RE: [WIRELESS-LAN] Open-Free Access wireless

2009-08-06 Thread Methven, Peter J
You could probably mitigate some of the risks of providing a free/open
wireless service, if it was heavily restrictive on what ports were open
and if you used deep packet inspection to block common p-2-p ports and
service types. You would still potentially have an issue with traffic
going in and out of your network encrypted which you couldn't deep
packet inspect, but in that situation you can genuinely say you have
made every technical effort possible and I guess the RIAA would have
difficulty proving it was copyrighted material.

 

Many Thanks
Peter

 

Peter Methven. MBCS, BENG (Hons)

Network Specialist

Computer Centre (The Allen McTernan Building)

Heriot-Watt University

Edinburgh

EH14 4AS

Telephone: +44 (0)131 4513516 / 07774 427548

Email p.j.meth...@hw.ac.uk  

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Scott Powell
Sent: 05 August 2009 19:33
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Open-Free Access wireless

 

I've read some responses on how to handle guest access, but I'm being
asked a slightly different question by my campus.  We are considering
providing "free"/"open" wireless access on campus.   I can think of a
myriad of issues, but I need to find out if anyone else has done this
and any comments you might have.  We've been registering our user base,
and then they access the real network via a webvpn.  Guests were handled
via the web auth in the Cisco WLC.   My biggest concerns are how to
handle RIAA and Movie industry copyright notices, CALEA, as well as the
"unthinkable" activity over our wireless network.  If it is "open", I
don't know how I'll be able to identify who did what if at all.  Any
feedback will be appreciated.

 

Scott Powell

Network Manager

Wittenberg University

spow...@wittenberg.edu

937-525-3821

937-327-7372 fax

www.wittenberg.edu

 

 

** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/. 



-- 
Heriot-Watt University is a Scottish charity
registered under charity number SC000278.





RE: [WIRELESS-LAN] Open-Free Access wireless

2009-08-06 Thread Scott Powell
Randy,

Thanks for the comments.  You state that your wireless has been open from the 
beginning.  How have you handled the copyright notices (if any) to date?  We 
saw a substantial increase in notices last school year over previous.  I’ve 
got a reasonable process in place for handling “known” offenders.  I have no 
clue how to handle “unknown”.

Scott Powell
Network Manager
Wittenberg University
spow...@wittenberg.edu
937-525-3821
937-327-7372 fax
www.wittenberg.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Randy Ethridge
Sent: Wednesday, August 05, 2009 10:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Open-Free Access wireless

We actually are going the other way. Our wireless has been 'open' since day 
one, but due to all the issues mentioned and the changes in the legal landscape 
(or possible changes) we are in the process of securing our wireless. We will 
be requiring daily users to use our Safe Connect platform which also has the 
ability for our help desk ( and in the future, other departments) to create 
guest accounts. We have had multiple RIAA notices with users on wireless with 
no way to track them down which was one factor in deciding to secure the 
wireless.

Randy Ethridge
Information Services
Eastern Illinois University


- Original Message -
From: "Hector J Rios" 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Wednesday, August 5, 2009 8:11:58 PM GMT -06:00 US/Canada Central
Subject: Re: [WIRELESS-LAN] Open-Free Access wireless


Scott,

I think you answered your own question. We actually considered the idea at some 
point, strictly because we wanted to make it as easy as possible for everybody 
to connect to our wireless network. But in the end we decided that the cons 
were just too many. You’ve mentioned a few already. And the answer to your 
question as to how you identify who did what, is simply that you won’t be able 
to.  You might be able to map an IP to a MAC address, but then you will still 
have the tedious task of finding the physical device. I think the only 
advantage that a wide open network will give you is that you will be able to 
sniff the traffic. But so will the bad guys, and you won’t know who they are.

We’ve made it really easy for our guests to get on our wireless network by 
obtaining guest accounts that can be created by their hosts (a faculty or staff 
member) on a web application. We then authenticate them via Cisco’s web auth. 
Responding to DMCA notices and the like still involves a little digging around, 
but you do everything from your computer.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Scott Powell
Sent: Wednesday, August 05, 2009 1:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Open-Free Access wireless

I’ve read some responses on how to handle guest access, but I’m being asked a 
slightly different question by my campus.  We are considering providing 
“free”/”open” wireless access on campus.   I can think of a myriad of issues, 
but I need to find out if anyone else has done this and any comments you might 
have.  We’ve been registering our user base, and then they access the real 
network via a webvpn.  Guests were handled via the web auth in the Cisco WLC.   
My biggest concerns are how to handle RIAA and Movie industry copyright 
notices, CALEA, as well as the “unthinkable” activity over our wireless 
network.  If it is “open”, I don’t know how I’ll be able to identify who did 
what if at all.  Any feedback will be appreciated.

Scott Powell
Network Manager
Wittenberg University
spow...@wittenberg.edu
937-525-3821
937-327-7372 fax
www.wittenberg.edu
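
Added example, not part of the original thread: a sketch of the "digging around" a copyright notice triggers, resolving the notice's IP address and timestamp to a DHCP lease (MAC) and then to a web-auth session (account). The log layouts, addresses and account names are constructed for illustration, and the notice is assumed to carry a campus IP directly.

```python
from datetime import datetime, timezone

def ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2009-08-05T21:14:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed sample records (not from the thread): DHCP leases as
# (ip, mac, lease_start, lease_end). 10.20.4.17 is reused by two devices.
LEASES = [
    ("10.20.4.17", "00:1b:77:aa:01:02", ts("2009-08-05T18:00:00Z"), ts("2009-08-05T20:00:00Z")),
    ("10.20.4.17", "00:21:5c:bb:03:04", ts("2009-08-05T20:30:00Z"), ts("2009-08-05T23:30:00Z")),
    ("10.20.4.99", "00:23:12:cc:05:06", ts("2009-08-05T19:00:00Z"), ts("2009-08-05T22:00:00Z")),
]
# Constructed web-auth sessions as (mac, account, login, logout). The third
# device has no session: it stands for a client on an open SSID.
SESSIONS = [
    ("00:1b:77:aa:01:02", "guest-0412", ts("2009-08-05T18:01:00Z"), ts("2009-08-05T19:55:00Z")),
    ("00:21:5c:bb:03:04", "jdoe", ts("2009-08-05T20:31:00Z"), ts("2009-08-05T23:00:00Z")),
]

def covering(records, key, when):
    """Return records whose first field equals key and whose window contains when."""
    return [r for r in records if r[0] == key and r[2] <= when <= r[3]]

def attribute(ip, when, leases=LEASES, sessions=SESSIONS):
    """Resolve a notice's (ip, time) to a MAC and, if one exists, an account."""
    hits = covering(leases, ip, when)
    if len(hits) != 1:
        # No lease, or overlapping leases: the log cannot name one device.
        return {"mac": None, "account": None, "confidence": "none"}
    mac = hits[0][1]
    auth = covering(sessions, mac, when)
    if len(auth) == 1:
        return {"mac": mac, "account": auth[0][1], "confidence": "account"}
    # Open network, or notice outside any login window: only a MAC, which the
    # client chooses and can change, so this identifies hardware at best.
    return {"mac": mac, "account": None, "confidence": "mac-only"}

if __name__ == "__main__":
    for ip, when in [("10.20.4.17", "2009-08-05T19:10:00Z"),
                     ("10.20.4.17", "2009-08-05T21:14:00Z"),
                     ("10.20.4.99", "2009-08-05T21:14:00Z"),
                     ("10.20.4.17", "2009-08-05T20:10:00Z")]:
        print(ip, when, attribute(ip, ts(when)))
```

The same IP resolves to two different accounts depending on the notice time, so the timestamp (and its time zone) matters as much as the address; the unauthenticated client stops at `mac-only`.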




Re: [WIRELESS-LAN] Open-Free Access wireless

2009-08-06 Thread Randy Ethridge
Since we couldn't find them we would block their MAC address from joining the 
network, give the Help desk the information. When the user called about not 
being able to connect the Help desk would check the MAC and notify the user why 
they couldn't connect. This was the process but it was easily defeated by 
spoofing which is leading us to authenticating our wireless users. 

Randy Ethridge 
Network Engineer V 
Information Services 
Eastern Illinois University 
rlethri...@eiu.edu 

- Original Message - 
From: "Scott Powell"  
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Sent: Thursday, August 6, 2009 6:32:12 AM GMT -06:00 US/Canada Central 
Subject: Re: [WIRELESS-LAN] Open-Free Access wireless 




Randy, 



Thanks for the comments.  You state that your wireless has been open from the 
beginning.  How have you handled the copyright notices (if any) to date?    We 
saw a substantial increase in notices last school year over previous.   I’ve 
got a reasonable process in place for handling “known” offenders.   I have no 
clue how to handle “unknown” . 




Scott Powell 

Network Manager 

Wittenberg University 

spow...@wittenberg.edu 

937-525-3821 

937-327-7372 fax 

www.wittenberg.edu 







From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Randy Ethridge 
Sent: Wednesday, August 05, 2009 10:10 PM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Open-Free Access wireless 




We actually are going the other way. Our wireless has been 'open' since day 
one, but due to all the issues mentioned and the changes in the legal landscape 
(or possible changes) we are in the process of securing our wireless. We will 
be requiring daily users to use our Safe Connect platform which also has the 
ability for our help desk ( and in the future, other departments) to create 
guest accounts. We have had multiple RIAA notices with users on wireless with 
no way to track them down which was one factor in deciding to secure the 
wireless. 

Randy Ethridge 
Information Services 
Eastern Illinois University 


- Original Message - 
From: "Hector J Rios"  
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Sent: Wednesday, August 5, 2009 8:11:58 PM GMT -06:00 US/Canada Central 
Subject: Re: [WIRELESS-LAN] Open-Free Access wireless 




Scott, 



I think you answered your own question. We actually considered the idea at some 
point, strictly because we wanted to make it as easy as possible for everybody 
to connect to our wireless network. But in the end we decided that the cons 
were just too many. You’ve mentioned a few already. And the answer to your 
question as to how you identify who did what, is simply that you won’t be able 
to.  You might be able to map an IP to a MAC address, but then you will still 
have the tedious task of finding the physical device. I think the only 
advantage that a wide open network will give you is that you will be able to 
sniff the traffic. But so will the bad guys, and you won’t know who they are. 



We’ve made it really easy for our guests to get on our wireless network by 
obtaining guest accounts that can be created by their hosts (a faculty or staff 
member) on a web application. We then authenticate them via Cisco’s web auth. 
Responding to DMCA notices and the like still involves a little digging around, 
but you do everything from your computer. 



Hector Rios 

Louisiana State University 





From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Scott Powell 
Sent: Wednesday, August 05, 2009 1:33 PM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] Open-Free Access wireless 



I’ve read some responses on how to handle guest access, but I’m being asked a 
slightly different question by my campus.  We are considering providing 
“free”/”open” wireless access on campus.   I can think of a myriad of issues, 
but I need to find out if anyone else has done this and any comments you might 
have.  We’ve been registering our user base, and then they access the real 
network via a webvpn.  Guests were handled via the web auth in the Cisco WLC.   
My biggest concerns are how to handle RIAA and Movie industry copyright 
notices, CALEA, as well as the “unthinkable” activity over our wireless 
network.  If it is “open”, I don’t know how I’ll be able to identify who did 
what if at all.  Any feedback will be appreciated. 



Scott Powell 

Network Manager 

Wittenberg University 

spow...@wittenberg.edu 

937-525-3821 

937-327-7372 fax 

www.wittenberg.edu 






RE: [WIRELESS-LAN] Open-Free Access wireless

2009-08-06 Thread Scott Powell
Thanks Randy.  This is exactly what we’ve talked about internally.  I guess our 
thought process is in line with reality.

Scott Powell
Network Manager
Wittenberg University
spow...@wittenberg.edu
937-525-3821
937-327-7372 fax
www.wittenberg.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Randy Ethridge
Sent: Thursday, August 06, 2009 7:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Open-Free Access wireless

Since we couldn't find them we would block their MAC address from joining the 
network, give the Help desk the information. When the user called about not 
being able to connect the Help desk would check the MAC and notify the user why 
they couldn't connect. This was the process but it was easily defeated by 
spoofing which is leading us to authenticating our wireless users.

Randy Ethridge
Network Engineer V
Information Services
Eastern Illinois University
rlethri...@eiu.edu

- Original Message -
From: "Scott Powell" 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, August 6, 2009 6:32:12 AM GMT -06:00 US/Canada Central
Subject: Re: [WIRELESS-LAN] Open-Free Access wireless

Randy,

Thanks for the comments.  You state that your wireless has been open from the 
beginning.  How have you handled the copyright notices (if any) to date?  We 
saw a substantial increase in notices last school year over previous.  I’ve 
got a reasonable process in place for handling “known” offenders.  I have no 
clue how to handle “unknown”.

Scott Powell
Network Manager
Wittenberg University
spow...@wittenberg.edu
937-525-3821
937-327-7372 fax
www.wittenberg.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Randy Ethridge
Sent: Wednesday, August 05, 2009 10:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Open-Free Access wireless

We actually are going the other way. Our wireless has been 'open' since day 
one, but due to all the issues mentioned and the changes in the legal landscape 
(or possible changes) we are in the process of securing our wireless. We will 
be requiring daily users to use our Safe Connect platform which also has the 
ability for our help desk ( and in the future, other departments) to create 
guest accounts. We have had multiple RIAA notices with users on wireless with 
no way to track them down which was one factor in deciding to secure the 
wireless.

Randy Ethridge
Information Services
Eastern Illinois University


- Original Message -
From: "Hector J Rios" 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Wednesday, August 5, 2009 8:11:58 PM GMT -06:00 US/Canada Central
Subject: Re: [WIRELESS-LAN] Open-Free Access wireless

Scott,

I think you answered your own question. We actually considered the idea at some 
point, strictly because we wanted to make it as easy as possible for everybody 
to connect to our wireless network. But in the end we decided that the cons 
were just too many. You’ve mentioned a few already. And the answer to your 
question as to how you identify who did what, is simply that you won’t be able 
to.  You might be able to map an IP to a MAC address, but then you will still 
have the tedious task of finding the physical device. I think the only 
advantage that a wide open network will give you is that you will be able to 
sniff the traffic. But so will the bad guys, and you won’t know who they are.

We’ve made it really easy for our guests to get on our wireless network by 
obtaining guest accounts that can be created by their hosts (a faculty or staff 
member) on a web application. We then authenticate them via Cisco’s web auth. 
Responding to DMCA notices and the like still involves a little digging around, 
but you do everything from your computer.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Scott Powell
Sent: Wednesday, August 05, 2009 1:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Open-Free Access wireless

I’ve read some responses on how to handle guest access, but I’m being asked a 
slightly different question by my campus.  We are considering providing 
“free”/”open” wireless access on campus.   I can think of a myriad of issues, 
but I need to find out if anyone else has done this and any comments you might 
have.  We’ve been registering our user base, and then they access the real 
network via a webvpn.  Guests were handled via the web auth in the Cisco WLC.   
My biggest concerns are how to handle RIAA and Movie industry copyright 
notices, CALEA, as well as the “unthinkable” activity over our wireless 
network.  If it is “open”, I don’t know how I’ll be able to identify who did 
what if 

RE: [WIRELESS-LAN] FW: [WIRELESS-LAN] WiSM 5.2.193

2009-08-06 Thread Bentley, Douglas
We had the same problem here. Via WCS I upgraded all the WiSM and disabled 
fallback and then issued a reboot "all" and reloaded all the WLC at once.  We 
had one WLC that did not reboot but that was an easy fix.




Douglas Bentley | University IT/NC Network Engineering 
University of Rochester | 727 Elmwood Ave.| Rochester, NY 14620
T: 585.275.6550 | Email: douglas.bent...@rochester.edu

  


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Watters, John
Sent: Wednesday, August 05, 2009 10:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] FW: [WIRELESS-LAN] WiSM 5.2.193

Sorry, I meant to send this to the list.

-jcw

-
John Watters    UA: OIT  205-348-3992


> -Original Message-
> From: Watters, John
> Sent: Wednesday, August 05, 2009 9:33 AM
> To: 'Charles Spurgeon'
> Subject: RE: [WIRELESS-LAN] WiSM 5.2.193
> 
> 
> I upgraded 18 WiSM controllers yesterday & last night that support ~2,000
> APs. I also experienced the delayed joins.
> 
> In addition, I had APs joining controllers in other mobility groups. After
> that it is very hard to get them to move back. (I had a little over 100
> APs join controllers in other mobility groups - about 5%.)
> 
> In addition, I am seeing a lot of looping: When the WiSM controller
> rebooted to do the code upgrade, all its APs joined another controller and
> downloaded the code from that controller even though the controller they
> came from was already running that version (in my case 5.2.178). Then they
> tried to move back to their primary controller (now upgraded to 5.2.193),
> downloaded the new 5.2.193 code and rebooted. They then went back to the
> controller they originally moved to while their primary controller was
> being upgraded. Since that code was at a different level (5.2.178) than
> the new code they had just loaded for the upgraded WiSM, they downloaded
> the 5.3.178 code again & rebooted. They then tried to move back to their
> primary controller (now upgraded to 5.2.193), downloaded the new 5.2.193
> code and rebooted, they then went back to the controller they originally
> moved to while their primary controller was being upgraded. Since that
> code was at a different level (5.2.178) than the new code they had just
> loaded for the upgraded WiSM, they downloaded the 5.3.178 code again &
> rebooted. They then tried to move back to their primary controller
>  do you see the loop here?
> 
> This was finally resolved by just biting the bullet and upgrading all the
> WiSMs as fast as I could (including the suggested emergency boot image).
> That put all the APs into a real mess while it was happening, but really
> gave them no choice in the end except to join a controller running the
> 5.2.193 code which got them to stop downloading different code with every
> join.
> 
> I opened a case with Cisco but got nothing useful back. I have had this
> same problem with other WiSM code upgrades. Surely there is a better way
> to handle this problem of APs moving around to places where they aren't
> wanted.
> 
> If anyone has a workable solution to my problems, please send it along.
> 
> -jcw
> 
> 
> John Watters    The University of Alabama: OIT  205-348-3992
> 
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:wireless-...@listserv.educause.edu] On Behalf Of Charles Spurgeon
> Sent: Wednesday, August 05, 2009 9:12 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WiSM 5.2.193
> 
> On Tue, Aug 04, 2009 at 09:13:29AM -0500, Hector J Rios wrote:
> >
> >Has anybody upgraded to 5.2.193? Can you provide any feedback?
> 
> We have upgraded 31 WLCs from 4.2.130.0 to 5.2.193.0, with no
> operational issues seen and no problems reported for clients so far.
> 
> We have approx 3,500 APs, and the client count is at its lowest level
> due to summer session with around 3,000 peak simultaneous clients. We
> are installing a number of 1142s, so we needed the new code to support
> them.
> 
> We *did* encounter a weird AP join issue on some of the WLCs in one of
> our mobility groups when there were mixed versions of WLC code while
> upgrading WLCs in the same mobility group (some controllers on 4.2 and
> others on 5.2).
> 
> The issue was a delayed join to the primary WLC for APs during the
> process of upgrading the controller and then waiting for APs to
> re-join the upgraded (primary) controller (we configure the
> primary/secondary/tertiary WLCs on the APs). We escalated the issue
> and Cisco has developed a fix that will presumably ship in newer code.
> 
> Meanwhile, we noticed that if we upgraded the first controller in the
> mobility group (the one with the lowest MAC address as seen in "show
> mobility summary") to the new controller code first th