Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

2015-03-17 Thread Jake Snyder
When talking about taking a single SSID and switching some traffic
locally and some traffic centrally, there is a way to do that using
RADIUS.

There is a feature called VLAN Based Central Switching.  Based on the
VLAN you return you can switch traffic either locally or centrally.

There are some rules around how this works:

1. If the VLAN passed exists on the flexconnect AP, the traffic is
switched locally.

2. If the VLAN passed does not exist on the flexconnect AP, it is
forwarded centrally.

3. If the VLAN ID doesn't exist on the WLC, the VLAN is assumed bogus
and traffic is dropped on the interface defined under Wlan/AP Group as
any centrally switched traffic would traditionally be done.

The trick is if you need to return an interface group or you have
overlapping vlan IDs.  Today, you can use interface names if the APs
are in local mode, but flexconnect rejects this.  The workaround is to
use the bogus vlan so traffic is forwarded centrally and then define
the AP-Group interface so that it drops onto the correct interface (or
interface group).

I have a request to allow the ability to use interface names when
dealing with flexconnect, but we will see if/when this makes it into
shipping code.

Thanks

Jake Snyder

@jsnyder81
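The three rules above, modelled as a small decision function over the RFC 3580 tunnel attributes a RADIUS server such as FreeRADIUS returns, with John's staff/student/everything-else split as the sample scenario. This is an added example, not Cisco code or anything posted in the thread; the AP and controller classes, the VLAN numbers and the interface-group name are constructed.

```python
"""Model of the FlexConnect "VLAN Based Central Switching" rules from the thread.
Added example, not Cisco code: the classes, VLAN numbers and interface-group
name below are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Tuple, Union


class Path(Enum):
    LOCAL = "switched locally on the FlexConnect AP"
    CENTRAL = "switched centrally into the returned VLAN on the WLC"
    CENTRAL_DEFAULT = "switched centrally onto the WLAN/AP-Group interface (bogus VLAN)"
    REJECTED = "rejected: FlexConnect takes VLAN IDs, not interface names"


@dataclass(frozen=True)
class FlexConnectAP:
    name: str
    local_vlans: frozenset       # VLANs mapped on the AP's FlexConnect trunk


@dataclass(frozen=True)
class Controller:
    vlans: frozenset             # VLAN IDs that exist as interfaces on the WLC
    ap_group_interface: str      # interface (group) set under WLAN/AP Group


def vlan_from_radius_reply(reply: dict) -> Union[int, str, None]:
    """RFC 3580 tunnel attributes -> int VLAN ID, a non-numeric string (an
    interface name), or None when the reply carries no VLAN assignment."""
    if reply.get("Tunnel-Type") != "VLAN" or reply.get("Tunnel-Medium-Type") != "IEEE-802":
        return None
    value = str(reply.get("Tunnel-Private-Group-Id", "")).strip()
    if not value:
        return None
    return int(value) if value.isdigit() else value


def switching_decision(reply: dict, ap: FlexConnectAP, wlc: Controller) -> Tuple[Path, str]:
    """Apply Jake's three rules, in order, to one RADIUS Access-Accept."""
    vlan = vlan_from_radius_reply(reply)
    if vlan is None:
        raise ValueError("reply carries no VLAN assignment; the rules do not apply")
    if isinstance(vlan, str):                 # interface name: rejected in FlexConnect mode
        return Path.REJECTED, vlan
    if vlan in ap.local_vlans:                # rule 1: VLAN exists on the AP
        return Path.LOCAL, f"VLAN {vlan} on {ap.name}"
    if vlan in wlc.vlans:                     # rule 2: not on the AP, but exists on the WLC
        return Path.CENTRAL, f"VLAN {vlan} on the WLC"
    return Path.CENTRAL_DEFAULT, wlc.ap_group_interface   # rule 3: unknown to the WLC


def radius_reply(vlan) -> dict:
    """Reply attributes a FreeRADIUS policy would return for a VLAN assignment."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan)}


# Constructed scenario shaped like John's: staff and students land in building VLANs
# locally; everything else returns a VLAN that exists nowhere, so it goes central and
# lands on the AP-Group interface group (Jake's workaround).
BUILDING_AP = FlexConnectAP("reshall-ap1", frozenset({110, 120}))
WLC = Controller(vlans=frozenset({110, 120, 200}), ap_group_interface="central-ifgroup")
BOGUS_VLAN = 4000   # constructed: configured on neither the AP nor the WLC

if __name__ == "__main__":
    for who, vlan in (("staff", 110), ("student", 120), ("police", 200), ("scanner", BOGUS_VLAN)):
        path, where = switching_decision(radius_reply(vlan), BUILDING_AP, WLC)
        print(f"{who:8} -> {path.name:16} {where}")
    print(switching_decision(radius_reply("central-ifgroup"), BUILDING_AP, WLC))
```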



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
Sent: Tuesday, March 17, 2015 11:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

We played with FlexConnect for a number of months but still could not
get what we needed it to do on a consistent basis. Essentially we
wanted FlexConnect to drop users into their building VLAN so they
would be able to easily interact with the same devices that the wired
connections in the buildings could see. As I'm sure you know, this
also resolves many of the Apple, Chromecast, etc., problems.

We did have one caveat though that we just couldn't get past -- we
wanted to drop faculty/staff into one VLAN and students into another
(we can easily return the proper VLAN for a particular client in a
particular building from Radius server - FreeRadius with a call to our
LDAP server for info) but we also need to send everything else back
to the controller for central switching (e.g., police connections,
special bar-code scanners that roam and serve to identify a user, but
not being used for client traffic, for example, to give out free flu
shots to eligible folks or let folks into a sporting event). We just
couldn't get past having 95+% locally switched and the remainder
centrally switched for over 200 buildings many with now over 100 APs
each without using FlexConnect groups which are limited to numbers way
too small for our campus.

We can even live comfortably without roaming between buildings. Most
folks are not used to being able to roam between buildings downtown or
many cannot roam between apartments off campus.

How did you get around the FlexConnect group problem?

==
-jcw

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hector J Rios
[hr...@lsu.edu]
Sent: Tuesday, March 17, 2015 9:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

I tested FlexConnect on 8.0.110.0. Here are my observations:

*Great alternative to switch data locally (obviously)
*No AVC Support
*When controller is down, AP goes into standalone mode. Must make sure
that AP is not able to reach any other controller you don't want. This
was fixed with an ACL.
*Client details page does not show client IPv6 address. Client still
gets IPv6 address. (PRIME does show it if you run a report).
*Client details page does not show VLAN ID.
*Putting AP in FlexConnect mode does not require reboot (Cool!)
*No IPv6 ACL support

More testing to do, but so far so good.

-Hector

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
Sent: Thursday, March 12, 2015 11:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

We use Cisco's wireless solution with WiSM2s and a variety of WAPs. We
actually implemented the guest anchor controller solution last year
with dual controllers (WLC2504) and we've been happy.

I like Britton's idea of using FlexConnect at the dorms to switch the
student data locally. However, I believe there are some limitations
that would keep us from using it such as no support for AVC, and some
limitations on IPv6.

-Hector



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne,
Bruce W (Network Services)

Sent: Thursday, March 12, 2015 7:42 AM

To: 

RE: ResHall Wireless - FlexConnect

2015-03-17 Thread Hector J Rios
I've not performed tests to that scale yet. Plus we are only considering this 
for our ResHalls, of which we have 21 buildings only. 

-Hector


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
Sent: Tuesday, March 17, 2015 11:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

We played with FlexConnect for a number of months but still could not get what 
we needed it to do on a consistent basis. Essentially we wanted FlexConnect to 
drop users into their building VLAN so they would be able to easily interact 
with the same devices that the wired connections in the buildings could see. As 
I'm sure you know, this also resolves many of the Apple, Chromecast, etc., 
problems.

We did have one caveat though that we just couldn't get past -- we wanted to 
drop faculty/staff into one VLAN and students into another (we can easily 
return the proper VLAN for a particular client in a particular building from 
Radius server - FreeRadius with a call to our LDAP server for info) but we 
also need to send everything else back to the controller for central switching 
(e.g., police connections, special bar-code scanners that roam and serve to 
identify a user, but not being used for client traffic, for example, to give 
out free flu shots to eligible folks or let folks into a sporting event). We 
just couldn't get past having 95+% locally switched and the remainder centrally 
switched for over 200 buildings many with now over 100 APs each without using 
FlexConnect groups which are limited to numbers way too small for our campus.

We can even live comfortably without roaming between buildings. Most folks are 
not used to being able to roam between buildings downtown or many cannot roam 
between apartments off campus.

How did you get around the FlexConnect group problem?




==
-jcw

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hector J Rios [hr...@lsu.edu]
Sent: Tuesday, March 17, 2015 9:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

I tested FlexConnect on 8.0.110.0. Here are my observations:

*Great alternative to switch data locally (obviously)
*No AVC Support
*When controller is down, AP goes into standalone mode. Must make sure that AP 
is not able to reach any other controller you don't want. This was fixed with 
an ACL.
*Client details page does not show client IPv6 address. Client still gets IPv6 
address. (PRIME does show it if you run a report).
*Client details page does not show VLAN ID.
*Putting AP in FlexConnect mode does not require reboot (Cool!)
*No IPv6 ACL support

More testing to do, but so far so good.

-Hector



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
Sent: Thursday, March 12, 2015 11:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

We use Cisco's wireless solution with WiSM2s and a variety of WAPs. We actually 
implemented the guest anchor controller solution last year with dual 
controllers (WLC2504) and we've been happy.

I like Britton's idea of using FlexConnect at the dorms to switch the student 
data locally. However, I believe there are some limitations that would keep us 
from using it such as no support for AVC, and some limitations on IPv6.

-Hector

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Thursday, March 12, 2015 7:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

Hector,

You do not say what wireless solution you are using. Let me assume a Cisco or 
Aruba controller based solution. You can have vlans from your controller tunnel 
to an anchor controller in a DMZ.  Use 802.1X authentication based on AD groups.

This solution permits controlled internal access and, if you desire, unfiltered 
Internet access. Until recently, we did something similar with our open Guest 
wireless network on our Aruba system. We now use a different solution for this.

The anchor controller idea was based on Cisco wireless training several years 
ago. At that time, it was their recommended guest solution.

Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Hector J Rios [mailto:hr...@lsu.edu]
Sent: Wednesday, March 11, 2015 9:48 AM
Subject: ResHall Wireless

I'm wondering how many of you treat the wireless in the ResHalls differently 
from the wireless on the rest of your campus. In terms of geography, we have 21 
ResHalls that are in the 

RE: [WIRELESS-LAN] PEAP cert question

2015-03-17 Thread Eric T. Barnett
Yes. It shows the proper name. Apparently, from some of the off-list replies 
I’ve gotten (thanks!), this is normal functionality. Unless there’s a 
better/easier way to do this other than PEAP?

--Eric

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King
Sent: Tuesday, March 17, 2015 2:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP cert question

Eric,

It's been a little while since I've bumped into this, but did you use the 
correct name for your certificate, and was it a server certificate? I think the 
name had to be the radius servers name.

On Tue, Mar 17, 2015 at 10:43 AM, Eric T. Barnett ebarn...@astate.edu wrote:
We’re running PEAP for our WPA2-Enterprise SSID, but we keep getting warning 
messages saying that we’re not using a verified cert. We’re currently using 
GlobalSign. Is there anybody out there running PEAP on a cert that doesn’t give 
this error? Mine expires this August, but I’d gladly get rid of it for a cert 
that doesn’t cause Apple and Microsoft to give that error.

Regards,

Eric Barnett
Wireless Administrator
Information and Technology Services
Arkansas State University
870 680 4243

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.



Re: [WIRELESS-LAN] PEAP cert question

2015-03-17 Thread Mike King
Eric,

It's been a little while since I've bumped into this, but did you use the
correct name for your certificate, and was it a server certificate? I think
the name had to be the radius servers name.

On Tue, Mar 17, 2015 at 10:43 AM, Eric T. Barnett ebarn...@astate.edu
wrote:

 We’re running PEAP for our WPA2-Enterprise SSID, but we keep getting
 warning messages saying that we’re not using a verified cert. We’re
 currently using GlobalSign. Is there anybody out there running PEAP on a
 cert that doesn’t give this error? Mine expires this August, but I’d gladly
 get rid of it for a cert that doesn’t cause Apple and Microsoft to give
 that error.



 Regards,



 Eric Barnett

 Wireless Administrator

 Information and Technology Services

 Arkansas State University

 870 680 4243






Re: [WIRELESS-LAN] PEAP cert question

2015-03-17 Thread Dennis Xu
We only see Apple gives the not verified error for our certificate. Other 
devices are fine. We also deployed the SecureW2 JoinNow utility for secure 
wireless device onboarding. The Apple devices configured by JoinNow do not get 
the verification error because JoinNow pushes the trusted certificates to the 
devices.  

---
Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca 
www.uoguelph.ca/ccs

- Original Message -
From: Eric T. Barnett ebarn...@astate.edu
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Tuesday, March 17, 2015 10:43:55 AM
Subject: [WIRELESS-LAN] PEAP cert question




We’re running PEAP for our WPA2-Enterprise SSID, but we keep getting warning 
messages saying that we’re not using a verified cert. We’re currently using 
GlobalSign. Is there anybody out there running PEAP on a cert that doesn’t give 
this error? Mine expires this August, but I’d gladly get rid of it for a cert 
that doesn’t cause Apple and Microsoft to give that error. 



Regards, 



Eric Barnett 

Wireless Administrator 

Information and Technology Services 

Arkansas State University 

870 680 4243 





PEAP cert question

2015-03-17 Thread Eric T. Barnett
We're running PEAP for our WPA2-Enterprise SSID, but we keep getting warning 
messages saying that we're not using a verified cert. We're currently using 
GlobalSign. Is there anybody out there running PEAP on a cert that doesn't give 
this error? Mine expires this August, but I'd gladly get rid of it for a cert 
that doesn't cause Apple and Microsoft to give that error.

Regards,

Eric Barnett
Wireless Administrator
Information and Technology Services
Arkansas State University
870 680 4243





RE: [WIRELESS-LAN] PEAP cert question

2015-03-17 Thread Patrick Mauretti
Echoing what Dennis stated, you will need an onboarding utility/supplicant to 
provide the needed certs to the BYOD in question.  If you control the devices, 
then you can always push the certs via other means, like Group Policy.  Without 
those trusted certs installed onto the client devices, the error will continue 
to persist.  If you do not have an onboarding method, you can provide 
instructions for your users on how to configure the wireless network themselves.

Patrick

Patrick Mauretti
Sr. Network Administrator
Massasoit Community College


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Dennis Xu [d...@uoguelph.ca]
Sent: Tuesday, March 17, 2015 10:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP cert question

We only see Apple gives the not verified error for our certificate. Other 
devices are fine. We also deployed the SecureW2 JoinNow utility for secure 
wireless device onboarding. The Apple devices configured by JoinNow do not get 
the verification error because JoinNow pushes the trusted certificates to the 
devices.

---
Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs

- Original Message -
From: Eric T. Barnett ebarn...@astate.edu
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Tuesday, March 17, 2015 10:43:55 AM
Subject: [WIRELESS-LAN] PEAP cert question




We’re running PEAP for our WPA2-Enterprise SSID, but we keep getting warning 
messages saying that we’re not using a verified cert. We’re currently using 
GlobalSign. Is there anybody out there running PEAP on a cert that doesn’t give 
this error? Mine expires this August, but I’d gladly get rid of it for a cert 
that doesn’t cause Apple and Microsoft to give that error.



Regards,



Eric Barnett

Wireless Administrator

Information and Technology Services

Arkansas State University

870 680 4243





RE: ResHall Wireless - FlexConnect

2015-03-17 Thread Watters, John
We played with FlexConnect for a number of months but still could not get what 
we needed it to do on a consistent basis. Essentially we wanted FlexConnect to 
drop users into their building VLAN so they would be able to easily interact 
with the same devices that the wired connections in the buildings could see. As 
I'm sure you know, this also resolves many of the Apple, Chromecast, etc., 
problems.

We did have one caveat though that we just couldn't get past -- we wanted to 
drop faculty/staff into one VLAN and students into another (we can easily 
return the proper VLAN for a particular client in a particular building from 
Radius server - FreeRadius with a call to our LDAP server for info) but we 
also need to send everything else back to the controller for central switching 
(e.g., police connections, special bar-code scanners that roam and serve to 
identify a user, but not being used for client traffic, for example, to give 
out free flu shots to eligible folks or let folks into a sporting event). We 
just couldn't get past having 95+% locally switched and the remainder centrally 
switched for over 200 buildings many with now over 100 APs each without using 
FlexConnect groups which are limited to numbers way too small for our campus.

We can even live comfortably without roaming between buildings. Most folks are 
not used to being able to roam between buildings downtown or many cannot roam 
between apartments off campus.

How did you get around the FlexConnect group problem?




==
-jcw

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hector J Rios [hr...@lsu.edu]
Sent: Tuesday, March 17, 2015 9:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

I tested FlexConnect on 8.0.110.0. Here are my observations:

*Great alternative to switch data locally (obviously)
*No AVC Support
*When controller is down, AP goes into standalone mode. Must make sure that AP 
is not able to reach any other controller you don’t want. This was fixed with 
an ACL.
*Client details page does not show client IPv6 address. Client still gets IPv6 
address. (PRIME does show it if you run a report).
*Client details page does not show VLAN ID.
*Putting AP in FlexConnect mode does not require reboot (Cool!)
*No IPv6 ACL support

More testing to do, but so far so good.

-Hector



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
Sent: Thursday, March 12, 2015 11:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

We use Cisco’s wireless solution with WiSM2s and a variety of WAPs. We actually 
implemented the guest anchor controller solution last year with dual 
controllers (WLC2504) and we’ve been happy.

I like Britton’s idea of using FlexConnect at the dorms to switch the student 
data locally. However, I believe there are some limitations that would keep us 
from using it such as no support for AVC, and some limitations on IPv6.

-Hector

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Thursday, March 12, 2015 7:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

Hector,

You do not say what wireless solution you are using. Let me assume a Cisco or 
Aruba controller based solution. You can have vlans from your controller tunnel 
to an anchor controller in a DMZ.  Use 802.1X authentication based on AD groups.

This solution permits controlled internal access and, if you desire, unfiltered 
Internet access. Until recently, we did something similar with our open Guest 
wireless network on our Aruba system. We now use a different solution for this.

The anchor controller idea was based on Cisco wireless training several years 
ago. At that time, it was their recommended guest solution.

Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Hector J Rios [mailto:hr...@lsu.edu]
Sent: Wednesday, March 11, 2015 9:48 AM
Subject: ResHall Wireless

I’m wondering how many of you treat the wireless in the ResHalls differently 
from the wireless on the rest of your campus. In terms of geography, we have 21 
ResHalls that are in the perimeter of our campus. Some of these buildings are 
next to academic or administrative buildings. Eduroam is our main SSID. So, for 
the longest time it has only made sense to broadcast eduroam everywhere. Now, 
on the wired side of the house, our ResHalls have a dedicated connection that 
gives them direct, non-firewall access to the internet (for access to campus 
resources, a student must VPN). This came about as a request from the students