otherwise.

On Fri, Sep 20, 2019 at 04:01:32PM -0400, Michael Davis wrote:
> We onboard EAP-TLS to eduroam.  I'm not following this progression of
> events.
>
> On 9/20/19 3:47 PM, Aaron Abitia wrote:
> >
> > Hello all, Aaron from Cal Poly, San Luis Obispo here...
> >
> >
> > We just went all eduroam and turned off our primary branded dot1x
> > SSID, which featured Aruba Clearpass EAP-TLS Onboarding of devices.
> > Because Onboarding is now gone, my question is about the eduroam CAT
> > tool…I believe reasons for using it would be to mitigate
> > man-in-the-middle attacks, to get rid of the red “Not Verified” iOS
> > message and to otherwise insulate the user from manually accepting our
> > RADIUS certificate.
> >
> >
> > However, I’m wondering about usability once our users leave our
> > campus.  We have seen users here from other universities who are
> > unable to connect to eduroam, and we find that they are running a
> > profile from their home university, though we’re not sure if it's the
> > eduroam CAT tool or another installer.  Once we remove their profile,
> > they are able to get on eduroam.  I believe that if an organization is
> > using a profile and that profile lists the RADIUS server(s) from that
> > organization for the eduroam connection, the user may or may not be
> > dead until that profile is removed, depending on what’s in the
> > profile; if all that’s in the profile is the organization’s RADIUS
> > servers, the user should still work here, but if there’s other
> > elements in that profile, the user could fail, which we’ve seen, but
> > I’m trying to identify what precisely in the profile could cause the
> > failure to connect.  Would anyone have any insight into this?
> >
> >
> > We have many other eduroam users from other organizations that work
> > fine here, presumably because no profile is being used and the user
> > has just manually connected at home and here at our school. I would
> > also be interested in hearing about the eduroam CAT tool from anyone
> > using it, or other config tools used by anyone and the reasons for it,
> > beyond what I’ve mentioned above.
> >
> >
> > Many thanks.



RE: Eduroam Go-Live Verbiage/Notification to Customers

2019-10-07 Thread Turner, Ryan H
This was the announcement made back in 2014.  We switched to eduroam being the 
primary SSID in 2015.  I didn't check all the links as this is really old (some 
may not work).

https://its.unc.edu/project/eduroam-wi-fi-service-travelling-scholars/


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Michael Butler
Sent: Monday, October 7, 2019 1:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Eduroam Go-Live Verbiage/Notification to Customers

Hello,
I would like to see if anyone here has added Eduroam into production in their 
current wireless environment. If so could you please share the verbiage used to 
communicate to the campus community about this implementation? We are going 
live and just want to see if anyone has a template we can go off of.

Thanks!

Respectfully,

Michael N. Butler
Network Engineer
Office - IT 113C
Phone - 410-677-5355
Salisbury University




RE: Azure AD and RADIUS - anyone moved this direction?

2019-09-25 Thread Turner, Ryan H
I know that most times RTT between campus and cloud is low, but I just think 
its something to be fearful of when authentication times matter.  You really 
are going to have no data center footprint to host local services?

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jeffrey D. Sessler
Sent: Wednesday, September 25, 2019 2:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Azure AD and RADIUS - anyone moved this direction?

Curious if anyone has moved their RADIUS to authenticating against Azure AD, and 
if so, what path did you take? There doesn’t seem to be a clear MS solution 
other than standing up domain services for Azure AD and running an NPS VM, and 
I’ve also found a couple of RaaS (RADIUS as a service) offerings such as 
Jumpcloud.

Would welcome feedback. We’re just about out of our datacenter for most 
operations, and RADIUS has been one of those important but low-hanging items 
that I’m now focused on.

Jeff

--
Jeff Sessler
Executive Director, Information Technology
Scripps College



RE: [External] [WIRELESS-LAN] Aruba - Going from PEAP to TLS

2019-09-25 Thread Turner, Ryan H
We don’t use CRLs or OCSP.  If we have a trouble client, we drop the MAC and 
not the certificate.  I don’t like delays in the authentication process, and 
found the gains not worth what I would gain.  However, every institution is 
different.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Norton, Thomas (Network 
Operations)
Sent: Wednesday, September 25, 2019 11:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Aruba - Going from PEAP 
to TLS

We’re currently going through this process as well, would love to get feedback 
as well. We’re going to be using their windows (WSTEP integration) as well for 
internal clients.

Interesting to see everyone else's take. CRL so far has been the biggest caveat 
on the CPPM side.  Aruba really likes to push OCSP, so making sure the update 
times are set up accordingly is important CRL-wise.

T.J. Norton
Wireless Network Architect
Network Operations

(434) 592-6552

Liberty University  |  Training Champions for Christ since



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Christopher Brizzell
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, September 25, 2019 at 8:57 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [External] [WIRELESS-LAN] Aruba - Going from PEAP to TLS


In what should have been done long ago, we would like to move off of our 
EAP-PEAP and onto EAP-TLS.

Most likely we will be going with SecureW2 to help with that process.

I’d like to hear from anyone who may have done this with Aruba OS and 
Clearpass, so as to avoid any pitfalls and look for advice on the best way to 
proceed.

Thank You.

Chris Brizzell
Assistant Director of Network and Technical Services and Network Administrator
Skidmore College
cbriz...@skidmore.edu
518-580-5994




RE: Aruba - Going from PEAP to TLS

2019-09-25 Thread Turner, Ryan H
I can’t speak to the Clearpass, but you should spend more time validating the 
onboarding process so that it is smooth.  That is going to be your issue.  The 
setup won’t take long, but a poorly designed user experience will hurt you.  I 
am going to assume you will use SecureW2's cloud PKI.  We are going to be 
switching to that from an AD private PKI.  Don't be silly with certificate 
lengths or hashes.  2048 length with SHA256 works fine.  No need to do anything 
more and risk client support issues (in my opinion).

You should stand up a test onboarding SSID (if you are going to have one) and 
get people to go through the process before production and get feedback.  
Utilize the documentation other schools have built (wifi.unc.edu).  If you 
haven’t used an onboarding SSID to date, then you have a lot of work just to 
make that work well.  Realize that Android devices are going to be 75% of your 
issues.  The other operating systems are pretty easy and straightforward (OSX 
is the second runner for issues).  iOS and windows are a breeze.

Good luck and welcome to the TLS club 


Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Christopher Brizzell
Sent: Wednesday, September 25, 2019 8:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba - Going from PEAP to TLS

In what should have been done long ago, we would like to move off of our 
EAP-PEAP and onto EAP-TLS.

Most likely we will be going with SecureW2 to help with that process.

I’d like to hear from anyone who may have done this with Aruba OS and 
Clearpass, so as to avoid any pitfalls and look for advice on the best way to 
proceed.

Thank You.

Chris Brizzell
Assistant Director of Network and Technical Services and Network Administrator
Skidmore College
cbriz...@skidmore.edu
518-580-5994




Re: [WIRELESS-LAN] InCommon certificate trust chain issues with upgraded Windows Systems

2019-09-16 Thread Turner, Ryan H
Ditto.  If this is for client certs for authentication for wireless, use a 
private CA.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Sep 16, 2019, at 12:10 PM, Cappalli, Tim (Aruba Security) <t...@hpe.com> wrote:

An EAP server certificate from a PKI in your control is always the recommended 
path. A public CA-signed EAP server certificate should be a last resort.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "McClintic, Thomas" 
<thomas.mcclin...@uth.tmc.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, September 16, 2019 at 9:49 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] InCommon certificate trust chain issues with 
upgraded Windows Systems

Thank you for this information. We are planning to change our certificate and 
path in the coming months and were not aware of these issues. Can you please 
keep us informed on your progress? I’m also interested in if the private PKI is 
the preferred method. Hopefully we will be off PEAP and on EAP-TLS by late 2020.

Thanks

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Johnson, Neil M
Sent: Saturday, September 14, 2019 1:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] InCommon certificate trust chain issues with upgraded 
Windows Systems

This problem has been vexing us for a few weeks, so I’d thought I’d pass along 
my message to Microsoft and Sectigo in case others run into the same issue.

Thanks.

-Neil

The authentication has been temporarily resolved, BUT only temporarily.

The cause of the problem involved many factors:

First, The server certificate issued by Sectigo utilizes cross-signed 
certificates:
https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N00rgSZ

This means that there are two trust chain paths that can be used to validate 
the server certificate:
(see diagram at 
https://docs.google.com/drawings/d/1P6_ZbsbOMeRJEYwX__s9gJWC5IXgnr7LDUrc7ys8oDs/edit?usp=sharing
 )
Second, since the AddTrust Root CA certificate used in Path #1 expires May 30th 
of 2020, I had the RADIUS Server (Aruba ClearPass) configured to send the 
server and intermediate cert for Path #2. This worked for the majority of 
systems on campus.

Third, some customers upgrading from previous versions of Windows (7, 8, and 
Windows 10 versions previous to 1809) began having authentication issues 
because of this. It appears that the Windows systems are unable to validate the 
certificate chain in Path #2. This was confirmed by system traces and packet 
captures between the client and the RADIUS Server.

Temporary solution: I reconfigured the RADIUS server to send the server and 
intermediate certs for Path #1. This seems to have resolved the issue for the 
majority of our customers.

The long-term problem: The AddTrust Root CA certificate expires May 30th, 2020. 
Customers' systems will have to validate the server certificate using Path #2. 
My concern is that this will break certificate validation (and thus wireless 
authentication) for many of our customers after the AddTrust Root CA 
certificate expires.

Action Items:

  *   Microsoft & Sectigo – need to find out what is preventing upgraded 
Windows systems from validating the server certificate via Path #2.
  *   The University of Iowa – needs to develop a risk mitigation plan prior to 
May 30th, 2020 (including the possibility of moving to a private PKI over 
winter break).

I’m happy to help collect additional information required to troubleshoot this 
issue.

Thanks for everyone’s efforts in troubleshooting this issue. If you have any 
questions please feel free to contact me.
-Neil


Neil Johnson
Network Engineer
The University of Iowa
+1 319 384-0938


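The two-path situation Neil describes (a cross-signed intermediate giving the same EAP server certificate one chain ending at the AddTrust root and another ending at a self-signed root) is easier to reason about with a small chain builder. The block below is an added example, not code from the thread, from ClearPass or from Sectigo: the certificate names approximate Sectigo's public hierarchy, every date except the AddTrust expiry the post cites (30 May 2020) is assumed, and it matches on subject/issuer names only, with no signature checking.

```python
"""Chain building for a cross-signed CA, modelled on the Path #1 / Path #2
problem above. Added example, not code from the thread or from ClearPass.
Names approximate Sectigo's public hierarchy; apart from the AddTrust root
expiry the post cites (30 May 2020), the dates are assumed. Matching is on
subject/issuer names only; a real validator also verifies signatures,
key identifiers and name/basic constraints.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


ADDTRUST_EXPIRY = date(2020, 5, 30)

# Constructed pool. "USERTrust RSA CA" appears twice: once cross-signed by the
# AddTrust root and once as a self-signed root. That duplication is what gives
# the server certificate two candidate paths.
POOL = [
    Cert("radius.example.edu", "Sectigo RSA CA", date(2021, 1, 1)),          # EAP server cert (assumed)
    Cert("Sectigo RSA CA", "USERTrust RSA CA", date(2030, 12, 31)),           # issuing intermediate
    Cert("USERTrust RSA CA", "AddTrust External CA Root", ADDTRUST_EXPIRY),   # cross-signed copy (Path #1)
    Cert("USERTrust RSA CA", "USERTrust RSA CA", date(2038, 1, 18)),          # self-signed root (Path #2)
    Cert("AddTrust External CA Root", "AddTrust External CA Root", ADDTRUST_EXPIRY),
]


def build_paths(leaf: Cert, pool: list[Cert]) -> list[list[Cert]]:
    """Every chain from `leaf` up to a self-signed certificate, by name matching."""
    paths: list[list[Cert]] = []

    def walk(chain: list[Cert]) -> None:
        top = chain[-1]
        if top.self_signed:
            paths.append(chain)
            return
        for cand in pool:
            # `cand not in chain` keeps the search finite if the pool has loops
            if cand.subject == top.issuer and cand not in chain:
                walk(chain + [cand])

    walk([leaf])
    return paths


def usable_paths(paths: list[list[Cert]], trusted_roots: set[str], on: date) -> list[list[Cert]]:
    """Chains a client would accept: root in its trust store, no cert expired on `on`."""
    return [
        p for p in paths
        if p[-1].subject in trusted_roots and all(c.not_after >= on for c in p)
    ]


def root_of(path: list[Cert]) -> str:
    return path[-1].subject


def usable_roots(paths: list[list[Cert]], trusted_roots: set[str], iso_date: str) -> list[str]:
    """Root names of the chains usable on `iso_date` (YYYY-MM-DD)."""
    return [root_of(p) for p in usable_paths(paths, trusted_roots, date.fromisoformat(iso_date))]


def describe(path: list[Cert]) -> str:
    return " <- ".join(c.subject for c in path)


if __name__ == "__main__":
    paths = build_paths(POOL[0], POOL)
    # Client that trusts only the AddTrust root (stand-in for the upgraded-Windows case)
    legacy_store = {"AddTrust External CA Root"}
    # Client that trusts both roots
    modern_store = {"AddTrust External CA Root", "USERTrust RSA CA"}
    for label, store in (("legacy", legacy_store), ("modern", modern_store)):
        for when in ("2019-09-16", "2020-06-01"):
            ok = usable_paths(paths, store, date.fromisoformat(when))
            print(f"{label} store on {when}: {[describe(p) for p in ok] or 'NO VALID PATH'}")
```

Run stand-alone it prints, for each store and date, which chains survive. The legacy store has exactly one usable chain before 30 May 2020 and none after, which is the breakage the post anticipates; whatever the RADIUS server sends, such a client cannot build Path #2, so the fix has to land on the client trust store or on a private PKI rather than in the ClearPass chain order.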

RE: Feasibility of an open SSID for student use

2019-09-12 Thread Turner, Ryan H
I think your problem is the NAC solution...  I was one of the first to deploy 
campus wide NAC (2006) and then we pushed agents a few years after.  The time 
for NAC agents has come and gone in my mind.  We have removed it from 
practically every place that has it.  There is one large school that still uses 
it, but I am a semester away from telling them I am deprecating the service 
entirely.  In my mind, it is a check the box solution that has stayed way past 
its expiration date.  These agents are clumsy, often fail to find any real 
problems, report false positives, and add a whole lot of headaches to users and 
support staff without any benefit.

I do support a login approach the first time to get the users registered, 
however.  It is a simple process.  But at that point, you should hand them off 
to SecureW2 to onboard for your network.

Strip the NAC agent, push them directly to SecureW2, and see how that works.   
I wouldn't throw out the baby with the bathwater.

Ryan


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Kurtis Olsen
Sent: Thursday, September 12, 2019 12:18 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Feasibility of an open SSID for student use

We have been receiving a lot of complaints about a complicated onboarding 
process and have been asked to look at providing an Open SSID that has little 
to no onboarding.  I see an advantage being the ease of connecting but I have 
some concerns, mainly about providing a secure environment.
Our current onboarding process works like this.  Users connect to our 
Wolverine-WIFI SSID.  They then authenticate through our NAC solution which 
forces laptops to download a client.  This client scans their device for 
Antivirus and OS updates.  If it fails the scan they have access to get these 
updates.  Once it passes they are moved to our wireless production VLAN.  There 
are no clients or scans for cellular devices at this time.  Users then have the 
option to join our Wolverine-Secure, which authenticates by cert using 
SecureW2's services.

I am curious if anyone else is using a completely open network for their 
general population or any other suggestions of how this can be simplified.

Kurtis Olsen
Director - Network & Telecom
Utah Valley University
800 W University Parkway
Orem, UT 84058
801-863-8000





RE: [WIRELESS-LAN] The NetMan/NetWireless CG leaders really need your help for this year's Educause (please read)

2019-09-11 Thread Turner, Ryan H
Totally understand for the folks that aren’t coming 

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Dan Lauing
Sent: Wednesday, September 11, 2019 11:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] The NetMan/NetWireless CG leaders really need your 
help for this year's Educause (please read)

Ryan,

I wish I could help you out, but I won't be at the conference.

On Wed, Sep 11, 2019 at 8:56 AM Turner, Ryan H <rhtur...@email.unc.edu> wrote:
All:

Others have sent a few messages about this, but I’ll be more direct…

There is never a guarantee that we get multiple sessions at national Educause.  
This year we had the opportunity to get two sessions back to back.  We want to 
make our CG sessions special and be able to get the same thing next year as 
well as be an example to the CG community.  We have asked, twice, for folks to 
come forward with something to present in a very short 10 minute segment.  We 
would like to do 4 or 5 of these.  They will stimulate conversation and give 
the technical folks an opportunity to present to their peers (we all know that 
this conference lacks on technical depth).

We have received ZERO offers.

Almost every one of you has faced a challenge in the last year that you have 
solved….  Or had an interesting project that paid dividends.  Some folks stuck 
their neck out and did something really bleeding edge.   All we need is 4 to 5 
of you folks to agree to present something in 10 minutes which should be 4 or 5 
slides.

Please send myself (r...@unc.edu) or Eric Kenny (eric_ke...@harvard.edu) an 
email with the topic you would be willing to briefly present on as soon as 
possible.

Thanks,

Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu




--
dan b. lauing ii | CWAP, CWSP, CWDP
Wireless Network Engineer
Mississippi College



The NetMan/NetWireless CG leaders really need your help for this year's Educause (please read)

2019-09-11 Thread Turner, Ryan H
All:

Others have sent a few messages about this, but I'll be more direct...

There is never a guarantee that we get multiple sessions at national Educause.  
This year we had the opportunity to get two sessions back to back.  We want to 
make our CG sessions special and be able to get the same thing next year as 
well as be an example to the CG community.  We have asked, twice, for folks to 
come forward with something to present in a very short 10 minute segment.  We 
would like to do 4 or 5 of these.  They will stimulate conversation and give 
the technical folks an opportunity to present to their peers (we all know that 
this conference lacks on technical depth).

We have received ZERO offers.

Almost every one of you has faced a challenge in the last year that you have 
solved... Or had an interesting project that paid dividends.  Some folks 
stuck their neck out and did something really bleeding edge.   All we need is 4 
to 5 of you folks to agree to present something in 10 minutes which should be 4 
or 5 slides.

Please send myself (r...@unc.edu) or Eric Kenny 
(eric_ke...@harvard.edu) an email with the topic 
you would be willing to briefly present on as soon as possible.

Thanks,

Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu




RE: Performance improvements from hallway to in-room

2019-09-05 Thread Turner, Ryan H
We point them to Environmental Health and Safety 

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Christopher Brizzell
Sent: Thursday, September 5, 2019 4:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Performance improvements from hallway to in-room

Just be ready for some amount of backlash from an angry/ignorant parent. Every 
year (including yesterday) we have parents contact us saying we needed to 
remove all APs from bedrooms because of the health risk to the students living 
in those spaces.

Thank you for the information, however. Any amount of proof to help solidify 
our decision helps.


Chris Brizzell
Assistant Director of Network and Technical Services and Network Administrator
Skidmore College
cbriz...@skidmore.edu
518-580-5994



From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Turner, Ryan H
Sent: Thursday, September 5, 2019 1:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Performance improvements from hallway to in-room

All:

We all know that moving from hallway deployments to in-room deployments pays 
dividends.  This summer we started doing some re-cabling work on smaller dorms 
to move from hallway to in-room.   We also went away from Aruba higher 
performance APs to the hospitality APs for these locations.  Even though the AP 
cost is significantly less, the cabling costs made this move a premium option.  
Nonetheless, thanks to data provided to us from Nyansa Voyance, we are able to 
clearly demonstrate to Housing that these funds were well spent.  After the 
changes, these dorms went from some of the worst performing locations on campus 
to some of the best.  When you look at the graphs below, the Y axis is 
percentage of users that are affected by poor wifi performance (I believe 
Nyansa measures this as clients that experience a 25% retransmit rate from the 
AP to client).  With Nyansa, it determines behavior on usage level.  So when 
you see the dashed line, it means that usage was below or above the threshold 
during that time frame.  I picked the usage level that would show the most 
complete picture, but going from low/medium/high all show the same improvement 
levels.

Carmichael: [graph removed]

Lewis: [graph removed]

Everett: [graph removed]

Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu




RE: [WIRELESS-LAN] Aruba Wi-Fi 6 APs

2019-09-05 Thread Turner, Ryan H
We've done a test deployment of Aruba 515s.  There seem to be some driver 
compatibility issues.  We have 2 IT buildings.  I had an individual able to 
connect and see SSIDs just fine in our building with 315s.  When she came to 
the building with 515s, she saw nothing.  I updated her drivers, and then 
everything worked.  So just be aware you might see more of that.  We were 
running 8.503 code (I think).


Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu



-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Chris Brizzell
Sent: Thursday, September 5, 2019 2:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba Wi-Fi 6 APs

Anyone have any Wi-Fi 6 APs deployed yet, and if so any thoughts either good or 
bad. I'm looking at swapping out the APs in our dining hall first, since they 
seem to get the most use.



RE: Roku clients & 5 GHz DFS channels.

2019-08-12 Thread Turner, Ryan H
This is far from authoritative, but according to some random person on the Roku 
forum:

https://forums.roku.com/viewtopic.php?t=113069

Good to know and really surprising.

Ryan


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hinojosa,Rafael
Sent: Monday, August 12, 2019 9:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Roku clients & 5 GHz DFS channels.

While troubleshooting a support ticket regarding a Roku Player, I’ve come to 
the realization the 5 GHz Roku capable clients do not appear to support DFS 
channels (UNII-2, UNII-2e bands [channels 52-144]).   I’ve reached this 
conclusion, purely from observing what Roku clients I can see connected @ 5 
GHz, as well as having taken a look at the list on clients.mikealbano.com.  Has 
anyone come across the same realization?  Has anyone been in contact with Roku 
to verify this?

For those of you in charge of Wi-Fi deployments in residence halls, do you do 
anything to address these?  Do you limit your channel plan to UNII-1, UNII-3 
bands?  Or do you simply not bother going out of the way to plan for these 
devices?

TIA,

--Raf



Network Engineer position at UNC Chapel Hill

2018-08-22 Thread Turner, Ryan H
https://unc.peopleadmin.com/postings/146765


Position Type: Permanent Staff (EHRA NF)
Department: ITS - Comm Technologies-608000
Working Title: Network Engineer
Appointment Type: EHRA Non-Faculty
Position Posting Category: Information Technology
Salary Range: $95,000 to $97,000
Full Time/Part Time?: Full-Time Permanent
Hours per Week: 40
Vacancy ID: NF0003274
Position ID: 00035973
Posting Open Date: 08/22/2018
Application Deadline: 09/05/2018
Open Until Filled: No
Proposed Start Date: 10/08/2018

Position Summary


This position primarily provides support, monitoring and maintenance for a 
large enterprise Wi-Fi network infrastructure that consists of over 10,000 
wireless access points and 45,000 concurrent wireless clients. The position 
maintains configurations, makes updates and provides client support for Wi-Fi 
networking services. This position will also provide limited support for the 
Network Operations group and assist the Network Deployment group with large 
installations. A qualified candidate will have significant experience and 
working knowledge with Aruba wireless networks.

Educational Requirements


Bachelor's Degree preferred
- Bachelor's degree in Computer Science, Computer Information systems, Computer 
Engineering, Engineering, Electronics or related technical degree from an 
appropriately accredited institution and three years of progressive networking 
related experience such as network design, analysis or network management;
- Bachelor's degree from an appropriately accredited university and four years 
of progressive networking experience; or
- An Associate's degree in Electronics or Networking Technology and four years 
of progressive networking related experience; or an equivalent combination of 
education and experience
- Journey level requires an additional one year of experience.
- Advanced level requires an additional two years of experience.

Qualifications and Experience


Required Experience:
- Significant experience and working knowledge with 802.11 (wireless 
technologies)
- Must be able to move equipment that may weigh up to 60 lbs. Some locations 
are difficult to access and may require the use of ladders.
- Valid NC driver's license or ability to obtain license within 30 days of hire

Preferred Experience:
- Experience and working knowledge with Enterasys, Cisco, Extreme and Arista
- Experience in designing, deploying and maintaining a campus wide Wi-Fi 
network solution (specific experience with Aruba wireless networks)
- Experience in Network Management and Monitoring software (specific experience 
with Airwave and Voyance Nyansa and Ekahau)
- Experience with supporting/engineering/maintaining large networks
- Experience with higher education networks
- Good knowledge of SNMP and Netflow
- Ability to be autonomous and self-directed
- Ability to work well in a team environment
- CWNA / CCNA / CCNP / certifications

Equal Opportunity Employer


The University of North Carolina at Chapel Hill is an equal opportunity and 
affirmative action employer. All qualified applicants will receive 
consideration for employment without regard to age, color, disability, gender, 
gender expression, gender identity, genetic information, national origin, race, 
religion, sex, sexual orientation, or status as a protected veteran.

Special Instructions

Quick Link: http://unc.peopleadmin.com/postings/146765



Ryan Turner
Senior Manager, Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.



Re: [WIRELESS-LAN] Onboarding Android devices

2018-08-08 Thread Turner, Ryan H
That’s the problem with non-TLS EAP methods.  You cannot guarantee anyone will 
use the process.  It is a huge security issue as far as I am concerned.  

Ryan Turner
Senior Manager of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Aug 8, 2018, at 9:39 AM, Norman Elton  wrote:
> 
> Thanks all. If you're doing PEAP / MSCHAPv2, are you expecting some
> users to stumble through the process? Or do you somehow encourage all
> users to use the onboarding tool? Obviously the tool would be required
> if you're going down the EAP-TLS path.
> 
> Norman
> On Wed, Aug 8, 2018 at 7:35 AM Osborne, Bruce W (Network Operations)
>  wrote:
>> 
>> We changed onboarding tools for non-AD devices to SecureW2 last September 
>> and have been more than happy with their service & support.
>> 
>> They tend to officially support OS versions before official release, which 
>> can be useful in a Higher-Ed environment.
>> 
>> Bruce Osborne
>> Liberty University
>> 
>> -Original Message-
>> From: Norman Elton [mailto:normel...@gmail.com]
>> Sent: Tuesday, August 7, 2018 3:25 PM
>> Subject: Onboarding Android devices
>> 
>> We've got an encrypted network with the classic PEAP + MSCHAPv2 combo, 
>> allowing users to connect with their domain credentials. We've shied away 
>> from onboarding tools like SecureW2, especially for student devices, as they 
>> seem more cumbersome than just having the user configure the connection 
>> properly the first time.
>> 
>> Preparing for the fall, we've noticed that recent versions of Android make 
>> the process a little more cumbersome. It appears that 8.1 & 9.0 allow the 
>> user to validate the certificate by domain, which is great.
>> Although the steps to get this setup are far from intuitive.
>> 
>> 8.0 doesn't give that option, instead displaying a scary warning, "This 
>> connection will not be secure". The user is forced to go ahead with "do not 
>> validate certificate", leaving them open to leak their credentials to a 
>> rogue AP. Far from ideal.
>> 
>> Theoretically, we could ask the user to trust the CA certificate in advance, 
>> and (hopefully) the warning message would go away. But I haven't gotten this 
>> to work.
>> 
>> Is there a general consensus that these devices are better served with an 
>> onboarding tool that can accommodate the various flavors of Android? Or is 
>> there a recipe for a user to setup 802.1x securely (with some sort of 
>> certificate validation) on Android devices pre-8.1?
>> 
>> Thanks,
>> 
>> Norman Elton
>> 

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.



Re: [WIRELESS-LAN] Integrating 3rd party toolsets into your vendor-specific management platforms

2018-08-03 Thread Turner, Ryan H
We also run Nyansa and have been incredibly impressed with it.  I consider it a 
‘must have’ tool in our environment, and it has directly led to many design 
changes.

With regards to other tools you mentioned, we are currently looking at 
NetBrain.  Our POC is expected to end next week, and we have not decided yet if 
this will be the product for us or not.  We run a very different environment of 
mainly NOT Cisco, like Extreme/Enterasys/Arista.  While this too is advertised 
to work with those vendors, we’ve found a lot of little bugs with how the 
product parses these things.  We have a lot of layer 2 in our environment, and 
the product’s forte is layer 3.  With that said, the company has been actively 
engaged and has been fixing almost every little issue we’ve found.  We would 
also like to use their automation platform inside the tool, but haven’t pushed 
that extensively during the test.  The main objective was to get something with 
documentation capabilities that can get us off of a spreadsheet.  I would say 
it is 85% there.  The product, in my mind, is overpriced for the higher 
education market, especially once you get to scale.  However, I think they are 
going to work on that, as well.  So, before you go down the NetBrain road, talk 
to us in about a month.  At that point, we will have either purchased it or 
moved on, and I’ll tell you why in detail.


Ryan Turner
Senior Manager, Networking
ITS Communication Technologies
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu



From: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" on behalf of Jess Walczak
Reply-To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Date: Tuesday, July 24, 2018 at 12:48 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] Integrating 3rd party toolsets into your 
vendor-specific management platforms

TL:DR – I’m trying to learn what other schools are using for third party 
management as I’m feeling heartburn from my vendor’s latest iteration of their 
own management toolset.

I have a question to the group about SDN/SDA/Assurance/CiscoDNA/etc and how 
they integrate with third party tools.  My team just tried to deploy CiscoDNA 
on our campus, but after a disastrous launch we disabled it, then completely 
shut it off, and there it remains.  When it was running, we tried out the 
CiscoDNA toolset and it was unable to do a software upgrade on a newer switch, 
it was unable to do an SDA-style config to a switch, and Assurance pushed code 
to all of our switches causing a repetitive outage until we removed the config 
for Assurance from the affected switches.  I mainly wanted to run it for the 
Assurance data, but the rest of my team has (wisely) put this on pause.  Cisco 
moved customers from WCS to Prime about five years ago, and then to APIC-EM, 
and now there is yet another transition to DNA Center.  It seems to me that I 
require a third party toolset just to manage the pain of the vendor management 
platforms.

I’m wondering what other schools are running for 3rd party 
analytics/management/aggregation/automation platforms?  We currently run Nyansa 
Voyance which I learned about from this very group back in 2016.  A school 
set up a semi-private Q-and-A of their own implementation of this software and 
it turned out to be exactly what we were looking for.  It has since saved our 
bacon several times by either being able to tell us things our vendor-specific 
tools could not, or by validating the data we were getting either anecdotally 
or from our vendor tools (often poorly so).  Are you running Solarwinds?  
LiveAction? NetBrain?  Puppet with Git?  Something else?  Any tools or 
reporting from Internet2?  (We are now getting the eduroam reports and love 
them!)
I guess as an additional twist on my question, I’m also interested in what 
potential integration of third party solutions into the standard vendor 
solutions your school has been able to achieve?  Cisco says that DNA (and thus 
Assurance) is an open architecture, but I’d really be interested in knowing to 
what degree that is true.  I’d really like to see an open ecosystem and more 
potential integration between our Cisco hardware, management platforms, and 
third party apps.  We are just beginning to program wayfinding into our 
school’s ERP app, and we are using their APIs to pull the data from within 
Prime and CMX, but we are interested in going further with this.  I’m not just 
interested in Cisco shops—plenty of the schools on this list are running Aruba 
and talk it up quite a lot!  One of the big schools that we regularly seek 
guidance from just switched to Aruba, so 3rd party integration with those 
toolsets now also interests our shop as well.

Thanks for reading my long-winded post!--JW

Jess Walczak
Senior Network Analyst
Information Technology Services
jwwalc...@stthomas.edu
University of St. Thomas | stthomas.edu


Re: [WIRELESS-LAN] Issues with Windows 10

2018-07-30 Thread Turner, Ryan H
From SecureW2:

The issue is noticed when the RADIUS server cert is signed by AddTrust External 
CA Root (Cross signed by USERTrust RSA Certification Authority) and with the 
recent windows 10 update. We are looking into this and should be able to 
provide you an update.

Ryan Turner
Senior Manager of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

> On Jul 30, 2018, at 11:31 AM, Enfield, Chuck  wrote:
> 
> We had a cert issue a few years back.  Our intermediate cert authority got a 
> root cert of their own and it started getting deployed with major operating 
> systems.  Devices that had the new root cert wouldn't use the old root cert, 
> so server validation failed.  I don’t see how reinstalling the wireless 
> driver would correct that problem, so I'm not saying you have the same issue. 
>  It's just something to check for.
> 
> Chuck
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv On Behalf Of Charles Rumford
> Sent: Monday, July 30, 2018 11:25 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Issues with Windows 10
> 
>> On 07/30/2018 11:22 AM, Turner, Ryan H wrote:
>> We aren't running your method, but we also haven't heard of any mass 
>> scale issues (doesn't mean there isn't).  What did SecureW2 say?
> 
> 
> They are telling us that it's an issue with our cert stack, which I'm having 
> a hard time believing.
> 
> We have a call with them this afternoon to try and figure it out before we 
> deploy in the morning.
> 
> 
> --
> Charles Rumford
> Senior Network Engineer
> ISC Tech Services
> University of Pennsylvania
> OpenPGP Key ID: 0x173F5F3A (2018/07/05)
> 
> 



RE: [WIRELESS-LAN] Issues with Windows 10

2018-07-30 Thread Turner, Ryan H
We aren't running your method, but we also haven't heard of any mass scale 
issues (doesn't mean there isn't).  What did SecureW2 say?


Ryan Turner
Senior Manager, Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv On Behalf Of Charles Rumford
Sent: Monday, July 30, 2018 10:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Issues with Windows 10

Good morning everyone -

We here at Penn have recently come across a strange issue with Windows 10 and 
our new JoinNow installation.

The run down goes like this:

  1) Connect to onboarding SSID
  2) Run JoinNow
  3) Authentication Loop on Windows 10

Doing some research into it, there are a couple of things we noticed:

  a) If we turn off server validation, the Windows 10 device connects fine.
  b) Looking at a packet trace, the device just stops responding to the RADIUS
     server after the server cert has been passed to the client.
  c) We have to re-install the wireless driver on the device to be able to get
     the device working again.
  d) Our old CloudPath installation appears to be resulting in the same thing.

We are running EAP-TTLS/EAP-PAP here.

I was curious if anyone else was seeing issues with Windows 10 devices 
following the latest patching from Microsoft.

--
Charles Rumford
Senior Network Engineer
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0x173F5F3A (2018/07/05)




Re: [WIRELESS-LAN] Your eduroam semi-annual report

2018-07-05 Thread Turner, Ryan H
I am guessing the failures are expired credentials/certs.

Ryan Turner
Senior Manager of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Jul 5, 2018, at 9:55 PM, Julian Y Koh <kohs...@northwestern.edu> wrote:

On Jul 5, 2018, at 20:40, Turner, Ryan H <rhtur...@email.unc.edu> wrote:

They created it for us.  I think we started getting them a few weeks ago.

Yeah, we started getting them as well - I think they are very interesting.  Our 
immediate question was whether information was aggregated somewhere or could 
somehow be compared with other institutions like ours, but the response was 
that the types of institutions are very disparate and that it might be 
something they look into for the future.

One thing that I’m really curious about is the authentication success rates.  I 
haven’t seen our semi-annual report that covers all of January-June, but just 
looking at the monthly reports, we’re around 68% success for the NU users who 
are traveling elsewhere (but June had a big dropoff to 55% down from 65% the 
month before) and ~51% for the guests who are visiting our institution.  We 
don’t use eduroam as our primary SSID.

--
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>




Re: [WIRELESS-LAN] Fwd: Your eduroam semi-annual report

2018-07-05 Thread Turner, Ryan H
They created it for us.  I think we started getting them a few weeks ago.

Ryan Turner
Senior Manager of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Jul 5, 2018, at 9:11 PM, Joseph Bernard <j...@clemson.edu> wrote:

Did you create this report or did eduroam send it to you?

Thanks,
Joseph B.


On Jul 5, 2018, at 9:06 PM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:

All:

We have run eduroam as our primary SSID for several years.  For those 
institutions that do not, but wonder what it might look like for those that do, 
I’ve included our semi annual report.

Ryan Turner
Senior Manager of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

Begin forwarded message:




Re: [WIRELESS-LAN] Wireless Options

2018-05-21 Thread Turner, Ryan H
I agree.   There are times when a big controller code upgrade is consuming 
(like going to 8.x with Aruba), but it is normally configuration tweaks you 
would likely do regardless of if the controllers are on-prem or cloud.  We have 
nearly 10,000 APs.

Ryan Turner
Senior Manager of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On May 21, 2018, at 11:13 AM, Thomas Carter wrote:


But in the specific case of cloud vs on-prem wireless, what is the case to save 
1 FTE? I would contend the vast majority of day-to-day work in wireless isn't 
affected by the location of the controller.

Thomas Carter​




From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Jeffrey D. Sessler
Sent: Friday, May 18, 2018 12:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

One of the difficulties in comparing TCO is around staffing. Both estimating 
how much time staff really spend on the current solution, but also taking into 
account base salary with benefits. At many colleges, benefits can add another 
30%+ to the cost of a person. As such, the elimination (or reallocation) of one 
FTE has a huge impact on on-premise vs cloud comparisons. That single FTE could 
be $100K (salary + benefits) per year, saving (or reallocating) $700K over 
those 7 years.

In a lot of our cloud shift, those FTE’s have been re-allocated into more 
important roles such as security.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of Thomas Carter
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Friday, May 18, 2018 at 8:43 AM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Wireless Options

For cloud to really take over, the costs need to drop. We just went through a 
similar thing and are of a similar size (~300 APs), and the cloud on-going OpEx 
costs dropped them out of the race. The simplicity of costs budgeting is nice, 
but 7 year TCO is no contest.

Where they currently seem to be the best option is in the >25 to <100 AP market 
(<25 easily fits into Aruba Instant, Ruckus Unleashed, etc) or the small 
business vendor-managed market.

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv On Behalf Of Jeffrey D. Sessler
Sent: Friday, May 18, 2018 10:07 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

Chuck has the right idea here. Our respective college strategic missions don’t 
mention running servers or wireless controllers as strategic to the mission of 
the college. Cloud/SaaS solutions free up folks from the mundane tasks, 
allowing them to focus on those higher-up technology layers that can benefit 
the strategic mission. I think it’s easy today to see the benefits of moving 
on-premise email systems to GAFE or O365, but that comfort level isn’t there 
yet with some other systems such as wireless.

From a support standpoint, a vendor like Meraki has global visibility of how 
their product is operating, meaning they can correlate/see/react to issues 
faster including patching. For the controller-based solutions, there is the 
isolation factor, capability of the customer to gather support info, and the 
vendor not knowing if other customers are having the issue.

I suspect both options will be with us for years to come, but as more and more 
of our respective data centers move to the cloud, I predict the wireless cloud 
services will become more popular.

Jeff
From: "wireless-lan@listserv.educause.edu" on behalf of "Enfield III, Charles Albert"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Thursday, May 17, 2018 at 1:38 PM

Re: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

2018-05-17 Thread Turner, Ryan H
That is exactly what my last message was talking about.

From: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "Osborne, Bruce W (Network Operations)" <bosbo...@liberty.edu>
Reply-To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, May 17, 2018 at 7:22 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

While I agree with Ryan and others about user / client certificates, I believe 
the original topic was RADIUS Server certificates, not user.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Turner, Ryan H [mailto:rhtur...@email.unc.edu]
Sent: Wednesday, May 16, 2018 2:56 PM
Subject: Re: Rotating 802.1x RADIUS CA certificate

I definitely echo the comment about private CAs for your RADIUS.  Control your 
own destiny.  If your users are getting onboarded, then private CA chains 
should get installed as part of the process, as well.  We learned this from a 
swap out from a GoDaddy chain that was being deprecated before we made the 
wholesale switch to TLS.   That was one of the major reasons we went to eduroam 
as our primary SSID.  At the time, we were running people through a branded 
SSID called UNC-Secure.  When we realized we were going to need to swap out 
RADIUS certs, we just stopped onboarding folks to UNC-Secure, and instead 
onboarded them to eduroam.  The eduroam backend RADIUS servers were totally 
different than the UNC-Secure RADIUS servers, and it made the change-out non 
disruptive to our folks.  Otherwise there would have been a date where we had 
to tell everyone to ‘enroll again’ because they would not have trusted the new 
chain.  Twas lots of fun…



Ryan Turner
Senior Manager of Networking
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Oakes, Carl W
Sent: Wednesday, May 16, 2018 2:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

We did similar stuff but went with SHA512, and it bit us, so I'd go with SHA256.
The SHA512 issue was very subtle, but if a Windows box went from v7 -> v8 -> 
v10, or v7 -> v10, there's a chance it would miss a specific update that 
enabled SHA512.  It was a BEAR to find, but now that we know it and why, 
quickly resolved.  Out of about 90,000 overall (all platforms) devices, we 
ended up with less than 50 in that case.

Other than that, long-term self-signed CAs and certs are the way to go for the 
RADIUS server!  No more embarrassing swap outs. :)

Carl Oakes
Information Resources and Technology
California State University Sacramento



From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Matt Freitag
Sent: Wednesday, May 16, 2018 10:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

We went through this not long ago. The root cert in our chain is valid until 
2028, and the one intermediate is valid until 2024, so we were able to maintain 
the same chain and just swap out our server cert with pretty much zero pain. 
Some warnings about how the cert changed but we told our users well ahead of 
time that they needed to expect this and this time it's OK to ignore and OK 
their way through any warnings.

We just use SHA256 with a key length of 4096 bits. We do not use our own CA on 
the server that I'm looking at, our certificate is a GlobalSign one.


Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Wed, May 16, 2018 at 12:02 PM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:
We still use SHA2 256 bit certificates with a 2048 length.  When I was doing 
research on this a few years ago, I believe there was extra processing power 
required once you went above 256bit (requires an additional computation).  I 
could be completely wrong about that, but we have had mass deployment of user 
certificates for over 5 years with that setup without any issue.  I don't see 
any reason to get cute with hashing algorithms at this point or length at this 
point as it might cause you more grief than it is worth.


Ryan Turner
Senior M

RE: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

2018-05-16 Thread Turner, Ryan H
I definitely echo the comment about private CAs for your RADIUS.  Control your 
own destiny.  If your users are getting onboarded, then private CA chains 
should get installed as part of the process, as well.  We learned this from a 
swap out from a GoDaddy chain that was being deprecated before we made the 
wholesale switch to TLS.   That was one of the major reasons we went to eduroam 
as our primary SSID.  At the time, we were running people through a branded 
SSID called UNC-Secure.  When we realized we were going to need to swap out 
RADIUS certs, we just stopped onboarding folks to UNC-Secure, and instead 
onboarded them to eduroam.  The eduroam backend RADIUS servers were totally 
different than the UNC-Secure RADIUS servers, and it made the change-out non 
disruptive to our folks.  Otherwise there would have been a date where we had 
to tell everyone to ‘enroll again’ because they would not have trusted the new 
chain.  Twas lots of fun…



Ryan Turner
Senior Manager of Networking
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Oakes, Carl W
Sent: Wednesday, May 16, 2018 2:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

We did similar stuff but went with SHA512, and it bit us, so I'd go with SHA256.
The SHA512 issue was very subtle, but if a Windows box went from v7 -> v8 -> 
v10, or v7 -> v10, there's a chance it would miss a specific update that 
enabled SHA512.  It was a BEAR to find, but now that we know it and why, 
quickly resolved.  Out of about 90,000 overall (all platforms) devices, we 
ended up with less than 50 in that case.

Other than that, long-term self-signed CAs and certs are the way to go for the 
RADIUS server!  No more embarrassing swap outs. :)

Carl Oakes
Information Resources and Technology
California State University Sacramento



From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Matt Freitag
Sent: Wednesday, May 16, 2018 10:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

We went through this not long ago. The root cert in our chain is valid until 
2028, and the one intermediate is valid until 2024, so we were able to maintain 
the same chain and just swap out our server cert with pretty much zero pain. 
Some warnings about how the cert changed but we told our users well ahead of 
time that they needed to expect this and this time it's OK to ignore and OK 
their way through any warnings.

We just use SHA256 with a key length of 4096 bits. We do not use our own CA on 
the server that I'm looking at, our certificate is a GlobalSign one.


Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Wed, May 16, 2018 at 12:02 PM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:
We still use SHA2 256 bit certificates with a 2048 length.  When I was doing 
research on this a few years ago, I believe there was extra processing power 
required once you went above 256bit (requires an additional computation).  I 
could be completely wrong about that, but we have had mass deployment of user 
certificates for over 5 years with that setup without any issue.  I don't see 
any reason to get cute with hashing algorithms at this point or length at this 
point as it might cause you more grief than it is worth.


Ryan Turner
Senior Manager of Networking
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of James Andrewartha
Sent: Tuesday, May 15, 2018 11:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

Hi all,

While debugging another problem (Windows 10 client that lost its certificates 
and some EAP configuration) I noticed that our private CA used for WPA2 
Enterprise RADIUS auth expires in September next year. The certificate used by 
the RADIUS servers is valid until January 2024, but am I correct in thinking 
that if the CA has expired the cert won't be trusted either?

Has anyone rotated their cert and have any tips for managing the flag day? I'm 
going to create a new pri

RE: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

2018-05-16 Thread Turner, Ryan H
We still use SHA2 256 bit certificates with a 2048 length.  When I was doing 
research on this a few years ago, I believe there was extra processing power 
required once you went above 256bit (requires an additional computation).  I 
could be completely wrong about that, but we have had mass deployment of user 
certificates for over 5 years with that setup without any issue.  I don't see 
any reason to get cute with hashing algorithms at this point or length at this 
point as it might cause you more grief than it is worth.


Ryan Turner
Senior Manager of Networking
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv On Behalf Of James Andrewartha
Sent: Tuesday, May 15, 2018 11:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

Hi all,

While debugging another problem (Windows 10 client that lost its certificates 
and some EAP configuration) I noticed that our private CA used for WPA2 
Enterprise RADIUS auth expires in September next year. The certificate used by 
the RADIUS servers is valid until January 2024, but am I correct in thinking 
that if the CA has expired the cert won't be trusted either?

Has anyone rotated their cert and have any tips for managing the flag day? I'm 
going to create a new private CA, this time with a 30 year lifetime, although I 
imagine it'll be obsolete before then due to increased crypto requirements. 
Speaking of which, what are the best practices for a private CA these days? 
SHA2 (384bit)? SHA3? RSA?
Elliptic Curve?

We are fortunate in that most of our devices are school owned and so we can 
push out wireless configuration. I had a look at the Windows and Mac configs, 
and both of those can trust multiple CAs for a given SSID. On iOS we don't push 
out wireless config, but we were going to reprovision the remaining ones anyway 
at the end of this year so that's fine.

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
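The question in this thread (does an expired private CA take an unexpired RADIUS server certificate down with it, and how do you get through the flag day) is easiest to see by building the certificates and running a supplicant-style chain check. The Go program below is an added example, not code from the list or from any institution on it. It constructs its own two CAs and two server certificates; the CA names, the server name radius.example.edu, the serial numbers and the dates (old CA expiring September 2019, server cert good until January 2024, new CA with a 30-year lifetime, as in the original post) are assumptions for illustration, and it uses P-256 keys only so the run is fast; the RSA keys discussed in the thread behave the same way under this check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const radiusName = "radius.example.edu" // hypothetical RADIUS server name

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// P-256 keeps the run fast; the thread's RSA keys behave identically here.
func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// makeCert builds a certificate: a self-signed private CA when parent is nil,
// otherwise a server certificate for cn signed by parent with signer's key.
func makeCert(cn string, serial int64, from, to time.Time, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := genKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    from,
		NotAfter:     to,
	}
	if parent == nil { // self-signed private CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
		parent, signer = tmpl, key
	} else { // EAP/RADIUS server certificate
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	c, err := x509.ParseCertificate(der)
	check(err)
	return c, key
}

// trustedAt plays the supplicant: does srv chain to one of the configured
// roots at time `at`, with the server name pinned as a Wi-Fi profile pins it?
func trustedAt(srv *x509.Certificate, roots []*x509.Certificate, at time.Time) (bool, string) {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	opts := x509.VerifyOptions{Roots: pool, DNSName: radiusName, CurrentTime: at}
	if _, err := srv.Verify(opts); err != nil {
		return false, err.Error()
	}
	return true, "ok"
}

// RunScenario uses constructed dates mirroring the thread (old CA expires
// September 2019, server cert good until January 2024, new CA with a 30-year
// lifetime) and returns the supplicant's decision for each case.
func RunScenario() map[string]bool {
	day := func(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
	oldRoot, oldKey := makeCert("Old RADIUS CA", 1, day(2009, 9, 1), day(2019, 9, 30), nil, nil)
	newRoot, newKey := makeCert("New RADIUS CA", 2, day(2019, 6, 1), day(2049, 6, 1), nil, nil)
	oldSrv, _ := makeCert(radiusName, 100, day(2019, 1, 1), day(2024, 1, 31), oldRoot, oldKey)
	newSrv, _ := makeCert(radiusName, 200, day(2019, 6, 1), day(2024, 1, 31), newRoot, newKey)
	onlyOld := []*x509.Certificate{oldRoot}
	both := []*x509.Certificate{oldRoot, newRoot}
	r := map[string]bool{}
	r["oldRoot-before-expiry"], _ = trustedAt(oldSrv, onlyOld, day(2019, 6, 15))
	// Same client in 2020: the leaf has years left, but its root has expired.
	r["oldRoot-after-expiry"], _ = trustedAt(oldSrv, onlyOld, day(2020, 1, 15))
	// A cert from the new CA meeting a client that was never given the new root.
	r["newCert-oldRootOnly"], _ = trustedAt(newSrv, onlyOld, day(2019, 6, 15))
	// A client carrying both roots through the flag day accepts either cert.
	r["bothRoots-oldCert"], _ = trustedAt(oldSrv, both, day(2019, 6, 15))
	r["bothRoots-newCert"], _ = trustedAt(newSrv, both, day(2019, 6, 15))
	return r
}

func main() {
	for k, v := range RunScenario() {
		fmt.Printf("%-22s trusted=%v\n", k, v)
	}
}
```

Running it confirms the answer given in the thread: once the root is past its notAfter, a client that trusts only that root rejects the server certificate even though the leaf itself is valid until 2024. It also shows why the posters push the new CA chain out ahead of time (during onboarding, or through the Windows and macOS profiles that can trust several CAs for one SSID): a client holding both roots accepts certificates from either CA, so the server cert can be swapped on any day inside the overlap and the old root retired afterwards.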




RE: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-04 Thread Turner, Ryan H
You should look into pfSense.  It is extremely powerful and open source.  You 
can pay for commercial support.

Ryan

From: The EDUCAUSE Wireless Issues Constituent Group Listserv On Behalf Of Lee H Badman
Sent: Tuesday, April 3, 2018 8:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

This is a hot-button topic for me. The whole guest access thing has gotten 
ridiculously complex in the main players trying to funnel this through a 
behemoth NAC (same could be said for simple RADIUS) or through some other 
convoluted framework. Bluesocket (now Adtran) had a good thing going with a 
gateway that was simple to set up and use on any vendor’s WLAN. They too 
evolved into something chunky and complex. I’d love to see Adtran dust off the 
old code, make it just a wee bit updated on browser friendliness, and 
re-productize it as a cost-effective 3rd party guest solution. The rest of the 
industry has blown it in this regard, says I.

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv On Behalf Of Trinklein, Jason R
Sent: Monday, April 02, 2018 5:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

We are considering clearpass for our guest network captive portal. We have a 
case of sticker shock, however…at a cost of nearly $50K, it seems expensive for 
a captive portal.

What alternative solutions are people using? We are very happy with FreeRADIUS 
for wireless auth, but we need a robust captive portal that allows OAuth/social 
media login or validated email/sms login. We tried packetfence, but in cluster 
mode, it wasn’t reliable.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009
From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Hector J Rios
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Date: Monday, April 2, 2018 at 5:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] ClearPass - not so clear anymore

I’ve got two complaints about this product. One, it seems like with every patch 
or upgrade, this solution is getting worse and worse. This is disappointing 
because when we bought this solution two years ago it was rock solid. Second, 
due to the new licensing scheme, we are now exceeding our licensing capacity. 
How convenient for Aruba, right? As some of you might know, the new licensing 
scheme is based on concurrency. When we purchased the solution the licensing 
scheme was based on rolling averages. Yes, the new licensing scheme is 
attempting to make things simpler, but at a higher cost. Ask your rep how much 
a 25K server costs and you’ll see what I’m talking about.

Hector Rios
Louisiana State University
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



RE: Amazon Fire Tablet Line - 802.1x Support Dropped?

2018-02-12 Thread Turner, Ryan H
You may be missing my point…  It isn’t the fact that they require a password on 
the screen. I totally get it.  It is how they allow the customer to shoot 
themselves in the foot, unknowingly, by removing the password lock without a 
bunch of warnings.  I don’t expect anyone to know that removing a password will 
screw up the certificate store.  I do expect the operating system to warn about 
the consequences.

Ryan

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Monday, February 12, 2018 7:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Amazon Fire Tablet Line - 802.1x Support Dropped?

True, but they required it for MSCHAPv2 too, which was an error.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Turner, Ryan H [mailto:rhtur...@email.unc.edu]
Sent: Friday, February 9, 2018 10:01 AM
Subject: Re: Amazon Fire Tablet Line - 802.1x Support Dropped?

For TLS, Android requires a screen lock, and if you remove it post, it breaks 
the certificate store.  That issue isn’t a bug, but another design decision by 
Google (to make TLS more difficult to use when it isn’t that way with almost 
every other operating system).

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Friday, February 9, 2018 8:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Amazon Fire Tablet Line - 802.1x Support Dropped?

I know there was a bug corrected in SecureW2 802.1X onboarding where they were 
requiring a screen lock for Android when using PEAP-MSCHAPv2.
They corrected the issue in a later release.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Mike Atkins [mailto:matk...@nd.edu]
Sent: Thursday, February 8, 2018 5:26 PM
Subject: Re: Amazon Fire Tablet Line - 802.1x Support Dropped?

I have seen dot1x issues with Android tablets that do not have the lock enabled 
or have it removed after Wi-Fi is configured and working.  I know our onboard 
utility notifies the user that Screen Lock/Pin is required.  Does the 802.1x 
option show up if screen lock is enabled?






Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Christopher
Sent: Wednesday, February 07, 2018 10:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Amazon Fire Tablet Line - 802.1x Support Dropped?

Good Morning,

I was curious if anyone had any of the newer Amazon Fire tablets and could 
confirm something for me? Our support center contacted me in regards to an 
issue with connecting to our secure network (they were only able to see our 
“open network”), which matches how some newer devices will not even display 
networks that they are unable to connect to – such as WPA2 Enterprise. I had 
suggested that they attempt to manually create the profile and was disappointed 
when they confirmed that “802.1x” was no longer an option on the list of 
security types.

That’s unfortunate that their earlier generations had support, and it appears 
to have been removed. It’s been a few years since I’ve seen one, so no idea in 
which generation this occurred (Fire 7 is their 7th generation). I just know 
the 1st and 2nd generation could connect since I got to be the one to figure it 
out all those years ago.

Christopher Johnson
Wireless Network Engineer
AT Infrastructure Operations & Networking (ION)
Illinois State University
(309) 438-8444
Stay connected with ISU IT news and tips with @ISU IT Help on 
Facebook<https://www.facebook.com/ISUITHelp/> and 
Twitter<https://twitter.com/ISUITHelp>



RE: Amazon Fire Tablet Line - 802.1x Support Dropped?

2018-02-09 Thread Turner, Ryan H
For TLS, Android requires a screen lock, and if you remove it post, it breaks 
the certificate store.  That issue isn’t a bug, but another design decision by 
Google (to make TLS more difficult to use when it isn’t that way with almost 
every other operating system).

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Friday, February 9, 2018 8:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Amazon Fire Tablet Line - 802.1x Support Dropped?

I know there was a bug corrected in SecureW2 802.1X onboarding where they were 
requiring a screen lock for Android when using PEAP-MSCHAPv2.
They corrected the issue in a later release.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Mike Atkins [mailto:matk...@nd.edu]
Sent: Thursday, February 8, 2018 5:26 PM
Subject: Re: Amazon Fire Tablet Line - 802.1x Support Dropped?

I have seen dot1x issues with Android tablets that do not have the lock enabled 
or have it removed after Wi-Fi is configured and working.  I know our onboard 
utility notifies the user that Screen Lock/Pin is required.  Does the 802.1x 
option show up if screen lock is enabled?






Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
 On Behalf Of Johnson, Christopher
Sent: Wednesday, February 07, 2018 10:49 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Amazon Fire Tablet Line - 802.1x Support Dropped?

Good Morning,

I was curious if anyone had any of the newer Amazon Fire tablets and could 
confirm something for me? Our support center contacted me in regards to an 
issue with connecting to our secure network (they were only able to see our 
“open network”), which matches how some newer devices will not even display 
networks that they are unable to connect to – such as WPA2 Enterprise. I had 
suggested that they attempt to manually create the profile and was disappointed 
when they confirmed that “802.1x” was no longer an option on the list of 
security types.

That’s unfortunate that their earlier generations had support, and it appears 
to have been removed. It’s been a few years since I’ve seen one, so no idea in 
which generation this occurred (Fire 7 is their 7th generation). I just know 
the 1st and 2nd generation could connect since I got to be the one to figure it 
out all those years ago.

Christopher Johnson
Wireless Network Engineer
AT Infrastructure Operations & Networking (ION)
Illinois State University
(309) 438-8444
Stay connected with ISU IT news and tips with @ISU IT Help on 
Facebook and 
Twitter





RE: [WIRELESS-LAN] Aruba / HA / And ARP broadcasting during controller losses

2018-01-05 Thread Turner, Ryan H
In a perfect world…  We can likely do this, but our network design is a lot 
flatter.  However, there are opportunities to carve this up a bit and mitigate 
it.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Fredrik L. Andersen
Sent: Friday, January 5, 2018 1:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba / HA / And ARP broadcasting during controller 
losses

Hi,

Agree with you both on better network design; controllers and APs should not 
be on the same L2. Use DNS for MC discovery.

You should also check out NG architecture for AOS8 with clustering for HA.

Best regards


Fredrik L. Andersen
+ 47 930 888 15


Sent from my iPhone

On 5 Jan 2018 at 19:25, Norton, Thomas (Network Operations) 
<tnort...@liberty.edu> wrote:
Hey Ryan,

I agree with Amel. I highly recommend breaking out your APs separate from your 
controller management VLAN and utilizing DHCP for discovery.

We break out our AP management VLANs from our controller management VLAN and 
have the AP VLANs broken up into multiple geographic VTP domains to mitigate 
this.

With that said, we have had our own set of challenges from an HA perspective, 
as we have had to tune our HA heartbeat timers and configuration to meet our 
needs…

-T.J.
Liberty University


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Amel Caldwell <am...@uw.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, January 5, 2018 at 12:42 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Aruba / HA / And ARP broadcasting during controller 
losses

Hi Ryan—

We have a similar setup; our main campus has around 7,000 APs with one master 
controller.  We have separate AP management VLANs in each of our buildings (we 
don’t span VLANs across multiple buildings here) and use DHCP options for 
master controller discovery.  We still get a ton of pings looking for a lost 
controller, but the infrastructure handles the pings better than it does ARPs.  
It may help if you separate the controller management and AP management onto 
separate VLANs and use DHCP options; this would have the effect of changing the 
ARP to ICMP traffic, and hopefully that would be enough to weather the event of 
a lost controller.

I do wholeheartedly agree that Aruba implementing a back-off mechanism to lessen 
this impact over time would be great.  I am also not really happy with how Aruba 
implemented the “heartbeat” option for the standby controller to verify the 
primary is still up, and it really does not scale well.

Amel Caldwell
University of Washington UW-IT
Wi-Fi Network Engineer
Wi-Fi Service Manager

am...@uw.edu
206-543-2915



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Turner, Ryan H" 
<rhtur...@email.unc.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, January 5, 2018 at 9:14 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Aruba / HA / And ARP broadcasting during controller 
losses

All:

Based on design recommendations from Aruba, our 10,000 AP network has been 
broken up into a few management domains.  For example, Main Campus has 
approximately 5,000 access points, and the controllers and access points share 
the same VLAN.

What we have noticed is that if we lose a controller (or shut it down for 
maintenance or a move), the access points start ARPing like crazy for the 
downed controller.  We can see in excess of 1,000 ARPs a second in the 
management VLAN.  This has the negative side effect of causing CPU spikes 
across certain models of switches on campus, and we lose management to those 
switches.  User traffic doesn’t generally seem affected, but SNMP monitoring 
ceases.  We are wondering if others have seen this, or designed around 
mitigating this.  This is definitely a scaling issue, and we feel as though 
Aruba could develop back-off mechanisms from allowing High Availability to 
essentially DoS parts of campus with ARP.

Thanks!

Ryan Turner
Manager of Network Operations
ITS Communication Technologie

Aruba / HA / And ARP broadcasting during controller losses

2018-01-05 Thread Turner, Ryan H
All:

Based on design recommendations from Aruba, our 10,000 AP network has been 
broken up into a few management domains.  For example, Main Campus has 
approximately 5,000 access points, and the controllers and access points share 
the same VLAN.

What we have noticed is that if we lose a controller (or shut it down for 
maintenance or a move), the access points start ARPing like crazy for the 
downed controller.  We can see in excess of 1,000 ARPs a second in the 
management VLAN.  This has the negative side effect of causing CPU spikes 
across certain models of switches on campus, and we lose management to those 
switches.  User traffic doesn't generally seem affected, but SNMP monitoring 
ceases.  We are wondering if others have seen this, or designed around 
mitigating this.  This is definitely a scaling issue, and we feel as though 
Aruba could develop back-off mechanisms from allowing High Availability to 
essentially DoS parts of campus with ARP.

Thanks!

Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile
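As an added example for the thread above (not code from the list, from UNC or from Aruba): a detector that runs over tcpdump-style ARP request lines and flags the many-askers, one-silent-target pattern of a lost controller, plus a small model of the retry load from 5,000 APs with and without per-AP exponential back-off. The capture and every address are constructed; the 5-second retry and the back-off schedule are assumptions chosen because 5,000 APs retrying every 5 s reproduce the ~1,000 ARP/s the post reports. In this model back-off cuts the sustained load but not the first-second peak, which is why jitter would matter as well.

```python
"""ARP storm detection and retry-load model for a lost WLAN controller.

Added example, not code from the list thread or from Aruba.  The capture
lines are constructed in the format `tcpdump -n arp` prints; every IP
address here is a placeholder.
"""
import re
from collections import defaultdict

# e.g. "09:00:00.020000 ARP, Request who-has 10.10.0.1 tell 10.10.4.1, length 28"
ARP_REQUEST = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<frac>\d+) ARP, Request "
    r"who-has (?P<target>\d+\.\d+\.\d+\.\d+) tell (?P<sender>\d+\.\d+\.\d+\.\d+)"
)


def parse_arp_requests(lines):
    """Return (timestamp_seconds, target_ip, sender_ip) for each ARP request."""
    records = []
    for line in lines:
        m = ARP_REQUEST.match(line)
        if not m:
            continue  # ARP replies and non-ARP lines are ignored
        ts = (int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
              + float("0." + m["frac"]))
        records.append((ts, m["target"], m["sender"]))
    return records


def arp_storm_targets(records, rate_threshold=30, min_senders=10):
    """Report targets that many distinct hosts are ARPing for at a high rate.

    Requests fall into one-second buckets.  A target is flagged when some
    bucket holds at least `rate_threshold` requests for it AND at least
    `min_senders` distinct hosts asked for it: many askers for one silent
    address is the downed-controller storm, whereas one asker for many
    addresses is a scan and is deliberately not flagged here.
    """
    per_bucket = defaultdict(int)   # (second, target) -> requests
    senders = defaultdict(set)      # target -> distinct asking hosts
    for ts, target, sender in records:
        per_bucket[(int(ts), target)] += 1
        senders[target].add(sender)
    peak = defaultdict(int)
    for (_, target), n in per_bucket.items():
        peak[target] = max(peak[target], n)
    return {
        t: {"peak_per_second": peak[t], "distinct_senders": len(senders[t])}
        for t in peak
        if peak[t] >= rate_threshold and len(senders[t]) >= min_senders
    }


def retry_load(n_aps, base_s, horizon_s, backoff_cap_s=None):
    """Aggregate ARP load from `n_aps` APs whose controller just vanished.

    Each AP retries every `base_s` seconds; with `backoff_cap_s` set, its
    interval doubles after every failed attempt up to that cap (an assumed
    back-off, not Aruba's).  AP start times are spread evenly over the first
    interval.  Returns (total_requests, peak_requests_in_one_second).
    """
    per_second = defaultdict(int)
    for i in range(n_aps):
        t = i * base_s / n_aps
        interval = base_s
        while t < horizon_s:
            per_second[int(t)] += 1
            t += interval
            if backoff_cap_s is not None:
                interval = min(interval * 2, backoff_cap_s)
    return sum(per_second.values()), max(per_second.values())


def constructed_capture():
    """40 APs asking three times for a dead controller (constructed), plus one
    host walking an address range and one ordinary request/reply pair."""
    lines = []
    for second in range(3):
        for i in range(1, 41):
            lines.append(f"09:00:0{second}.{i * 20000:06d} ARP, Request "
                         f"who-has 10.10.0.1 tell 10.10.4.{i}, length 28")
    for j in range(20):
        lines.append(f"09:00:01.{j * 40000:06d} ARP, Request "
                     f"who-has 10.10.0.{100 + j} tell 10.10.0.66, length 28")
    lines.append("09:00:02.500000 ARP, Request who-has 10.10.0.9 tell 10.10.0.7, length 28")
    lines.append("09:00:02.600000 ARP, Reply 10.10.0.9 is-at 00:11:22:33:44:55, length 28")
    return lines


if __name__ == "__main__":
    print(arp_storm_targets(parse_arp_requests(constructed_capture())))
    print("fixed 5 s retry:", retry_load(5000, 5, 60))
    print("5 s doubling to 40 s:", retry_load(5000, 5, 60, backoff_cap_s=40))
```

To run it against a real capture, feed `tcpdump -n arp` output lines to `parse_arp_requests` instead of `constructed_capture()`; the flagged target is the address the APs can no longer reach.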





Re: [WIRELESS-LAN] Radius certificate length vs. onboarding opinions

2017-10-30 Thread Turner, Ryan H
We went option 4 several years ago.  I actually learned the lesson about root 
certificate server changes about 4 years ago.  It is one of the things I have 
mentioned when I gave a presentation in the past about 'Lessons learned with 
Certificate Based Authentications'.


EAP-TLS will require PROPER user onboarding, which means you can install the 
private CA chain.  In my opinion, private is the way to go.  YOU control your 
CA destiny, not some external provider.


Ryan Turner


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Craig Simons 

Sent: Monday, October 30, 2017 2:21:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Radius certificate length vs. onboarding opinions

All,

I know the subject has been broached on the list a few times before, but I’m 
looking for informal opinions/survey about how you are deploying your Radius 
EAP certificates for PEAP/TTLS users (non-TLS). We use Cloudpath to onboard 
users, but recently went through a difficult renewal period to replace our 
expiring certificate. As we had configured all of our clients to “verify the 
server certificate” (as you should from a security perspective), we found that 
iOS/MacOS and Android clients did not take kindly to a new certificate being 
presented. This resulted in quite a few disgruntled users who couldn’t connect 
to WiFi as well as a shell-shocked Service Desk. To help prevent this in the 
future (and because we are moving to a new Radius infrastructure), what is the 
consensus on the following strategies:

Option 1: Using a self-signed/private PKI and a 10 year cert. Onboard with 
"verify server certificate" enabled

Option 2: Removing all traces of “verify server certificate” from OnBoard 
configuration and use 2-year certs from CAs

Option 3: Use 2-year CA certificates, enable “verify server certificates” and 
educate/prepare every two years for connection issues.

Option 4 (probably the best long-term answer): Move to private PKI and EAP-TLS.

Opinions?

Craig Simons
Network Operations Manager

Simon Fraser University | Strand Hall
 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.8036 | M: 604.649.7977 | 
www.sfu.ca/itservices




Big flaw in WPA2

2017-10-16 Thread Turner, Ryan H

https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office




Major bug in iOS11 for people onboarding with TLS

2017-09-21 Thread Turner, Ryan H
If users have a preconfigured profile, and they configure for a new 
certificate, when connecting it will prompt them for a username/password.  I 
think clicking OK or cancel (not in a position to test) will allow them on. If 
the users delete the profile and certificates then onboard, all is well. 

SecureW2 has logged a bug with Apple.  This one will be a pain for us TLS 
users.  

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office


RE: Defeating Android 8.X Captive Portal detection

2017-09-06 Thread Turner, Ryan H
So, for the time being, I am adding some very simple JavaScript to the landing 
page.  If it detects Android 8, it will display a message telling the user that 
after login, they must close the browser and open a new one and go to 
wifi.unc.edu.  I am going to play around with the browser environment variables 
and see if it is possible to discover if they are in the pseudo browser (look 
at the difference in environment variables between the full browser and the 
pseudo browser).  If so, I can just take away the login option until they open 
a browser with full power...

From: Turner, Ryan H
Sent: Wednesday, September 6, 2017 9:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: RE: Defeating Android 8.X Captive Portal detection

We haven't had the problem with OSX.  I worked hard to get rid of captive 
portal detection on all browsers.  Everything has been great, until now.

We have a setup like this:

We use a pfSense firewall on an onboarding SSID.  Users have 2 states:  
unauthenticated and authenticated.  Prior to being authorized (which requires 
logging in on a web portal), their connection is extremely limited except for 
whatever holes I have poked through to defeat captive portal detection and make 
things smoother.  Once they are authenticated, there is NO ACL on the back-end, 
but I do blackhole a bunch of popular sites (through DNS redirection) so people 
will not use the onboarding SSID for browsing.  For the new Android, with our 
setup, the pseudo browser remains open, even post authentication (which 
probably means one of those blackholed sites I have is being checked and still 
doesn't indicate connectivity).

My 'workaround' for the moment is to allow google.com to go through...  which 
is not a good one.  Since google.com is most people's default page, it means 
they will NOT get a wireless redirect to login and authenticate until they 
browse somewhere else.  So I don't think I am going to keep this.  I may just 
have to add some verbiage to the login page that educates Android users, but it 
will probably only be read 1 out of 10 times.

I really hate how it feels like we are having to constantly work against google 
with this stuff...


Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wyatt Schill
Sent: Tuesday, September 5, 2017 4:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Defeating Android 8.X Captive Portal detection

This is the same problem we have with Mac laptops, the 'pseudo' browser will 
allow the user to run through the whole onboarding process until the final 
download step where it refuses to allow the user to download a config file.

Our only fixes are to continually educate users to close the 'pseudo' browser 
and open a full version of safari, or to add pre-auth acls to allow the device 
to fully access the apple urls it is checking so that the 'pseudo' browser 
never pops up and the user manually opens a standard browser to get the initial 
captive portal.

Looks like android will need something similar.  (although we already have some 
of google open to allow guests to use google credentials to authenticate, so it 
probably won't be much extra to add)

Wyatt Schill
Senior Network Engineer
CCNA-Security, CCNP-R
Green River College
12401 SE 320th St. Auburn, WA 98092
wsch...@greenriver.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Tuesday, September 5, 2017 1:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Defeating Android 8.X Captive Portal detection

Even though Android is only 7% of our install base, it amounts to 75% of my 
problems...

It 'appears' on first glance that Google has changed the captive portal 
detection on version 8.  It 'appears' (very early into this, so this may 
change) that Google now checks for both a generate_204 on 
connectivitycheck.gstatic.com and a gen_204 on www.google.com.  Why is this a 
problem?

We, as many people do, have an onboarding SSID.  TLS requires proper 
onboarding.  That means that we need to process people through the portal in 
an orderly manner to get them where they need to go.  When Android 8.X detects 
a captive portal, it will prompt the user to 'sign in'.  This process opens a 
pseudo browser (a browser that is limited in what it can do) to the captive 
portal login.  After the user logs in, the user stays inside of the 'pseudo' 
browser.  The browser has limited powers, and apparently will not allow the 
user to 
down

RE: Defeating Android 8.X Captive Portal detection

2017-09-06 Thread Turner, Ryan H
We haven't had the problem with OSX.  I worked hard to get rid of captive 
portal detection on all browsers.  Everything has been great, until now.

We have a setup like this:

We use a pfSense firewall on an onboarding SSID.  Users have 2 states:  
unauthenticated and authenticated.  Prior to being authorized (which requires 
logging in on a web portal), their connection is extremely limited except for 
whatever holes I have poked through to defeat captive portal detection and make 
things smoother.  Once they are authenticated, there is NO ACL on the back-end, 
but I do blackhole a bunch of popular sites (through DNS redirection) so people 
will not use the onboarding SSID for browsing.  For the new Android, with our 
setup, the pseudo browser remains open, even post authentication (which 
probably means one of those blackholed sites I have is being checked and still 
doesn't indicate connectivity).

My 'workaround' for the moment is to allow google.com to go through...  which 
is not a good one.  Since google.com is most people's default page, it means 
they will NOT get a wireless redirect to login and authenticate until they 
browse somewhere else.  So I don't think I am going to keep this.  I may just 
have to add some verbiage to the login page that educates Android users, but it 
will probably only be read 1 out of 10 times.

I really hate how it feels like we are having to constantly work against google 
with this stuff...


Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wyatt Schill
Sent: Tuesday, September 5, 2017 4:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Defeating Android 8.X Captive Portal detection

This is the same problem we have with Mac laptops, the 'pseudo' browser will 
allow the user to run through the whole onboarding process until the final 
download step where it refuses to allow the user to download a config file.

Our only fixes are to continually educate users to close the 'pseudo' browser 
and open a full version of safari, or to add pre-auth acls to allow the device 
to fully access the apple urls it is checking so that the 'pseudo' browser 
never pops up and the user manually opens a standard browser to get the initial 
captive portal.

Looks like android will need something similar.  (although we already have some 
of google open to allow guests to use google credentials to authenticate, so it 
probably won't be much extra to add)

Wyatt Schill
Senior Network Engineer
CCNA-Security, CCNP-R
Green River College
12401 SE 320th St. Auburn, WA 98092
wsch...@greenriver.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Tuesday, September 5, 2017 1:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Defeating Android 8.X Captive Portal detection

Even though Android is only 7% of our install base, it amounts to 75% of my 
problems...

It 'appears' on first glance that Google has changed the captive portal 
detection on version 8.  It 'appears' (very early into this, so this may 
change) that Google now checks for both a generate_204 on 
connectivitycheck.gstatic.com and a gen_204 on www.google.com.  Why is this a 
problem?

We, as many people do, have an onboarding SSID.  TLS requires proper 
onboarding.  That means that we need to process people through the portal in 
an orderly manner to get them where they need to go.  When Android 8.X detects 
a captive portal, it will prompt the user to 'sign in'.  This process opens a 
pseudo browser (a browser that is limited in what it can do) to the captive 
portal login.  After the user logs in, the user stays inside of the 'pseudo' 
browser.  The browser has limited powers, and apparently will not allow the 
user to download or install an agent or configuration files.  You can see the 
problem...  They will get to the onboarding page, and nothing will work.

I've managed to 'bypass' the problem, but it isn't ideal.  Has anyone else 
seen this with commercial portals and figured out ways around it?

It is possible all of this is in error, but I just got done with a bunch of 
packet captures that seem to validate this.  I only have one Oreo user in my 
vicinity, so I will need to get my hands on a few more to see if this really is 
an issue, or just bad luck.

Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113

Defeating Android 8.X Captive Portal detection

2017-09-05 Thread Turner, Ryan H
Even though Android is only 7% of our install base, it amounts to 75% of my 
problems...

It 'appears' on first glance that Google has changed the captive portal 
detection on version 8.  It 'appears' (very early into this, so this may 
change) that Google now checks for both a generate_204 on 
connectivitycheck.gstatic.com and a gen_204 on www.google.com.  Why is this a 
problem?

We, as many people do, have an onboarding SSID.  TLS requires proper 
onboarding.  That means that we need to process people through the portal in 
an orderly manner to get them where they need to go.  When Android 8.X detects 
a captive portal, it will prompt the user to 'sign in'.  This process opens a 
pseudo browser (a browser that is limited in what it can do) to the captive 
portal login.  After the user logs in, the user stays inside of the 'pseudo' 
browser.  The browser has limited powers, and apparently will not allow the 
user to download or install an agent or configuration files.  You can see the 
problem...  They will get to the onboarding page, and nothing will work.

I've managed to 'bypass' the problem, but it isn't ideal.  Has anyone else 
seen this with commercial portals and figured out ways around it?

It is possible all of this is in error, but I just got done with a bunch of 
packet captures that seem to validate this.  I only have one Oreo user in my 
vicinity, so I will need to get my hands on a few more to see if this really is 
an issue, or just bad luck.

Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile





RE: Wireless onboarding and security posturing

2017-08-30 Thread Turner, Ryan H
We have been extremely happy with SecureW2.  Outstanding support.  No major 
issues with large amounts of TLS onboardings over several years.  We moved to 
SecureW2 from Cloudpath ES.


Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Wednesday, August 30, 2017 8:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless onboarding and security posturing

A few years ago we worked to move away from NAC (Bradford Campus Manager) to 
802.1X authentication without NAC. We ended up purchasing Aruba ClearPass but 
purchased (& did not use) some OnGuard NAC licenses to appease some management 
that we could deploy NAC if needed. We have not needed that.

We have been onboarding with the deprecated CloudPath Wizard product for 
several years. We are now evaluating onboarding (non-NAC) alternatives. So far 
the best choice appears to be SecureW2 when pricing & features are considered.

I asked about this, since CloudPath ES, like Wizard, has a one-time onboarding 
NAC-like feature. Apparently, SecureW2 had similar features but removed them 
due to non-use. Pricing appears to be much better than Aruba’s offering.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Curtis L. Parish [mailto:curtis.par...@mtsu.edu]
Sent: Tuesday, August 29, 2017 12:08 PM
Subject: Wireless onboarding and security posturing

Greetings

Looking for philosophy (policy?) as well as what products you are using to 
implement your solutions.

Currently we use a NAC agent as a part of our onboarding procedure for Windows 
computers connecting via NAC.  Agents of course add a whole layer of support 
woes to the help desk.  As the percentage (not necessarily number) of Windows 
devices on wireless networks decreases, the effectiveness of deploying an agent 
seems to have decreasing returns.  At the same time, Windows has increased its 
security posture over the years (nagging you to do updates and to turn on the 
firewall and virus protection), and other devices have been added to the mix, 
like IoT, that have little or no protection built in.  Spending so much of our 
time supporting an agent that only protects a decreasing percentage of the 
devices on the network may not be the best policy.  There is the argument that 
Windows devices can cause the most problems, but do we spend the time focused 
on the single-problem solution (Windows agent) as opposed to implementing and 
supporting a more holistic solution that can recognize and respond to threats 
across platforms?


We have talked to universities that run their wireless networks as wide-open 
public access networks and choose only to defend with firewalls.  We, on the 
other end, are more offensive and require user registration, NAC agents and 
MAC registration, along with the separation of the wireless network from the 
campus network.

So, how do you provide and protect your wireless networks?


Curtis


Curtis Parish
 615.494.8861
Senior Network Engineer






RE: [WIRELESS-LAN] EAP-TLS

2017-08-16 Thread Turner, Ryan H
I haven’t heard that.  I’ll forward it on.  I had not seen this reply, so I 
resent my email.  For some reason, I didn’t get a copy of my posting yesterday 
so I thought it had not gone through.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jonathan Waldrep
Sent: Wednesday, August 16, 2017 5:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

> This weekend we will onboard probably 50,000 devices for TLS, and for the 
> most part, it is no longer a huge support issue.  The biggest issues are 
> around Android.  Just about every other operating system works very easily 
> (OSX can be a pain, but that revolves around entering a local admin account 
> password multiple times).  So I would say how big of a problem you will have 
> will be impacted, to some degree, by predominant client count.  Android is 
> less than 10% of our wireless user base, but is over half the support calls.  
> When we switched to SecureW2, this got much better, however.

I like android, but it is definitely the worst of the major platforms to 
correctly onboard. Something interesting that is new to the platform is 
"instant apps". This lets you run a full app from a link, without installing 
the app. Onboarding tools are an excellent use case for this.

No more hitting a captive portal to redirect you to the play store, to go back 
to the web page, click a link that opens the app, blah, blah, blah, forget to 
uninstall the now useless app. (Yes, I know not all the onboarding tools are 
quite that ugly, but they are generally some variant of that). With an instant 
app, you would hit the captive portal, click a link to set up the profile, and 
it would just open the app (which you never had to go to the play store to 
install), and go from there.

So, Ruckus, Aruba, SecureW2, and others, if you are not already looking at 
this, please do. It is only supported on Android 7 (maybe even 7.1) and up, so 
it isn't going to help a lot of people *today*, but it definitely will in the 
future.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech



RE: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

2017-07-25 Thread Turner, Ryan H
Yes, I meant EAP-TTLS with PAP ☺

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba 
Security)
Sent: Tuesday, July 25, 2017 12:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

The problem with this statement:
EAP-PEAP/EAP-TTLS, if properly onboarded, are very secure.  But the 
problem is ‘properly onboarded’.

… is that even having PEAP or EAP-TTLS enabled on the network exposes you to 
risk regardless of the supplicant configuration as anyone can attempt to 
connect using PEAP, putting their creds at risk.

Secure solution = EAP-TLS only.


Also, did you mean EAP-TTLS here? > any institution that is running EAP-TLS 
with PAP



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Turner, Ryan H" 
<rhtur...@email.unc.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, July 25, 2017 at 11:53 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

There are flaws with every mechanism.  We are a long time EAP-TLS shop.

In a university environment, access is rarely a difficult thing.  There are 
many buildings and methods for motivated individuals to get access.  Most of us 
actually provide some level of access to guests, already.  In short, university 
defenses for network access are weak, often by design.  For us, the issue 
really isn’t about access to the network.  It is, however, about access to 
credentials.  With all other ‘normal’ widely adopted methods out there, you are 
setting individuals up to expose their credentials to MitM.  With TLS, even if 
someone exports a cert, all that next person has is network access.  They don’t 
have credentials.

Put another way, any institution that is running EAP-TLS with PAP (using this 
configuration because it is the easiest), I would be willing to make a large 
bet that I could drive to your campus, sit outside your main administrative 
building, and I could have some tasty usernames and passwords in short order.  
It requires no hacking (because I’m not a hacker).  Other methods like PEAP are 
definitely much more difficult, but not outside of the range of a hacker IF the 
client didn’t onboard their device properly.  And many people won’t onboard 
properly with a username/password method because it is easier just to punch 
those in upon connection.

EAP-PEAP/EAP-TTLS, if properly onboarded, are very secure.  But the problem is 
‘properly onboarded’.


Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile





From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Thomas Carter
Sent: Wednesday, July 12, 2017 1:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

Depending on the setup and purpose, the certs could be exported and shared to 
people/devices not intended; it may be assumed that will not happen.
Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba 
Security)
Sent: Wednesday, July 12, 2017 10:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

I’m curious about “…certs may give a false sense of security and identity”. Can 
you elaborate on that?

Tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Thomas Carter 
<tcar...@austincollege.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Wednesday, July 12, 2017 at 11:22 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>

RE: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

2017-07-25 Thread Turner, Ryan H
There are flaws with every mechanism.  We are a long time EAP-TLS shop.

In a university environment, access is rarely a difficult thing.  There are 
many buildings and methods for motivated individuals to get access.  Most of us 
actually provide some level of access to guests, already.  In short, university 
defenses for network access are weak, often by design.  For us, the issue 
really isn’t about access to the network.  It is, however, about access to 
credentials.  With all other ‘normal’ widely adopted methods out there, you are 
setting individuals up to expose their credentials to MitM.  With TLS, even if 
someone exports a cert, all that next person has is network access.  They don’t 
have credentials.

Put another way, any institution that is running EAP-TLS with PAP (using this 
configuration because it is the easiest), I would be willing to make a large 
bet that I could drive to your campus, sit outside your main administrative 
building, and I could have some tasty usernames and passwords in short order.  
It requires no hacking (because I’m not a hacker).  Other methods like PEAP are 
definitely much more difficult, but not outside of the range of a hacker IF the 
client didn’t onboard their device properly.  And many people won’t onboard 
properly with a username/password method because it is easier just to punch 
those in upon connection.

EAP-PEAP/EAP-TTLS, if properly onboarded, are very secure.  But the problem is 
‘properly onboarded’.


Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile





From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Thomas Carter
Sent: Wednesday, July 12, 2017 1:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

Depending on the setup and purpose, the certs could be exported and shared to 
people/devices not intended; it may be assumed that will not happen.
Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba 
Security)
Sent: Wednesday, July 12, 2017 10:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

I’m curious about “…certs may give a false sense of security and identity”. Can 
you elaborate on that?

Tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Thomas Carter
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Date: Wednesday, July 12, 2017 at 11:22 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

We use mac address auth (using Packetfence) for this reason. On-boarding is 
easy (there’s even a mac self-registration portal for devices that don’t 
understand the captive portal on connecting) through a captive portal, and the 
kids are used to captive portals at Starbucks/Target/McDonalds already. We 
formerly used Bradford Networks (long story, but we had some major issues with 
them) using a certificate-based solution, and our opening-of-school support has 
gone from lines out the door of IT to almost nothing. While mac spoofing is a 
thing, EAP/PEAP/certs may give a false sense of security and identity. In a 
past life in the corporate world we did a PEAP solution with locked-down 
certificates, but we tightly controlled all the end-points as well (only 
corporate-owned devices allowed on the corp network).

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tim Tyler
Sent: Tuesday, July 11, 2017 10:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

I think this is an excellent topic that has made me wonder.  Given that so many 
users don’t secure their radius client profile, I have often thought mac 
address authentication might be a better option, but it would require a 
convenient registration method.  If someone uses a man in 

RE: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Turner, Ryan H
I thought about ways to respond to this, but figure simple is better…

Most of those concerns are either easily mitigated with user education, or are 
issues we haven’t experienced.  Since we’ve had eduroam as primary for 2 years 
with hundreds of thousands of devices onboarded and a lot of traveling from our 
international student base, I would figure I would have seen most issues.  The 
biggest issue that we get, and it is rare, is “I was at X university, and I 
couldn’t connect”.  Most of the time it is the other university’s fault, and I 
have to explain that after looking in our logs.

You are putting a lot of weight into ‘theoretical’ concerns, when it is almost 
a guarantee that if a student or faculty member travels to another university, 
they will have to connect to the ‘Guest’ open SSID, of which they will have no 
protection at all.  We have seen it from neighboring institutions, which 
despite running eduroam, have an extremely low adoption rate because people 
just won’t bother to onboard if it isn’t necessary.


Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Friday, April 28, 2017 1:18 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

No matter what direction I come at it, “eduroam” is fundamentally a guest 
network with very little intrinsic value, but with many downsides. As such, I 
would be reluctant to make it our default SSID, and I caution those that use it 
as such to explore its shortcomings.

Why do I say this?

  *   Organization - A university can’t assume and/or guarantee that “eduroam” 
is administered at another campus in the same way that it is at home. There is 
no guarantee of privacy, be it the data collected during 
authentication/authorization, or information being sent/received by the client 
while traversing the other organization’s network. There is no guarantee user 
data won’t be sold, studied, or otherwise used as the organization terminating 
the client’s connection sees fit. eduroam is a name only.
  *   User – Assumption that “eduroam” away from their home campus is the same 
as “eduroam” at another organization. Assumption that there is the same level 
of data security, privacy, or other safeguards/guarantees as provided at home. 
Assumption that the same resources are available. Assumption “eduroam” out in 
the world is superior to connecting to an open network.

Certainly, some of the data privacy pieces could be mitigated by using a 
home-campus VPN while traveling, but now you are creating rules that the 
end-user must remember. These rules become confusing when you are in an area 
with multiple organizations all broadcasting “eduroam”, where to simplify the 
user experience i.e. they can get to the same resources, the default becomes 
using VPN all the time. Once you force the use of a VPN, then is “eduroam” any 
different than using an open/guest network?

I would prefer to see “eduroam” in the same light as say, using Facebook to 
login to other applications i.e. The university advertises that the guest 
wireless SSID supports the “eduroam” authentication service. The visiting 
person connects to your branded guest SSID using their home college credentials 
– understanding that they are bound to your AUP or other local decisions on the 
use of their data. There is no confusion about who owns, administers, or 
otherwise controls the network the client is connected to and no assumptions 
about resource availability.

Jeff


From: "wireless-lan@listserv.educause.edu" on behalf of Marcelo Maraboli
Organization: UC
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Thursday, April 20, 2017 at 2:16 PM
To: "wireless-lan@listserv.educause.edu"
Subject: [WIRELESS-LAN] Eduroam adoption (and migration process)

Hello everyone.

We are finally adopting EduROAM in our University and we currently have one 
SSID with MAC-based authentication, so moving to EduROAM is also an 802.1x 
upgrade for us as well.

Would you be so kind as to respond to a couple of questions?


If you adopted EduROAM as your primary SSID:
- Did you leave an SSID for legacy devices? (What AUTH mechanism for this 
SSID?)
- How did you "force-move" your users to EduROAM from your old SSID?

If you added EduROAM as 

RE: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Turner, Ryan H
Me, too.  You can absolutely require your local users to use EAP-TLS while 
supporting other institutions' ability to use whatever EAP type they like.  
And when your users are abroad, those requirements are still in force.

We only run eduroam as our 802.1x using EAP-TLS and force non-supported devices 
to a ‘branded’ PSK network.  Personally, unless you are in a dense urban area 
where the possibility exists that you’ll connect to another institution's 
eduroam, I never saw the benefit to branding…

In our case, we have a satellite pharmacy school located at another campus that 
isn’t ours (UNC Chapel Hill pharmacy school located at UNC Asheville campus).  
We actually disconnected our access points, allowed UNC Asheville to install 
their access points in our building (that also had UNC Asheville departments), 
and we bridged our two networks L2 VLANs.  If you are a UNC Asheville person, 
you stay on their network.  If your username ends with @unc.edu, they actually 
tunnel the user into our campus vlan that is connected through a copper 
connection in a closet that contains both institutions' equipment.  Really odd 
setup that can lead to some interesting troubleshooting issues, but I have a 
philosophy of solving problems rather than avoiding some complications.


Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Friday, April 28, 2017 10:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

I'm still not sure I follow.

It sounds like, in your current config, you have your constituents use EAP-TLS, 
and cannot use PEAP. Meanwhile your visitors use whatever their home 
institution offers.

If you ran with only the eduroam ESSID, you could run with the same config. 
Your constituents are unable to use PEAP, and must use EAP-TLS home and abroad. 
At the same time, your visitors continue to use whatever their home institution 
offers. This is a viable config.

I understand keeping two ESSIDs for branding though of course. We were lucky as 
we didn't have branded ESSIDs before eduroam either. So it was no loss to move 
to eduroam.

On Fri, Apr 28, 2017 at 09:41 Curtis K. Larsen wrote:
My point is not that eduroam mandates a given EAP type.  My point is that if a 
given EAP type presents a vulnerability to users that will come into my 
institution's property but I allow it anyway so that another institution's 
configuration will be compatible - then I have surrendered a better security 
stance to facilitate that compatibility.  This is because the SSID is the same.

On the other hand, if I have a unique university SSID - I can easily choose the 
EAP type and thus mitigate the vulnerability more fully - this is now easy to 
do with various onboarding tools.  With HS 2.0 the roaming agreements can still 
be in place and we don't care about the SSID.  To me that sounds like the best 
of both worlds.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Cappalli, Tim (Aruba Security)
Sent: Friday, April 28, 2017 3:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

Can you elaborate on this comment?

“whereas with eduroam we were kind of locked-in to the PEAP model.”

Eduroam is EAP agnostic.




On 4/27/17, 10:57 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Curtis K. Larsen" <curtis.k.lar...@utah.edu> wrote:

We also use eduroam and a university SSID and one benefit I've seen is that 
when our CISO decided to deprecate PEAP due to the "fake AP/MITM - exposed 
password" issue and favor EAP-TLS - we could easily control our own destiny 
with our own SSID whereas with eduroam we were kind of locked-in to the PEAP 
model.  Lesser security will often result when universal compatibility is the 
goal.  I mean we could force our own users to use EAP-TLS at home and abroad 
but in my opinion we could not truly say that we've done everything possible to 
mitigate the PEAP vulnerability while still propping up a PEAP SSID org-wide 
even if PEAP only ends up being used by visitors.

We currently offer long-term EAP-TLS connections on our university SSID to 
any guest willing to provide an SMS number (Cloudpath Feature).  It turns out 
that the 

Re: [WIRELESS-LAN] Nyansa Conference Call Poll

2017-02-21 Thread Turner, Ryan H
LOL autocorrect.   No, I won't tinkle about Nyansa. I will talk about them :)

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Feb 21, 2017, at 6:34 PM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:

Sorry I wasn't able to attend. If anyone wants tinkle about our positive 
experience with Nyanja, my contact details are below.

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Feb 21, 2017, at 2:32 PM, Johnston, Ryan <ryan.johns...@depaul.edu> wrote:

Thanks Chuck.  Some folks from DePaul University plan to hop on the call also.


Ryan

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
Sent: Friday, February 17, 2017 7:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Nyansa Conference Call Poll

Good Morning,

The Nyansa conference call will be on Tuesday, 2/21, from 3:00pm to 4:00pm 
Eastern Time.  The bridge number is +1 (712) 770-4700, Access Code 846605.

Thanks,

Chuck

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
Sent: Wednesday, February 15, 2017 5:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Nyansa Conference Call Poll

Sorry folks, but yesterday got away from me. Against all odds, I got a girl to 
marry me, so I have to do something on Valentine’s day to keep her around.

I don’t think there are a lot of days left to do this in the near future.  The 
remainder of this week will be short notice, and a lot of you will be traveling 
for WLPC starting next Wednesday, so I’m only offering times for next Monday and 
Tuesday.  Please respond to the doodle poll at the link below by the end of the 
day tomorrow, 2/16.  The most widely accepted time slot will win.  The bridge 
details appear on the poll page, but I’ll also send them to the list along with 
the winning time slot.  The call will be recorded, so anybody who can’t make it 
live can listen to it later.

Thanks,

Chuck

http://doodle.com/poll/6dvnufgaqb4q9yuy


