RE: ResHall Wireless

2015-03-12 Thread Hector J Rios
We use Cisco's wireless solution with WiSM2s and a variety of WAPs. We actually 
implemented the guest anchor controller solution last year with dual 
controllers (WLC2504) and we've been happy.

I like Britton's idea of using FlexConnect at the dorms to switch the student 
data locally. However, I believe there are some limitations that would keep us 
from using it such as no support for AVC, and some limitations on IPv6.

-Hector

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Thursday, March 12, 2015 7:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

Hector,

You do not say what wireless solution you are using. Let me assume a Cisco or 
Aruba controller-based solution. You can have VLANs from your controller tunnel 
to an anchor controller in a DMZ. Use 802.1X authentication based on AD groups.

This solution permits controlled internal access and, if you desire, unfiltered 
Internet access. Until recently, we did something similar with our open Guest 
wireless network on our Aruba system. We now use a different solution for this.

The anchor controller idea was based on Cisco wireless training several years 
ago. At that time, it was their recommended guest solution.

Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Hector J Rios [mailto:hr...@lsu.edu]
Sent: Wednesday, March 11, 2015 9:48 AM
Subject: ResHall Wireless

I'm wondering how many of you treat the wireless in the ResHalls differently 
from the wireless on the rest of your campus. In terms of geography, we have 21 
ResHalls that are in the perimeter of our campus. Some of these buildings are 
next to academic or administrative buildings. Eduroam is our main SSID. So, for 
the longest time it has only made sense to broadcast eduroam everywhere. Now, 
on the wired side of the house, our ResHalls have a dedicated connection that 
gives them direct, non-firewall access to the internet (for access to campus 
resources, a student must VPN). This came about as a request from the students 
to have more freedom in their residence. Makes sense. But wireless is different 
as it goes through our campus core, traverses our perimeter firewall, and goes 
out our main internet connection.

I've struggled to find an alternative solution to this. We recognize that 
students in ResHalls are different in the sense that they pay for a place to 
live and should get an internet service that is similar to their home service. 
However, any alternatives that we have considered (separate SSID, dynamic VLAN 
assignment, user groups) just seem to complicate the setup.

Any good ideas out there or creative ways in which you have tackled this 
challenge?

Thanks,

Hector Rios, CCNP, CCA
Assistant Director, Network Engineering
Dept. of Networking and Infrastructure
Information Technology Services
Louisiana State University

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] ResHall Wireless

2015-03-12 Thread Britton Anderson
I'm a little late to the party, but as Bruce alluded to I'm not certain
what wireless solution you're using. But in our case, we have a similar
setup with different security rules in our student network. We actually
carve off their network in a separate VRF and control their traffic routes.
To make that work on wireless, we've done two things. In the larger dorms
where they're routing at the building, we put their APs in FlexConnect mode
and drop their wireless traffic into the building network. For the smaller
dorms where routing isn't present, we have a separate network presented to
our production controllers inside the Student VRF and broadcast the same
SSIDs tied to this network via AP groups only containing APs in those
residence hall spaces.

This gets a little weird sometimes with some dorms being physically close
to staff spaces. But we work with those on a case-by-case basis. Most of
our buildings are concrete, so that doesn't happen often...



Britton Anderson  | Senior Network Communications
Specialist | University of Alaska  | 907.450.8250

On Thu, Mar 12, 2015 at 4:41 AM, Osborne, Bruce W (Network Services) <
bosbo...@liberty.edu> wrote:

>  Hector,
>
>
>
> You do not say what wireless solution you are using. Let me assume a Cisco
> or Aruba controller-based solution. You can have VLANs from your controller
> tunnel to an anchor controller in a DMZ. Use 802.1X authentication based
> on AD groups.
>
>
>
> This solution permits controlled internal access and, if you desire,
> unfiltered Internet access. Until recently, we did something similar with
> our open Guest wireless network on our Aruba system. We now use a different
> solution for this.
>
>
>
> The anchor controller idea was based on Cisco wireless training several
> years ago. At that time, it was their recommended guest solution.
>
>
>
> *Bruce Osborne*
>
> *Wireless Engineer*
>
> *IT Infrastructure & Media Solutions*
>
>
>
> *(434) 592-4229*
>
>
>
> *LIBERTY UNIVERSITY*
>
> *Training Champions for Christ since 1971*
>
>
>
> *From:* Hector J Rios [mailto:hr...@lsu.edu]
> *Sent:* Wednesday, March 11, 2015 9:48 AM
> *Subject:* ResHall Wireless
>
>
>
> I’m wondering how many of you treat the wireless in the ResHalls
> differently from the wireless on the rest of your campus. In terms of
> geography, we have 21 ResHalls that are in the perimeter of our campus.
> Some of these buildings are next to academic or administrative buildings.
> Eduroam is our main SSID. So, for the longest time it has only made sense
> to broadcast eduroam everywhere. Now, on the wired side of the house, our
> ResHalls have a dedicated connection that gives them direct, non-firewall
> access to the internet (for access to campus resources, a student must
> VPN). This came about as a request from the students to have more freedom
> in their residence. Makes sense. But wireless is different as it goes
> through our campus core, traverses our perimeter firewall, and goes out our
> main internet connection.
>
>
>
> I’ve struggled to find an alternative solution to this. We recognize that
> students in ResHalls are different in the sense that they pay for a place
> to live and should get an internet service that is similar to their home
> service. However, any alternatives that we have considered (separate SSID,
> dynamic VLAN assignment, user groups) just seem to complicate the setup.
>
>
>
> Any good ideas out there or creative ways in which you have tackled this
> challenge?
>
>
>
> Thanks,
>
>
>
> Hector Rios, CCNP, CCA
>
> Assistant Director, Network Engineering
>
> Dept. of Networking and Infrastructure
>
> Information Technology Services
>
> Louisiana State University
>
>
>




RE: [WIRELESS-LAN] Cloudpath ES4

2015-03-12 Thread Curtis K. Larsen
We've used the wizard for years, and we're in pilot mode with the ES, and 
EAP-TLS right now.  We use the ES for onboarding with PacketFence/FreeRADIUS 
doing the back-end authentications/NAC quarantine.  We support both PEAP and 
EAP-TLS at the moment.

So far the experience has been positive.  We've seen a couple of issues with a 
corrupt cert store on Android, fixed by re-onboarding.  It would be nice if 
Google would implement profiles for Android more like iOS or even Chrome OS 
have.  The guest options with SMS are really nice/flexible too.  We also use 
the guest sponsoring capability in case a guest does not have cell coverage to 
self-onboard.  The ability to offer a self-onboard choice to long term 
vendors/contractors for WPA2-Enterprise is handy as well.

I'd like to see Cloudpath add some permission level views to the admin console 
(like read-only for helpdesk).  As far as I can tell it's all or nothing right 
now.

Thanks,

Curtis Larsen
University of Utah
Network Engineer III


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Frank Sweetser [f...@wpi.edu]
Sent: Thursday, March 12, 2015 6:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cloudpath ES4

We've always been some form of certificates (well, before that we were
WEP...).  We wanted to avoid PEAP to make sure that we didn't encourage users
(students in particular) to leave their username and passwords lying around on
devices.

Cloudpath did a pretty good job in articulating why they believe EAP-TLS
produces a better overall user experience when compared with PEAP:

http://techfieldday.com/appearance/cloudpath-networks-presents-at-wireless-field-day-6/

The one black spot on EAP-TLS I will warn you of is Android devices.  The
Android certificate store is opaque and fragile.

The opaque part is that from the perspective of a user, and most applications,
it's a one way black box.  You dump certificates in, but there does not appear
to be any way to enumerate the user certificates installed, only the CA list.
Recent versions of the XpressConnect app will display a list of certificates
that it believes it has installed, but I don't know of any good way to verify
or look for what other certificates are present.

The fragile part is even more exciting.  Android itself requires a "secure"
screen lock before it will store certificates, and not all screen lock types
meet this criterion.  If you play around with your screen lock settings after
loading certificates, we've seen cases where the store is locked and/or
corrupted, sometimes to the point where the phone has to be factory defaulted
to fix.

Overall, though, using certificates on the vast majority of devices with good
solid support for them has worked out very well for us.

Frank Sweetser fs at wpi.edu|  For every problem, there is a solution that
Manager of Network Operations   |  is simple, elegant, and wrong.
Worcester Polytechnic Institute |   - HL Mencken

On 3/11/2015 7:16 PM, Jason Cook wrote:
> Hi Frank,
>
> Great, thanks for the detailed feedback.  Sounds worth a trial at the very least.
>
> That covers most of our questions for the moment, did you migrate from a 
> PEAP/MsCHAP environment when moving to cloudpath?  If so was it a better 
> experience for users?
>
> Regards
>
> Jason
>
> --
> Jason Cook
> The University of Adelaide, AUSTRALIA 5005
> Ph: +61 8 8313 4800
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Frank Sweetser
> Sent: Wednesday, 11 March 2015 2:08 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Cloudpath ES4
>
> Hi Jason,
>
> we've been on ES3 for a while now, and are planning on moving to ES4 in 
> production this week.  First, your questions:
>
>- We've been exclusively on EAP-TLS for wireless since before we moved to 
> Cloudpath, and it's worked out very well.  The multiple certificate templates 
> and workflows give you quite a bit of flexibility in who gets what (different 
> CAs for student vs staff, different expiration period, etc).  The server acts 
> as an OCSP responder, so you can easily revoke any specific certificates, 
> allowing you to knock a single device offline rather than all devices owned 
> by a given user.  In addition, it can also use the OCSP checks to track 
> certificate usage, and send out notices to users who are actively using 
> certificates coming up on expiration in the near future.
>
> If you have other registration systems, you can also trigger a server side 
> HTTP callout on certificate issuance.  We have this as a tie in to our IPAM 
> system, automating that portion of it completely and allowing our users to 
> skip several steps.
>
>- We haven't gone live on Cloudpath based guests, but have mocked it up in 
> the lab, and it should wo

Re: [WIRELESS-LAN] Cloudpath ES4

2015-03-12 Thread Frank Sweetser
We've always been some form of certificates (well, before that we were 
WEP...).  We wanted to avoid PEAP to make sure that we didn't encourage users 
(students in particular) to leave their username and passwords lying around on 
devices.


Cloudpath did a pretty good job in articulating why they believe EAP-TLS 
produces a better overall user experience when compared with PEAP:


http://techfieldday.com/appearance/cloudpath-networks-presents-at-wireless-field-day-6/

The one black spot on EAP-TLS I will warn you of is Android devices.  The 
Android certificate store is opaque and fragile.


The opaque part is that from the perspective of a user, and most applications, 
it's a one way black box.  You dump certificates in, but there does not appear 
to be any way to enumerate the user certificates installed, only the CA list. 
Recent versions of the XpressConnect app will display a list of certificates 
that it believes it has installed, but I don't know of any good way to verify 
or look for what other certificates are present.


The fragile part is even more exciting.  Android itself requires a "secure" 
screen lock before it will store certificates, and not all screen lock types 
meet this criterion.  If you play around with your screen lock settings after 
loading certificates, we've seen cases where the store is locked and/or 
corrupted, sometimes to the point where the phone has to be factory defaulted 
to fix.


Overall, though, using certificates on the vast majority of devices with good 
solid support for them has worked out very well for us.


Frank Sweetser fs at wpi.edu|  For every problem, there is a solution that
Manager of Network Operations   |  is simple, elegant, and wrong.
Worcester Polytechnic Institute |   - HL Mencken

On 3/11/2015 7:16 PM, Jason Cook wrote:

Hi Frank,

Great, thanks for the detailed feedback.  Sounds worth a trial at the very least.

That covers most of our questions for the moment, did you migrate from a 
PEAP/MsCHAP environment when moving to cloudpath?  If so was it a better 
experience for users?

Regards

Jason

--
Jason Cook
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Frank Sweetser
Sent: Wednesday, 11 March 2015 2:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cloudpath ES4

Hi Jason,

we've been on ES3 for a while now, and are planning on moving to ES4 in 
production this week.  First, your questions:

   - We've been exclusively on EAP-TLS for wireless since before we moved to 
Cloudpath, and it's worked out very well.  The multiple certificate templates 
and workflows give you quite a bit of flexibility in who gets what (different 
CAs for student vs staff, different expiration period, etc).  The server acts 
as an OCSP responder, so you can easily revoke any specific certificates, 
allowing you to knock a single device offline rather than all devices owned by 
a given user.  In addition, it can also use the OCSP checks to track 
certificate usage, and send out notices to users who are actively using 
certificates coming up on expiration in the near future.

If you have other registration systems, you can also trigger a server side HTTP 
callout on certificate issuance.  We have this as a tie in to our IPAM system, 
automating that portion of it completely and allowing our users to skip several 
steps.

   - We haven't gone live on Cloudpath based guests, but have mocked it up in 
the lab, and it should work.  While I don't believe they have a whole lot of 
explicit guest functionality, the workflows are flexible enough that you can 
still accomplish a lot.  If you can have temporary guest credentials set up in 
your upstream authentication source with appropriate group memberships, you can 
easily flag them in Cloudpath for special treatment - for example, you can have 
long term guests set up with 90 day certificates for authentication.

   - Their features on this look pretty good, but we haven't used them at all.

   - Ditto - we're currently using freeradius with a custom tie in to our IPAM 
system, but are seriously looking at Clearpass to replace it in the near future.

Two other caveats I'll mention for free:

   - The ES system includes a complete from-scratch rewrite of the wizard, so 
it won't be the same one you're used to.  The initial releases didn't have all 
of the same functionality as the cloud hosted one, so while they've promised 
full feature parity, I'd double check carefully that all of the features you 
need are already implemented.

   - The clustering functionality looks pretty cool, but read it carefully and 
test, as it's still a newish feature with a lot of caveats.  Also, last time I 
checked in order to take full advantage of it you'll need to front it with a 
load balancer, as I don't believe it had any built in service
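Frank's EAP-TLS notes above describe two things a per-device certificate model buys you: revoking one device's certificate without touching the user's other devices, and using the OCSP responder's lookups as a usage signal so that only people actively using a soon-to-expire certificate get a renewal notice. The Python below is an added illustration of that bookkeeping written for this thread; it is not Cloudpath's, FreeRADIUS's or any vendor's code. The serials, users, expiry dates and responder log lines are constructed sample data, and the log line format is an assumed one.

```python
"""Per-device certificate bookkeeping for an EAP-TLS deployment.

Added illustration only (not Cloudpath, FreeRADIUS or any vendor's code).
It models two things described in the thread: revoking one device's
certificate instead of every device a user owns, and using OCSP lookups
to find certificates that are both in active use and close to expiry,
so their owners can be warned before they drop off the network.
All serials, users and log lines below are constructed sample data; the
log line format is an assumption, not any real responder's format.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class IssuedCert:
    serial: str
    user: str
    device: str
    not_after: datetime
    revoked: bool = False


@dataclass
class CertInventory:
    certs: dict = field(default_factory=dict)      # serial -> IssuedCert
    last_seen: dict = field(default_factory=dict)  # serial -> last OCSP query time

    def issue(self, serial, user, device, not_after):
        self.certs[serial] = IssuedCert(serial, user, device, not_after)

    def revoke_device(self, user, device):
        """Revoke only the certificate(s) issued to one of a user's devices.
        The user's other devices keep working; returns the revoked serials."""
        hits = [c for c in self.certs.values() if c.user == user and c.device == device]
        for c in hits:
            c.revoked = True
        return [c.serial for c in hits]

    def ocsp_status(self, serial, now):
        """Status an OCSP responder would hand back (RFC 6960: good / revoked /
        unknown). Each lookup is also recorded as evidence the cert is in use."""
        c = self.certs.get(serial)
        if c is None:
            return "unknown"
        self.last_seen[serial] = now
        return "revoked" if c.revoked else "good"

    def ingest_ocsp_log(self, lines):
        """Replay responder log lines of the assumed form
        '<ISO-8601 timestamp> serial=<hex> status=<s>' into last_seen."""
        for line in lines:
            ts_str, serial_kv, *_ = line.split()
            serial = serial_kv.split("=", 1)[1]
            ts = datetime.fromisoformat(ts_str)
            if serial in self.certs and ts > self.last_seen.get(serial, datetime.min):
                self.last_seen[serial] = ts

    def expiring_in_use(self, now, active_within=timedelta(days=14),
                        warn_before=timedelta(days=30)):
        """Serials the responder has seen recently that expire soon: the set
        worth a renewal notice. Idle, revoked and already-expired certs are skipped."""
        out = []
        for serial, c in self.certs.items():
            seen = self.last_seen.get(serial)
            if seen is None or now - seen > active_within:
                continue
            if c.revoked or c.not_after <= now:
                continue
            if c.not_after - now <= warn_before:
                out.append(serial)
        return sorted(out)


def build_sample():
    """Constructed inventory and responder log (sample data, not real records)."""
    now = datetime(2015, 3, 12, 12, 0)
    inv = CertInventory()
    inv.issue("01", "alice", "laptop", now + timedelta(days=20))
    inv.issue("02", "alice", "phone", now + timedelta(days=200))
    inv.issue("03", "bob", "laptop", now + timedelta(days=10))
    inv.issue("04", "carol", "tablet", now + timedelta(days=5))
    inv.ingest_ocsp_log([
        "2015-03-11T09:00:00 serial=01 status=good",
        "2015-03-12T08:30:00 serial=02 status=good",
        "2015-02-01T10:00:00 serial=03 status=good",   # idle for over a month
        "2015-03-10T18:45:00 serial=04 status=good",
    ])
    return inv, now


if __name__ == "__main__":
    inv, now = build_sample()
    print("revoked:", inv.revoke_device("alice", "phone"))   # ['02']
    print("alice laptop:", inv.ocsp_status("01", now))       # good
    print("alice phone:", inv.ocsp_status("02", now))        # revoked
    print("notify:", inv.expiring_in_use(now))               # ['01', '04']
```

The point of keying everything by serial rather than by user is visible in `revoke_device`: Alice's phone certificate goes to `revoked` while her laptop keeps answering `good`. Bob's laptop certificate expires in ten days but is left out of the notice list because the responder has not seen it in over a month, which is exactly the filtering Frank describes.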

RE: ResHall Wireless

2015-03-12 Thread Osborne, Bruce W (Network Services)
Hector,

You do not say what wireless solution you are using. Let me assume a Cisco or 
Aruba controller-based solution. You can have VLANs from your controller tunnel 
to an anchor controller in a DMZ. Use 802.1X authentication based on AD groups.

This solution permits controlled internal access and, if you desire, unfiltered 
Internet access. Until recently, we did something similar with our open Guest 
wireless network on our Aruba system. We now use a different solution for this.

The anchor controller idea was based on Cisco wireless training several years 
ago. At that time, it was their recommended guest solution.

Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Hector J Rios [mailto:hr...@lsu.edu]
Sent: Wednesday, March 11, 2015 9:48 AM
Subject: ResHall Wireless

I'm wondering how many of you treat the wireless in the ResHalls differently 
from the wireless on the rest of your campus. In terms of geography, we have 21 
ResHalls that are in the perimeter of our campus. Some of these buildings are 
next to academic or administrative buildings. Eduroam is our main SSID. So, for 
the longest time it has only made sense to broadcast eduroam everywhere. Now, 
on the wired side of the house, our ResHalls have a dedicated connection that 
gives them direct, non-firewall access to the internet (for access to campus 
resources, a student must VPN). This came about as a request from the students 
to have more freedom in their residence. Makes sense. But wireless is different 
as it goes through our campus core, traverses our perimeter firewall, and goes 
out our main internet connection.

I've struggled to find an alternative solution to this. We recognize that 
students in ResHalls are different in the sense that they pay for a place to 
live and should get an internet service that is similar to their home service. 
However, any alternatives that we have considered (separate SSID, dynamic VLAN 
assignment, user groups) just seem to complicate the setup.

Any good ideas out there or creative ways in which you have tackled this 
challenge?

Thanks,

Hector Rios, CCNP, CCA
Assistant Director, Network Engineering
Dept. of Networking and Infrastructure
Information Technology Services
Louisiana State University




Re: [WIRELESS-LAN] Apple watch wifi

2015-03-12 Thread Julian Y Koh
On Wed Mar 11 2015 22:02:39 CDT, Trent Hurt  wrote:
> 
> How Apple watch will use wifi. Doesn't actually connect to network. 
> 
> http://iphone.appleinsider.com/articles/14/09/15/apple-watch-airdrop-ibeacon-continuity-coax-advanced-features-from-bluetooth-wifi
> 
> Sent from my iPhone

802.11b/g only.  Yay, more 2.4GHz!  :)


-- 
Julian Y. Koh
Acting Associate Director, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)

2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: 
PGP Public Key:



RE: ResHall Wireless

2015-03-12 Thread Bob Williamson
Matthew,

My guess is you already have an infrastructure in place, but Ruckus does a self 
activation portal which creates a dynamic PSK for each device.

Hope that info helps,
Bob Williamson
Network Administrator
Annie Wright Schools | 827 N Tacoma Ave, Tacoma, WA 98403 | 
www.aw.org
D: 253.272.2216 | F: 253.572.3616 | 
bob_william...@aw.org

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Williams, Matthew
Sent: Wednesday, March 11, 2015 7:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

We’re still investigating this as well.  Our wishlist would be a randomized PSK 
for each user, sort of like an authenticated guest network.  We haven’t seen 
anything that can pull that off though.

Respectfully,

Matthew Williams
IT Manager, Wireless
Kent State University
Office: (330) 672-7246
Mobile: (330) 469-0445

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Christopher Michael 
Allison
Sent: Wednesday, March 11, 2015 10:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless


We use a separate SSID currently but they have an IP similar to the other 
wireless on campus. We have had talks about DMZing our Residence halls from 
main campus including their wireless.



CHRISTOPHER ALLISON
Network Engineer I

Information Technology
Mail Code 4622
625 Wham Drive
Carbondale, Illinois 62901

chris.m.alli...@siu.edu
P: 618 / 453 - 8415
F: 618 / 453 - 5261
INFOTECH.SIU.EDU

"Choose a job you love, and you will never have to work a day in your life."
Confucius

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] 
on behalf of Hector J Rios [mailto:hr...@lsu.edu]
Sent: Wednesday, March 11, 2015 8:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] ResHall Wireless

I’m wondering how many of you treat the wireless in the ResHalls differently 
from the wireless on the rest of your campus. In terms of geography, we have 21 
ResHalls that are in the perimeter of our campus. Some of these buildings are 
next to academic or administrative buildings. Eduroam is our main SSID. So, for 
the longest time it has only made sense to broadcast eduroam everywhere. Now, 
on the wired side of the house, our ResHalls have a dedicated connection that 
gives them direct, non-firewall access to the internet (for access to campus 
resources, a student must VPN). This came about as a request from the students 
to have more freedom in their residence. Makes sense. But wireless is different 
as it goes through our campus core, traverses our perimeter firewall, and goes 
out our main internet connection.

I’ve struggled to find an alternative solution to this. We recognize that 
students in ResHalls are different in the sense that they pay for a place to 
live and should get an internet service that is similar to their home service. 
However, any alternatives that we have considered (separate SSID, dynamic VLAN 
assignment, user groups) just seem to complicate the setup.

Any good ideas out there or creative ways in which you have tackled this 
challenge?

Thanks,

Hector Rios, CCNP, CCA
Assistant Director, Network Engineering
Dept. of Networking and Infrastructure
Information Technology Services
Louisiana State University

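Matthew asks for a randomized PSK per user or device and Bob points to Ruckus's self-activation portal that creates one per device. The Python below is an added sketch of the mechanics behind that idea, written for this thread; it is not Ruckus's or any vendor's code, and the SSID, user names and MAC addresses are made up. It goes one step past the thread by including the standard WPA2 passphrase-to-PMK derivation (IEEE 802.11i: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 rounds, 32 bytes) so that the registry stores only derived keys rather than the passphrases themselves.

```python
"""Per-device PSK ("dynamic PSK") registry, a constructed illustration.

Added example, not Ruckus's or any other vendor's code. Each device gets
its own random passphrase at activation, the infrastructure keeps only the
derived WPA2 PMK, and one device can be cut off by deleting its entry
without re-keying anyone else. SSID, users and MACs below are made up.
"""
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal passphrase -> PMK, as IEEE 802.11i specifies."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


class DpskRegistry:
    def __init__(self, ssid: str, psk_len: int = 20):
        self.ssid = ssid
        self.psk_len = psk_len
        self.entries = {}  # device MAC -> (user, pmk bytes)

    def activate(self, user: str, mac: str) -> str:
        """Issue a fresh random passphrase for one device. It is returned once
        for the user to type in; only the derived PMK is kept."""
        psk = "".join(secrets.choice(ALPHABET) for _ in range(self.psk_len))
        self.entries[mac] = (user, wpa2_pmk(psk, self.ssid))
        return psk

    def deactivate(self, mac: str) -> bool:
        """Cut one device off; returns False if it was not registered."""
        return self.entries.pop(mac, None) is not None

    def devices_for(self, user: str):
        return sorted(mac for mac, (u, _) in self.entries.items() if u == user)

    def authenticates(self, mac: str, passphrase: str) -> bool:
        """Simplified stand-in for the 4-way handshake: a real AP never sees
        the passphrase, it checks the client's handshake MIC against the PMK
        stored for that MAC. Here the PMKs are compared directly, in constant time."""
        entry = self.entries.get(mac)
        if entry is None:
            return False
        return secrets.compare_digest(entry[1], wpa2_pmk(passphrase, self.ssid))


if __name__ == "__main__":
    reg = DpskRegistry("ResHall-Sample")
    psk = reg.activate("alice", "aa:bb:cc:00:00:01")
    print("alice's laptop PSK (shown once):", psk)
    print("authenticates:", reg.authenticates("aa:bb:cc:00:00:01", psk))          # True
    reg.deactivate("aa:bb:cc:00:00:01")
    print("after deactivation:", reg.authenticates("aa:bb:cc:00:00:01", psk))     # False
```

Because every device has a distinct PMK, removing one entry is a per-device revocation with no effect on other users or on the same user's other devices, which is what makes the scheme usable where a shared residence-hall PSK would not be. It is still WPA2-Personal: there is no server certificate for the client to validate, so the EAP-TLS discussion elsewhere on this list remains the stronger option for devices whose supplicants support it.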