RE: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-31 Thread Lee H Badman
Still happens on newer out-of-box devices as well (at least on my new MBP 
before I properly configured it to disable unused EAP types). Can check timers 
when I’m at a place to access the controller.



Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu


Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-31 Thread Jeffrey D. Sessler
Is this something you still see on the client-side, or was it a problem mainly 
with older OS versions that aren’t around now?

What client exclusion timeout are you currently using?

Jeff


RE: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-31 Thread Lee H Badman
Part of it is your EAP type, and whether users are forced to onboard to get 
configured enough to use the WLAN (like w/ TLS). With PEAP/MS-CHAPv2, I’ve seen 
many out of box, un-onboarded client device “auto connect” situations where OS 
X or Windows does figure out what it needs for EAP type, but first tries a 
couple others which fail. These can land the client in the penalty box if 
things are too tight. That’s where it feels broken to otherwise OK clients. Saw 
a lot of this on the default 60 second timer, when the client exclusion 
threshold was 3 strikes and you’re out. We had a long-running feature request 
to stretch 3 failures out to a selectable value (can now go to 10) which does 
make the longer penalty times more palatable and less likely to ensnare 
unconfigured-but-eventually-get-on-OK clients.



-Lee


RE: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-31 Thread Jeffrey D. Sessler
Longer client exclusion times coupled with longer session timeouts mean the 
clients most impacted are the troublesome clients, i.e., it only feels broken 
for the already broken clients.

I use a 60 second exclusion timeout with very long user session timeouts. The 
longer exclusion timeouts are necessary to combat those troubling devices that 
create the equivalent of an auth DoS when they have a bad password or other 
misconfiguration. Seldom have I seen this impact a well-behaved client.

The long session timeouts are a realization that disabling a user is a rare 
thing, so why inundate the RADIUS server every ½ hour, hour, etc. with tens of 
thousands of requests just to see if the user is still OK to be connected? If 
immediate action is necessary, use client exclusion.

Been running the above configuration for some eight years and the helpdesk 
phone is very quiet.

Jeff
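
The trade-off debated in the messages above (failure threshold of 3 versus 10, exclusion time of 60 versus 120 seconds), worked through as an added example that is not from any poster and is not controller code. It is a simplified model: the 5-second retry interval, the three wrong EAP attempts made by the un-onboarded client, and the strike counter resetting when exclusion starts are all assumptions.

```python
"""Simplified model of 802.1X client exclusion (illustration only)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    max_failures: int    # consecutive auth failures before the client is excluded
    exclusion_secs: int  # how long an excluded client is ignored


@dataclass(frozen=True)
class Result:
    radius_requests: int         # attempts that actually reached the RADIUS server
    exclusions: int              # times the client landed in the penalty box
    connected_at: Optional[int]  # second of the first success, None if never


# Effectively "client exclusion disabled": the strike limit is never reached.
NO_EXCLUSION = Policy(max_failures=10**9, exclusion_secs=0)


def simulate(policy, fails_before_success, retry_secs=5, window_secs=3600):
    """Replay one client's retries against an exclusion policy.

    fails_before_success: failed attempts the client makes before it gets the
    EAP type/credentials right (None = bad password, never succeeds).
    Attempts made while excluded are dropped at the controller, never reach
    RADIUS, and (assumption) do not advance the client's EAP negotiation.
    """
    t = 0
    strikes = 0          # consecutive failures counted by the controller
    failed = 0           # failures the client has actually been told about
    reached = 0
    exclusions = 0
    excluded_until = 0
    while t < window_secs:
        if t >= excluded_until:
            reached += 1
            if fails_before_success is not None and failed >= fails_before_success:
                return Result(reached, exclusions, t)
            failed += 1
            strikes += 1
            if strikes >= policy.max_failures:
                exclusions += 1
                excluded_until = t + policy.exclusion_secs
                strikes = 0
        t += retry_secs
    return Result(reached, exclusions, None)


def compare(policies, window_secs=3600):
    """For each policy, contrast a fresh un-onboarded client with a bad-password one."""
    rows = []
    for p in policies:
        fresh = simulate(p, fails_before_success=3, window_secs=window_secs)
        bad = simulate(p, fails_before_success=None, window_secs=window_secs)
        rows.append((p, fresh.connected_at, fresh.exclusions, bad.radius_requests))
    return rows


if __name__ == "__main__":
    candidates = [
        NO_EXCLUSION,
        Policy(3, 60),
        Policy(3, 120),
        Policy(10, 60),
        Policy(10, 120),
    ]
    print("threshold  excl_s  fresh_client_on_at  fresh_excluded  bad_client_radius_req/h")
    for p, on_at, excl, reqs in compare(candidates):
        label = "off" if p is NO_EXCLUSION else str(p.max_failures)
        print(f"{label:>9}  {p.exclusion_secs:>6}  {on_at:>18}  {excl:>14}  {reqs:>23}")
```

Under these assumptions a threshold of 3 delays the fresh client by a full exclusion period, while a threshold of 10 lets it on untouched at the cost of more RADIUS requests from the bad-password client; lengthening the exclusion time claws part of that load back.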


RE: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-31 Thread Lee H Badman
Interesting, hopefully you get some relief. On this document about RADIUS timers
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html
I can’t buy in to Client Exclusion being set to 120 seconds as a rule. Even at 
60 it’s too long and makes the network feel broken. I agree 100% that it needs 
to be used on .1X networks, but with a short enough timer that the helpdesk 
phone doesn’t ring off the hook.

Wondering what value others are using here?

-Lee


RE: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-31 Thread Hector J Rios
BTW, 8.2.161.0 just came out.

-H

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, August 30, 2017 2:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Great information. Thanks, Hector. Now I have some homework too.

-Original Message-
From: Hector J Rios [hr...@lsu.edu]
Received: Wednesday, 30 Aug 2017, 15:41
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Thank you for the good thoughts on the storm. Luckily we are fine.

So far we’ve been told that the issue we experienced was a combination of two 
things: 1) the 8540’s memory queues and buffers reached their maximum capacity. 
This affected both 802.1X and CAPWAP. Thus the AP flapping. 2) RADIUS and EAP 
timers must be EXTRA optimized. I say EXTRA, because we’ve always followed best 
practices and recommendations from TAC.

This is a good document to read: 
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html

Finally, what is most interesting is the fact that even though the 8540 is 
advertised to support 6000 APs and 64000 clients, these numbers do not seem to 
be valid if your environment is mainly 802.1X. So, if your environment is 
mainly 802.1X, and you have an 8540, I would recommend you talk to your Cisco 
SE so they can tell you what the official supported number of APs is. I’ve yet 
to find any official documentation that even hints at this. Miercom performed a 
comparative test in 2015 between Aruba and Cisco, and in the report they did 
test client authentication rate, but only for the Cisco 5520.

https://www.cisco.com/c/dam/en/us/products/collateral/wireless/8540-wireless-controller/miercom-report-wlcs-cisco-aruba.pdf

TAC’s recommendation is for us to use 8.2.160 on the 8540s. We will make all 
necessary config changes and start moving APs in waves of 500 slowly so we can 
watch utilization. Our plan also includes not to exceed the AP capacity of the 
8540s by 50%-60%. If this works, we will have to get an additional pair of 
8540s. I’ll let you know if we are successful.

BTW, we require to have AVC turned on. TAC is very concerned about this. We’ll 
also be watching this.

-Hector

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, August 30, 2017 6:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Hi Hector,

I hope the storm is not causing havoc for you down there- good thoughts to you 
on that.

Did you get anywhere with Cisco on your 8540/8.2.160 problems? I'm being told 
we may need to go that same combination and it doesn't inspire confidence.

Evidently my 8.2.151 (you know... one of those STABLE code versions) may be a 
time bomb that caused a spontaneous 8540 reboot. The comment was made that our 
3300 APs on a platform that supposedly supports 6000 somehow equals a dense 
deployment and that we likely are hitting:

___
Regarding the logs, I was able to check the logs, and yes, it seems your 
deployment is a high-density deployment with over 3000 APs.

Based on your deployment and the logs I was able to identify this

It seems the WLC is having load process utilization on the task SpamReceive 
Task and HAConfigSyncTask.

spamApTask15992   ( 53/ 78)0 (  0/  0)%  30   22
 spamApTask05991   ( 72/ 70)0 (  0/  0)%  305
 spamReceiveTask5990   ( 52/ 78)0 (  0/  0)%  990
 spamSocketTask 5989   (175/ 32)0 (  0/  0)%   0   13
 HAPeerToPeerCommTa 5988   ( 90/ 64)0 (  0/  0)%   07
 rmgrPing   5987   ( 80/ 67)0 (  0/  0)%   0   13

HAConfigSyncTask   6204   (240/  7)0 (  0/  0)%  993
​
Based on the symptoms, the WLC version and your WLC density. You may be hitting 
bug.

CSCvd20251 - Data Plane stopped working on Cisco 5508 WLC running 8.0.140.0
<https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvd20251/?reffering_site=dumpcr>
___
I hope to have confirmation today. I can't imagine what Cisco could have done 
between .151 and .6 to make this sort of thing better, and I am really 
interested in whether they isolated your own .160 problems. There is no way in 
hell I'm moving to that version without seeing case notes on every single issue 
people are having in this continual cycle of trading one set of bugs for 
another.

This game just isn't fun anymore.

Thanks-





RE: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-30 Thread Lee H Badman
Great information. Thanks, Hector. Now I have some homework too.

interested in whether they isolated your own .160 problems. There is no way in 
hell I'm moving to that version without seeing case notes on every single issue 
people are having in this continual cycle of trading one set of bugs for 
another.

This game just isn't fun anymore.

Thanks-




Lee Badman | Network Architect | CWNE #200
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Hector J Rios <hr...@lsu.edu<mailto:hr...@lsu.edu>>
Sent: Friday, August 25, 2017 3:11 PM
To:

Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-27 Thread Cappalli, Tim (Aruba Security)
ClearPass will auto-generate an internal WebAuth request by default after a 
device registration.

Create a service to accept this request and issue a disconnect message to the 
controller to force a reauthentication.

See these screenshots for the service config, it’s very basic. You only need 
the enforcement profiles for the NADs you’re using.

http://aruba.i.lithium.com/t5/image/serverpage/image-id/30944iE5F3B1A85398D84E/image-size/large?v=1.0=999

http://aruba.i.lithium.com/t5/image/serverpage/image-id/30943i73208ADC98FF1301/image-size/large?v=1.0=999



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Sweetser, Frank E" 
<f...@wpi.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Sunday, August 27, 2017 at 2:32 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?


The canonical answer is to set up Clearpass to do a RADIUS COA to proactively 
change the device role when its registration status gets updated.  That way it 
should happen pretty much immediately, rather than having to wait for a timeout.


Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - 
HL Mencken


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Davis <da...@udel.edu>
Sent: Sunday, August 27, 2017 9:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Thanks.. I believe it turned out to be devices sticking in the "preauth" role 
that were not yet registered.  The commonality of all the epsons focused on them 
instead of the issue.  Their defensive IP policy must have been triggered by the 
locked down role.

Does anyone know offhand, how to ageout devices quickly from a preauth role 
that's not the default system preauth role.

thanks
mike

On 8/26/17 4:05 PM, Michael Dickson wrote:
Just a thought but do you have multiple helper addresses configured for that 
vlan/subnet? I'm wondering if maybe the printers aren't expecting that. Another 
random thought, if they're not broadcasting for a lease because they require a 
static could they have maybe all self-assigned themselves the same IP and are 
discovering each other over L2?

Good luck. We're pretty much going down the same CPPM/Airgroup path right now.

Mike

Michael Dickson
Network Engineer
Information Technology
University of Massachusetts Amherst
413-545-9639
michael.dick...@umass.edu<mailto:michael.dick...@umass.edu>
PGP: 0x16777D39

On Aug 26, 2017, at 3:18 PM, Michael Davis 
<da...@udel.edu<mailto:da...@udel.edu>> wrote:
First Semester supporting mDNS in production with Aruba Clearpass Airgroup.

Almost every Epson XP series printer is complaining of duplicate IP addresses
which of course is not the case.  Anyone see anything similar?  There are a few
older web searches about Epson's requiring a static IP, which isn't an option 
right now unfortunately.

Only Freshmen moving in today (~5K), the bulk (~20K) will arrive tomorrow and
throughout the week.

ArubaOS 6.5.3.2
CPPM 6.6.7.96909
Four 7240 controllers
~3200 APs
Three primary SSIDs: eduroam, Devices, Guest (clearpass)


thanks
mike

On 8/25/17 9:22 AM, Lee H Badman wrote:
It might be beneficial to share notes in case other schools are hitting common 
problems. I’m wondering how everyone who is in the thick of it is faring with 
back-to-school?

On this end, we are doing OK halfway to our expected total daily peak clients 
(we’re at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester
· Running 8.2.151 on our 8540s
· Significant quantities of Wave 2 APs
· ISE as RADIUS (only, no NAC, no onboarding)

No changes to:
· our guest WLAN (Clearpass/an Aruba controller pair)
· onboarding (Cloudpath Wiz)
· overall topology
· open network in dorms for gadgets
· non-use of AVC, it crapped out and never got solved after hundreds of 
hours with TAC

Fears:
· We haven’t yet hit the scale that will reveal problems with any of 
the newer stuff listed above

Anyone else care to share?

-Lee


Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w 
its.syr.edu<http://its.syr.edu>
SYRACUSE UNIVERSITY
syr.edu<http://syr.edu>



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be foun

Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-27 Thread Sweetser, Frank E
The canonical answer is to set up Clearpass to do a RADIUS COA to proactively 
change the device role when its registration status gets updated.  That way it 
should happen pretty much immediately, rather than having to wait for a timeout.


Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - 
HL Mencken



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Davis <da...@udel.edu>
Sent: Sunday, August 27, 2017 9:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Thanks.. I believe it turned out to be devices sticking in the "preauth" role 
that were not yet registered.  The commonality of all the epsons focused on them 
instead of the issue.  Their defensive IP policy must have been triggered by the 
locked down role.

Does anyone know offhand, how to ageout devices quickly from a preauth role 
that's not the default system preauth role.

thanks
mike

On 8/26/17 4:05 PM, Michael Dickson wrote:
Just a thought but do you have multiple helper addresses configured for that 
vlan/subnet? I'm wondering if maybe the printers aren't expecting that. Another 
random thought, if they're not broadcasting for a lease because they require a 
static could they have maybe all self-assigned themselves the same IP and are 
discovering each other over L2?

Good luck. We're pretty much going down the same CPPM/Airgroup path right now.

Mike

Michael Dickson
Network Engineer
Information Technology
University of Massachusetts Amherst
413-545-9639
michael.dick...@umass.edu<mailto:michael.dick...@umass.edu>
PGP: 0x16777D39

On Aug 26, 2017, at 3:18 PM, Michael Davis 
<da...@udel.edu<mailto:da...@udel.edu>> wrote:

First Semester supporting mDNS in production with Aruba Clearpass Airgroup.

Almost every Epson XP series printer is complaining of duplicate IP addresses
which of course is not the case.  Anyone see anything similar?  There are a few
older web searches about Epson's requiring a static IP, which isn't an option 
right now unfortunately.

Only Freshmen moving in today (~5K), the bulk (~20K) will arrive tomorrow and
throughout the week.

ArubaOS 6.5.3.2
CPPM 6.6.7.96909
Four 7240 controllers
~3200 APs
Three primary SSIDs: eduroam, Devices, Guest (clearpass)


thanks
mike

On 8/25/17 9:22 AM, Lee H Badman wrote:
It might be beneficial to share notes in case other schools are hitting common 
problems. I’m wondering how everyone who is in the thick of it is faring with 
back-to-school?

On this end, we are doing OK halfway to our expected total daily peak clients 
(we’re at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester

  *   Running 8.2.151 on our 8540s
  *   Significant quantities of Wave 2 APs
  *   ISE as RADIUS (only, no NAC, no onboarding)


No changes to:

  *   our guest WLAN (Clearpass/an Aruba controller pair)
  *   onboarding (Cloudpath Wiz)
  *   overall topology
  *   open network in dorms for gadgets
  *   non-use of AVC, it crapped out and never got solved after hundreds of 
hours with TAC


Fears:

  *   We haven’t yet hit the scale that will reveal problems with any of the 
newer stuff listed above


Anyone else care to share?

-Lee


Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w 
its.syr.edu<http://its.syr.edu>
SYRACUSE UNIVERSITY
syr.edu<http://syr.edu>



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
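
The disconnect message and RADIUS CoA that Tim Cappalli and Frank Sweetser describe in the messages above are RFC 5176 Dynamic Authorization packets. The Python below is an added example (not from the thread, and not ClearPass or controller code) that builds a Disconnect-Request and runs the checks a NAS applies before acting on one; the shared secret, MAC address, timestamps and the policy of requiring Event-Timestamp are constructed assumptions.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the RADIUS attribute types used here.
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
CALLING_STATION_ID = 31   # client MAC address (RFC 2865)
EVENT_TIMESTAMP = 55      # seconds since the epoch (RFC 2869)
REPLAY_WINDOW = 300       # seconds; assumed local policy for this example
HEADER_LEN = 20           # code(1) + id(1) + length(2) + authenticator(16)


def _attr(attr_type, value):
    """Encode one type-length-value attribute."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _authenticator(header, attrs, secret):
    """Request Authenticator: MD5 over header, 16 zero octets, attrs, secret."""
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_request(code, identifier, secret, client_mac, now):
    """Policy-server side: build a Disconnect- or CoA-Request for one client."""
    attrs = _attr(CALLING_STATION_ID, client_mac.encode("ascii"))
    attrs += _attr(EVENT_TIMESTAMP, struct.pack("!I", now))
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return header + _authenticator(header, attrs, secret) + attrs


def parse_attrs(data):
    """Split the attribute area into {type: value}; reject bad lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[i], data[i + 1]
        if attr_len < 2 or i + attr_len > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[i + 2:i + attr_len]
        i += attr_len
    return attrs


def validate_request(packet, secret, now):
    """NAS side: return (accepted, reason) for a received request."""
    if len(packet) < HEADER_LEN:
        return False, "short packet"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False, "unexpected code"
    if length < HEADER_LEN or length > len(packet):
        return False, "malformed length"
    attrs_raw = packet[HEADER_LEN:length]
    expected = _authenticator(packet[:4], attrs_raw, secret)
    # Constant-time compare; a mismatch means wrong secret or altered packet.
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return False, "bad authenticator"
    try:
        attrs = parse_attrs(attrs_raw)
    except ValueError:
        return False, "malformed attributes"
    stamp = attrs.get(EVENT_TIMESTAMP)
    if stamp is None or len(stamp) != 4:
        return False, "missing Event-Timestamp"
    if abs(now - struct.unpack("!I", stamp)[0]) > REPLAY_WINDOW:
        return False, "stale Event-Timestamp"
    if CALLING_STATION_ID not in attrs:
        return False, "no session identification"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample value
    sent_at = 1503850000                       # constructed timestamp
    pkt = build_request(DISCONNECT_REQUEST, 7, secret,
                        "AA-BB-CC-DD-EE-FF", sent_at)
    print(validate_request(pkt, secret, sent_at + 5))
    print(validate_request(pkt, b"wrong-secret", sent_at + 5))
    print(validate_request(pkt, secret, sent_at + 3600))
```

The NAS must also be configured to accept these requests only from the policy server's address, since the authenticator is only as strong as the shared secret.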





Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-27 Thread Michael Davis
Thanks.. I believe it turned out to be devices sticking in the "preauth" role 
that were not yet registered.  The commonality of all the epsons focused on them 
instead of the issue.  Their defensive IP policy must have been triggered by the 
locked down role.

Does anyone know offhand, how to ageout devices quickly from a preauth role 
that's not the default system preauth role.

thanks
mike

On 8/26/17 4:05 PM, Michael Dickson wrote:
Just a thought but do you have multiple helper addresses configured 
for that vlan/subnet? I'm wondering if maybe the printers aren't 
expecting that. Another random thought, if they're not broadcasting 
for a lease because they require a static could they have maybe all 
self-assigned themselves the same IP and are discovering each other 
over L2?


Good luck. We're pretty much going down the same CPPM/Airgroup path 
right now.


Mike

Michael Dickson
Network Engineer
Information Technology
University of Massachusetts Amherst
413-545-9639 
michael.dick...@umass.edu 
PGP: 0x16777D39

On Aug 26, 2017, at 3:18 PM, Michael Davis > wrote:


First Semester supporting mDNS in production with Aruba Clearpass 
Airgroup.


Almost every Epson XP series printer is complaining of duplicate IP addresses
which of course is not the case.  Anyone see anything similar?  There are a few
older web searches about Epson's requiring a static IP, which isn't an option 
right now unfortunately.

Only Freshmen moving in today (~5K), the bulk (~20K) will arrive tomorrow and
throughout the week.

ArubaOS 6.5.3.2
CPPM 6.6.7.96909
Four 7240 controllers
~3200 APs
Three primary SSIDs: eduroam, Devices, Guest (clearpass)


thanks
mike

On 8/25/17 9:22 AM, Lee H Badman wrote:
It might be beneficial to share notes in case other schools are 
hitting common problems. I’m wondering how everyone who is in the 
thick of it is faring with back-to-school?
On this end, we are doing OK halfway to our expected total daily 
peak clients (we’re at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester

  * Running 8.2.151 on our 8540s
  * Significant quantities of Wave 2 APs
  * ISE as RADIUS (only, no NAC, no onboarding)

No changes to:

  * our guest WLAN (Clearpass/an Aruba controller pair)
  * onboarding (Cloudpath Wiz)
  * overall topology
  * open network in dorms for gadgets
  * non-use of AVC, it crapped out and never got solved after
hundreds of hours with TAC

Fears:

  * We haven’t yet hit the scale that will reveal problems with any
of the newer stuff listed above

Anyone else care to share?
-Lee
*Lee Badman*| Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
*t* 315.443.3003 *f* 315.443.4325 *e* _lhbadman@syr.edu_ 
 *w* its.syr.edu 

*SYRACUSE UNIVERSITY
*syr.edu 



Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-26 Thread Michael Dickson
Just a thought but do you have multiple helper addresses configured for that 
vlan/subnet? I'm wondering if maybe the printers aren't expecting that. Another 
random thought, if they're not broadcasting for a lease because they require a 
static could they have maybe all self-assigned themselves the same IP and are 
discovering each other over L2?

Good luck. We're pretty much going down the same CPPM/Airgroup path right now. 

Mike

Michael Dickson
Network Engineer
Information Technology
University of Massachusetts Amherst
413-545-9639
michael.dick...@umass.edu
PGP: 0x16777D39

> On Aug 26, 2017, at 3:18 PM, Michael Davis  wrote:
> 
> First Semester supporting mDNS in production with Aruba Clearpass Airgroup.
> 
> Almost every Epson XP series printer is complaining of duplicate IP addresses
> which of course is not the case.  Anyone see anything similar?  There are a 
> few older web searches about Epson's requiring a static IP, which isn't an 
> option right now unfortunately.
> 
> Only Freshmen moving in today (~5K), the bulk (~20K) will arrive tomorrow and
> throughout the week.
> 
> ArubaOS 6.5.3.2
> CPPM 6.6.7.96909  
> Four 7240 controllers
> ~3200 APs
> Three primary SSIDs: eduroam, Devices, Guest (clearpass)
> 
> 
> thanks
> mike
> 
>> On 8/25/17 9:22 AM, Lee H Badman wrote:
>> It might be beneficial to share notes in case other schools are hitting 
>> common problems. I’m wondering how everyone who is in the thick of it is 
>> faring with back-to-school?
>>  
>> On this end, we are doing OK halfway to our expected total daily peak 
>> clients (we’re at 15K now high water mark).
>>  
>> Our significant WLAN-related changes since end of Spring semester
>> Running 8.2.151 on our 8540s
>> Significant quantities of Wave 2 APs
>> ISE as RADIUS (only, no NAC, no onboarding)
>>  
>> No changes to:
>> our guest WLAN (Clearpass/an Aruba controller pair)
>> onboarding (Cloudpath Wiz)
>> overall topology
>> open network in dorms for gadgets
>> non-use of AVC, it crapped out and never got solved after hundreds of hours 
>> with TAC
>>  
>> Fears:
>> We haven’t yet hit the scale that will reveal problems with any of the newer 
>> stuff listed above
>>  
>> Anyone else care to share?
>>  
>> -Lee
>>  
>>  
>> Lee Badman | Network Architect 
>> 
>> Certified Wireless Network Expert (#200)
>> Information Technology Services
>> 206 Machinery Hall
>> 120 Smith Drive
>> Syracuse, New York 13244
>> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
>> SYRACUSE UNIVERSITY
>> syr.edu
>>  
>>  
>>  



Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-26 Thread Michael Davis

First Semester supporting mDNS in production with Aruba Clearpass Airgroup.

Almost every Epson XP series printer is complaining of duplicate IP addresses
which of course is not the case.  Anyone see anything similar? There are a few
older web searches about Epson's requiring a static IP, which isn't an option 
right now unfortunately.

Only Freshmen moving in today (~5K), the bulk (~20K) will arrive tomorrow and
throughout the week.

ArubaOS 6.5.3.2
CPPM 6.6.7.96909
Four 7240 controllers
~3200 APs
Three primary SSIDs: eduroam, Devices, Guest (clearpass)


thanks
mike

On 8/25/17 9:22 AM, Lee H Badman wrote:
It might be beneficial to share notes in case other schools are 
hitting common problems. I’m wondering how everyone who is in the 
thick of it is faring with back-to-school?
On this end, we are doing OK halfway to our expected total daily peak 
clients (we’re at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester

  * Running 8.2.151 on our 8540s
  * Significant quantities of Wave 2 APs
  * ISE as RADIUS (only, no NAC, no onboarding)

No changes to:

  * our guest WLAN (Clearpass/an Aruba controller pair)
  * onboarding (Cloudpath Wiz)
  * overall topology
  * open network in dorms for gadgets
  * non-use of AVC, it crapped out and never got solved after hundreds
of hours with TAC

Fears:

  * We haven’t yet hit the scale that will reveal problems with any of
the newer stuff listed above

Anyone else care to share?
-Lee
*Lee Badman*| Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
*t* 315.443.3003 *f* 315.443.4325 *e* _lhbadman@syr.edu_ 
 *w* its.syr.edu

*SYRACUSE UNIVERSITY
*syr.edu



Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-25 Thread Davis, Kevin
Thanks for the thread all, this is helpful.

Interesting to hear of declines in clients/bandwidth in some cases. Crazy 
speculation -- with all four Tier 1 carriers offering unlimited, and the Gen Z 
supposed proclivity for mobile over traditional computing, I wonder if we will 
start to see more cellular first or only use from low intensity or low demand 
users. I suspect we will though I don't think that would account for 20% drop 
levels this quickly.

--
Kevin Davis
Deputy CIO, Davidson College
sent from mobile device

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Bucklaew, Jerry 
<j...@buffalo.edu>
Sent: Friday, August 25, 2017 1:29:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

To ALL:


  I think it might be a bit early to report in, our students come back this 
weekend.  This time of year is normally like a “frog in the pot”, every day for 
the next two weeks our counts just keep slowly getting higher and higher.  We 
will see where it ends.



We are an aruba shop with roughly 6,000 access points, we are peaking about 
15,000 clients.  We would expect about 30k so about half way there.  Aruba 
controller code 6.5.2.1, we also have airwave, and clearpass.

This year we completed our Dorm AP install and have about 3,000 205h and 303h 
installed, roughly every other room.  We also have the wired side all connected 
through the controllers to provide the same “experience”.   We started 
converting the campus wired to 802.1x or mac  auth also with about 10 buildings 
done.   We have eduroam, our own 802.1x and a mac auth SSID.  We support guest 
and even allow facebook logins.

We have seen two issues so far,



1.   We have seen the aruba 3xx bug where 5ghz utilization is high if you 
have arm scanning enabled.  We disabled Arm scanning for now.

2.   We have seen clearpass deadlock issues (FDB and replication errors) 
based on the endpoint updates we do.  We have spent all week working on 
removing unnecessary updates to see if it will help.  So far so good.



Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-25 Thread Jeffrey D. Sessler
James, that’s 600Mbps for the building. LOL!

That said, on all of our 11ac WAPs including the Cisco 3800-series, even in our 
dense areas, the AP’s are auto-picking 80MHz channel-width. From the client 
stats, many of them are at a tx: rate of 867 to 1300  in the residential halls.

Clients are mostly Apple, and mostly 11ac-capable. My 1st-gen Macbook Pro 
touch easily does 600Mbps against the 3800-series.

Last year I only had one building on the 3800-series and when compared to a 
similar building using the 3700-series, the 3800-residential hall was 10-30x 
the amount of traffic. I’m seeing similar performance in four others updated to 
the 3800-series this summer. Everything else being equal, the 3800-series 
appear to offer a new level of performance over last generation. I suspect it 
has a lot to do with the new OS underpinning them.

As for the traffic, it’s a general mix of everything you expect to see in a 
residential hall, but given most of the streaming services adjust based on 
available bandwidth, it looks like most are now getting the highest bit rates 
possible.

Jeff

From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of James Andrewartha <jandrewar...@ccgs.wa.edu.au>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, August 25, 2017 at 8:47 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

600Mbps on a single AP is impressive, is that with a 40MHz or 80MHz channel? 
What sort of client mix is generating that much traffic?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Jeffrey D. Sessler" 
<j...@scrippscollege.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, 25 August 2017 at 11:00 pm
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Pair of 8540’s running 8.2.160
About half of all WAPs are now 2800/3800. 3800’s on multi-gig
20Gb Internet connection

3800-series equipped 110-bed residence hall, partially filled with a few early 
arrivals, already seeing peaks at over 600Mbps.

No observed problems yet, but our first-years just arrived and returning 
students are due soon.

Interesting stats:
#1 - 70% of devices are Apple, 90% of traffic. On the 1st day our 330 
first-years arrived they did over 12TB of traffic.

Jeff


From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "lhbad...@syr.edu" <lhbad...@syr.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, August 25, 2017 at 6:22 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

It might be beneficial to share notes in case other schools are hitting common 
problems. I’m wondering how everyone who is in the thick of it is faring with 
back-to-school?

On this end, we are doing OK halfway to our expected total daily peak clients 
(we’re at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester

  *   Running 8.2.151 on our 8540s
  *   Significant quantities of Wave 2 APs
  *   ISE as RADIUS (only, no NAC, no onboarding)

No changes to:

  *   our guest WLAN (Clearpass/an Aruba controller pair)
  *   onboarding (Cloudpath Wiz)
  *   overall topology
  *   open network in dorms for gadgets
  *   non-use of AVC, it crapped out and never got solved after hundreds of 
hours with TAC

Fears:

  *   We haven’t yet hit the scale that will reveal problems with any of the 
newer stuff listed above

Anyone else care to share?

-Lee


Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu<mailto:lhbad...@syr.edu> w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-25 Thread John Rodkey
Westmont is a much smaller school than most of yours, with 1200 students on
campus. 280 Meraki access points connected to 65 switches scattered in 58
buildings on about 60 acres of campus.
Yesterday about 400 first year students arrived along with a couple hundred
returning student volunteers for orientation, faculty, staff, and their
parents. We had just shy of 3000 unique clients on the network.
So far, only three reports of wireless problems have come in - but one
refers to essentially all the rooms in a new dorm which is being occupied
despite only barely being finished.  The wireless signal has not been tuned
there yet, and signal levels are low in the rooms.
In the past year we had struggled with reports of devices connecting to
newer access points even if they are more distant than older, nearer APs.
In order to ameliorate this, over the summer we 'homogenized' buildings,
grouping all 802.11N devices separate from 802.11AC .  We'll see how that
affects things.
Our radios are a mix of MR14, MR18, MR33, MR34, MR53, MR58, with the
majority MR14s, which are nearing end of service.

John Rodkey
Director of Servers and Networks
Westmont College, Santa Barbara, CA

On Fri, Aug 25, 2017 at 8:15 AM, Ian Lyons <ily...@rollins.edu> wrote:

> Good Morning
>
>
>
> Big changes from last year, we moved to Aruba
>
> We braced for the onslaught :) armed with
>
>
>
>- 7210 Master Controller
>- 2 7240’s for Local controllers (handling the traffic)
>
>
>
>- Airwave for monitoring
>- Clearpass for Authentication (HA active pair)
>
>
>
>- We have 3 networks
>
> o   802.1x
>
> o   Guest
>
> o   Misc-Device – IOT, TV, Apple TV, Chromecast etc  -and coffee
> pots…cannot forget the coffee pots
>
>
>
>
>
> So far, as we just finished installing the 1200 aps’, we are ~800 303h’s
> (1 in each dorm room) and ~500 325 Ap’s.
>
>
>
> To make things more interesting, we also upgraded our core from 1 gb to
> pure 10gb and changed our Firewall to the Cisco FTD platform.
>
>
>
> So we truly have no benchmarking from last year but a lot of
> expectations!  LOL
>
>
>
> So far, the students are connecting quickly, successfully and getting to
> their movies online.  Which I call success!
>
>
>
> Ian Lyons
>
> Rollins College
>
> Network Engineer
>
> ily...@rollins.edu
>
>
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jeffrey D. Sessler
> *Sent:* Friday, August 25, 2017 11:01 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?
>
>
>
> Pair of 8540’s running 8.2.160
>
> About half of all WAPs are now 2800/3800. 3800’s on multi-gig
>
> 20Gb Internet connection
>
>
>
> 3800-series equipped 110-bed residence hall, partially filled with a few
> early arrivals, already seeing peaks at over 600Mbps.
>
>
>
> No observed problems yet, but our first-years just arrived and returning
> students are due soon.
>
>
>
> Interesting stats:
>
> #1 - 70% of devices are Apple, 90% of traffic. On the 1st day our 330
> first-years arrived they did over 12TB of traffic.
>
>
>
> Jeff
>
>
>
>
>
> *From: *"wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> on behalf of "lhbad...@syr.edu" <lhbad...@syr.edu>
> *Reply-To: *"wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Friday, August 25, 2017 at 6:22 AM
> *To: *"wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *[WIRELESS-LAN] Move In/Opening Week- Any Problems?
>
>
>
> It might be beneficial to share notes in case other schools are hitting
> common problems. I’m wondering how everyone who is in the thick of it is
> faring with back-to-school?
>
>
>
> On this end, we are doing OK halfway to our expected total daily peak
> clients (we’re at 15K now high water mark).
>
>
>
> Our significant WLAN-related changes since end of Spring semester
>
> · Running 8.2.151 on our 8540s
>
> · Significant quantities of Wave 2 APs
>
> · ISE as RADIUS (only, no NAC, no onboarding)
>
>
>
> No changes to:
>
> · our guest WLAN (Clearpass/an Aruba controller pair)
>
> · onboarding (Cloudpath Wiz)
>
> · overall topology
>
> · open network in dorms for gadgets
>
> · non-use of AVC, it crapped out and never got solved after
> hundreds of hours with TAC
>
>
>
> Fears:
>
> ·  

Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-25 Thread James Andrewartha
600Mbps on a single AP is impressive, is that with a 40MHz or 80MHz channel? 
What sort of client mix is generating that much traffic?

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Jeffrey D. Sessler" 
<j...@scrippscollege.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, 25 August 2017 at 11:00 pm
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Pair of 8540’s running 8.2.160
About half of all WAPs are now 2800/3800. 3800’s on multi-gig
20Gb Internet connection

3800-series equipped 110-bed residence hall, partially filled with a few early 
arrivals, already seeing peaks at over 600Mbps.

No observed problems yet, but our first-years just arrived and returning 
students are due soon.

Interesting stats:
#1 - 70% of devices are Apple, 90% of traffic. On the 1st day our 330 
first-years arrived they did over 12TB of traffic.

Jeff


From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "lhbad...@syr.edu" <lhbad...@syr.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, August 25, 2017 at 6:22 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

It might be beneficial to share notes in case other schools are hitting common 
problems. I’m wondering how everyone who is in the thick of it is faring with 
back-to-school?

On this end, we are doing OK halfway to our expected total daily peak clients 
(we’re at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester
· Running 8.2.151 on our 8540s
· Significant quantities of Wave 2 APs
· ISE as RADIUS (only, no NAC, no onboarding)

No changes to:
· our guest WLAN (Clearpass/an Aruba controller pair)
· onboarding (Cloudpath Wiz)
· overall topology
· open network in dorms for gadgets
· non-use of AVC, it crapped out and never got solved after hundreds of 
hours with TAC

Fears:
· We haven’t yet hit the scale that will reveal problems with any of 
the newer stuff listed above

Anyone else care to share?

-Lee


Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



RE: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-25 Thread Ian Lyons
Good Morning

Big changes from last year, we moved to Aruba
We braced for the onslaught ☺ armed with

  *   7210 Master Controller
  *   2 7240’s for Local controllers (handling the traffic)
  *   Airwave for monitoring
  *   Clearpass for Authentication (HA active pair)
  *   We have 3 networks
      o   802.1x
      o   Guest
      o   Misc-Device – IOT, TV, Apple TV, Chromecast etc. - and coffee pots… cannot 
          forget the coffee pots


So far, as we just finished installing the 1200 APs, we are ~800 303h’s (1 in 
each dorm room) and ~500 325 APs.

To make things more interesting, we also upgraded our core from 1 gb to pure 
10gb and changed our Firewall to the Cisco FTD platform.

So we truly have no benchmarking from last year but a lot of expectations!  LOL

So far, the students are connecting quickly, successfully and getting to their 
movies online.  Which I call success!

Ian Lyons
Rollins College
Network Engineer
ily...@rollins.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Friday, August 25, 2017 11:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Pair of 8540’s running 8.2.160
About half of all WAPs are now 2800/3800. 3800’s on multi-gig
20Gb Internet connection

3800-series equipped 110-bed residence hall, partially filled with a few early 
arrivals, already seeing peaks at over 600Mbps.

No observed problems yet, but our first-years just arrived and returning 
students are due soon.

Interesting stats:
#1 - 70% of devices are Apple, 90% of traffic. On the 1st day our 330 
first-years arrived they did over 12TB of traffic.

Jeff


From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "lhbad...@syr.edu" <lhbad...@syr.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, August 25, 2017 at 6:22 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

It might be beneficial to share notes in case other schools are hitting common 
problems. I’m wondering how everyone who is in the thick of it is faring with 
back-to-school?

On this end, we are doing OK halfway to our expected total daily peak clients 
(we’re at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester
· Running 8.2.151 on our 8540s
· Significant quantities of Wave 2 APs
· ISE as RADIUS (only, no NAC, no onboarding)

No changes to:
· our guest WLAN (Clearpass/an Aruba controller pair)
· onboarding (Cloudpath Wiz)
· overall topology
· open network in dorms for gadgets
· non-use of AVC, it crapped out and never got solved after hundreds of 
hours with TAC

Fears:
· We haven’t yet hit the scale that will reveal problems with any of 
the newer stuff listed above

Anyone else care to share?

-Lee


Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-25 Thread Jeffrey D. Sessler
Pair of 8540’s running 8.2.160
About half of all WAPs are now 2800/3800. 3800’s on multi-gig
20Gb Internet connection

3800-series equipped 110-bed residence hall, partially filled with a few early 
arrivals, already seeing peaks at over 600Mbps.

No observed problems yet, but our first-years just arrived and returning 
students are due soon.

Interesting stats:
#1 - 70% of devices are Apple, 90% of traffic. On the 1st day our 330 
first-years arrived they did over 12TB of traffic.

Jeff


From: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "lhbad...@syr.edu" <lhbad...@syr.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, August 25, 2017 at 6:22 AM
To: "wireless-lan@listserv.educause.edu" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

It might be beneficial to share notes in case other schools are hitting common 
problems. I’m wondering how everyone who is in the thick of it is faring with 
back-to-school?

On this end, we are doing OK halfway to our expected total daily peak clients 
(we’re at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester
· Running 8.2.151 on our 8540s
· Significant quantities of Wave 2 APs
· ISE as RADIUS (only, no NAC, no onboarding)

No changes to:
· our guest WLAN (Clearpass/an Aruba controller pair)
· onboarding (Cloudpath Wiz)
· overall topology
· open network in dorms for gadgets
· non-use of AVC, it crapped out and never got solved after hundreds of 
hours with TAC

Fears:
· We haven’t yet hit the scale that will reveal problems with any of 
the newer stuff listed above

Anyone else care to share?

-Lee


Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-25 Thread Jason Watts
That’s more than nothing, thanks.

Jason Watts | Senior Network Administrator

PRATT INSTITUTE
Academic Computing




> On Aug 25, 2017, at 10:19 AM, Lee H Badman <lhbad...@syr.edu> wrote:
> 
> I can only preface it as 3rd hand info:
>  
> 8540s on 8.2.160, some unidentified condition making the APs flap once a 
> certain load of clients was reached. Beyond that, I can’t say much.
> Lee Badman | Network Architect 
> 
> Certified Wireless Network Expert (#200)
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> 
> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
> SYRACUSE UNIVERSITY
> syr.edu
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Watts
> Sent: Friday, August 25, 2017 10:11 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?
>  
> Lee,
>  
> Without identifying the school can you give any more detail about what sort 
> of catastrophic issues they are having? What controllers/APs? We just moved 
> to 8.2.160.0 on 5520s and I haven’t noticed anything yet that I would deem 
> catastrophic. We are on a mix of 2802i, 3502i, 1142n APs.
>  
> Jason Watts | Senior Network Administrator
>  
> PRATT INSTITUTE
> Academic Computing
>  
>  
>  
> On Aug 25, 2017, at 9:56 AM, Lee H Badman <lhbad...@syr.edu> wrote:
>  
> Not that I advocate it, but there are incredibly easy ways to shut down the 
> wireless side of the printers if you chose to. That’s all I’m saying.
>  
> I have heard in private that another school is having catastrophic issues 
> with 8.2.160.0, so this may emerge as one to watch closer.
> Thanks for sharing- this sort of information is valuable as we all go through 
> this rather unique exercise.
> 
>  
> 
> -Lee
> 
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of T. Shayne Ghere
> Sent: Friday, August 25, 2017 9:42 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?
>  
> Here’s our setup
>  
> Running 8.2.160.0 on a pair of 8540 in HA mode
> 796 1810w
> 472 3802i
> Mix of 1142, 702 totaling 220 that will soon be replaced with 3802i
> Total AP’s will be close to 2015 when new wiring is pulled
>  
> Home grown registration for one SSID that’s used for devices that won’t work 
> on secure or web-auth networks
>  
> I’m running Flexconnect on the wireless along with an Rlan for the wired 
> ports for the 1810w’s (dorms) and local switching where applicable.
>  
> So far, we have identified 5 bugs with the 160.0 code which Cisco is working 
> on.  They aren’t service impacting but more of a pain than anything. (Kernel 
> panics and watchdog resets)
>  
> We have identified the Lenovo Yoga series laptops (and other models from Best 
> Buy) having issues with enterprise networks with no solution since the last 
> Windows 10 update.  If the users go and buy a small form factor wifi adapter, 
> everything works.   Without it, they aren’t able to connect to our secure 
> network and open networks are slow.
>  
> Dell laptops seem to be the most stable followed by Macbook Pro’s.
>  
> We have already surpassed most connected clients from last year on the second 
> day of classes this year.  I’m seeing a LOT of wifi enabled TV’s, IoT devices 
> (ugh), tablets, phones, smartwatches and wireless cameras/doorbells for rooms.
>  
> Our biggest concern is the amount of wireless printers that have shown up.  
> We don’t allow wireless printers on our network, but when trying to get the 
> wireless cards shut off for each one is becoming a problem.
>  
> If anyone is handling wireless printers differently, I’d be interested in 
> talking offline with you.
>  
> Thanks
> --
> T. Shayne Ghere
> Bradley University
> Network Engineer/Wireless
> 1501 W. Bradley Ave, Jobst 224A
> (309) 677-3094 (ofc)
> (309) 863-5738 (cell) – Emergency only
> sgh...@fsmail.bradley.edu
> --
> UPCOMING OUT OF OFFICE
> Wednesday, August 30th – PM (no phone/e-mail access)
>  
>  
> From: The EDUCAUSE W

RE: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-25 Thread Lee H Badman
I can only preface it as 3rd hand info:

8540s on 8.2.160, some unidentified condition making the APs flap once a 
certain load of clients was reached. Beyond that, I can’t say much.
Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Watts
Sent: Friday, August 25, 2017 10:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Lee,

Without identifying the school can you give any more detail about what sort of 
catastrophic issues they are having? What controllers/APs? We just moved to 
8.2.160.0 on 5520s and I haven’t noticed anything yet that I would deem 
catastrophic. We are on a mix of 2802i, 3502i, 1142n APs.

Jason Watts | Senior Network Administrator

PRATT INSTITUTE
Academic Computing



On Aug 25, 2017, at 9:56 AM, Lee H Badman <lhbad...@syr.edu> wrote:

Not that I advocate it, but there are incredibly easy ways to shut down the 
wireless side of the printers if you chose to. That’s all I’m saying.

I have heard in private that another school is having catastrophic issues with 
8.2.160.0, so this may emerge as one to watch closer.
Thanks for sharing- this sort of information is valuable as we all go through 
this rather unique exercise.

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of T. Shayne Ghere
Sent: Friday, August 25, 2017 9:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Here’s our setup

Running 8.2.160.0 on a pair of 8540 in HA mode
796 1810w
472 3802i
Mix of 1142, 702 totaling 220 that will soon be replaced with 3802i
Total AP’s will be close to 2015 when new wiring is pulled

Home grown registration for one SSID that’s used for devices that won’t work on 
secure or web-auth networks

I’m running Flexconnect on the wireless along with an Rlan for the wired ports 
for the 1810w’s (dorms) and local switching where applicable.

So far, we have identified 5 bugs with the 160.0 code which Cisco is working 
on.  They aren’t service impacting but more of a pain than anything. (Kernel 
panics and watchdog resets)

We have identified the Lenovo Yoga series laptops (and other models from Best 
Buy) having issues with enterprise networks with no solution since the last 
Windows 10 update.  If the users go and buy a small form factor wifi adapter, 
everything works.   Without it, they aren’t able to connect to our secure 
network and open networks are slow.

Dell laptops seem to be the most stable followed by Macbook Pro’s.

We have already surpassed most connected clients from last year on the second 
day of classes this year.  I’m seeing a LOT of wifi enabled TV’s, IoT devices 
(ugh), tablets, phones, smartwatches and wireless cameras/doorbells for rooms.

Our biggest concern is the amount of wireless printers that have shown up.  We 
don’t allow wireless printers on our network, but when trying to get the 
wireless cards shut off for each one is becoming a problem.

If anyone is handling wireless printers differently, I’d be interested in 
talking offline with you.

Thanks
--
T. Shayne Ghere
Bradley University
Network Engineer/Wireless
1501 W. Bradley Ave, Jobst 224A
(309) 677-3094 (ofc)
(309) 863-5738 (cell) – Emergency only
sgh...@fsmail.bradley.edu
--
UPCOMING OUT OF OFFICE
Wednesday, August 30th – PM (no phone/e-mail access)


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Friday, August 25, 2017 8:22 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

It might be beneficial to share notes in case other schools are hitting common 
problems. I’m wondering how everyone who is in the thick of it is faring with 
back-to-school?

On this end, we are doing OK halfway to our expected total daily peak clients 
(we’re at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester
Running 8.2.151 on our 8540s
Significant quantities of Wave 2 APs
ISE as RADIUS (only, no NAC, no onboarding)

No changes to:
our guest WLAN (Clearpass/an Aruba controller pair)
onboarding (Cloudpath Wiz)
overall topology
open network in dorms for gadgets
non-use of AVC, it crapped out and never got solved af

Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-25 Thread Jason Watts
Lee,

Without identifying the school can you give any more detail about what sort of 
catastrophic issues they are having? What controllers/APs? We just moved to 
8.2.160.0 on 5520s and I haven’t noticed anything yet that I would deem 
catastrophic. We are on a mix of 2802i, 3502i, 1142n APs.

Jason Watts | Senior Network Administrator

PRATT INSTITUTE
Academic Computing



> On Aug 25, 2017, at 9:56 AM, Lee H Badman <lhbad...@syr.edu> wrote:
> 
> Not that I advocate it, but there are incredibly easy ways to shut down the 
> wireless side of the printers if you chose to. That’s all I’m saying.
>  
> I have heard in private that another school is having catastrophic issues 
> with 8.2.160.0, so this may emerge as one to watch closer.
> Thanks for sharing- this sort of information is valuable as we all go through 
> this rather unique exercise.
> 
>  
> 
> -Lee
> 
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of T. Shayne Ghere
> Sent: Friday, August 25, 2017 9:42 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?
>  
> Here’s our setup
>  
> Running 8.2.160.0 on a pair of 8540 in HA mode
> 796 1810w
> 472 3802i
> Mix of 1142, 702 totaling 220 that will soon be replaced with 3802i
> Total AP’s will be close to 2015 when new wiring is pulled
>  
> Home grown registration for one SSID that’s used for devices that won’t work 
> on secure or web-auth networks
>  
> I’m running Flexconnect on the wireless along with an Rlan for the wired 
> ports for the 1810w’s (dorms) and local switching where applicable.
>  
> So far, we have identified 5 bugs with the 160.0 code which Cisco is working 
> on.  They aren’t service impacting but more of a pain than anything. (Kernel 
> panics and watchdog resets)
>  
> We have identified the Lenovo Yoga series laptops (and other models from Best 
> Buy) having issues with enterprise networks with no solution since the last 
> Windows 10 update.  If the users go and buy a small form factor wifi adapter, 
> everything works.   Without it, they aren’t able to connect to our secure 
> network and open networks are slow.
>  
> Dell laptops seem to be the most stable followed by Macbook Pro’s.
>  
> We have already surpassed most connected clients from last year on the second 
> day of classes this year.  I’m seeing a LOT of wifi enabled TV’s, IoT devices 
> (ugh), tablets, phones, smartwatches and wireless cameras/doorbells for rooms.
>  
> Our biggest concern is the amount of wireless printers that have shown up.  
> We don’t allow wireless printers on our network, but when trying to get the 
> wireless cards shut off for each one is becoming a problem.
>  
> If anyone is handling wireless printers differently, I’d be interested in 
> talking offline with you.
>  
> Thanks
> --
> T. Shayne Ghere
> Bradley University
> Network Engineer/Wireless
> 1501 W. Bradley Ave, Jobst 224A
> (309) 677-3094 (ofc)
> (309) 863-5738 (cell) – Emergency only
> sgh...@fsmail.bradley.edu
> --
> UPCOMING OUT OF OFFICE
> Wednesday, August 30th – PM (no phone/e-mail access)
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
> Sent: Friday, August 25, 2017 8:22 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Move In/Opening Week- Any Problems?
>  
> It might be beneficial to share notes in case other schools are hitting 
> common problems. I’m wondering how everyone who is in the thick of it is 
> faring with back-to-school?
>  
> On this end, we are doing OK halfway to our expected total daily peak clients 
> (we’re at 15K now high water mark).
>  
> Our significant WLAN-related changes since end of Spring semester
> Running 8.2.151 on our 8540s
> Significant quantities of Wave 2 APs
> ISE as RADIUS (only, no NAC, no onboarding)
>  
> No changes to:
> our guest WLAN (Clearpass/an Aruba controller pair)
> onboarding (Cloudpath Wiz)
> overall topology
> open network in dorms for gadgets
> non-use of AVC, it crapped out and never got solved after hundreds of hours 
> with TAC
>  
> Fears:
> We haven’t yet hit the scale that will reveal problems with any of the newer 
> stuff listed above
>  
> Anyone else care to share?
>  

Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-25 Thread Alan D Wang
Our setup:
Code: 8.3.121.0
APs: 2602, 3602, 2702, 3702, 2802 (roughly 230 of them), handful of 1810W,
and a couple 1142
Controllers: 2 8540 HA pairs and 1 5520 HA pair

We ended up needing to move to 8.3.121.0 due to a bug TAC was not going to
fix for the 1810W pertaining to the operations of the wired ports and vlan
assignments not actually taking effect.

On Fri, Aug 25, 2017 at 9:56 AM, Lee H Badman <lhbad...@syr.edu> wrote:

> Not that I advocate it, but there are incredibly easy ways to shut down
> the wireless side of the printers if you chose to. That’s all I’m saying.
>
>
>
> I have heard in private that another school is having catastrophic issues
> with 8.2.160.0, so this may emerge as one to watch closer.
>
> Thanks for sharing- this sort of information is valuable as we all go
> through this rather unique exercise.
>
>
>
> -Lee
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *T. Shayne Ghere
> *Sent:* Friday, August 25, 2017 9:42 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?
>
>
>
> Here’s our setup
>
>
>
> Running 8.2.160.0 on a pair of 8540 in HA mode
>
> 796 1810w
>
> 472 3802i
>
> Mix of 1142, 702 totaling 220 that will soon be replaced with 3802i
>
> Total AP’s will be close to 2015 when new wiring is pulled
>
>
>
> Home grown registration for one SSID that’s used for devices that won’t
> work on secure or web-auth networks
>
>
>
> I’m running Flexconnect on the wireless along with an Rlan for the wired
> ports for the 1810w’s (dorms) and local switching where applicable.
>
>
>
> So far, we have identified 5 bugs with the 160.0 code which Cisco is
> working on.  They aren’t service impacting but more of a pain than
> anything. (Kernel panics and watchdog resets)
>
>
>
> We have identified the Lenovo Yoga series laptops (and other models from
> Best Buy) having issues with enterprise networks with no solution since the
> last Windows 10 update.  If the users go and buy a small form factor wifi
> adapter, everything works.   Without it, they aren’t able to connect to our
> secure network and open networks are slow.
>
>
>
> Dell laptops seem to be the most stable followed by Macbook Pro’s.
>
>
>
> We have already surpassed most connected clients from last year on the
> second day of classes this year.  I’m seeing a LOT of wifi enabled TV’s,
> IoT devices (ugh), tablets, phones, smartwatches and wireless
> cameras/doorbells for rooms.
>
>
>
> Our biggest concern is the amount of wireless printers that have shown
> up.  We don’t allow wireless printers on our network, but when trying to
> get the wireless cards shut off for each one is becoming a problem.
>
>
>
> If anyone is handling wireless printers differently, I’d be interested in
> talking offline with you.
>
>
>
> Thanks
>
> --
>
> T. Shayne Ghere
>
> Bradley University
>
> Network Engineer/Wireless
>
> 1501 W. Bradley Ave, Jobst 224A
>
> (309) 677-3094 (ofc)
>
> (309) 863-5738 (cell) – Emergency only
>
> sgh...@fsmail.bradley.edu
>
> --
>
> *UPCOMING OUT OF OFFICE*
>
> Wednesday, August 30th – PM (no phone/e-mail access)
>
>
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Lee H Badman
> *Sent:* Friday, August 25, 2017 8:22 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Move In/Opening Week- Any Problems?
>
>
>
> It might be beneficial to share notes in case other schools are hitting
> common problems. I’m wondering how everyone who is in the thick of it is
> faring with back-to-school?
>
>
>
> On this end, we are doing OK halfway to our expected total daily peak
> clients (we’re at 15K now high water mark).
>
>
>
> Our significant WLAN-related changes since end of Spring semester
>
> Running 8.2.151 on our 8540s
>
> Significant quantities of Wave 2 APs
>
> ISE as RADIUS (only, no NAC, no onboarding)
>
>
>
> No changes to:
>
> our guest WLAN (Clearpass/an Aruba controller pair)
>
> onboarding (Cloudpath Wiz)
>
> overall topology
>
> open network in dorms for gadgets
>
> non-use of AVC, it crapped out and never got solved after hundreds of
> hours with TAC
>
>
>
> Fears:
>
> We haven’t yet hit the scale that will reveal problems with any of the
> newer stuff listed above
>
>
>
> Anyone else care to share?
>
>

RE: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-25 Thread Lee H Badman
Not that I advocate it, but there are incredibly easy ways to shut down the 
wireless side of the printers if you chose to. That’s all I’m saying.

I have heard in private that another school is having catastrophic issues with 
8.2.160.0, so this may emerge as one to watch closer.
Thanks for sharing- this sort of information is valuable as we all go through 
this rather unique exercise.

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of T. Shayne Ghere
Sent: Friday, August 25, 2017 9:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Here’s our setup

Running 8.2.160.0 on a pair of 8540 in HA mode
796 1810w
472 3802i
Mix of 1142, 702 totaling 220 that will soon be replaced with 3802i
Total AP’s will be close to 2015 when new wiring is pulled

Home grown registration for one SSID that’s used for devices that won’t work on 
secure or web-auth networks

I’m running Flexconnect on the wireless along with an Rlan for the wired ports 
for the 1810w’s (dorms) and local switching where applicable.

So far, we have identified 5 bugs with the 160.0 code which Cisco is working 
on.  They aren’t service impacting but more of a pain than anything. (Kernel 
panics and watchdog resets)

We have identified the Lenovo Yoga series laptops (and other models from Best 
Buy) having issues with enterprise networks with no solution since the last 
Windows 10 update.  If the users go and buy a small form factor wifi adapter, 
everything works.   Without it, they aren’t able to connect to our secure 
network and open networks are slow.

Dell laptops seem to be the most stable followed by Macbook Pro’s.

We have already surpassed most connected clients from last year on the second 
day of classes this year.  I’m seeing a LOT of wifi enabled TV’s, IoT devices 
(ugh), tablets, phones, smartwatches and wireless cameras/doorbells for rooms.

Our biggest concern is the amount of wireless printers that have shown up.  We 
don’t allow wireless printers on our network, but when trying to get the 
wireless cards shut off for each one is becoming a problem.

If anyone is handling wireless printers differently, I’d be interested in 
talking offline with you.

Thanks
--
T. Shayne Ghere
Bradley University
Network Engineer/Wireless
1501 W. Bradley Ave, Jobst 224A
(309) 677-3094 (ofc)
(309) 863-5738 (cell) – Emergency only
sgh...@fsmail.bradley.edu
--
UPCOMING OUT OF OFFICE
Wednesday, August 30th – PM (no phone/e-mail access)


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Friday, August 25, 2017 8:22 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

It might be beneficial to share notes in case other schools are hitting common 
problems. I’m wondering how everyone who is in the thick of it is faring with 
back-to-school?

On this end, we are doing OK halfway to our expected total daily peak clients 
(we’re at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester
Running 8.2.151 on our 8540s
Significant quantities of Wave 2 APs
ISE as RADIUS (only, no NAC, no onboarding)

No changes to:
our guest WLAN (Clearpass/an Aruba controller pair)
onboarding (Cloudpath Wiz)
overall topology
open network in dorms for gadgets
non-use of AVC, it crapped out and never got solved after hundreds of hours 
with TAC

Fears:
We haven’t yet hit the scale that will reveal problems with any of the newer 
stuff listed above

Anyone else care to share?

-Lee


Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



RE: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-25 Thread T. Shayne Ghere
Here’s our setup



Running 8.2.160.0 on a pair of 8540 in HA mode

796 1810w

472 3802i

Mix of 1142, 702 totaling 220 that will soon be replaced with 3802i

Total AP’s will be close to 2015 when new wiring is pulled



Home grown registration for one SSID that’s used for devices that won’t
work on secure or web-auth networks



I’m running Flexconnect on the wireless along with an Rlan for the wired
ports for the 1810w’s (dorms) and local switching where applicable.



So far, we have identified 5 bugs with the 160.0 code which Cisco is
working on.  They aren’t service impacting but more of a pain than
anything. (Kernel panics and watchdog resets)



We have identified the Lenovo Yoga series laptops (and other models from
Best Buy) having issues with enterprise networks with no solution since the
last Windows 10 update.  If the users go and buy a small form factor wifi
adapter, everything works.   Without it, they aren’t able to connect to our
secure network and open networks are slow.



Dell laptops seem to be the most stable followed by Macbook Pro’s.



We have already surpassed most connected clients from last year on the
second day of classes this year.  I’m seeing a LOT of wifi enabled TV’s,
IoT devices (ugh), tablets, phones, smartwatches and wireless
cameras/doorbells for rooms.



Our biggest concern is the amount of wireless printers that have shown up.
We don’t allow wireless printers on our network, but trying to get the
wireless cards shut off for each one is becoming a problem.



If anyone is handling wireless printers differently, I’d be interested in
talking offline with you.



Thanks

--

T. Shayne Ghere

Bradley University

Network Engineer/Wireless

1501 W. Bradley Ave, Jobst 224A

(309) 677-3094 (ofc)

(309) 863-5738 (cell) – Emergency only

sgh...@fsmail.bradley.edu

--

*UPCOMING OUT OF OFFICE*

Wednesday, August 30th – PM (no phone/e-mail access)





*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Lee H Badman
*Sent:* Friday, August 25, 2017 8:22 AM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] Move In/Opening Week- Any Problems?



It might be beneficial to share notes in case other schools are hitting
common problems. I’m wondering how everyone who is in the thick of it is
faring with back-to-school?



On this end, we are doing OK halfway to our expected total daily peak
clients (we’re at 15K now high water mark).



Our significant WLAN-related changes since end of Spring semester

· Running 8.2.151 on our 8540s

· Significant quantities of Wave 2 APs

· ISE as RADIUS (only, no NAC, no onboarding)



No changes to:

· our guest WLAN (Clearpass/an Aruba controller pair)

· onboarding (Cloudpath Wiz)

· overall topology

· open network in dorms for gadgets

· non-use of AVC, it crapped out and never got solved after
hundreds of hours with TAC



Fears:

· We haven’t yet hit the scale that will reveal problems with any
of the newer stuff listed above



Anyone else care to share?



-Lee





*Lee Badman* | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244

*t* 315.443.3003   *f* 315.443.4325   *e* lhbad...@syr.edu   *w* its.syr.edu

*SYRACUSE UNIVERSITY*
syr.edu






