RE: [WIRELESS-LAN] IPv6 on wireless experiences?

[Frank Bulk]

Steven,

 

Did you have a SUP720C or B?  How do I find out what the limit on the ND
table size is?

 

Good article on IPv6 MLD snooping here:
http://blog.ipspace.net/2014/09/ipv6-neighbor-discovery-nd-and.html

 

Frank

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee, Steven
Sent: Wednesday, September 10, 2014 9:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IPv6 on wireless experiences?

 

Jason,

We went through this a few years ago.  At the time, we had about 8000 IPv6
clients on each of our 720's.  We fought with it for about a semester until
we could replace them with SUP2T's.  

 

I dug up some notes from 2011 and included some lessons learned/ best
practices below.  Things may have changed since then so please consult with
your SE before trying any of this.

 

1.  ND table size-  Once you reach the max, all traffic from additional
clients is SW processed.  We did exceed the table size, but other factors
below actually had more of an effect on our CPU.
2.  ND table reachability timer - The default ND reachability timer is
30 seconds as defined by the ND RFC.  This is too aggressive for a wireless
deployment, driving up the CPU as it tries to send out solicitations and
write to the ND table for thousands of clients.  The table rewrite chews up
CPU.  We played with the timers and settled on changing it to 5 minutes.  We
were concerned about the table limit size as once the table reaches its max,
as all traffic from additional clients is processed in SW.   
3.  Mcast - the Sup720 processes mcast in SW, this means all RA's, NS's,
bonjour, etc. will drive your interrupt CPU high.  We started blocking L2
multicast at the interface before it could go to the CPU
4.  Cisco recommended that we enable IPv6 multicast on all your core
routers.  Cisco stated that this will allow MLD snooping to handle most of
the IPv6 solicitation messages (instead of sending them to the CPU).  Sounds
good in theory, but it had unintended consequences that forced all the mcast
traffic that we were blocking in #2 to get punted to the CPU.  Cisco said
bug.  You may want to follow up on this as we moved to the SUP2T
5.  Deny ICMP redirects on your client facing interfaces.  - another
measure to reduce demand on CPU resources.  Cisco may tell you to also deny
ICMP unreachables.  If your running dual stack, this is a bad idea.
6.  uRPF for IPv6 was done solely in SW on the 720.   We replaced with
appropriate ACL's (HW based)

 

In short, depending on the number of IPv6 clients your expecting, you may
want to consider another solution.   Id be happy to provide more detail if
you need.

 

 

steve

 

 

From: Jason Chan mailto:szeho.c...@utoronto.ca> >
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> >
Date: Tuesday, September 9, 2014 10:35 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 "
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> >
Subject: Re: [WIRELESS-LAN] IPv6 on wireless experiences?

 

I was wondering if anyone is having issues with exceeding NDP entries number
on routers?

 

I'm also about to enable IPv6 on wireless but I've been advised by Cisco to
watch out for the NDP table size limit on our 6500 with SUP720-3B, which is
only 15K entries.  On the IPv4 side we are slightly above 28K (out of 30K
recommended maximum) entries on one of our routers.

   

Jason

 

--

Jason Chan

Enterprise Infrastructure Solutions,

Information + Technology Services

University of Toronto

Phone: (416)946-5233

Email: szeho.c...@utoronto.ca  

 

 

 

** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/. 


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Windows 8.1 on the wireless

[Tristan Gulyas]

Hi,

We’ve seen issues with some of our Windows 8.1 BYOD clients with Broadcom 
chipsets since the update from 8.0.  Devices would authenticate but they 
wouldn’t act upon the DHCP offer.  Rolling back or installing older device 
drivers resolved the issue.

Tristan
 
 
Tristan Gulyas
Senior Network Engineer
Network Operations
eSolutions | Monash University
738 Blackburn Road Clayton 3800www.monash.edu | tristan.gul...@monash.edu
 





On 11 Sep 2014, at 2:10 am, Robert Viou  wrote:

> Wanted to see if others are seeing similar issues.
>  
> We are seeing some Windows 8.1 clients that are having issues connecting to 
> the wireless in some areas.
> It appears that they can connect just fine in some areas but not in others.
> We are using XpressConnect to install a certificate and wireless profile.
>  
> We are running 7.6.220.0 on a Cisco 8510 controller using EAP-TLS.
>  
> Thanks
>
>  
>  
>  
>  
>  
>  
> Robert Viou
> Senior Network Engineer / Network Engineering & Operations
> NORTH DAKOTA STATE UNIVERSITY
>  
> Quentin Burdick Building 136F
> PO Box 6050, Dept. 4530
> Fargo ND 58108-6050
> phone: 701.231.5628
> fax: 701.231.7464
> robert.v...@ndsu.edu
> www.ndsu.edu
>  
> 
>  
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

RE: [WIRELESS-LAN] IPv6 on wireless experiences?

[Hector J Rios]

Excellent notes! Jason, so you know, we have close to 30K students and we have 
been dual-stacked. This semester we collapsed our wireless core to two 6500s. 
The SUP720-3B did not work for us. We needed at least a 3BXL. We are in the 
process of upgrading our SUPs to 2T-XL to future-proof our network.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee, Steven
Sent: Wednesday, September 10, 2014 9:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IPv6 on wireless experiences?

Jason,
We went through this a few years ago.  At the time, we had about 8000 IPv6 
clients on each of our 720's.  We fought with it for about a semester until we 
could replace them with SUP2T's.

I dug up some notes from 2011 and included some lessons learned/ best practices 
below.  Things may have changed since then so please consult with your SE 
before trying any of this.


  1.  ND table size-  Once you reach the max, all traffic from additional 
clients is SW processed.  We did exceed the table size, but other factors below 
actually had more of an effect on our CPU.
  2.  ND table reachability timer - The default ND reachability timer is 30 
seconds as defined by the ND RFC.  This is too aggressive for a wireless 
deployment, driving up the CPU as it tries to send out solicitations and write 
to the ND table for thousands of clients.  The table rewrite chews up CPU.  We 
played with the timers and settled on changing it to 5 minutes.  We were 
concerned about the table limit size as once the table reaches its max, as all 
traffic from additional clients is processed in SW.
  3.  Mcast - the Sup720 processes mcast in SW, this means all RA's, NS's, 
bonjour, etc. will drive your interrupt CPU high.  We started blocking L2 
multicast at the interface before it could go to the CPU
  4.  Cisco recommended that we enable IPv6 multicast on all your core routers. 
 Cisco stated that this will allow MLD snooping to handle most of the IPv6 
solicitation messages (instead of sending them to the CPU).  Sounds good in 
theory, but it had unintended consequences that forced all the mcast traffic 
that we were blocking in #2 to get punted to the CPU.  Cisco said bug.  You may 
want to follow up on this as we moved to the SUP2T
  5.  Deny ICMP redirects on your client facing interfaces.  - another measure 
to reduce demand on CPU resources.  Cisco may tell you to also deny ICMP 
unreachables.  If your running dual stack, this is a bad idea.
  6.  uRPF for IPv6 was done solely in SW on the 720.   We replaced with 
appropriate ACL's (HW based)

In short, depending on the number of IPv6 clients your expecting, you may want 
to consider another solution.   Id be happy to provide more detail if you need.


steve


From: Jason Chan mailto:szeho.c...@utoronto.ca>>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Tuesday, September 9, 2014 10:35 PM
To: 
"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] IPv6 on wireless experiences?

I was wondering if anyone is having issues with exceeding NDP entries number on 
routers?

I'm also about to enable IPv6 on wireless but I've been advised by Cisco to 
watch out for the NDP table size limit on our 6500 with SUP720-3B, which is 
only 15K entries.  On the IPv4 side we are slightly above 28K (out of 30K 
recommended maximum) entries on one of our routers.

Jason

--
Jason Chan
Enterprise Infrastructure Solutions,
Information + Technology Services
University of Toronto
Phone: (416)946-5233
Email: szeho.c...@utoronto.ca



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] guest wireless

[Dale W. Carder]

Thus spake Peter P Morrissey (ppmor...@syr.edu) on Wed, Sep 10, 2014 at 
04:55:59PM +:
> So you actually act like you like your guests! :) What a concept.

Our director once made the comment that after spending however many
millions on the last upgrade that it better darn well work better 
than the coffee shop across the street. ;-)

Dale

 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dale W. Carder
> Sent: Wednesday, September 10, 2014 11:58 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] guest wireless
> 
> Thus spake Mark Reboli (mreb...@misericordia.edu) on Tue, Sep 09, 2014 at 
> 03:40:33PM +:
> > I am looking for information on what people do with guest wireless.  Do you 
> > have open wireless on your campus?  Do you have a password that everyone 
> > knows?  Do you create special passwords for groups?  Any assistance would 
> > be helpful.
> 
> For our guests they can use eduroam, otherwise there is an open ssid and a 
> click-through aup captive portal where they submit their name, email address 
> and reason for requesting network access.
> 
> Guests get the same network access as everyone else, and we do not filter nor 
> rate limit their traffic.  
> 
> Dale
> 
> **
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.
> 
> **
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Windows 8.1 on the wireless

[Jeffrey Sessler]

I have run into issues with Win 8.1 computers, especially if they have the 
newer Intel WiFi chipset with support for 802.11ac. The ac support isn't 
important, but the Intel wireless management is. If any of the Cisco extensions 
are enabled within the Intel utility e.g. CCX, we see trouble with association, 
re-association, etc. Same issue with it working in some areas and not in 
others, but I think that has more to do with roam vs initial association. For 
us, once we disable the Cisco extensions via the Intel Utility, the problem 
goes away.

Jeff

>>> On Wednesday, September 10, 2014 at 10:08 AM, in message 
>>> <2b54ac47096f4c00a3a6cbcdc0c01...@bl2pr01mb340.prod.exchangelabs.com>, 
>>> Robert Viou  wrote:

I had a mistake in what I sent out.
 
We are running 7.6.120.0 on a Cisco 8510 controller using EAP-TLS.
 
Wanted to see if others are seeing similar issues.
 
We are seeing some Windows 8.1 clients that are having issues connecting to the 
wireless in some areas.
It appears that they can connect just fine in some areas but not in others. 
We are using XpressConnect to install a certificate and wireless profile.
 
 
 
 
 
 
Thanks
 
 
 
 
 
Robert Viou 
Senior Network Engineer / Network Engineering & Operations
NORTH DAKOTA STATE UNIVERSITY
 
Quentin Burdick Building 136F
PO Box 6050, Dept. 4530
Fargo ND 58108-6050
phone: 701.231.5628
fax: 701.231.7464
robert.v...@ndsu.edu
www.ndsu.edu
 

 
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Robert Viou
Sent: Wednesday, September 10, 2014 11:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Windows 8.1 on the wireless
 
Wanted to see if others are seeing similar issues.
 
We are seeing some Windows 8.1 clients that are having issues connecting to the 
wireless in some areas.
It appears that they can connect just fine in some areas but not in others. 
We are using XpressConnect to install a certificate and wireless profile.
 
We are running 7.6.220.0 on a Cisco 8510 controller using EAP-TLS.
 
Thanks

 
 
 
 
 
 
Robert Viou 
Senior Network Engineer / Network Engineering & Operations
NORTH DAKOTA STATE UNIVERSITY
 
Quentin Burdick Building 136F
PO Box 6050, Dept. 4530
Fargo ND 58108-6050
phone: 701.231.5628
fax: 701.231.7464
robert.v...@ndsu.edu
www.ndsu.edu
 

 
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/. 
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/. 

RE: Windows 8.1 on the wireless

[Robert Viou]

I had a mistake in what I sent out.

We are running 7.6.120.0 on a Cisco 8510 controller using EAP-TLS.

Wanted to see if others are seeing similar issues.

We are seeing some Windows 8.1 clients that are having issues connecting to the 
wireless in some areas.
It appears that they can connect just fine in some areas but not in others.
We are using XpressConnect to install a certificate and wireless profile.






Thanks





Robert Viou
Senior Network Engineer / Network Engineering & Operations
NORTH DAKOTA STATE UNIVERSITY

Quentin Burdick Building 136F
PO Box 6050, Dept. 4530
Fargo ND 58108-6050
phone: 701.231.5628
fax: 701.231.7464
robert.v...@ndsu.edu
www.ndsu.edu

[Description: Description: Description: Description: ndsu_sig.gif]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Robert Viou
Sent: Wednesday, September 10, 2014 11:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Windows 8.1 on the wireless

Wanted to see if others are seeing similar issues.

We are seeing some Windows 8.1 clients that are having issues connecting to the 
wireless in some areas.
It appears that they can connect just fine in some areas but not in others.
We are using XpressConnect to install a certificate and wireless profile.

We are running 7.6.220.0 on a Cisco 8510 controller using EAP-TLS.

Thanks







Robert Viou
Senior Network Engineer / Network Engineering & Operations
NORTH DAKOTA STATE UNIVERSITY

Quentin Burdick Building 136F
PO Box 6050, Dept. 4530
Fargo ND 58108-6050
phone: 701.231.5628
fax: 701.231.7464
robert.v...@ndsu.edu
www.ndsu.edu

[Description: Description: Description: Description: ndsu_sig.gif]

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

RE: [WIRELESS-LAN] guest wireless

[Peter P Morrissey]

So you actually act like you like your guests! :) What a concept.
Pete Morrissey

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dale W. Carder
Sent: Wednesday, September 10, 2014 11:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] guest wireless

Thus spake Mark Reboli (mreb...@misericordia.edu) on Tue, Sep 09, 2014 at 
03:40:33PM +:
> I am looking for information on what people do with guest wireless.  Do you 
> have open wireless on your campus?  Do you have a password that everyone 
> knows?  Do you create special passwords for groups?  Any assistance would be 
> helpful.

For our guests they can use eduroam, otherwise there is an open ssid and a 
click-through aup captive portal where they submit their name, email address 
and reason for requesting network access.

Guests get the same network access as everyone else, and we do not filter nor 
rate limit their traffic.  

Dale

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Windows 8.1 on the wireless

[Walt Reynolds]

When have not seen this specifically, but have seen that many need drivers 
updated.  Usually from the wireless chipset web site.

Walter Reynolds
University of Michigan

> On Sep 10, 2014, at 12:10 PM, Robert Viou  wrote:
> 
> Wanted to see if others are seeing similar issues.
>  
> We are seeing some Windows 8.1 clients that are having issues connecting to 
> the wireless in some areas.
> It appears that they can connect just fine in some areas but not in others.
> We are using XpressConnect to install a certificate and wireless profile.
>  
> We are running 7.6.220.0 on a Cisco 8510 controller using EAP-TLS.
>  
> Thanks
>
>  
>  
>  
>  
>  
>  
> Robert Viou
> Senior Network Engineer / Network Engineering & Operations
> NORTH DAKOTA STATE UNIVERSITY
>  
> Quentin Burdick Building 136F
> PO Box 6050, Dept. 4530
> Fargo ND 58108-6050
> phone: 701.231.5628
> fax: 701.231.7464
> robert.v...@ndsu.edu
> www.ndsu.edu
>  
> 
>  
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Windows 8.1 on the wireless

[Robert Viou]

Wanted to see if others are seeing similar issues.

We are seeing some Windows 8.1 clients that are having issues connecting to the 
wireless in some areas.
It appears that they can connect just fine in some areas but not in others.
We are using XpressConnect to install a certificate and wireless profile.

We are running 7.6.220.0 on a Cisco 8510 controller using EAP-TLS.

Thanks







Robert Viou
Senior Network Engineer / Network Engineering & Operations
NORTH DAKOTA STATE UNIVERSITY

Quentin Burdick Building 136F
PO Box 6050, Dept. 4530
Fargo ND 58108-6050
phone: 701.231.5628
fax: 701.231.7464
robert.v...@ndsu.edu
www.ndsu.edu

[Description: Description: Description: Description: ndsu_sig.gif]


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] guest wireless

[Dale W. Carder]

Thus spake Mark Reboli (mreb...@misericordia.edu) on Tue, Sep 09, 2014 at 
03:40:33PM +:
> I am looking for information on what people do with guest wireless.  Do you 
> have open wireless on your campus?  Do you have a password that everyone 
> knows?  Do you create special passwords for groups?  Any assistance would be 
> helpful.

For our guests they can use eduroam, otherwise there is an open ssid and 
a click-through aup captive portal where they submit their name, email 
address and reason for requesting network access.

Guests get the same network access as everyone else, and we do not filter 
nor rate limit their traffic.  

Dale

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] IPv6 on wireless experiences?

[Lee, Steven]

Jason,
We went through this a few years ago.  At the time, we had about 8000 IPv6 
clients on each of our 720's.  We fought with it for about a semester until we 
could replace them with SUP2T's.

I dug up some notes from 2011 and included some lessons learned/ best practices 
below.  Things may have changed since then so please consult with your SE 
before trying any of this.


 1.  ND table size-  Once you reach the max, all traffic from additional 
clients is SW processed.  We did exceed the table size, but other factors below 
actually had more of an effect on our CPU.
 2.  ND table reachability timer – The default ND reachability timer is 30 
seconds as defined by the ND RFC.  This is too aggressive for a wireless 
deployment, driving up the CPU as it tries to send out solicitations and write 
to the ND table for thousands of clients.  The table rewrite chews up CPU.  We 
played with the timers and settled on changing it to 5 minutes.  We were 
concerned about the table limit size as once the table reaches its max, as all 
traffic from additional clients is processed in SW.
 3.  Mcast – the Sup720 processes mcast in SW, this means all RA's, NS's, 
bonjour, etc. will drive your interrupt CPU high.  We started blocking L2 
multicast at the interface before it could go to the CPU
 4.  Cisco recommended that we enable IPv6 multicast on all your core routers.  
Cisco stated that this will allow MLD snooping to handle most of the IPv6 
solicitation messages (instead of sending them to the CPU).  Sounds good in 
theory, but it had unintended consequences that forced all the mcast traffic 
that we were blocking in #2 to get punted to the CPU.  Cisco said bug.  You may 
want to follow up on this as we moved to the SUP2T
 5.  Deny ICMP redirects on your client facing interfaces.  - another measure 
to reduce demand on CPU resources.  Cisco may tell you to also deny ICMP 
unreachables.  If your running dual stack, this is a bad idea.
 6.  uRPF for IPv6 was done solely in SW on the 720.   We replaced with 
appropriate ACL's (HW based)

In short, depending on the number of IPv6 clients your expecting, you may want 
to consider another solution.   Id be happy to provide more detail if you need.


steve


From: Jason Chan mailto:szeho.c...@utoronto.ca>>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Tuesday, September 9, 2014 10:35 PM
To: 
"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] IPv6 on wireless experiences?

I was wondering if anyone is having issues with exceeding NDP entries number on 
routers?

I’m also about to enable IPv6 on wireless but I’ve been advised by Cisco to 
watch out for the NDP table size limit on our 6500 with SUP720-3B, which is 
only 15K entries.  On the IPv4 side we are slightly above 28K (out of 30K 
recommended maximum) entries on one of our routers.

Jason

--
Jason Chan
Enterprise Infrastructure Solutions,
Information + Technology Services
University of Toronto
Phone: (416)946-5233
Email: szeho.c...@utoronto.ca




**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] guest wireless

[Dennis Xu]

Yes uog-wifi SSID is also used to provision client devices. We use SecureW2 
JoinNow wizard. 

---
Dennis Xu
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca 
www.uoguelph.ca/ccs

- Original Message -
From: "Bruce W Osborne (Network Services)" 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Wednesday, September 10, 2014 7:52:27 AM
Subject: Re: [WIRELESS-LAN] guest wireless

Dennis,

Do you use uog-wifi to provision client devices? If not, how do they get 
configured for uog-wifi-secure? 

We use CloudPath XpressConnect Wizard on an open SSID to provision clients for 
WPA2-Enterprise.

Bruce Osborne
Network Engineer – Wireless Team
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Dennis Xu [mailto:d...@uoguelph.ca] 
Sent: Tuesday, September 9, 2014 3:46 PM
Subject: Re: guest wireless

We have three SSIDs:

uog-wifi-secure: WPA2/Enterprise. No restrictions after authenticated. 
uog-wifi: web auth. A single portal for both uog users and guests. We use Cisco 
NAC guest servers to manage sponsors and guest accounts. No restrictions for 
uog users and http/https only for guests.
eduroam: WPA2/Enterprise. Only certain ports are opened(such as http/https, 
VPN, secure email ports, etc). 

Our goal is to make uog-wifi guest only by end of this year. 

---
Dennis Xu
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS) University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs

- Original Message -
From: "Bradley Williams" 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Tuesday, September 9, 2014 12:05:27 PM
Subject: Re: [WIRELESS-LAN] guest wireless




We have an webauth ssid that redirects to a server that can do 
self-provisioning and authentication of guest accounts(as long as they provide 
a phone number or email account to have it sent to). That provides them with 
internet access(no internal network access) and keeps us CALEA compliant. 




Bradley Williams 

Network Services 

Clemson Computing and Information Technology 





From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mark Reboli
Sent: Tuesday, September 09, 2014 11:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] guest wireless 



I am looking for information on what people do with guest wireless. Do you have 
open wireless on your campus? Do you have a password that everyone knows? Do 
you create special passwords for groups? Any assistance would be helpful. 



Thank you 



m 



Description: MU Arches

Mark Reboli 

Network/Telcom Manager 

Misericordia University 

(570) 674-6753 



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/ . ** Participation and subscription 
information for this EDUCAUSE Constituent Group discussion list can be found at 
http://www.educause.edu/groups/. 

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

RE: guest wireless

[Osborne, Bruce W (Network Services)]

Dennis,

Do you use uog-wifi to provision client devices? If not, how do they get 
configured for uog-wifi-secure? 

We use CloudPath XpressConnect Wizard on an open SSID to provision clients for 
WPA2-Enterprise.

Bruce Osborne
Network Engineer – Wireless Team
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Dennis Xu [mailto:d...@uoguelph.ca] 
Sent: Tuesday, September 9, 2014 3:46 PM
Subject: Re: guest wireless

We have three SSIDs:

uog-wifi-secure: WPA2/Enterprise. No restrictions after authenticated. 
uog-wifi: web auth. A single portal for both uog users and guests. We use Cisco 
NAC guest servers to manage sponsors and guest accounts. No restrictions for 
uog users and http/https only for guests.
eduroam: WPA2/Enterprise. Only certain ports are opened(such as http/https, 
VPN, secure email ports, etc). 

Our goal is to make uog-wifi guest only by end of this year. 

---
Dennis Xu
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS) University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs

- Original Message -
From: "Bradley Williams" 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Tuesday, September 9, 2014 12:05:27 PM
Subject: Re: [WIRELESS-LAN] guest wireless




We have an webauth ssid that redirects to a server that can do 
self-provisioning and authentication of guest accounts(as long as they provide 
a phone number or email account to have it sent to). That provides them with 
internet access(no internal network access) and keeps us CALEA compliant. 




Bradley Williams 

Network Services 

Clemson Computing and Information Technology 





From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mark Reboli
Sent: Tuesday, September 09, 2014 11:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] guest wireless 



I am looking for information on what people do with guest wireless. Do you have 
open wireless on your campus? Do you have a password that everyone knows? Do 
you create special passwords for groups? Any assistance would be helpful. 



Thank you 



m 



Description: MU Arches

Mark Reboli 

Network/Telcom Manager 

Misericordia University 

(570) 674-6753 



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/ . ** Participation and subscription 
information for this EDUCAUSE Constituent Group discussion list can be found at 
http://www.educause.edu/groups/. 

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.