Network Access Control
Good Morning All,

Who is using NAC (Network Access Control) for wireless client authentication and posturing?

1) What solution did you select?
2) How easily did it integrate with your existing infrastructure?
3) What is your existing infrastructure and wireless solution?
4) How well has it performed?
5) If you had to do it again would you select the same product?
6) What were the successes and failures of the deployment?
7) What was the impact on your technical staff to prepare for deployment?
8) How well does it scale?
9) How are the management tools and maintenance for the solution?

Thank a million,

John V. Duran
University of New Mexico
Network Engineer
ITS/Network Communications/Data Services
Ph: (505) 249-7890
Fax: (505) 277-8101

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Network Access Control
1) What solution did you select?
IDEngines Ignition Server

2) How easily did it integrate with your existing infrastructure?
Ignition is totally standards based, basically it's a really powerful, easy to configure RADIUS server, nothing new, just well thought out RADIUS and TACACS+ server with easy to use, powerful, graphical rules building.

3) What is your existing infrastructure and wireless solution?
Aruba, HP Procurve 420 and Proxim 4000

4) How well has it performed?
Quite nicely, again it's just RADIUS was that we chose to roll it out campus wide using a captive portal to deliver the Auto-Connect client over a clear open SSID. After that, the Auto-Connect client made the settings changes to Windows or Mac, and forced the wireless card to the new network.

5) If you had to do it again would you select the same product?
Yes

6) What were the successes and failures of the deployment?
We'll let you know in two weeks :) after school starts, but with the test cases, it's been a total non-event. In all honesty I wouldn't do it without Auto-Connect. Microsoft has done Admins a huge disservice by not integrating wired and wireless (I know wireless is) into group policy.

7) What was the impact on your technical staff to prepare for deployment?
Minimal, but we chose to roll out 802.1x with Auto-Connect, another product created by IDEngines; it automated the choices for the end user. If the user has issues, reapply Auto-Connect and all is well; very, very few have required additional troubleshooting, provided that the devices are Windows XP, Vista, or OSX, and of the problem clients are usually just a driver upgrade away from working.

8) How well does it scale?
It appears to scale well, the Ignition server has a HA (high availability) port and Cluster type central management, we only have one server as we're a small school +/- 4000 students so scaling really wasn't an issue; even if all of our student body shows up on campus and demands wireless we would have the daily user base load of some of the larger schools (and we wouldn't have the AP capacity to support them).

9) How are the management tools and maintenance for the solution?
Management is great, support from the vendor was and is phenomenal.

Additionally, we chose to roll it (802.1x) out to the wired ports as well, lending its own set of issues, but I'll not catalog those here.

On Thu, 2008-09-11 at 08:53 -0600, John Duran wrote:

Good Morning All,

Who is using NAC (Network Access Control) for wireless client authentication and posturing?

1) What solution did you select?
2) How easily did it integrate with your existing infrastructure?
3) What is your existing infrastructure and wireless solution?
4) How well has it performed?
5) If you had to do it again would you select the same product?
6) What were the successes and failures of the deployment?
7) What was the impact on your technical staff to prepare for deployment?
8) How well does it scale?
9) How are the management tools and maintenance for the solution?

Thank a million,

John V. Duran
University of New Mexico
Network Engineer
ITS/Network Communications/Data Services
Ph: (505) 249-7890
Fax: (505) 277-8101

--
Jason Appah
Operating Systems/Network Analyst II
Oregon Institute of Technology
RE: [WIRELESS-LAN] Network Access Control
We had CCA for wired residential (e.g. students) access for a few years and recently applied it to the wireless. We have 3 wireless networks - the one for students now uses CCA. Our guest wireless does not have NAC but does challenge for email address (basically anonymous), but we restrict what can be done over the guest access to minimize risk and eliminate access to on campus resources.

See rest below

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of John Duran
Sent: Thursday, September 11, 2008 10:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Network Access Control

Good Morning All,

Who is using NAC (Network Access Control) for wireless client authentication and posturing?

1) What solution did you select?
a. CCA

2) How easily did it integrate with your existing infrastructure?
a. Very easily, just added a corresponding VLAN to CCA for the student wireless VLAN/SSID

3) What is your existing infrastructure and wireless solution?
a. We use Foundry wired and wireless (wireless is rebranded Meru)

4) How well has it performed?
a. Very well since it was already in use for a few years on the wired

5) If you had to do it again would you select the same product?
a. Yes - from the perspective of using the same solution for wired and wireless - but if/when we move from CCA it would be for both wired and wireless to keep them the same

6) What were the successes and failures of the deployment?
a. Success - simplicity/familiarity, failure - nothing - see 4, 5 above

7) What was the impact on your technical staff to prepare for deployment?
a. Nearly nothing - see 4, 5, 6 above

8) How well does it scale?
a. As well as CCA scales, which is why we are considering moving from CCA for all our NAC

9) How are the management tools and maintenance for the solution?

Thank a million,

John V. Duran
University of New Mexico
Network Engineer
ITS/Network Communications/Data Services
Ph: (505) 249-7890
Fax: (505) 277-8101
Re: [WIRELESS-LAN] Network Access Control
We have been using Bradford Campus Manager on our wired network for a little over a year and have just implemented it on our wireless network over the summer. Currently we are registering clients, which means that they only are nagged once (our re-registration period is 6 months) for their credentials. Then after they are registered the system will recognize their client and put them on the appropriate network. Bradford can also do authentication as well, which we will be rolling out in public spaces on computers that are owned by the University. All in all it is a very diverse and flexible system that can be implemented many different ways.

See responses below.

Chris Chamberlain
Oakland University
Network Engineer

On Sep 11, 2008, at 10:53 AM, John Duran wrote:

Good Morning All,

Who is using NAC (Network Access Control) for wireless client authentication and posturing?

1) What solution did you select?
Bradford Campus Manager

2) How easily did it integrate with your existing infrastructure?
Very easily, works with many different vendors

3) What is your existing infrastructure and wireless solution?
Cisco l2/l3 with Meru Wireless infrastructure

4) How well has it performed?
Much better than our old Cisco CCA system, it is not inline, which is the biggest benefit.

5) If you had to do it again would you select the same product?
Yes, Campus Manager has worked very well, and in the times we have had issues they have been able to work with us to resolve

6) What were the successes and failures of the deployment?
We initially had issues with Meru/Bradford integration but both companies worked together to eventually work it out.

7) What was the impact on your technical staff to prepare for deployment?
It has a bit of a learning curve to it, but not unlike any other product

8) How well does it scale?
Very well, we have both our wired and wireless on the same set of boxes and because they are not inline they seem to scale very well. We have around 18000 students, 1 active wired ports and over 300 APs

9) How are the management tools and maintenance for the solution?
Management tools are ok, they use Java applets which aren't great but get the job done. UI is supposed to get a refresh in the next major release.

Thank a million,

John V. Duran
University of New Mexico
Network Engineer
ITS/Network Communications/Data Services
Ph: (505) 249-7890
Fax: (505) 277-8101
Re: [WIRELESS-LAN] Network Access Control
(Answers embedded below)

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of John Duran
Sent: Thursday, September 11, 2008 10:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Network Access Control

Good Morning All,

Who is using NAC (Network Access Control) for wireless client authentication and posturing?

1) What solution did you select?
Cisco Clean Access (CCA)

2) How easily did it integrate with your existing infrastructure?
Very easily, as we already had it in place at the time for the students (we have since put the rest of the campus behind it)

3) What is your existing infrastructure and wireless solution?
Cisco

4) How well has it performed?
CCA has performed pretty well, though it has had its share of problems.

5) If you had to do it again would you select the same product?
Not sure; I know that we should have done a thorough RFP on it in retrospect, but we just didn't have the time. We chose it quickly to solve a terrible problem we were having with viruses.

6) What were the successes and failures of the deployment?
Ramming it down users' throats was a challenge, but we pulled it off. LOTS of legwork from our Helpdesk folks for documentation, training, and communication. We have practically eliminated viruses on campus as a result, and those staff hours (to track them down and clean them up) have been reclaimed for other more productive purposes. It also makes network registration of users a cinch (we authenticate via LDAP against Active Directory where everyone has a login), and if we need to track someone down in a hurry it is very easy now.

We are still having some problems with failover on the appliances, i.e. it ain't workin' (appears to be a software issue with the sync and only happens under load), but it's been an open issue for so long because we haven't given the Cisco TAC time to debug it with us. We also have purposely not upgraded to the latest version because it seems like people are still having lots of problems [that we don't want to deal with]; we're still at 4.1.2.1.

Users still occasionally complain that CCA rejects them because their computer isn't updated, to which we say Too Bad Pal (insert diplomacy here). That's the whole purpose, get over it and fix your computer. The worst case of this is when a professor goes into a classroom 5 minutes before class and turns on all the computers (which have been diligently turned off the night before to save energy). An update came out recently, and all the computers fail CCA login until they are updated. Our answer to that has basically been well then plan ahead and show up sooner than 5 minutes beforehand. It can be a difficult situation, but we're working through it.

7) What was the impact on your technical staff to prepare for deployment?
For us in the Networks group it was HUGE. We had to re-IP a lot of things, and since CCA is implemented in-band here it had major implications on our core network setup. We actually paid our Cisco reseller to have several consultants on-site for the initial implementation, including an expert engineer who originally worked at Perfigo. I also had a vacant position for primary network person, which was back-filled by consultants for this implementation. I ended up hiring one of them full-time, and he's still with us after 3 years (and hopefully many more!).

8) How well does it scale?
Great, just buy more appliances to handle more users. I think it was something like 1,500 users per appliance? We own 4 pairs of servers (we have 2,400 students plus all the faculty and staff), and another pair which manages the whole setup (10 servers total).

9) How are the management tools and maintenance for the solution?
The whole thing is managed through a secure web GUI from the manager server pair, and it is pretty complete and fairly easy to use. There are a few things missing from it that we'd like to see added, but for the most part it works well for us.

Good luck!!!

Thank a million,

John V. Duran
University of New Mexico
Network Engineer
ITS/Network Communications/Data Services
Ph: (505) 249-7890
Fax: (505) 277-8101

-Tim
---
Tim Cantin, Senior Network Engineer
Wellesley College, IS/Technology Infrastructure Group
223 Simpson Hall East, 106 Central Street
Wellesley, Massachusetts 02481-8203
http://www.wellesley.edu/~tcantin/
phone: (781)283-3520
fax: (781)283-3682
RE: [WIRELESS-LAN] Network Access Control
1) What solution did you select?
Impulse's SafeConnect

2) How easily did it integrate with your existing infrastructure?
Very easy. Ran a few commands on our core (set up SFlow PBR), and plugged it in. Configuring the policies to check for on students' machines took longer than the infrastructure setup. Integrating with wireless was a non-issue as no extra steps were necessary to activate it on the wireless VLAN.

3) What is your existing infrastructure and wireless solution?
Wired: Alcatel 9800/6850/6800
Wireless: Alcatel OAW-6000

4) How well has it performed?
No major issues so far. Configuration tweaks every so often but nothing big

5) If you had to do it again would you select the same product?
Yes

6) What were the successes and failures of the deployment?
The worst part was the first year we deployed it and all the students that had viruses/spyware that caused issues installing the items we require (patches, AV, AS, etc...). It wasn't too bad, but it did take longer the first year than subsequent years.

7) What was the impact on your technical staff to prepare for deployment?
Outside of training helpdesk users on how to handle issues, the impact was minimal. The majority of the time was spent by me configuring the policies and wording exactly how we wanted them

8) How well does it scale?
The NAC uses SFlow data from the routers to recognize users, and adds Policy Based Routing to the routers to quarantine users, therefore the traffic passes across our enterprise LAN, and not through a NAC appliance. Because of this, it scales as much as our routers do.

9) How are the management tools and maintenance for the solution?
Management tools are great, and allow very specific customization of exactly what is checked for and what message the end user sees.

Thank a million,

John V. Duran
University of New Mexico
Network Engineer
ITS/Network Communications/Data Services
Ph: (505) 249-7890
Fax: (505) 277-8101
RE: [WIRELESS-LAN] Network Access Control
Who is using NAC (Network Access Control) for wireless client authentication and posturing?

1) What solution did you select?
Impulse SafeConnect

2) How easily did it integrate with your existing infrastructure?
We were the pilot for some advanced 802.1x functionality, but it integrated nicely. RADIUS authentication starts and stops are passed to the NAC. Phase 1, this replaced a large portion of a homegrown solution.

3) What is your existing infrastructure and wireless solution?
Cisco LWAPP thin APs

4) How well has it performed?
Very well with some tuning. The developers are excellent to work with. The solution provides an agent that assists with continuous posture checking and quarantine for Windows machines. There is an agent for the Mac with less functionality at this time.

5) If you had to do it again would you select the same product?
Yes.

6) What were the successes and failures of the deployment?
The deployment is a success. Opening went very smoothly. The vendor is making progress on the remaining feature requests.

7) What was the impact on your technical staff to prepare for deployment?
We did move all management interfaces for the network and other infrastructure to a separate private network. I recommend doing this regardless of product selection. We did a lot of testing.

8) How well does it scale?
We are approaching 5200 concurrent users on wireless and growing. We also manage our wired resnet networks. Phase 1.

9) How are the management tools and maintenance for the solution?
The management tools are minimal. The solution is pretty much a packaged service so maintenance has been limited and the support has been terrific. We developed our own reporting tools and have turned them over to the vendor who has expressed an interest in integrating similar functionality. Now on to Phase 2.

Thank a million,
You are welcome a million. There are going to be more questions, please feel free to write me off-list for more answers.

Randy Grimshaw
Syracuse University
[EMAIL PROTECTED]
Re: [WIRELESS-LAN] Network Access Control
John Duran wrote:

Good Morning All,

Who is using NAC (Network Access Control) for wireless client authentication and posturing?

1) What solution did you select?
2) How easily did it integrate with your existing infrastructure?
3) What is your existing infrastructure and wireless solution?
4) How well has it performed?
5) If you had to do it again would you select the same product?
6) What were the successes and failures of the deployment?
7) What was the impact on your technical staff to prepare for deployment?
8) How well does it scale?
9) How are the management tools and maintenance for the solution?

When our wireless was provided by heavy access points, there was no separate wireless LAN from the wired one. Now that we've gone to lightweight APs, we run that LAN through another Cisco Clean Access server, just like we've done for the wired side. In that regard, there was no difference from the users' side, and little of consequence on our side, either.

It's done all right. We're considering alternative NAC products, but Cisco remains under consideration. The obstacle lies in problems with the software Agent that would be installed on users' systems, and the inherent bottleneck/single point of failure an in-band system presents. Our backbone is not Cisco, so out-of-band isn't really an option.

But we're a small school; your mileage may vary.

--
Regards,
-- Cal Frye, Network Administrator, Oberlin College
www.calfrye.com, www.pitalabs.com

All serious daring starts from within. --Eudora Welty.
Re: [WIRELESS-LAN] FYI: Cisco controllers may put radios on UNII-2e channels
Don,

I did some testing of four client interfaces in the spring when we had identified this issue (I've been meaning to post about this for a while, but spare time has been hard to come by), and collected the test results in a spreadsheet.

The two bga interfaces were not able to associate with UNII-2e channels. Of the two bgan interfaces, one worked with UNII-2e channels and the other did not.

To make the test info available I have created a Google spreadsheet which can be found at:
http://spreadsheets.google.com/pub?key=pvI5m65uYyGaZlGrZV7fxFA

One of my goals is to make it possible for others to add their test data to the Google spreadsheet, so that everyone can benefit from the info collected on the channel support levels for 5 GHz clients.

It looks like Google has an automatic form creator to help automate the process of collecting data in a spreadsheet, so I will try sending that form to the wireless-lan list and see what happens.

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
[EMAIL PROTECTED] / 512.475.9265

On Wed, Sep 10, 2008 at 09:05:43PM -0400, Don Wright wrote:

Charles,

I'd be interested to know which client/drivers you've already tested this with. Maybe others have some as well to add to a list of either working or not.

Thanks,
--
Don Wright
Brown University
CIS - NTG

On 9/10/08 10:41 AM, Charles Spurgeon [EMAIL PROTECTED] wrote:

FYI. This documents something that we have stumbled over with UNII-2e channels and is a heads up for anyone running Cisco LWAPP gear and using the auto channel selection component of RRM (Dynamic Channel Assignment (DCA) in Cisco-speak).

The Cisco WLC release notes for v4.1.185.0 have an important caveat (CSCsi86794) that describes the behavior of DCA and the UNII-2 Extended channels (UNII-2e).(1) For some reason this caveat is missing in 4.2.130.0 release notes, while the DCA issue still appears to be present in that code. (Based on the text in the 4.1.185.0 release notes the UNII-2e support appears to have first shown up in 4.1.171.0.)

Briefly, Cisco has added support for the UNII-2e channels to the wireless lan controller and LWAPP APs, and these channels are automatically enabled for use by DCA. As a result of the new support, AP radios may be automatically assigned by DCA to one of the UNII-2e channels. We found several radios in our system where that had happened.

Unfortunately, none of the 802.11a clients that we have tested know about the UNII-2e channels, and therefore most (all?) 802.11a clients cannot associate with AP radios that have been assigned to the UNII-2e channels. An AP radio on one of those channels is no longer available to dot11a clients and your wireless coverage will have holes in it even though the AP is up and system monitors are happy.

If the client NIC has an 802.11an radio then it may have support for the UNII-2e channels. You would need to test against an AP radio set to one of the UNII-2e channels to find out, since the vendor docs that we have looked at don't tend to have any documentation about the presence or absence of UNII-2e support.

To avoid this issue, Cisco's release notes tell you to disable the UNII-2e channels in DCA. However, the release notes incorrectly tell you to also disable channel 149, which is NOT one of the UNII-2e channels. Instead, it is one of the older channels that is supported by all 802.11a NICs that we've tested.

If you want to avoid issues with AP radios being set to UNII-2e channels that are invisible to clients then you can do that by disabling all DCA channels in the UNII-2e range of 100-140. Note that when you disable these channels using either the CLI or the Web GUI the AP radios must be disabled and then re-enabled to make that change.

We would be interested in hearing about the experience at other sites with UNII-2e channels, especially the results of any tests of UNII-2e support in clients.

Thanks,

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
[EMAIL PROTECTED] / 512.475.9265

(1) The UNII-2e channels appear to be relatively recent additions. This Cisco doc mentions them in the context of DFS support requirements: http://tinyurl.com/yq7y9r
WiFi Client Interface 5 GHz Channel Test Spreadsheet
If you have trouble viewing or submitting this form, you can fill it out online:
http://spreadsheets.google.com/viewform?key=pvI5m65uYyGaZlGrZV7fxFA

WiFi Client Interface 5 GHz Channel Test Spreadsheet

This form is provided to help automate the process of collecting test information on channel support in 5GHz 802.11a and 802.11an client interfaces. The channel support spreadsheet can be seen at:
http://spreadsheets.google.com/pub?key=pvI5m65uYyGaZlGrZV7fxFA

The testbed that I have used to test channel support on client interfaces is based on creating an SSID (example: 5ghztest) and assigning it to the 5GHz radio on an AP in my office. That way the client interface can be made to associate with the correct AP as the channels are changed on the AP to test interface channel support.

Next, at least one channel in each UNII channel group is tested by setting the AP to that channel and checking to see if the client can associate with the test AP. Finally, an iperf test is run from the client machine to an iperf server to make sure that the client interface can exchange traffic over the channel being tested and that performance on that channel is acceptable.

Testing at least one channel from each UNII channel group results in four AP reconfigurations and four tests per client interface.

Name: (insert name and email address)
Test Report Date: (insert date)
Interface under test: model name and number, interface type (cardbus, USB, integrated)
Operating System and Version? Example: Windows XP SP2
Interface Driver Version and Regulatory Domain Example: Driver Version n US Domain
Access point used to test against: AP model and software version
UNII-1 Channels - Yes: Works on one or more UNII-1 Channels. No: Fails on one or more channels. (36,40,44,48)
UNII-2 Channels - Yes: Works on one or more UNII-2 Channels. No: Fails on one or more channels. (52,56,60,64)
UNII-2e Channels - Yes: Works on one or more UNII-2e DFS Channels. No: Fails on one or more channels. (100,104,108,112,116,120,124,128,132,136,140)
UNII-3 Channels - Yes: Works on one or more UNII-3 Channels. No: Fails on one or more channels. (149,153,157,161,165)
Re: [WIRELESS-LAN] FYI: Cisco controllers may put radios on UNII-2e channels
For those wanting to test Macs, you can save yourself a lot of work by simply running the Console application, selecting all messages, and then toggling the Airport off/on. When the driver comes back up, OS X displays all of the channels that the installed card is capable of using. As an example, here is what a current MacBook Pro with Atheros displays.

9/11/08 5:26:32 PM kernel en1: 802.11d country code set to 'US'.
9/11/08 5:26:32 PM kernel en1: Supported channels 1 2 3 4 5 6 7 8 9 10 11 36 40 44 48 52 56 60 64 149 153 157 161 165

Current iMac w/ BCM43xx

9/11/08 3:07:24 PM kernel en1: 802.11d country code set to 'US'.
9/11/08 3:07:24 PM kernel en1: Supported channels 1 2 3 4 5 6 7 8 9 10 11 5 6 7 8 9 10 11 1 2 3 4 5 6 7 36 40 44 48 52 56 60 64 100 104 108 112 116 120 124 128 132 136 140 149 153 157 161 165 40 48 56 64 104 112 120 128 136 153 161 36 44 52 60

Also, an option-click of the Airport icon in the menu bar will provide other information including current channel, transmit rate, RSSI, etc.

best,
Jeff

Charles Spurgeon [EMAIL PROTECTED] 9/11/2008 2:17 PM

Don, I did some testing of four client interfaces in the spring when we had identified this issue (I've been meaning to post about this for a while, but spare time has been hard to come by), and collected the test results in a spreadsheet. The two bga interfaces were not able to associate with UNII-2e channels. Of the two bgan interfaces, one worked with UNII-2e channels and the other did not.
To make the test info available I have created a Google spreadsheet which can be found at: http://spreadsheets.google.com/pub?key=pvI5m65uYyGaZlGrZV7fxFA One of my goals is to make it possible for others to add their test data to the Google spreadsheet, so that everyone can benefit from the info collected on the channel support levels for 5 GHz clients It looks like Google has an automatic form creator to help automate the process of collecting data in a spreadsheet, so I will try sending that form to the wireless-lan list and see what happens. -Charles Charles E. Spurgeon / UTnet UT Austin ITS / Networking [EMAIL PROTECTED] / 512.475.9265 On Wed, Sep 10, 2008 at 09:05:43PM -0400, Don Wright wrote: Charles, I'd be interested to know which client/drivers you've already tested this with. Maybe others have some as well to add to a list of either working or not. Thanks, -- Don Wright Brown University CIS - NTG On 9/10/08 10:41 AM, Charles Spurgeon [EMAIL PROTECTED] wrote: FYI. This documents something that we have stumbled over with UNII-2e channels and is a heads up for anyone running Cisco LWAPP gear and using the auto channel selection component of RRM (Dynamic Channel Assignment (DCA) in Cisco-speak). The Cisco WLC release notes for v4.1.185.0 have an important caveat (CSCsi86794) that describes the behavior of DCA and the UNII-2 Extended channels (UNII-2e).(1) For some reason this caveat is missing in 4.2.130.0 release notes, while the DCA issue still appears to be present in that code. (Based on the text in the 4.1.185.0 release notes the UNII-2e support appears to have first shown up in 4.1.171.0.) Briefly, Cisco has added support for the UNII-2e channels to the wireless lan controller and LWAPP APs, and these channels are automatically enabled for use by DCA. As a result of the new support, AP radios may be automatically assigned by DCA to one of the UNII-2e channels. We found several radios in our system where that had happened. 
Unfortunately, none of the 802.11a clients that we have tested know about the UNII-2e channels, and therefore most (all?) 802.11a clients cannot associate with AP radios that have been assigned to the UNII-2e channels. An AP radio on one of those channels is no longer available to dot11a clients and your wireless coverage will have holes in it even though the AP is up and system monitors are happy. If the client NIC has an 802.11an radio then it may have support for the UNII-2e channels. You would need to test against an AP radio set to one of the UNII-2e channels to find out, since the vendor docs that we have looked at don't tend to have any documentation about the presence or absence of UNII-2e support. To avoid this issue, Cisco's release notes tell you to disable the UNII-2e channels in DCA. However, the release notes incorrectly tell you to also disable channel 149, which is NOT one of the UNII-2e channels. Instead, it is one of the older channels that is supported by all 802.11a NICs that we've tested. If you want to avoid issues with AP radios being set to UNII-2e channels that are invisible to clients then you can do that by disabling all DCA channels in the UNII-2e range of 100-140. Note that when you disable these channels using either the CLI or the Web GUI the AP radios must be disabled and then re-enabled to make that change. We would be interested in
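
The channel check discussed in this thread, as an added example that is not part of any poster's message: it parses the OS X Console "Supported channels" lines quoted above, grades each client against the UNII groups listed in the test form, and picks out the DCA channels in the 100-140 range. The function names and the AP-to-channel map are assumptions made for illustration.

```python
import re

# UNII channel groups exactly as listed in the test form in this thread.
UNII_GROUPS = {
    "UNII-1": (36, 40, 44, 48),
    "UNII-2": (52, 56, 60, 64),
    "UNII-2e": (100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140),
    "UNII-3": (149, 153, 157, 161, 165),
}

# Matches e.g. "9/11/08 5:26:32 PM kernel en1: Supported channels 1 2 3 ..."
SUPPORTED_RE = re.compile(r"kernel\s+(\w+):\s+Supported channels\s+([\d\s]+)$")

# Console output as quoted in the thread (MacBook Pro with Atheros).
MACBOOK_PRO_LOG = (
    "9/11/08 5:26:32 PM kernel en1: 802.11d country code set to 'US'.\n"
    "9/11/08 5:26:32 PM kernel en1: Supported channels 1 2 3 4 5 6 7 8 9 10 11 "
    "36 40 44 48 52 56 60 64 149 153 157 161 165\n"
)

# Console output as quoted in the thread (iMac with BCM43xx).
IMAC_LOG = (
    "9/11/08 3:07:24 PM kernel en1: 802.11d country code set to 'US'.\n"
    "9/11/08 3:07:24 PM kernel en1: Supported channels 1 2 3 4 5 6 7 8 9 10 11 "
    "5 6 7 8 9 10 11 1 2 3 4 5 6 7 36 40 44 48 52 56 60 64 100 104 108 112 116 "
    "120 124 128 132 136 140 149 153 157 161 165 40 48 56 64 104 112 120 128 "
    "136 153 161 36 44 52 60\n"
)

# Constructed sample: AP radio name -> channel assigned by DCA (hypothetical names).
SAMPLE_AP_CHANNELS = {"ap-1": 36, "ap-2": 116, "ap-3": 149}


def parse_supported_channels(console_text):
    """Return {interface: set of channel numbers} from Console kernel lines."""
    result = {}
    for line in console_text.splitlines():
        match = SUPPORTED_RE.search(line.strip())
        if match:
            iface, channels = match.group(1), match.group(2)
            # The driver may print a channel more than once; a set removes repeats.
            result.setdefault(iface, set()).update(int(c) for c in channels.split())
    return result


def unii_support(channels):
    """Grade each UNII group as 'full', 'partial' or 'none' for one client."""
    report = {}
    for name, group in UNII_GROUPS.items():
        present = [c for c in group if c in channels]
        if len(present) == len(group):
            report[name] = "full"
        elif present:
            report[name] = "partial"
        else:
            report[name] = "none"
    return report


def dca_channels_to_disable(dca_list):
    """Channels in a DCA list that are UNII-2e (100-140). Channel 149 is UNII-3."""
    return sorted(c for c in dca_list if c in UNII_GROUPS["UNII-2e"])


def coverage_holes(ap_channels, client_channels):
    """AP radios that are up but invisible to a client with this channel set."""
    return {ap: ch for ap, ch in ap_channels.items() if ch not in client_channels}


if __name__ == "__main__":
    for label, log in (("MacBook Pro", MACBOOK_PRO_LOG), ("iMac", IMAC_LOG)):
        chans = parse_supported_channels(log)["en1"]
        print(label, unii_support(chans), coverage_holes(SAMPLE_AP_CHANNELS, chans))
```
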