Re: [WIRELESS-LAN] Hacking Cisco WLC - macfilters
On Thu, 15 Apr 2010, Brooks, Stan wrote:

> Our system uses Mac-Auth via RADIUS. We've built a custom web app in house that updates the RADIUS auth database so trusted people (some of our clean room techs and others) can verify the type of device and enter the MAC into the system.

Other than the MAC address, what other sort of data do you store for the entry? User? Time of registration? Any expiry time for the entry? Type of device?

Jethro.

Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
802.1X adoption in the US... any stats available?
Has anyone come across a reference that shows statistics on 802.1X adoption in the US? (I mostly find references on wired 802.1X adoption (Gartner).) I'm writing an NSF proposal to request funding to deploy eduroam more widely in the US and could really use the numbers. It feels like trying to explain how many institutions use 802.11 for wireless. It's a standard, we use it, but how many have it deployed?...

Thank you,
Philippe

Philippe Hanset
Network Architect
Office of Information Technology
OIT Communications: Network Services
The University of Tennessee
2309 Kingston Pike
Knoxville TN, 37996
RE: [WIRELESS-LAN] Hacking Cisco WLC - macfilters
We keep a separate database including username, date registered, and type of device, in addition to the MAC address. We would use this database to determine when a device should be expired.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jethro R Binks
Sent: Friday, April 16, 2010 3:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Hacking Cisco WLC - macfilters
RE: [WIRELESS-LAN] Hacking Cisco WLC - macfilters
I would be interested in the code from a curiosity perspective, but I also wanted to ask how this is received from a user perspective. Is this a feature that you use as a last resort? We have always bent over backwards to attempt (as much as practical) to steer the user into a web page that tells them what the problem is. We have legacy stories of kids asking dad for a new computer because theirs was quarantined.

Randy

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Garry Peirce
Sent: Thursday, April 15, 2010 2:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Hacking Cisco WLC - macfilters

Mike,

I manage Cisco controller exclusions via SNMP. We have a homegrown IPAM system which includes a checkbox to be able to disable a machine. Doing so for a wireless host causes this to create an exclusion entry which is then distributed system-wide, preventing the host from associating. When this box is unchecked, the entry gets removed (database change, cron process, script runs...). In a nutshell...

I've scraped some parts of a script I wrote depicting the insert/removal operation. So as not to include it here as an attachment, I'll send it to you directly - if others would like it, just send me a note. As I scraped from different sections of the script, it may require some re-working to make it run.

This might give you something to work with to create a script to purge your entries, but you'll need a way to determine the entries' age. I actually include the date of the exclusion in the description field. Then you just have to run it once a month.

Btw - you may want to increase the size of the WLC database should you have a large number of excluded addresses: 'config database size 512-2048'

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Schomer, Michael J.
Sent: Thursday, April 15, 2010 10:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Hacking Cisco WLC - macfilters

Although we encourage all wireless devices to connect via WPA/WPA2 802.1X, not all wireless devices support these standards. To accommodate consumer-level wireless devices, such as game consoles, we created a separate WPA PSK network. We manually approve each request by adding a mac filter exclusion to that particular network.

In the beginning we did all these requests manually, either by entering them directly into each WLC or by using templates in WCS. Eventually, the number of requests necessitated the need to semi-automate the process. We created a web form to gather the information; on the administrator side we could approve or deny each request. Approving the request would run a scripted telnet session to each WLC adding the macfilter. For security and stability reasons we didn't want to continue using scripted telnet sessions. We figured out how to script an https session on the controllers using HTTP GET. This solution is working much better; however, we have not found a good way of removing macfilters from the controllers using this method. (The way the web interface works for removing macfilters is pretty convoluted and would be difficult to script.)

We want to run a script once a month that will remove all macfilters a year or more old. So, long story short, has anyone done anything like this? Any suggestions for removing old macfilters?

Thanks.
-Mike Schomer
-ResNet Coordinator
-St. Cloud State University
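The thread above describes two record-keeping problems: what to store alongside a registered MAC (Jethro's question, and Stan's answer of username, registration date and device type) and how to find entries old enough to purge on a monthly run (Mike's year-or-older rule, and Garry's trick of putting the exclusion date in the WLC description field). The following is an added example written for this page; it is not code from the list, from Garry's script or from any of the posters. It models the registration record, normalizes the MAC formats a web form typically receives (colon, hyphen and Cisco dotted forms), and produces the purge list for both record types. It assumes an ISO date (YYYY-MM-DD) embedded in the description field and treats "a year or more old" as 365 days; the sample records and dates are constructed for the demonstration.

```python
"""Added example: MAC-registration records and the monthly purge decision.
Not code from the list thread; constructed sample data throughout."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable

_HEX = "0-9A-Fa-f"
# aa:bb:cc:dd:ee:ff / AA-BB-CC-DD-EE-FF / aabb.ccdd.eeff (Cisco style)
_MAC_FORMS = re.compile(
    rf"^(?:[{_HEX}]{{2}}[:-]){{5}}[{_HEX}]{{2}}$|^(?:[{_HEX}]{{4}}\.){{2}}[{_HEX}]{{4}}$"
)


def normalize_mac(raw: str) -> str:
    """Accept the three common notations, return lower-case colon form.
    Anything else is rejected so a typo in the web form never becomes
    a filter entry that matches no real device (or the wrong one)."""
    s = raw.strip()
    if not _MAC_FORMS.match(s):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", s).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Registration:
    """The fields the thread settles on: MAC, who registered it, when,
    what kind of device, plus an optional explicit expiry date."""
    mac: str
    user: str
    registered: date
    device_type: str
    expires: date | None = None


def register(raw_mac: str, user: str, registered: date,
             device_type: str, ttl_days: int | None = None) -> Registration:
    expires = registered + timedelta(days=ttl_days) if ttl_days else None
    return Registration(normalize_mac(raw_mac), user, registered, device_type, expires)


def stale(entries: Iterable[Registration], today: date,
          max_age_days: int = 365) -> list[Registration]:
    """Entries due for removal on a monthly run: explicit expiry has
    passed, or the registration is max_age_days (assumed: a year) or older."""
    cutoff = today - timedelta(days=max_age_days)
    return [e for e in entries
            if (e.expires is not None and e.expires <= today) or e.registered <= cutoff]


# Garry's convention: the exclusion date lives in the WLC description field.
# Assumption: it is written as an ISO date somewhere in that free-text field.
_DESC_DATE = re.compile(r"\b(\d{4}-\d{2}-\d{2})\b")


def exclusion_date(description: str) -> date | None:
    m = _DESC_DATE.search(description)
    return date.fromisoformat(m.group(1)) if m else None


def stale_exclusions(exclusions: Iterable[tuple[str, str]], today: date,
                     max_age_days: int = 365) -> tuple[list[str], list[str]]:
    """exclusions: (mac, description) pairs as read back from a controller.
    Returns (expired_macs, undated_macs). Entries whose description carries
    no parseable date are reported separately for a human to look at,
    rather than being silently kept forever or silently deleted."""
    expired, undated = [], []
    for mac, desc in exclusions:
        d = exclusion_date(desc)
        if d is None:
            undated.append(mac)
        elif d <= today - timedelta(days=max_age_days):
            expired.append(mac)
    return expired, undated


# ---- constructed sample data for the demonstration ----
SAMPLE_TODAY = date(2010, 4, 16)
SAMPLE_REGISTRATIONS = [
    register("00:1A:2B:3C:4D:5E", "stan", date(2009, 4, 10), "game console"),
    register("001a.2b3c.4d5f", "jethro", date(2009, 6, 1), "netbook", ttl_days=90),
    register("00-1A-2B-3C-4D-60", "lee", date(2010, 1, 5), "printer"),
]
SAMPLE_EXCLUSIONS = [
    ("aa:bb:cc:dd:ee:01", "blocked 2009-03-01 compromised host"),
    ("aa:bb:cc:dd:ee:02", "blocked 2010-02-20 policy violation"),
    ("aa:bb:cc:dd:ee:03", "legacy entry, no date recorded"),
]


def purge_plan(today: date = SAMPLE_TODAY) -> dict[str, list[str]]:
    """What the monthly job would remove (and what it should flag) today."""
    expired, undated = stale_exclusions(SAMPLE_EXCLUSIONS, today)
    return {
        "registrations": [e.mac for e in stale(SAMPLE_REGISTRATIONS, today)],
        "exclusions_expired": expired,
        "exclusions_undated": undated,
    }


if __name__ == "__main__":
    for key, macs in purge_plan().items():
        print(f"{key}: {macs}")
```

The purge is deliberately a two-step affair: `purge_plan` only computes the list, and whatever pushes deletions to the controllers (SNMP, a scripted HTTPS session, WCS templates) consumes that list, so the age logic can be reviewed and dry-run before anything is removed. Reporting undated exclusions separately matters for the same reason: a controller entry created by hand before the date convention existed should be examined, not treated as either permanent or disposable.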
Please help: blocking MAC address from WCS to all controllers with Special Role
Dear All,

We also want to assign one staff member to block and unblock the baleful wireless MAC addresses. Furthermore, this person should not configure other features on both WCS and controllers. However, in order to modify the disabled clients' template, the person also has the right to modify other templates through WCS. Does anybody know how to achieve the following purposes:

1. Narrow down the rights of the person so that he/she can only modify the disabled clients' template (or do this through the command line);
2. Log everything this guy did on both WCS and all controllers.

Thank you, and have a nice day.

Yours,
Linchuan Yang (Antony)
Wireless Networking Analyst
Network Assessment and Integration, IITS-Concordia University
Tel: (514)848-2424 ext. 7664

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Dustin Deadwyler
Sent: April 14, 2010 12:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Please help: blocking MAC address from WCS to all controllers

This is my first time posting here, so I hope this helps. On the WCS home page, mouse over the Configure tab and click Controller Template Launch Pad. Scroll down to the Security heading and click on Disabled clients. Pull down the menu on the right side of the screen and select Add Template and click Go. Add a template name, MAC address, and a Description. Click Save and then apply it to any controller you want to block the MAC on.

Dustin

----- Original Message -----
From: Linchuan Yang [mailto:lichu...@alcor.concordia.ca]
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Wednesday, April 14, 2010 12:17 PM
Subject: [WIRELESS-LAN] Please help: blocking MAC address from WCS to all controllers

Dear all,

We want to block MAC addresses through WCS on all controllers. However, WCS only sends this information to the current controller which the client is associated on, and does not block the MAC address on other controllers. Does anybody know how to do the global blocking through WCS or another way? If it's possible, can we block multiple MAC addresses on all controllers at the same time?

Thank you, and have a nice day.

Linchuan Yang (Antony)
Wireless Networking Analyst
Network Assessment and Integration, IITS-Concordia University
Tel: (514)848-2424 ext. 7664
RE: [WIRELESS-LAN] Acer Netbooks- Issues?
In this case, we ruled out everything obvious and worked back to a single controller- reboot, issue resolved.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jeffrey Sessler
Sent: Wednesday, April 14, 2010 4:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Acer Netbooks- Issues?

If you pull the client association/disassociation information from WCS, are there any stick-out-like-a-sore-thumb patterns, such as a disconnect at an even five-minute interval?

Jeff

Lee H Badman lhbad...@syr.edu 4/14/2010 12:31 PM
So far, XP. Drivers updated, but I did just get a note from one of our support folks that she thinks it's a variety of netbooks while Dells and Macs around her are fine. Trying to get specific cases to work through- you know how that can go...

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jeffrey Sessler
Sent: Wednesday, April 14, 2010 2:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Acer Netbooks- Issues?

Lee,

What OS are they running?

Jeff

Lee H Badman lhbad...@syr.edu 4/14/2010 8:24 AM
Seems like the Acer Netbook might be following Apple's lead for being a bit of a pain on wireless. Is anyone else seeing any issues with the Netbook? Seems to be older and newer models alike.

-Lee
Re: Aruba vs HP vs Meraki
Hi Ethan, et al,

I am new to the list but noticed this discussion and thought I might offer my two cents. I work at Westmont College, a liberal arts college in the Santa Barbara area. We evaluated Aruba, Cisco and Meraki last summer. We had a previous Aruba installation, running for several years, and with moderate success.

What we found was that Meraki's model was made extremely flexible and simple by virtue of having no onsite controller. Being in the cloud, the controller itself was accessible by anyone we chose to allow access to it, not just whoever had knowledge of the specific command structure of the onsite controller, as was the case with the Aruba installation. Because of that flexibility, I or any of my network staff can log on from anywhere, be it a cafe, home or iPhone. Additionally, I can easily log into my local AP, wherever I am on campus, and get local information about that AP.

Being a smallish shop, we used a local integrator, Novacoast, to work with us on some reengineering and deployment. I only mention that because before we approached them, NC had never even heard of Meraki. Within a few weeks they were fully credentialed and ready to go. That I almost entirely attribute to how easy Meraki is to deploy, though certainly NC were great. We spent some time working through our preferred configuration, some of which was a logical lift from the Aruba and some entirely new.

We had around 270 Aruba ABG units (AP61s I think...) that were not upgradeable to N and as I mentioned the controller management was challenging. Only our Network Manager had access and knowledge enough to manage the unit. We replaced with nearly the same number of Merakis but gained full coverage around campus (indoor and out), N, dual and triband radios and an elegance in operation that has continued. With the Meraki setup even our CIO logs on and can easily run usage reports, drill down to specific APs, clients, time frames etc.

Whenever Meraki enables a new feature, of which there have been several, they are applied to the cloud controller and have no effect on the local APs (=no down time). There have been a couple firmware updates but those are applied intelligently so that there is minimal downtime in the middle of the night and the update is applied in batches so we don't have a campus of dark APs during the upgrade. We haven't had a single unit fail.

The long and short is that we have barely thought about the system since putting it in. We are in it all the time to check usage (...the ongoing struggle to have enough bandwidth etc etc), troubleshoot client issues (typically client misconfiguration by user), and see what new features have been added. But I don't worry about it. Ever. That may not be a standard TCO argument but for my money it's a big one.

Cheers
Kevin

Kevin J. Hess '98
Senior Director Information Technology
Westmont College
805.565.6154
kh...@westmont.edu
FYI: Security consultant talks about Cisco wireless vulnerabilities
Dear folks,

This may be something you're already familiar with. But I'm passing it on for what it's worth...

Someone just sent me this link, to a ZDnet story apparently reporting on a presentation at the BlackHat/Europe conference: http://www.zdnet.co.uk/news/security-threats/2010/04/16/security-researchers-demo-cisco-wi-fi-flaws-40088653/?tag=mncol;txt

BUT don't click on that yet! The story ABOUT the presentation seems a bit dicey to me. (A better one -- based on a quick skim -- seems to be this story at DarkReading, which interviewed the presenter, Enno Rey, before BlackHat: http://www.darkreading.com/vulnerability_management/security/perimeter/showArticle.jhtml?articleID=224202409.)

I've done some additional digging, and I think the same team presented the same material at the recent SchmooCon. Here's the SchmooCon video: http://www.ustream.tv/recorded/4500990

FYI, here's the link to the capsule BlackHat session summary and the presenters: http://www.blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html

The presenter in both is Enno Rey, with ERNW GmbH, based in Germany. Their English language website is here: http://ernw.de/content/e15/e26/index_eng.html Rey mentions an infosec blog: http://www.insinuator.net/

I've only checked the opening minutes of the video. Rey is looking at 2 Cisco WLAN architectures -- SWAN and the current CUWN. Apparently a big part of the presentation is potential problems in Cisco's proprietary Wireless LAN Context Control Protocol (WLCCP).

There you go... I'll pull this together for a blogpost (http://www.networkworld.com/community/blog/2989) at Network World later today. Unless you all tell me this was old news from 2 years ago or something...

Regards,
John Cox

John Cox
Senior Editor
Main: 508.766.5301 | Direct: 508.766.5422
Office at home: 978-834-0554
NETWORKWORLD
Maximize Your Return on IT
492 Old Connecticut Path | Framingham, MA 01701-9002
NetworkWorld.com http://www.networkworld.com/ | 2009 Media Guide http://www.networkworld.com/media/ | Conferences and Events http://www.networkworld.com/events/
Alternatives to XpressConnect
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Everyone,

We're looking at deploying WPA/WPA2 and we think that something similar to XpressConnect from CloudPath would be very beneficial. However, in searching I have been unable to determine if there are any vendors offering a similar service. Does anyone know of a competitor to CloudPath in this area? Our current options are 1) writing our own application + all of the benefits and drawbacks that go with a homegrown solution, and 2) a vendor-supported tool to configure clients' machines. Any suggestions or alternatives are welcome.

Thanks,
- --
Kevin Ehlers
Network Engineer
University of Oregon
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkvInagACgkQ0l216NgIDryOTgCeJYfA6geDg9y2KxYIUNopuyGk
HNwAoI9mg+x5cr8qmPfnU1ueRYiTsVTe
=cYRh
-----END PGP SIGNATURE-----
RE: [WIRELESS-LAN] Hacking Cisco WLC - macfilters
Hi Randy - I'll send you the snippet of code off list.

To answer your question for the list - yes, a last resort, but it can also depend on the issue. ex. Those identified as being compromised or those exhibiting malicious behaviors are immediately blocked. Notices are sent to local IT entities as part of the disabling process, who have some users with the ability to free disabled hosts.

The case you mention of replacing a device when quarantined is unfortunate, but local policies are posted and various methods of access to IT support are provided, which you'd hope they would think to make use of before buying new hardware. (Works everywhere but at school, but yet my friends do not have any trouble... hmmm.)

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Randall C Grimshaw
Sent: Friday, April 16, 2010 9:06 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Hacking Cisco WLC - macfilters
RE: [WIRELESS-LAN] Alternatives to XpressConnect
The only competitors we've been able to find in the past involve purchasing and deploying supplicants for each client. Why not just use the CloudPath product itself?

The other competitors are the OS companies, i.e. Apple and Microsoft. They seem to be getting better and better at figuring out how to auto-config when they first connect to the network.

Pete M.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Kevin Ehlers
Sent: Friday, April 16, 2010 1:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Alternatives to XpressConnect
Re: [WIRELESS-LAN] Aruba vs HP vs Meraki
It should also be noted that not all controller-in-the-cloud solutions are the same. The key difference is the control plane. While the data plane is distributed and the management plane is centralized, the control plane will be handled differently depending on the vendor. If the control plane is cloud based then the APs are dependent on the WAN link and cloud availability in order to maintain dynamic intelligence (and all of the features that are tied to the control plane - roaming, RF mgmt, etc.). If the control plane is also distributed then the APs will maintain their intelligence when they cannot talk to the cloud. Make sure the vendor explains all of the features which are tied to the control plane before deployment.

/rf

On Fri, Apr 16, 2010 at 11:28 AM, Kevin Hess kh...@westmont.edu wrote:

--
/rf
Re: [WIRELESS-LAN] Aruba vs HP vs Meraki
My only concern with the controller-in-the-cloud approach: what happens if you decide not to pay maintenance? Do all your APs turn into paperweights? Or do they keep running, just with the last config that was loaded? (Times get tough; sometimes you have to cut corners to keep the ship floating. I'm not advocating this approach, just throwing it out there, because not everyone has the budget they want, or need.)

On Fri, Apr 16, 2010 at 2:35 PM, Rich Fulton rich.ful...@gmail.com wrote:
Re: [WIRELESS-LAN] FYI: Security consultant talks about Cisco wireless vulnerabilities
From the links you provided, for the current generation products, it appears to be more web- and SNMP-based vulnerabilities, i.e. they're talking about cross-site scripting and other web-based attacks on the web-based GUI. They even go so far as to say these vulnerabilities are well known.

I wouldn't be surprised if the SNMP-specific attack is a rehash of the 2007 Security Advisory: http://www.ciscosystems.ro/en/US/products/products_security_advisory09186a008081e189.shtml

*Default SNMP Community Strings*
The WLC uses the commonly known values of public and private for its read-only and read-write SNMP community strings. This vulnerability is documented by Cisco Bug ID CSCse02384 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCse02384)

I can't remember on my last controller install if Cisco removed default SNMP settings, as this bug is marked fixed.

I also wonder if the cross-site scripting vuln is a privilege escalation (i.e., you have to be authenticated on the box already, say with a lobby ambassador account, and perform a privilege escalation attack to work up to administrator).

All that being said, the web GUI should be secured, and if it's well-known exploits in that it's common on web interfaces, Cisco should utilize better security practices when coding the web interface.

Mike

On Fri, Apr 16, 2010 at 1:31 PM, j...@nww.com wrote:
Re: [WIRELESS-LAN] 802.11n configuration on Cisco
Is the AP configured with 2 transmit antennas? Try rebooting/resetting the AP to factory default? Toggling ClientLink?

Bruce T. Johnson | Network Engineer | Partners Healthcare | 617.726.9662 bjohns...@partners.org

On Apr 13, 2010, at 11:33 AM, Mike King m...@mpking.com wrote:
> Ok. I had my controller tweaked to where I liked it, but I forgot to hit the save configuration settings button, and the controller got rebooted in my test lab. I've replicated my tweaks (40 MHz 802.11a channels, ClientLink enabled on both bands, disabled 1, 2, 5.5, 6 Mbps on the 802.11b/g band), but I only seem to be able to associate at 150 Mbps and I'm about 15 feet away from the access point. I had 300 Mbps before the reboot. What am I missing?
>
> Mike

The information in this e-mail is intended only for the person to whom it is addressed. If you believe this e-mail was sent to you in error and the e-mail contains patient information, please contact the Partners Compliance HelpLine at http://www.partners.org/complianceline . If the e-mail was sent to you in error but does not contain patient information, please contact the sender and properly dispose of the e-mail.
RE: [WIRELESS-LAN] Hacking Cisco WLC - macfilters
Jethro -

On the web app side we capture who entered the MAC and when, along with the wireless user's ID, device type, and whether it's a student or faculty/staff, so we can age out the students at the end of term. On the RADIUS side, we log auth times so we can see the last time they authenticated, which also helps in aging out devices. Since we have the user IDs, we can email them to tell them their MAC auth is going away before we delete/age it out.

BTW - we gave the system a cute name - WiiRAD - to indicate that it authenticates game consoles via RADIUS.

- Stan

Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jethro R Binks
Sent: Friday, April 16, 2010 4:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Hacking Cisco WLC - macfilters

> Other than the MAC address, what other sort of data do you store for the entry? User? Time of registration? Any expiry time for the entry? Type of device?
>
> Jethro.

This e-mail message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message (including any attachments) is strictly prohibited. If you have received this message in error, please contact the sender by reply e-mail message and destroy all copies of the original message (including attachments).
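The aging policy Stan describes (students expire at term end, anything not seen by RADIUS for a while expires too, and the owner is e-mailed first) as an added example; this is not Emory's WiiRAD code, and the registry rows, RADIUS last-auth times, 90-day and 14-day thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
@dataclass
class Registration:          # one row of the (hypothetical) web-app table
    mac: str                 # as typed by the tech, in any common format
    user: str                # wireless user ID, e-mailed before expiry
    device_type: str
    affiliation: str         # "student" or "faculty/staff"
    entered_by: str          # who entered the MAC, and when
    entered_on: date
def normalize_mac(mac):
    """Canonical lower-case colon form so web-app, RADIUS and WLC spellings match."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def plan_expiry(registry, last_auth, today, term_end, stale_days=90, notice_days=14):
    """Return {mac: (action, due_date)} with action keep, notify or expire.
    Students age out at term_end; any device unseen by RADIUS for stale_days
    ages out too (the entry date counts if it never authenticated)."""
    seen = {normalize_mac(m): t for m, t in last_auth.items()}
    plan = {}
    for r in registry:
        mac = normalize_mac(r.mac)
        last = seen.get(mac)
        due = (last.date() if last else r.entered_on) + timedelta(days=stale_days)
        if r.affiliation == "student":
            due = min(due, term_end)
        if today >= due:
            action = "expire"
        elif today >= due - timedelta(days=notice_days):
            action = "notify"    # e-mail r.user that the entry is going away
        else:
            action = "keep"
        plan[mac] = (action, due)
    return plan
# Constructed sample data, not real registrations or RADIUS logs.
REGISTRY = [
    Registration("00-11-22-33-44-55", "student1", "Wii", "student", "tech1", date(2010, 1, 15)),
    Registration("0011.2233.4466", "prof1", "Xbox 360", "faculty/staff", "tech1", date(2010, 1, 5)),
    Registration("00:11:22:33:44:77", "staff2", "PS3", "faculty/staff", "tech2", date(2010, 3, 1)),
    Registration("001122334488", "student2", "Wii", "student", "tech2", date(2010, 4, 1)),
]
LAST_AUTH = {   # last successful RADIUS auth per MAC (44:88 was never seen)
    "00:11:22:33:44:55": datetime(2010, 4, 28, 21, 5),
    "00:11:22:33:44:66": datetime(2010, 1, 20, 9, 30),
    "00:11:22:33:44:77": datetime(2010, 4, 30, 18, 0),
}
```

Running `plan_expiry(REGISTRY, LAST_AUTH, today, term_end)` once a day gives the notify list for e-mail and the expire list for the RADIUS database cleanup.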
RE: [WIRELESS-LAN] 802.11n configuration on Cisco
Is your security configured as either open or WPA using AES? Under the controller GUI, WLANs > Edit page, footnote 7:

  WMM and open or AES security should be enabled to support higher 11n rates

Hope this helps,

Ryan Sullivan
Datacommunications ACT, UCSD
858-822-5602

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Bruce T.
Sent: Friday, April 16, 2010 3:15 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.11n configuration on Cisco

> Is the AP configured with 2 transmit antennas? Try rebooting/resetting the AP to factory default? Toggling ClientLink?
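An added example, covering both Mike's point about the well-known public/private SNMP community strings and Ryan's footnote on WMM plus open/AES being required for the higher 11n rates: a small configuration audit. It is not Cisco code and does not parse WLC CLI or GUI output; the dictionary layout of `SAMPLE_CFG` is a constructed assumption.

```python
# Well-known default community strings called out in the 2007 advisory.
WELL_KNOWN_COMMUNITIES = {"public", "private"}

def audit_snmp(communities):
    """communities: list of (name, access) with access 'ro' or 'rw'.
    Flags the well-known defaults; a read-write default is the worse finding."""
    findings = []
    for name, access in communities:
        if name.lower() in WELL_KNOWN_COMMUNITIES:
            sev = "high" if access == "rw" else "medium"
            findings.append((sev, f"SNMP community {name!r} ({access}) is a well-known default"))
    return findings

def audit_11n(wlan):
    """wlan: dict with name, wmm ('disabled'|'allowed'|'required') and
    encryption ('open'|'wep'|'tkip'|'aes').  Returns the reasons this WLAN
    cannot reach 11n (HT) rates, or [] if it can (footnote 7 on the WLANs > Edit page)."""
    reasons = []
    if wlan["wmm"] == "disabled":
        reasons.append("WMM disabled")
    if wlan["encryption"] not in ("open", "aes"):
        reasons.append(f"{wlan['encryption'].upper()} encryption caps clients at legacy rates")
    return reasons

def audit_controller(cfg):
    """Combine both checks into one (severity, message) list for a controller."""
    findings = audit_snmp(cfg["snmp"])
    for wlan in cfg["wlans"]:
        for reason in audit_11n(wlan):
            findings.append(("info", f"WLAN {wlan['name']}: no 11n rates, {reason}"))
    return findings

# Constructed sample controller settings (hypothetical layout, not WLC output).
SAMPLE_CFG = {
    "snmp": [("public", "ro"), ("private", "rw"), ("n3tm0n-ro", "ro")],
    "wlans": [
        {"name": "eduroam", "wmm": "allowed", "encryption": "aes"},
        {"name": "legacy-psk", "wmm": "allowed", "encryption": "tkip"},
        {"name": "guest", "wmm": "disabled", "encryption": "open"},
    ],
}
```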