Re: [WIRELESS-LAN] Wireless Design

2012-10-23 Thread Dennis Xu
We have two ACS 4.2 servers behind a load balancer (ACE) and we do not see any 
issues with wireless PEAP authentications. We are going to upgrade these 
servers to ACS 5.3 soon. Has Cisco confirmed the problem is related to the LB? 
What if the ACS servers are not load balanced, will the problem still exist? 
Thanks.

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

- Original Message -
From: Bruce Boardman board...@syr.edu
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Tuesday, October 23, 2012 11:55:31 AM
Subject: Re: [WIRELESS-LAN] Wireless Design




We are having this exact issue and have been working with TAC for a month. We 
have clients that are misconfigured pounding the RADIUS servers, and one by 
one we are identifying and blacklisting devices that have never been on the 
network. This is only a couple of days in the works, but seems to have helped and 
TAC thinks it's the issue.





Per TAC: Hi Bruce,






Good Morning.
After discussing your scenario with the collaboration team, they suggest we 
track down the EAP session timeouts and remove those clients or block them 
before reaching the ACS.
“Clients sending malformed requests, or not compliant with the access-challenge 
that ACS sends after a failure can tie up threads for up to 120 seconds.”
And 120 seconds is a lot of time.




We have also added a third server for logging. So far so good.




Bruce Boardman, Network Engineer, Syracuse University - 315 889-1667


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Chris Toth [ct...@bgsu.edu] 
Sent: Tuesday, October 23, 2012 11:32 AM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] Wireless Design 






We are having authentication issues with our wireless network and I was 
wondering if any other universities are running a similar design without issue. 
We have 17 wireless controllers each providing both an unsecured web auth and a 
secured WPA/WPA2 access using radius. The secured access points to a load 
balancer using radius stickiness for 2 virtual cisco ACS servers running 
version 5.3. We have approximately 10k associated authenticated wireless users 
during peak hours. 



Our authentications servers don’t appear to be working very hard; however, they 
are having issues. We are working with the vendor to resolve these issues but I 
am curious if other universities run their auth servers behind a load balancer 
and how many auth servers are running / per authenticated clients. 



Any information you could provide would be helpful. 



Thank you, 



Chris Toth 

Senior Network Technician

Bowling Green State University 

Phone: (419) 372-8462 

Email: ct...@bgsu.edu 

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/. 



RE: [WIRELESS-LAN] Wireless Design

2012-10-23 Thread Bruce Boardman
TAC has confirmed the problem and has not yet offered a workaround to the LB. The 
LB is manually pointing controllers to one of the two RADIUS servers, which 
helps, but of course is not really a solution. The ACE is RADIUS session aware 
I take it?


Bruce Boardman, Network Engineer, Syracuse University - 315 889-1667

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Dennis Xu [d...@uoguelph.ca]
Sent: Tuesday, October 23, 2012 12:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Design

We have two ACS 4.2 servers behind a load balancer (ACE) and we do not see any 
issues with wireless PEAP authentications. We are going to upgrade these 
servers to ACS 5.3 soon. Has Cisco confirmed the problem is related to the LB? 
What if the ACS servers are not load balanced, will the problem still exist? 
Thanks.

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

- Original Message -
From: Bruce Boardman board...@syr.edu
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Tuesday, October 23, 2012 11:55:31 AM
Subject: Re: [WIRELESS-LAN] Wireless Design




We are having this exact issue and have been working with TAC for a month. We 
have clients that are misconfigured pounding the RADIUS servers, and one by 
one we are identifying and blacklisting devices that have never been on the 
network. This is only a couple of days in the works, but seems to have helped and 
TAC thinks it's the issue.





Per TAC: Hi Bruce,






Good Morning.
After discussing your scenario with the collaboration team, they suggest we 
track down the EAP session timeouts and remove those clients or block them 
before reaching the ACS.
“Clients sending malformed requests, or not compliant with the access-challenge 
that ACS sends after a failure can tie up threads for up to 120 seconds.”
And 120 seconds is a lot of time.




We have also added a third server for logging. So far so good.




Bruce Boardman, Network Engineer, Syracuse University - 315 889-1667


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Chris Toth [ct...@bgsu.edu]
Sent: Tuesday, October 23, 2012 11:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Design






We are having authentication issues with our wireless network and I was 
wondering if any other universities are running a similar design without issue. 
We have 17 wireless controllers each providing both an unsecured web auth and a 
secured WPA/WPA2 access using radius. The secured access points to a load 
balancer using radius stickiness for 2 virtual cisco ACS servers running 
version 5.3. We have approximately 10k associated authenticated wireless users 
during peak hours.



Our authentications servers don’t appear to be working very hard; however, they 
are having issues. We are working with the vendor to resolve these issues but I 
am curious if other universities run their auth servers behind a load balancer 
and how many auth servers are running / per authenticated clients.



Any information you could provide would be helpful.



Thank you,



Chris Toth

Senior Network Technician

Bowling Green State University

Phone: (419) 372-8462

Email: ct...@bgsu.edu



Re: [WIRELESS-LAN] Wireless Design

2012-10-23 Thread Dennis Xu
Yes, ACE is RADIUS session aware. RADIUS stickiness has been configured for the ACS 
servers.

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

- Original Message -
From: Bruce Boardman board...@syr.edu
To: d...@uoguelph.ca, WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Tuesday, October 23, 2012 12:15:13 PM
Subject: RE: [WIRELESS-LAN] Wireless Design

TAC has confirmed the problem and has not yet offered a workaround to the LB. The 
LB is manually pointing controllers to one of the two RADIUS servers, which 
helps, but of course is not really a solution. The ACE is RADIUS session aware 
I take it?


Bruce Boardman, Network Engineer, Syracuse University - 315 889-1667

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Dennis Xu [d...@uoguelph.ca]
Sent: Tuesday, October 23, 2012 12:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Design

We have two ACS 4.2 servers behind a load balancer (ACE) and we do not see any 
issues with wireless PEAP authentications. We are going to upgrade these 
servers to ACS 5.3 soon. Has Cisco confirmed the problem is related to the LB? 
What if the ACS servers are not load balanced, will the problem still exist? 
Thanks.

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

- Original Message -
From: Bruce Boardman board...@syr.edu
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Tuesday, October 23, 2012 11:55:31 AM
Subject: Re: [WIRELESS-LAN] Wireless Design




We are having this exact issue and have been working with TAC for a month. We 
have clients that are misconfigured pounding the RADIUS servers, and one by 
one we are identifying and blacklisting devices that have never been on the 
network. This is only a couple of days in the works, but seems to have helped and 
TAC thinks it's the issue.





Per TAC: Hi Bruce,






Good Morning.
After discussing your scenario with the collaboration team, they suggest we 
track down the EAP session timeouts and remove those clients or block them 
before reaching the ACS.
“Clients sending malformed requests, or not compliant with the access-challenge 
that ACS sends after a failure can tie up threads for up to 120 seconds.”
And 120 seconds is a lot of time.




We have also added a third server for logging. So far so good.




Bruce Boardman, Network Engineer, Syracuse University - 315 889-1667


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Chris Toth [ct...@bgsu.edu]
Sent: Tuesday, October 23, 2012 11:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Design






We are having authentication issues with our wireless network and I was 
wondering if any other universities are running a similar design without issue. 
We have 17 wireless controllers each providing both an unsecured web auth and a 
secured WPA/WPA2 access using radius. The secured access points to a load 
balancer using radius stickiness for 2 virtual cisco ACS servers running 
version 5.3. We have approximately 10k associated authenticated wireless users 
during peak hours.



Our authentications servers don’t appear to be working very hard; however, they 
are having issues. We are working with the vendor to resolve these issues but I 
am curious if other universities run their auth servers behind a load balancer 
and how many auth servers are running / per authenticated clients.



Any information you could provide would be helpful.



Thank you,



Chris Toth

Senior Network Technician

Bowling Green State University

Phone: (419) 372-8462

Email: ct...@bgsu.edu



RE: [WIRELESS-LAN] Wireless Design

2012-10-23 Thread Lee H Badman
Just to add to Bruce's narrative: I estimate that a couple of dozen errant 
clients (frequently BlackBerry for some reason) add RADIUS transactional volume 
of thousands more clients to the servers by the way they act. Using client 
exclusion, or manually disabling the worst of the worst, seems to have knocked 
the problem down.

Lee H. Badman
Network Architect/Wireless TME
Information Technology and Services (ITS)
Syracuse University
315 443-3003
 
 


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Tuesday, October 23, 2012 12:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Design

Yes, ACE is RADIUS session aware. RADIUS stickiness has been configured for the ACS 
servers.

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

- Original Message -
From: Bruce Boardman board...@syr.edu
To: d...@uoguelph.ca, WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Tuesday, October 23, 2012 12:15:13 PM
Subject: RE: [WIRELESS-LAN] Wireless Design

TAC has confirmed the problem and has not yet offered a workaround to the LB. The 
LB is manually pointing controllers to one of the two RADIUS servers, which 
helps, but of course is not really a solution. The ACE is RADIUS session aware 
I take it?


Bruce Boardman, Network Engineer, Syracuse University - 315 889-1667

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Dennis Xu [d...@uoguelph.ca]
Sent: Tuesday, October 23, 2012 12:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Design

We have two ACS 4.2 servers behind a load balancer (ACE) and we do not see any 
issues with wireless PEAP authentications. We are going to upgrade these 
servers to ACS 5.3 soon. Has Cisco confirmed the problem is related to the LB? 
What if the ACS servers are not load balanced, will the problem still exist? 
Thanks.

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

- Original Message -
From: Bruce Boardman board...@syr.edu
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Tuesday, October 23, 2012 11:55:31 AM
Subject: Re: [WIRELESS-LAN] Wireless Design




We are having this exact issue and have been working with TAC for a month. We 
have clients that are misconfigured pounding the RADIUS servers, and one by 
one we are identifying and blacklisting devices that have never been on the 
network. This is only a couple of days in the works, but seems to have helped and 
TAC thinks it's the issue.





Per TAC: Hi Bruce,






Good Morning.
After discussing your scenario with the collaboration team, they suggest we 
track down the EAP session timeouts and remove those clients or block them 
before reaching the ACS.
“Clients sending malformed requests, or not compliant with the access-challenge 
that ACS sends after a failure can tie up threads for up to 120 seconds.”
And 120 seconds is a lot of time.




We have also added a third server for logging. So far so good.




Bruce Boardman, Network Engineer, Syracuse University - 315 889-1667


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Chris Toth [ct...@bgsu.edu]
Sent: Tuesday, October 23, 2012 11:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Design






We are having authentication issues with our wireless network and I was 
wondering if any other universities are running a similar design without issue. 
We have 17 wireless controllers each providing both an unsecured web auth and a 
secured WPA/WPA2 access using radius. The secured access points to a load 
balancer using radius stickiness for 2 virtual cisco ACS servers running 
version 5.3. We have approximately 10k associated authenticated wireless users 
during peak hours.



Our authentications servers don’t appear to be working very hard; however, they 
are having issues. We are working with the vendor to resolve these issues but I 
am curious if other universities run their auth servers behind a load balancer 
and how many auth servers are running / per authenticated clients.



Any information you could provide would be helpful.



Thank you,



Chris Toth

Senior Network Technician

Bowling Green State University

Phone: (419) 372-8462

Email: ct...@bgsu.edu

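The workaround Bruce and Lee describe in this thread (track down the EAP session timeouts, then exclude the clients behind them) can be scripted against the authentication log. What follows is an added example written for this archive, not code from the thread, from Cisco or from TAC: it reads a constructed, simplified per-session log (the field names `nas`, `mac`, `user`, `result` and the values `accept`, `reject`, `eap-timeout` are assumptions, not the ACS log format), counts sessions and timeouts per client MAC, and lists the clients that keep timing out without ever having been accepted, ranked by the server thread time they tie up using the 120-second figure TAC quoted.

```python
"""Rank wireless clients by the RADIUS thread time their stalled EAP
sessions tie up.  Example added to this list archive; the log format,
field names and thresholds are constructed assumptions, not ACS output."""
import re
from collections import defaultdict

# Figure quoted from TAC in the thread: a stalled EAP session can hold a
# server thread for up to 120 seconds.
THREAD_HOLD_SECONDS = 120

# Constructed sample log: one line per finished RADIUS/EAP session.
#   result=accept      -> Access-Accept issued
#   result=reject      -> Access-Reject issued (e.g. bad password)
#   result=eap-timeout -> client never answered the Access-Challenge
SAMPLE_LOG = """\
2012-10-23T11:00:01 nas=wlc01 mac=00:1a:2b:3c:4d:01 user=alice result=accept
2012-10-23T11:00:02 nas=wlc01 mac=00:1a:2b:3c:4d:02 user=bob result=eap-timeout
2012-10-23T11:00:03 nas=wlc03 mac=00:1a:2b:3c:4d:04 user=anonymous result=eap-timeout
2012-10-23T11:00:05 nas=wlc01 mac=00:1a:2b:3c:4d:03 user=carol result=eap-timeout
2012-10-23T11:00:09 nas=wlc01 mac=00:1a:2b:3c:4d:03 user=carol result=accept
2012-10-23T11:02:02 nas=wlc02 mac=00:1a:2b:3c:4d:02 user=bob result=eap-timeout
2012-10-23T11:02:03 nas=wlc03 mac=00:1a:2b:3c:4d:04 user=anonymous result=eap-timeout
2012-10-23T11:04:02 nas=wlc02 mac=00:1a:2b:3c:4d:02 user=bob result=eap-timeout
2012-10-23T11:04:03 nas=wlc03 mac=00:1a:2b:3c:4d:04 user=anonymous result=eap-timeout
2012-10-23T11:06:02 nas=wlc01 mac=00:1a:2b:3c:4d:02 user=bob result=eap-timeout
2012-10-23T11:06:03 nas=wlc03 mac=00:1a:2b:3c:4d:04 user=anonymous result=eap-timeout
2012-10-23T11:08:03 nas=wlc03 mac=00:1a:2b:3c:4d:04 user=anonymous result=eap-timeout
2012-10-23T11:08:04 nas=wlc01 mac=00:1a:2b:3c:4d:05 user=dave result=reject
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) nas=(?P<nas>\S+) mac=(?P<mac>[0-9a-f:]{17}) "
    r"user=(?P<user>\S+) result=(?P<result>accept|reject|eap-timeout)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are dropped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def summarize(rows):
    """Per-MAC counters: sessions, timeouts, accepts and the controllers seen."""
    stats = defaultdict(lambda: {"sessions": 0, "timeouts": 0,
                                 "accepts": 0, "nas": set()})
    for r in rows:
        s = stats[r["mac"].lower()]
        s["sessions"] += 1
        s["nas"].add(r["nas"])
        if r["result"] == "eap-timeout":
            s["timeouts"] += 1
        elif r["result"] == "accept":
            s["accepts"] += 1
    return stats


def errant_clients(rows, min_timeouts=3, min_timeout_ratio=0.8):
    """Clients that repeatedly time out and have never been accepted (the
    'never been on the network' devices), worst thread cost first.  A client
    with one timeout followed by an accept is a normal retry and is skipped."""
    found = []
    for mac, s in summarize(rows).items():
        ratio = s["timeouts"] / s["sessions"]
        if (s["timeouts"] >= min_timeouts and ratio >= min_timeout_ratio
                and s["accepts"] == 0):
            found.append({
                "mac": mac,
                "sessions": s["sessions"],
                "timeouts": s["timeouts"],
                "controllers": sorted(s["nas"]),
                "thread_seconds": s["timeouts"] * THREAD_HOLD_SECONDS,
            })
    return sorted(found, key=lambda c: (-c["thread_seconds"], c["mac"]))


if __name__ == "__main__":
    for c in errant_clients(parse_log(SAMPLE_LOG)):
        print(f'{c["mac"]}  sessions={c["sessions"]}  timeouts={c["timeouts"]}  '
              f'thread_s={c["thread_seconds"]}  via={",".join(c["controllers"])}')
```

The output is the candidate list for client exclusion on the controllers; the `controllers` field shows which WLCs a client is hitting, which matters when, as in Bruce's setup, different controllers are pinned to different RADIUS servers.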

Re: [WIRELESS-LAN] Wireless design

2011-06-13 Thread Johnson, Neil M
We use several separate subnets for wireless clients and use some RADIUS custom 
hooks (we use a combination of RADIATOR and SBR) to dynamically assign clients 
to the subnets.

Our APs themselves are addressed using RFC 1918 space on a separate VLAN routed 
out each routing hub.


-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Lee H Badman lhbad...@syr.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Fri, 10 Jun 2011 12:27:48 -0400
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless design

Just to chime in on the topic of restricting traffic: bear in mind that 
applications like FaceTime and syncing things like Documents To Go between 
iPads and PCs do get impacted by what may seem like otherwise good segregation 
methodology. This can be the source of much consternation.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W
Sent: Friday, June 10, 2011 7:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless design

John,


1.   I believe most (all?) wireless systems can bridge at the AP. If you 
are using 802.1X, you would need to find some way to whitelist the AP traffic, 
though. I know that Aruba APs can run in bridged mode, but you lose some 
features because all enforcement occurs within the limited resources of the 
thin AP. It is generally preferred to tunnel the traffic back to the 
controller, when possible.

2.   Whether you can block clients talking to each other depends on your 
wireless system. I know Aruba has a built-in firewall and you can block this 
traffic. I believe Cisco depends on the network infrastructure for firewalls. 
One challenge for the system is blocking peers talking to the same AP.

3.   Roaming between APs and between buildings is very dependent on your 
wireless system. We here at Liberty University have not yet designed our 
mobility approach. Our current focus is implementing 802.1X (finally!) and 
replacing our NAC system.

Regards,

Bruce Osborne
Wireless Network Engineer
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

From: John Kaftan [mailto:jkaf...@utica.edu]
Sent: Thursday, June 09, 2011 12:35 AM
Subject: Re: Wireless design

Can that system bridge at the AP?  We are going to have a secure network and an 
open one.  The secure network will be configured with 802.1x and will just dump 
people on the local VLAN of the building.  Once we have the network fully 
secure we will be fine with this.  I like this for performance reasons.  The 
APs just become secure hubs.

We will also make sure that no clients can talk to each other on these networks. 
We will try to drive all users to the secure network. The secure network will 
also be NAC enabled.

The open network will tunnel back to the controller and bridge there which is 
required due to the captive portal.

The only possible snag here is roaming between buildings and between 802.1x APs. 
I have not tested and tweaked that yet.

John



- Original Message -
From: Mike King m...@mpking.com
Date: Wednesday, June 8, 2011 9:29 pm
Subject: Re: [WIRELESS-LAN] Wireless design
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

 The real short answer is that it does not matter what the IP address of the 
 AP is, as long as it has good stable communications with the controller.


 What I personally try to do is what you are proposing, put the APs for each 
 building/floor in its own subnet.


 Good luck


 Mike
 On Wed, Jun 8, 2011 at 6:54 PM, Entwistle, Bruce 
 bruce_entwis...@redlands.edu wrote:
 We will soon be migrating our wireless network from Cisco autonomous 1231 APs 
 to a combination of Cisco 3502i along with some of the existing 1231 APs 
 converted to lightweight. As we prepare for this we are looking at how to 
 best architect the new network. The new network will cover the entire 
 campus which consists of approx 50 buildings, with each building having its 
 own VLAN.

 The initial idea was to install the APs so the IP address of the AP would be 
 a part of the local building VLAN.  This is the IP the AP would use to talk 
 back to the controller.  For user connections there would be two VLANs 
 created which would be accessed through a single SSID.  The users would then 
 be dynamically assigned to one of the two VLANs based on their logon 
 credentials.  Currently all users are placed on the same VLAN after 
 authentication, as our current installation

Re: [WIRELESS-LAN] Wireless design

2011-06-09 Thread Hanset, Philippe C
Bruce,

We install our APs in the same subnet as our users (for reasons mentioned by 
others as well: it seems that rogue detection works better on the wire side 
that way), but with private IP addresses.
The gateway has two subnets (one primary and one secondary).
Primary is for users, secondary is for APs and switches.
Since our APs do DHCP, we have a rule in our DHCP server that hands specific 
leases to our APs based on the OUI of our AP vendor. That way we don't consume 
publicly addressable IP addresses for 2500 APs!

This said, in the near future the concept of locating APs in the user subnet 
(when I mention subnet, I mean the layer two domain, not the strict IP subnet) 
will become difficult since we plan to have something like 3-5 user subnets 
per building (based on the user classification that we end up with).

When it comes to wireless user subnets, we completely rely on GRE tunnels that 
go back to the controllers and we do the Aruba VLAN pooling for each SSID. The 
MAC address based SSID doesn't let users access sensitive apps, the 802.1x SSID 
does.

In the future, we plan to go to a more role based networking approach, where 
users' attributes decide what they can do more than IP addresses.
(IP addresses will always be involved of course, but in a more dynamic way)

Best,

Philippe Hanset
Univ. of TN
www.eduroamus.org

On Jun 8, 2011, at 6:54 PM, Entwistle, Bruce wrote:

We will soon be migrating our wireless network from Cisco autonomous 1231 APs 
to a combination of Cisco 3502i along with some of the existing 1231 APs 
converted to lightweight. As we prepare for this we are looking at how to 
best architect the new network. The new network will cover the entire campus 
which consists of approx 50 buildings, with each building having its own VLAN.

The initial idea was to install the APs so the IP address of the AP would be a 
part of the local building VLAN.  This is the IP the AP would use to talk back 
to the controller.  For user connections there would be two VLANs created which 
would be accessed through a single SSID.  The users would then be dynamically 
assigned to one of the two VLANs based on their logon credentials.  Currently 
all users are placed on the same VLAN after authentication, as our current 
installation is not capable of dynamic VLAN assignment.  There is currently 
only a single SSID in place.

I would be interested to know what others have done and how successful it was.


Thank you
Bruce Entwistle
Network Manager
University of Redlands


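Two points raised in these threads are easiest to see in code: the RADIUS session stickiness Dennis and Bruce discuss in the October 2012 messages above (every packet of one EAP exchange has to reach the same ACS, because the State the server hands back in its Access-Challenge means nothing to the other server), and the dynamic VLAN assignment Bruce Entwistle asks about and Neil's RADIUS hooks perform (the server returns Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, as RFC 3580 specifies, in the Access-Accept). The block below is an added example for this archive, not code from any poster, from Cisco ACE/ACS, Aruba or RADIATOR; the group-to-VLAN table, shared secret and backend names are constructed, and keying stickiness on Calling-Station-Id (the client MAC the controller puts in every packet of the exchange) is this example's choice, not a statement of what ACE does.

```python
"""Minimal RADIUS attribute codec showing (a) a per-client stickiness key
for a RADIUS-aware load balancer and (b) RFC 3580 VLAN assignment in an
Access-Accept.  Example added to this archive, not vendor code; the
group->VLAN table, shared secret and backend names are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, STATE, CALLING_STATION_ID = 1, 24, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6   # values used by RFC 3580

GROUP_VLAN = {"staff": 20, "student": 30, "guest": 40}   # constructed policy
SECRET = b"constructed-shared-secret"                     # constructed secret


def encode_attrs(attrs):
    """[(type, value bytes)] -> RADIUS TLV bytes (RFC 2865 section 5)."""
    out = bytearray()
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += bytes((atype, len(value) + 2)) + value
    return bytes(out)


def decode_attrs(data):
    """Inverse of encode_attrs; rejects truncated or zero-length TLVs."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_packet(pkt):
    """-> (code, identifier, authenticator, [(type, value), ...])."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def access_request(ident, user, client_mac, request_authenticator=None):
    """Access-Request with the two fields a wireless controller always sends."""
    auth = request_authenticator or os.urandom(16)
    body = encode_attrs([(USER_NAME, user.encode()),
                         (CALLING_STATION_ID, client_mac.encode())])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body


def stickiness_key(pkt):
    """Key the balancer persists on.  Calling-Station-Id is present in every
    packet of the exchange; State is not (the first packet has none, and only
    the server that issued it can interpret it), so it cannot be the key."""
    values = dict(parse_packet(pkt)[3])
    key = values.get(CALLING_STATION_ID) or values.get(USER_NAME)
    if key is None:
        raise ValueError("no attribute to persist on")
    return key.lower()


def choose_backend(pkt, backends):
    """Same key -> same backend, so a whole EAP exchange lands on one server."""
    digest = hashlib.sha256(stickiness_key(pkt)).digest()
    return backends[int.from_bytes(digest[:8], "big") % len(backends)]


def tagged(tag, value):
    """RFC 2868 tagged attribute: one tag byte (0..31) then the value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return bytes((tag,)) + value


def vlan_attrs(group, tag=1):
    """The three attributes that place the client in its group's VLAN."""
    vlan = GROUP_VLAN[group]
    return [(TUNNEL_TYPE, tagged(tag, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))),
            (TUNNEL_MEDIUM_TYPE, tagged(tag, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))),
            (TUNNEL_PRIVATE_GROUP_ID, tagged(tag, str(vlan).encode()))]


def access_accept(request_pkt, group, secret=SECRET):
    """Answer request_pkt with the group's VLAN; Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865."""
    _, ident, req_auth, _ = parse_packet(request_pkt)
    body = encode_attrs(vlan_attrs(group))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def verify_accept(response_pkt, request_pkt, secret=SECRET):
    """What the controller checks before trusting the VLAN in the reply."""
    code, ident, resp_auth, _ = parse_packet(response_pkt)
    _, req_ident, req_auth, _ = parse_packet(request_pkt)
    expected = hashlib.md5(response_pkt[:4] + req_auth + response_pkt[20:]
                           + secret).digest()
    return (code == ACCESS_ACCEPT and ident == req_ident
            and hmac.compare_digest(expected, resp_auth))


def assigned_vlan(response_pkt):
    """VLAN id from Tunnel-Private-Group-ID; a leading byte <= 0x1F is a tag."""
    for atype, value in parse_packet(response_pkt)[3]:
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            return int((value[1:] if value[0] <= 0x1F else value).decode())
    return None
```

Design note: `choose_backend` hashes the key rather than keeping a sticky table, so two balancers (or a balancer restart) agree on the mapping without shared state; a real RADIUS-aware balancer additionally has to route the controller's retransmissions and accounting packets by the same key, which this example leaves out.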



Re: [WIRELESS-LAN] Wireless design

2011-06-09 Thread Craig Simons
Bruce, 

For administrative reasons, we find it very helpful to have all our wireless 
users contained to wireless-only IP ranges. This way, we can configure our 
IPS/IDS sensors, packet inspectors, etc. to keep a more suspicious eye on 
wireless users (i.e. unmanaged, potentially dirty laptops). We also don't have 
to worry about ensuring there are enough free IP addresses in each particular 
location to handle any potential transient surges (like during a large 
conference, for example).

Regards, 
Craig 



SFU SIMON FRASER UNIVERSITY 
Network Services 


Craig Simons 
Network and Systems Administrator 

Phone: 778-782-8036 
Cell: 604-649-7977 
Email: craigsim...@sfu.ca 
Twitter: simonscraig 


- Original Message -
From: Mike King m...@mpking.com 
To: WIRELESS-LAN@listserv.educause.edu 
Sent: Wednesday, 8 June, 2011 18:15:06 
Subject: Re: [WIRELESS-LAN] Wireless design 

The real short answer is that it does not matter what the IP address of the AP 
is, as long as it has good stable communications with the controller. 


What I personally try to do is what you are proposing, put the APs for each 
building/floor in its own subnet.


Good luck 


Mike 


On Wed, Jun 8, 2011 at 6:54 PM, Entwistle, Bruce bruce_entwis...@redlands.edu 
wrote:






We will soon be migrating our wireless network from Cisco autonomous 1231 APs 
to a combination of Cisco 3502i along with some of the existing 1231 APs 
converted to lightweight. As we prepare for this we are looking at how to best 
architect the new network. The new network will cover the entire campus which 
consists of approx 50 buildings, with each building having its own VLAN.



The initial idea was to install the APs so the IP address of the AP would be a 
part of the local building VLAN. This is the IP the AP would use to talk back 
to the controller. For user connections there would be two VLANs created which 
would be accessed through a single SSID. The users would then be dynamically 
assigned to one of the two VLANs based on their logon credentials. Currently 
all users are placed on the same VLAN after authentication, as our current 
installation is not capable of dynamic VLAN assignment. There is currently only 
a single SSID in place. 



I would be interested to know what others have done and how successful it was.





Thank you 

Bruce Entwistle 

Network Manager 

University of Redlands 






Re: [WIRELESS-LAN] Wireless design

2011-06-09 Thread kconnell
We keep our APs on separate VLAN/IP space and users on subnets that are 
wireless traffic only. 
If there are issues with a particular user I know from the IP address right away 
if they are wired or wireless. 
Plus having the wired and wireless users share the same IP space allows them to 
poke around and cause havoc on each other.
  

Many of our wired user VLANs are behind firewalls and VRFs which can be 
troublesome to troubleshoot if APs are down or can't tunnel back to the 
controller, and since I don't have access to the firewalls (diff team) I'd 
rather not have to traverse them.



   
Ken Connell
Intermediate Network Engineer
Computer  Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709


-Original Message-
From: Craig Simons craigsim...@sfu.ca
Sender: The EDUCAUSE Wireless Issues Constituent Group Listserv
 WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Thu, 09 Jun 2011 14:30:50 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Reply-to: Craig Simons craigsim...@sfu.ca
Subject: Re: [WIRELESS-LAN] Wireless design

Bruce, 

For administrative reasons, we find it very helpful to have all our wireless 
users contained to wireless-only IP ranges. This way, we can configure our 
IPS/IDS sensors, packet inspectors, etc. to keep a more suspicious eye on 
wireless users (i.e. unmanaged, potentially dirty laptops). We also don't have 
to worry about ensuring there are enough free IP addresses in each particular 
location to handle any potential transient surges (like during a large 
conference, for example).

Regards, 
Craig 



SFU SIMON FRASER UNIVERSITY 
Network Services 


Craig Simons 
Network and Systems Administrator 

Phone: 778-782-8036 
Cell: 604-649-7977 
Email: craigsim...@sfu.ca 
Twitter: simonscraig 


- Original Message -
From: Mike King m...@mpking.com 
To: WIRELESS-LAN@listserv.educause.edu 
Sent: Wednesday, 8 June, 2011 18:15:06 
Subject: Re: [WIRELESS-LAN] Wireless design 

The real short answer is that it does not matter what the IP address of the AP 
is, as long as it has good stable communications with the controller. 


What I personally try to do is what you are proposing, put the APs for each 
building/floor in its own subnet.


Good luck 


Mike 


On Wed, Jun 8, 2011 at 6:54 PM, Entwistle, Bruce bruce_entwis...@redlands.edu 
wrote:






We will soon be migrating our wireless network from Cisco autonomous 1231 APs 
to a combination of Cisco 3502i along with some of the existing 1231 APs 
converted to lightweight. As we prepare for this we are looking at how to best 
architect the new network. The new network will cover the entire campus which 
consists of approx 50 buildings, with each building having its own VLAN.



The initial idea was to install the APs so the IP address of the AP would be a 
part of the local building VLAN. This is the IP the AP would use to talk back 
to the controller. For user connections there would be two VLANs created which 
would be accessed through a single SSID. The users would then be dynamically 
assigned to one of the two VLANs based on their logon credentials. Currently 
all users are placed on the same VLAN after authentication, as our current 
installation is not capable of dynamic VLAN assignment. There is currently only 
a single SSID in place. 



I would be interested to know what others have done and how successful it was.





Thank you 

Bruce Entwistle 

Network Manager 

University of Redlands 







Re: [WIRELESS-LAN] Wireless design

2011-06-08 Thread Mike King
The real short answer is that it does not matter what the IP address of the
AP is, as long as it has good stable communications with the controller.

What I personally try to do is what you are proposing, put the APs for each
building/floor in its own subnet.

Good luck

Mike

On Wed, Jun 8, 2011 at 6:54 PM, Entwistle, Bruce 
bruce_entwis...@redlands.edu wrote:

 We will soon be migrating our wireless network from Cisco autonomous 1231
 APs to a combination of Cisco 3502i along with some of the existing 1231 APs
 converted to lightweight.   As we prepare for this we are looking at how to
 best architect the new network.The new network will cover the entire
 campus which consists of approx 50 buildings, with each building having its
 own VLAN.



 The initial idea was to install the APs so the IP address of the AP would
 be a part of the local building VLAN.  This is the IP the AP would use to
 talk back to the controller.  For user connections there would be two VLANs
 created which would be accessed through a single SSID.  The users would then
 be dynamically assigned to one of the two VLANs based on their logon
 credentials.  Currently all users are placed on the same VLAN after
 authentication, as our current installation is not capable of dynamic VLAN
 assignment.  There is currently only a single SSID in place.



 I would be interested to know what others have done and how successful it
 was.





 Thank you

 Bruce Entwistle

 Network Manager

 University of Redlands





**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] Wireless design

2011-06-08 Thread John Kaftan
Can that system bridge at the AP? We are going to have a secure network and an
open one. The secure network will be configured with 802.1x and will just dump
people on the local VLAN of the building. Once we have the network fully secure
we will be fine with this. I like this for performance reasons. The APs just
become secure hubs. We will also make sure that no clients can talk to each
other on these networks. We will try to drive all users to the secure network.
The secure network will also be NAC enabled. The open network will tunnel back
to the controller and bridge there which is required due to the captive portal.

The only possible snag here is roaming between buildings and between 802.1x
APs. I have not tested and tweaked that yet.

John

- Original Message -
From: Mike King m...@mpking.com
Date: Wednesday, June 8, 2011 9:29 pm
Subject: Re: [WIRELESS-LAN] Wireless design
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

 The real short answer is that it does not matter what the IP address of the
 AP is, as long as it has good stable communications with the controller.

 What I personally try to do is what you are proposing, put the APs for each
 building/floor in its own subnet.

 Good luck

 Mike

 On Wed, Jun 8, 2011 at 6:54 PM, Entwistle, Bruce bruce_entwis...@redlands.edu wrote:

  We will soon be migrating our wireless network from Cisco autonomous 1231 APs
  to a combination of Cisco 3502i along with some of the existing 1231 APs
  converted to lightweight. As we prepare for this we are looking at how to best
  architect the new network. The new network will cover the entire campus which
  consists of approx 50 buildings, with each building having its own VLAN.

  The initial idea was to install the APs so the IP address of the AP would be
  a part of the local building VLAN. This is the IP the AP would use to talk
  back to the controller. For user connections there would be two VLANs created
  which would be accessed through a single SSID. The users would then be
  dynamically assigned to one of the two VLANs based on their logon
  credentials. Currently all users are placed on the same VLAN after
  authentication, as our current installation is not capable of dynamic VLAN
  assignment. There is currently only a single SSID in place.

  I would be interested to know what others have done and how successful it was.

  Thank you
  Bruce Entwistle
  Network Manager
  University of Redlands


**
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] Wireless Design for Arenas

2008-12-11 Thread heath . barnhart
You could also not broadcast the SSIDs, but this could cause problems 
depending on the client devices and has fallen out of favor as a control 
mechanism.

Heath Barnhart
Asst. Sys/Net Administrator
Informations Systems and Services
Washburn University

- Original Message -
From: Jason Appah jason.ap...@oit.edu
Date: Wednesday, December 10, 2008 5:34 pm
Subject: Re: [WIRELESS-LAN] Wireless Design for Arenas
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

 802.1x or MAC filtering, or both... In a previous life I supported 
 wireless for a large manufacturer with myriad dumb devices (that is, 
 devices that couldn't do 802.1x), so we did a mix: an SSID that did MAC 
 filtering for DUMB devices and an SSID for 802.1x
 
 
 On 12/10/08 3:30 PM, John Duran jvdu...@unm.edu wrote:
 
  Scenario: RF Design for an Arena area. We can easily design for the known
  devices we are anticipating will connect to the Wi-Fi.

  Challenge: How are others restricting connectivity to the Wi-Fi for those
  devices (e.g. Dual mode cell phones and other Wi-Fi enabled personal devices)
  that do not have a business need for connecting to the Enterprise wireless
  network? This number is only expected to grow exponentially in the near
  future. We are certain no one wants to provide IP addresses for all these
  devices and accept any potential security risks. Essentially how are you
  preventing these devices from obtaining IP addresses and associating to the
  wireless network? This will also create a degradation of service to those that
  do have a business need during sporting events. We can see the potential
  number of devices exceeding the APs load threshold very quickly.
   
   
  John V. Duran
  Network Engineer 
  University of New Mexico
  Information Technology Services
  Ph: (505) 249-7890
  Fax: (505) 277-8101


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
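Heath's point that a non-broadcast SSID has fallen out of favor as a control mechanism can be shown on the wire. An AP that "hides" its SSID only empties the SSID element in its beacons; every client configured for that network still names it in clear in its probe requests and in the association request it sends to join, so anyone listening recovers the name from the first client that connects. The example below is added here and is not code from the thread. It parses the information elements of constructed 802.11 management-frame bodies (a hidden-SSID beacon, a probe request and an association request for the same network) and collects the SSIDs that client-originated frames expose. The frame bodies and the SSID "CampusSecure" are constructed for the example.

```python
"""Why a non-broadcast SSID is not an access control.

Added example, not code from the list thread. Parses the tagged parameters
(information elements) of 802.11 management-frame bodies and shows that a
client names the "hidden" network in clear when it probes and associates.
Frame bodies below are constructed by hand; the SSID is hypothetical.
"""
import struct

IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_DS_PARAMS = 3

# Fixed fields that precede the IEs in each frame body: beacon and probe
# response carry timestamp(8) + beacon interval(2) + capability(2); an
# association request carries capability(2) + listen interval(2); a probe
# request has no fixed fields.
FIXED_LEN = {"beacon": 12, "probe_resp": 12, "probe_req": 0, "assoc_req": 4}


def ie(element_id: int, value: bytes) -> bytes:
    """Encode one information element: ID(1) Length(1) Value."""
    if len(value) > 255:
        raise ValueError("IE value too long")
    return bytes([element_id, len(value)]) + value


def parse_ies(data: bytes) -> list:
    """Decode an IE run into (id, value) pairs; a length that runs past the
    buffer raises instead of being read as garbage."""
    out, i = [], 0
    while i + 2 <= len(data):
        eid, elen = data[i], data[i + 1]
        if i + 2 + elen > len(data):
            raise ValueError(f"truncated IE {eid}")
        out.append((eid, data[i + 2:i + 2 + elen]))
        i += 2 + elen
    if i != len(data):
        raise ValueError("trailing bytes after last IE")
    return out


def ssid_of(frame_type: str, body: bytes):
    """Return the SSID carried in a frame body, or None if there is no SSID IE."""
    for eid, value in parse_ies(body[FIXED_LEN[frame_type]:]):
        if eid == IE_SSID:
            return value
    return None


def is_hidden(ssid) -> bool:
    """Both 'hidden' encodings APs use: zero length, or real length filled with NULs."""
    return ssid is not None and (len(ssid) == 0 or set(ssid) == {0})


def leaked_ssids(frames) -> set:
    """SSIDs visible in clear in client-originated frames of a capture.

    `frames` is an iterable of (frame_type, body). Only probe and association
    requests count; beacons from a hidden-SSID AP contribute nothing.
    """
    found = set()
    for frame_type, body in frames:
        if frame_type not in ("probe_req", "assoc_req"):
            continue
        ssid = ssid_of(frame_type, body)
        if ssid and not is_hidden(ssid):
            found.add(ssid.decode("utf-8", errors="replace"))
    return found


# --- constructed sample frame bodies (no MAC header, no FCS) ----------------
SSID = b"CampusSecure"                            # hypothetical network name
RATES = bytes([0x82, 0x84, 0x8B, 0x96])           # 1, 2, 5.5, 11 Mb/s (basic)
CAPABILITY = 0x0411                               # ESS + privacy + short slot

# AP with SSID broadcast disabled: the SSID IE is present but empty.
BEACON_HIDDEN = (b"\x00" * 8 + struct.pack("<HH", 100, CAPABILITY)
                 + ie(IE_SSID, b"") + ie(IE_SUPPORTED_RATES, RATES)
                 + ie(IE_DS_PARAMS, b"\x06"))
# A client configured for that network still names it when it probes for it
# and again in the association request.
PROBE_REQ = ie(IE_SSID, SSID) + ie(IE_SUPPORTED_RATES, RATES)
ASSOC_REQ = (struct.pack("<HH", CAPABILITY, 10)
             + ie(IE_SSID, SSID) + ie(IE_SUPPORTED_RATES, RATES))

CAPTURE = [("beacon", BEACON_HIDDEN), ("probe_req", PROBE_REQ), ("assoc_req", ASSOC_REQ)]

if __name__ == "__main__":
    print("beacon SSID hidden:", is_hidden(ssid_of("beacon", BEACON_HIDDEN)))
    print("SSIDs recoverable from client frames:", leaked_ssids(CAPTURE))
```

The same reasoning applies to the MAC-filtering half of the arena answer: the source address is a client-supplied header field, so a MAC allow-list keeps casual devices off the SSID but is not an authentication. Of the options in the thread, 802.1X is the only one where the decision rests on something the client proves rather than something it merely declares.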




Re: [WIRELESS-LAN] Wireless Design for Arenas

2008-12-10 Thread Jason Appah
802.1x or MAC filtering, or both... In a previous life I supported wireless
for a large manufacturer with myriad dumb devices (that is, devices that
couldn't do 802.1x), so we did a mix: an SSID that did MAC filtering for DUMB
devices and an SSID for 802.1x


On 12/10/08 3:30 PM, John Duran [EMAIL PROTECTED] wrote:

 Scenario: RF Design for an Arena area. We can easily design for the known
 devices we are anticipating will connect to the Wi-Fi.
  
  Challenge: How are others restricting connectivity to the Wi-Fi for those
 devices (e.g. Dual mode cell phones and other Wi-Fi enabled personal devices)
 that do not have a business need for connecting to the Enterprise wireless
 network? This number is only expected to grow exponentially in the near
 future. We are certain no one wants to provide IP addresses for all these
 devices and accept any potential security risks. Essentially how are you
 preventing these devices from obtaining IP addresses and associating to the
 wireless network? This will also create a degradation of service to those that
 do have a business need during sporting events. We can see the potential
 number of devices exceeding the APs load threshold very quickly.
  
  
  
 John V. Duran
 Network Engineer 
 University of New Mexico
 Information Technology Services
 Ph: (505) 249-7890
 Fax: (505) 277-8101


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.