Re: [WIRELESS-LAN] WLC 5508 logging authentications

2016-03-03 Thread Joachim Tingvold

On 3 Mar 2016, at 18:12, Matthew Newton wrote:

I’ve found some posts that indicate that info is only available
through SNMP traps, but I haven’t been able to find the OIDs.
Has anyone been able to log auths without using PI?

I feed the whole lot to snmptrapd which just syslogs them, then
push them via logstash into elasticsearch, which makes it easy to
see what is happening (and also tie up with RADIUS logs, DHCP
logs, etc). If you tell snmptrapd where the MIBs are then it'll
decode them for you - just make sure it's got the whole Cisco-v2
bundle (including the AIRESPACE and CISCO-LWAPP mibs).


I ended up doing this brute-force style a few years back. I started out
by using the Cisco MIBs, but in my experience the traps were corrupt
(or at least the packets were mangled), so I had to take a different
approach that at least did _some_ error-handling;

It's really ugly, but it did the trick. I believe it should still work.

--
Joachim

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
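Joachim's approach, parsing the trap stream with explicit error handling instead of trusting MIB decoding, as an added example (his own script is not reproduced in the archive, and this is not it): a tolerant parser for snmptrapd log lines that pulls the client MAC and username out of the varbind Manon Lessard cites later in the thread (1.3.6.1.4.1.14179.2.1.4.1.3, the username column of the AIRESPACE mobile-station table) and counts mangled lines rather than aborting on them. The log-line layout and the sample lines are constructed for this example; that the table is indexed by the six MAC octets, and the snmptrapd output spellings handled, are assumptions.

```python
import re
from datetime import datetime

# Column OID cited in the thread (Manon Lessard): the username column of the
# AIRESPACE-WIRELESS-MIB mobile-station table. Assumption for this example: the
# table is indexed by the client MAC, so six sub-identifiers follow the column OID.
USERNAME_OID = "1.3.6.1.4.1.14179.2.1.4.1.3"
_ENTERPRISES_PREFIX = "SNMPv2-SMI::enterprises."

# Constructed header layout: "<date> <time> <UNKNOWN> [UDP: [src]:port->[dst]:162]:"
_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
_SRC_RE = re.compile(r"\[UDP: \[([0-9.]+)\]:\d+->")
_VB_RE = re.compile(r"(\S+) = (?:STRING|OID|INTEGER|Timeticks|Hex-STRING|IpAddress): (.*)")


class MangledTrap(ValueError):
    """Raised for a line that looks like a trap but cannot be parsed safely."""


def _numeric_oid(name):
    """Map the 'SNMPv2-SMI::enterprises.X' spelling (MIB not loaded) and the
    '.1.3.6...' spelling (numeric output) onto one dotted-decimal form."""
    if name.startswith(_ENTERPRISES_PREFIX):
        return "1.3.6.1.4.1." + name[len(_ENTERPRISES_PREFIX):]
    return name.lstrip(".")


def parse_trap_line(line):
    """Return {'time','wlc','mac','user'} for a trap carrying a username varbind,
    None for a well-formed trap without one, and raise MangledTrap otherwise."""
    m_ts, m_src = _TS_RE.match(line), _SRC_RE.search(line)
    if not (m_ts and m_src):
        raise MangledTrap("no timestamp/source header")
    try:
        when = datetime.strptime(m_ts.group(1), "%Y-%m-%d %H:%M:%S")
    except ValueError as exc:
        raise MangledTrap("bad timestamp") from exc
    for varbind in line.split("\t"):          # varbinds are tab-separated
        m = _VB_RE.match(varbind.strip())
        if not m:
            continue
        oid = _numeric_oid(m.group(1))
        if not oid.startswith(USERNAME_OID + "."):
            continue
        index = oid[len(USERNAME_OID) + 1:].split(".")
        if len(index) != 6 or not all(p.isdigit() and int(p) < 256 for p in index):
            raise MangledTrap("username varbind index is not a 6-octet MAC")
        value = m.group(2).strip()
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            raise MangledTrap("unterminated STRING value")   # truncated packet
        user = value[1:-1]
        if not user:
            raise MangledTrap("empty username")
        mac = ":".join("%02x" % int(p) for p in index)
        return {"time": when, "wlc": m_src.group(1), "mac": mac, "user": user}
    return None


def process_lines(lines):
    """Parse a batch of log lines; count mangled and irrelevant lines instead of aborting."""
    out = {"records": [], "mangled": 0, "ignored": 0}
    for line in lines:
        try:
            rec = parse_trap_line(line)
        except MangledTrap:
            out["mangled"] += 1
            continue
        if rec is None:
            out["ignored"] += 1
        else:
            out["records"].append(rec)
    return out


# Constructed sample lines (not real captures), in the layout assumed above.
SAMPLE_LINES = [
    # well-formed, MIB not loaded so the object prints as enterprises.*
    '2016-03-03 18:30:01 <UNKNOWN> [UDP: [192.0.2.5]:32768->[192.0.2.10]:162]:\t'
    'DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (4242) 0:00:42.42\t'
    'SNMPv2-SMI::enterprises.14179.2.1.4.1.3.0.17.34.51.68.85 = STRING: "jdoe"',
    # well-formed, numeric OID spelling
    '2016-03-03 18:31:07 <UNKNOWN> [UDP: [192.0.2.5]:32768->[192.0.2.10]:162]:\t'
    '.1.3.6.1.4.1.14179.2.1.4.1.3.170.187.204.221.238.255 = STRING: "asmith"',
    # mangled: STRING value cut off before the closing quote
    '2016-03-03 18:32:00 <UNKNOWN> [UDP: [192.0.2.5]:32768->[192.0.2.10]:162]:\t'
    'SNMPv2-SMI::enterprises.14179.2.1.4.1.3.0.17.34.51.68.85 = STRING: "jd',
    # mangled: no header structure at all
    'Xo\x00\x01 garbage',
    # valid trap that simply carries no username varbind
    '2016-03-03 18:33:15 <UNKNOWN> [UDP: [192.0.2.5]:32768->[192.0.2.10]:162]:\t'
    'DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (5000) 0:00:50.00',
]

if __name__ == "__main__":
    result = process_lines(SAMPLE_LINES)
    for rec in result["records"]:
        print(f"{rec['time']:%Y-%m-%d %H:%M:%S} wlc={rec['wlc']} mac={rec['mac']} user={rec['user']}")
    print(f"mangled={result['mangled']} ignored={result['ignored']}")
```

The point of raising rather than returning None on a bad varbind is that a truncated trap should be counted, not silently merged into the "no username in this trap" bucket: a rising mangled count is the signal that the packets themselves are arriving damaged, which is the situation Joachim describes.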


Re: [WIRELESS-LAN] WLC 5508 logging authentications

2016-03-03 Thread Jeremy Gibbs
John,

A long time ago, I used Splunk Universal Forwarder to export logs from a
Windows server to my syslog server. I am not sure if it is still possible,
but it was always free to do and worked well. I haven't touched it in 4
years since I stopped collecting Windows logs, so I am unsure if that is
still a possible solution. Anyway, it might be worth looking into.

*--Jeremy L. Gibbs*
Sr. Network Engineer
Utica College IITS

T: (315) 223-2383
F: (315) 792-3814
E: jlgi...@utica.edu
http://www.utica.edu

On Thu, Mar 3, 2016 at 4:16 PM, John York  wrote:

> Ah, one of my problems was that I didn’t have accounting properly
> configured on the Windows NPS box.  It only logs to SQL or a text file tho,
> no syslog (at least without a 3rd party client.)  Perhaps I could
> schedule a task with PowerShell…
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Dennis Xu
> *Sent:* Thursday, March 3, 2016 3:49 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] WLC 5508 logging authentications
>
> It depends on what Radius logs you are looking at. In Radius
> authentication logs, yes CallingStationID field contains client MAC
> address (because WLC does not know client's IP address at this stage). But
> if you look at Radius accounting logs, you should see client IP addresses
> in CallingStationID. We search in accounting logs because those give us the
> session start and stop times.
>
> Dennis Xu, MASc, CCIE #13056
> Analyst 3, Network Infrastructure
> Computing and Communications Services (CCS)
> University of Guelph
>
> 519-824-4120 Ext 56217
> d...@uoguelph.ca
> www.uoguelph.ca/ccs
>
> --
>
> *From: *"John York"
> *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Sent: *Thursday, March 3, 2016 3:28:42 PM
> *Subject: *Re: [WIRELESS-LAN] WLC 5508 logging authentications
>
> I have the stuff in a SIEM, but not correlated ;-(
>
> My Windows NPS logs have the IP of the WLC in the ClientIPAddress field.
> Rats.  Client MAC is in CallingStationID, though.
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Dennis Xu
> *Sent:* Thursday, March 3, 2016 3:04 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] WLC 5508 logging authentications
>
> We have a similar process here. But I think once you get the inside IP
> and time, you can look up the username from the Radius auth logs (skip the
> DHCP lookup).
>
> We are currently implementing SIEM. We hope by dumping logs to SIEM from all
> systems, we can just do a simple lookup from SIEM.
>
> Dennis Xu, MASc, CCIE #13056
> Analyst 3, Network Infrastructure
> Computing and Communications Services (CCS)
> University of Guelph
>
> 519-824-4120 Ext 56217
> d...@uoguelph.ca
> www.uoguelph.ca/ccs
>
> --
>
> *From: *"John York"
> *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Sent: *Thursday, March 3, 2016 2:53:57 PM
> *Subject: *Re: [WIRELESS-LAN] WLC 5508 logging authentications
>
> We have Win NPS running Radius.  It takes several lookups to get what I
> want and I was hoping to shorten the process.  A typical one goes like this:
>
> Receive:  outside IP, port, and time
> Lookup in firewall NAT logs
> Output:  inside IP, time
> Lookup IP in DHCP logs
> Output:   MAC address, time
> Lookup MAC in NPS logs
> Output:  username
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Dennis Xu
> *Sent:* Thursday, March 3, 2016 12:08 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] WLC 5508 logging authentications
>
> Hi John,
>
> You are right that WLCs do not log authentication sessions in syslog. Do
> you have Radius servers to authenticate wireless users? Radius server is
> the better place to collect authentication logs.
>
> Regards,
>
> Dennis Xu, MASc, CCIE #13056
> Analyst 3, Network Infrastructure
> Computing and Communications Services (CCS)
> University of Guelph
>
> 519-824-4120 Ext 56217
> d...@uoguelph.ca
> www.uoguelph.ca/ccs
>
> --
>
> *From: *"John York"
> *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Sent: *Thursday, March 3, 2016 11:29:56 AM
> *Subject: *[WIRELESS-LAN] WLC 5508 logging authentications
>
> Hi
>
> We have one 5508 (soon to be a failover pair) and don’t run PI. Our users
> connect either through 802.1x or an open SSID with a webauth portal from
> the 5508.  I need to be able to log authentications so I can track down
> users who have annoyed DMCA or our security department.  I’m finding that
> 5508 syslog outputs a huge amount of stuff, but doesn’t include successful
> authentications.  I’ve found some posts that indicate that info is only
> available through SNMP traps,

RE: WLC 5508 logging authentications

2016-03-03 Thread John York
Ah, one of my problems was that I didn’t have accounting properly configured on 
the Windows NPS box.  It only logs to SQL or a text file tho, no syslog (at 
least without a 3rd party client.)  Perhaps I could schedule a task with 
PowerShell…

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 3:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

It depends on what Radius logs you are looking at. In Radius authentication
logs, yes CallingStationID field contains client MAC address (because WLC does
not know client's IP address at this stage). But if you look at Radius
accounting logs, you should see client IP addresses in CallingStationID. We
search in accounting logs because those give us the session start and stop
times.

Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: "John York" <yo...@brcc.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 3:28:42 PM
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

I have the stuff in a SIEM, but not correlated ;-(

My Windows NPS logs have the IP of the WLC in the ClientIPAddress field.  Rats. 
 Client MAC is in CallingStationID, though.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 3:04 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

We have a similar process here. But I think once you get the inside IP and
time, you can look up the username from the Radius auth logs (skip the DHCP
lookup).

We are currently implementing SIEM. We hope by dumping logs to SIEM from all
systems, we can just do a simple lookup from SIEM.


Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: "John York" <yo...@brcc.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 2:53:57 PM
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

We have Win NPS running Radius.  It takes several lookups to get what I want 
and I was hoping to shorten the process.  A typical one goes like this:

Receive:  outside IP, port, and time
Lookup in firewall NAT logs
Output:  inside IP, time
Lookup IP in DHCP logs
Output:   MAC address, time
Lookup MAC in NPS logs
Output:  username

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 12:08 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

Hi John,

You are right that WLCs do not log authentication sessions in syslog. Do you 
have Radius servers to authenticate wireless users? Radius server is the better 
place to collect authentication logs.

Regards,

Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: "John York" <yo...@brcc.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 11:29:56 AM
Subject: [WIRELESS-LAN] WLC 5508 logging authentications

Hi
We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508.  I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department.  I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
 I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs.  Has anyone been able to log 
auths without using PI?
Thanks
John

Re: [WIRELESS-LAN] WLC 5508 logging authentications

2016-03-03 Thread Dennis Xu
It depends on what Radius logs you are looking at. In Radius authentication
logs, yes CallingStationID field contains client MAC address (because WLC does
not know client's IP address at this stage). But if you look at Radius
accounting logs, you should see client IP addresses in CallingStationID. We
search in accounting logs because those give us the session start and stop
times.


Dennis Xu, MASc, CCIE #13056 
Analyst 3, Network Infrastructure 
Computing and Communications Services(CCS) 
University of Guelph 

519-824-4120 Ext 56217 
d...@uoguelph.ca 
www.uoguelph.ca/ccs 

- Original Message -

From: "John York"
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 3:28:42 PM
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

I have the stuff in a SIEM, but not correlated ;-(

My Windows NPS logs have the IP of the WLC in the ClientIPAddress field. Rats.
Client MAC is in CallingStationID, though.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 3:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

We have a similar process here. But I think once you get the inside IP and
time, you can look up the username from the Radius auth logs (skip the DHCP
lookup).

We are currently implementing SIEM. We hope by dumping logs to SIEM from all
systems, we can just do a simple lookup from SIEM.

Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs

- Original Message -

From: "John York" <yo...@brcc.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 2:53:57 PM
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

We have Win NPS running Radius. It takes several lookups to get what I want and
I was hoping to shorten the process. A typical one goes like this:

Receive: outside IP, port, and time
Lookup in firewall NAT logs
Output: inside IP, time
Lookup IP in DHCP logs
Output: MAC address, time
Lookup MAC in NPS logs
Output: username

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

Hi John,

You are right that WLCs do not log authentication sessions in syslog. Do you
have Radius servers to authenticate wireless users? Radius server is the better
place to collect authentication logs.

Regards,

Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs

- Original Message -

From: "John York" <yo...@brcc.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 11:29:56 AM
Subject: [WIRELESS-LAN] WLC 5508 logging authentications

Hi

We have one 5508 (soon to be a failover pair) and don’t run PI. Our users
connect either through 802.1x or an open SSID with a webauth portal from the
5508. I need to be able to log authentications so I can track down users who
have annoyed DMCA or our security department. I’m finding that 5508 syslog
outputs a huge amount of stuff, but doesn’t include successful authentications.
I’ve found some posts that indicate that info is only available through SNMP
traps, but I haven’t been able to find the OIDs. Has anyone been able to log
auths without using PI?

Thanks

John
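John York's lookup chain (outside IP, port and time, then the firewall NAT log, then the DHCP log, then the NPS log) and Dennis Xu's point that accounting records carry the session start and stop times, as an added example that is not from the thread: the three joins in code, run over constructed log lines in simplified layouts (real firewall, DHCP and NPS export formats differ, so the field names here are an assumption). It handles the two places the chain goes wrong in practice: a DHCP lease that was reassigned to another client later the same day, and an accounting session that has a Start record but no Stop yet. The client MAC is matched against Calling-Station-Id, which is where John reports NPS puts it.

```python
from datetime import datetime, timedelta

# All log lines below are constructed for this example; the layouts are simplified
# stand-ins for real firewall NAT, DHCP and NPS accounting exports.
NAT_LOG = [
    "2016-03-03T14:02:11 nat src=10.20.30.40:51234 xlate=203.0.113.7:40001 dst=198.51.100.9:443",
    "2016-03-03T14:02:30 nat src=10.20.30.41:51900 xlate=203.0.113.7:40002 dst=198.51.100.9:443",
]
DHCP_LOG = [
    "2016-03-03T09:10:00 ack ip=10.20.30.40 mac=00:11:22:33:44:55",
    "2016-03-03T13:40:00 ack ip=10.20.30.40 mac=aa:bb:cc:dd:ee:ff",   # lease reassigned
    "2016-03-03T14:30:00 ack ip=10.20.30.40 mac=00:11:22:33:44:55",   # and reassigned back
    "2016-03-03T13:59:00 ack ip=10.20.30.41 mac=12:34:56:78:9a:bc",
]
# Accounting records reduced to what the lookup needs: csid is Calling-Station-Id,
# which holds the client MAC in the NPS logs described in the thread.
ACCT_LOG = [
    "2016-03-03T13:41:02 Start sid=1 csid=aa:bb:cc:dd:ee:ff user=asmith",
    "2016-03-03T14:10:45 Stop sid=1 csid=aa:bb:cc:dd:ee:ff user=asmith",
    "2016-03-03T09:11:00 Start sid=2 csid=00:11:22:33:44:55 user=jdoe",
    "2016-03-03T13:30:00 Stop sid=2 csid=00:11:22:33:44:55 user=jdoe",
    "2016-03-03T13:59:30 Start sid=3 csid=12:34:56:78:9a:bc user=bwong",  # still open
]


def _kv(line):
    """'<iso-time> <kind> k=v k=v ...' -> dict with parsed _ts and _kind."""
    ts, _, rest = line.partition(" ")
    fields = dict(p.split("=", 1) for p in rest.split() if "=" in p)
    fields["_ts"] = datetime.fromisoformat(ts)
    fields["_kind"] = rest.split()[0]
    return fields


def inside_ip(outside_ip, port, when, nat_log, slack=timedelta(minutes=2)):
    """Step 1, NAT log -> inside IP: the translation that matches the outside
    address:port and was logged within `slack` of the reported time."""
    want = f"{outside_ip}:{port}"
    for rec in map(_kv, nat_log):
        if rec.get("xlate") == want and abs(rec["_ts"] - when) <= slack:
            return rec["src"].rsplit(":", 1)[0]
    return None


def mac_for_ip(ip, when, dhcp_log):
    """Step 2, DHCP log -> MAC that held `ip` at `when`: the latest ACK for that IP
    at or before `when`. ACKs after `when` are ignored, so a later reassignment
    cannot overwrite the holder at the time of the event."""
    acks = sorted((r for r in map(_kv, dhcp_log) if r.get("ip") == ip),
                  key=lambda r: r["_ts"])
    holder = None
    for r in acks:
        if r["_ts"] > when:
            break
        holder = r["mac"]
    return holder


def user_for_mac(mac, when, acct_log):
    """Step 3, accounting log -> user whose session for `mac` covers `when`:
    Start <= when, and either no Stop yet or when <= Stop."""
    sessions = {}
    for r in map(_kv, acct_log):
        if r.get("csid") != mac:
            continue
        s = sessions.setdefault(r["sid"], {"user": r["user"], "start": None, "stop": None})
        if r["_kind"] == "Start":
            s["start"] = r["_ts"]
        elif r["_kind"] == "Stop":
            s["stop"] = r["_ts"]
    for s in sessions.values():
        if s["start"] and s["start"] <= when and (s["stop"] is None or when <= s["stop"]):
            return s["user"]
    return None


def lookup(outside_ip, port, when_iso, nat_log=NAT_LOG, dhcp_log=DHCP_LOG, acct_log=ACCT_LOG):
    """Run the full chain; returns (inside_ip, mac, user), with None from the step that failed on."""
    when = datetime.fromisoformat(when_iso)
    ip = inside_ip(outside_ip, port, when, nat_log)
    mac = mac_for_ip(ip, when, dhcp_log) if ip else None
    user = user_for_mac(mac, when, acct_log) if mac else None
    return ip, mac, user


if __name__ == "__main__":
    for args in (("203.0.113.7", 40001, "2016-03-03T14:02:11"),
                 ("203.0.113.7", 40002, "2016-03-03T14:02:30"),
                 ("203.0.113.7", 40001, "2016-03-03T14:40:00")):
        print(args, "->", lookup(*args))
```

The NAT time slack and the "latest ACK at or before the event" rule are the two parameters to tune against real exports; the first query above resolves to the second holder of 10.20.30.40 rather than the original one precisely because the 13:40 reassignment sits between the earlier lease and the event time, which is the case a naive "any ACK for this IP" join gets wrong.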



RE: WLC 5508 logging authentications

2016-03-03 Thread John York
Cool!  Maybe I can do this with my SIEM…

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Manon Lessard
Sent: Thursday, March 3, 2016 3:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

John,


Have you by any chance looked at this document?

https://supportforums.cisco.com/document/9869811/cisco-wlc-snmp-historical-user-statistics-monitoring-w-syslog-or-splunk

I don’t know if it works on 5508s but I tested on a WISM2 and MIB 
1.3.6.1.4.1.14179.2.1.4.1.3 yields usernames among other things.


Just an idea…

Manon Lessard
Systems Development Technician, CCNP
Information Technology Directorate
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Office 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada

418 656-2131, ext. 12853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca

Notice of Confidentiality

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John York
Sent: 3 March 2016 11:30
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLC 5508 logging authentications

Hi
We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508.  I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department.  I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
 I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs.  Has anyone been able to log 
auths without using PI?
Thanks
John



RE: WLC 5508 logging authentications

2016-03-03 Thread Manon Lessard
John,


Have you by any chance looked at this document?

https://supportforums.cisco.com/document/9869811/cisco-wlc-snmp-historical-user-statistics-monitoring-w-syslog-or-splunk

I don’t know if it works on 5508s but I tested on a WISM2 and MIB 
1.3.6.1.4.1.14179.2.1.4.1.3 yields usernames among other things.


Just an idea…

Manon Lessard
Systems Development Technician, CCNP
Information Technology Directorate
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Office 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada

418 656-2131, ext. 12853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca

Notice of Confidentiality

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John York
Sent: 3 March 2016 11:30
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLC 5508 logging authentications

Hi
We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508.  I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department.  I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
 I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs.  Has anyone been able to log 
auths without using PI?
Thanks
John



RE: WLC 5508 logging authentications

2016-03-03 Thread John York
Thanks, this is helpful!

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wier, Timothy A.
Sent: Thursday, March 3, 2016 3:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

Depending on your firewall hardware you may be able to get the details from the
WLC into the firewall logs. We use a Palo Alto and there is a document on how
to use the SNMP traps to associate a user at the firewall. See
https://supportforums.cisco.com/sites/default/files/attachments/discussion/cisco_wlc_-_palo_alto_networks_config_guide.pdf.
It is a little out of date as we are running the 7.x PA code but I was able to
make it work. I’m using snmptrapd, syslog-ng, and sec for my stack.

It may also help you decode the SNMP traps. I used this as my guide to use sec, 
simple event correlator, to create a text log of which users were on which APs 
at what time. We have Prime but the text file is easier to keep for a long time 
compared with the Prime association history logs.

Tim Wier
Network Manager
Concordia University Chicago
tim.w...@cuchicago.edu
708-209-3565

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John York
Sent: Thursday, March 3, 2016 1:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

We have Win NPS running Radius.  It takes several lookups to get what I want 
and I was hoping to shorten the process.  A typical one goes like this:

Receive:  outside IP, port, and time
Lookup in firewall NAT logs
Output:  inside IP, time
Lookup IP in DHCP logs
Output:   MAC address, time
Lookup MAC in NPS logs
Output:  username

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

Hi John,

You are right that WLCs do not log authentication sessions in syslog. Do you 
have Radius servers to authenticate wireless users? Radius server is the better 
place to collect authentication logs.

Regards,

Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: "John York" <yo...@brcc.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 11:29:56 AM
Subject: [WIRELESS-LAN] WLC 5508 logging authentications

Hi
We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508.  I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department.  I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
 I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs.  Has anyone been able to log 
auths without using PI?
Thanks
John



RE: WLC 5508 logging authentications

2016-03-03 Thread John York
I have the stuff in a SIEM, but not correlated ;-(

My Windows NPS logs have the IP of the WLC in the ClientIPAddress field.  Rats. 
 Client MAC is in CallingStationID, though.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 3:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

We have a similar process here. But I think once you get the inside IP and
time, you can look up the username from the Radius auth logs (skip the DHCP
lookup).

We are currently implementing SIEM. We hope by dumping logs to SIEM from all
systems, we can just do a simple lookup from SIEM.


Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: "John York" <yo...@brcc.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 2:53:57 PM
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

We have Win NPS running Radius.  It takes several lookups to get what I want 
and I was hoping to shorten the process.  A typical one goes like this:

Receive:  outside IP, port, and time
Lookup in firewall NAT logs
Output:  inside IP, time
Lookup IP in DHCP logs
Output:   MAC address, time
Lookup MAC in NPS logs
Output:  username

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

Hi John,

You are right that WLCs do not log authentication sessions in syslog. Do you 
have Radius servers to authenticate wireless users? Radius server is the better 
place to collect authentication logs.

Regards,

Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: "John York" <yo...@brcc.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 11:29:56 AM
Subject: [WIRELESS-LAN] WLC 5508 logging authentications

Hi
We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508.  I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department.  I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
 I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs.  Has anyone been able to log 
auths without using PI?
Thanks
John



RE: WLC 5508 logging authentications

2016-03-03 Thread Wier, Timothy A.
Depending on your firewall hardware you may be able to get the details from the
WLC into the firewall logs. We use a Palo Alto and there is a document on how
to use the SNMP traps to associate a user at the firewall. See
https://supportforums.cisco.com/sites/default/files/attachments/discussion/cisco_wlc_-_palo_alto_networks_config_guide.pdf.
It is a little out of date as we are running the 7.x PA code but I was able to
make it work. I’m using snmptrapd, syslog-ng, and sec for my stack.

It may also help you decode the SNMP traps. I used this as my guide to use sec, 
simple event correlator, to create a text log of which users were on which APs 
at what time. We have Prime but the text file is easier to keep for a long time 
compared with the Prime association history logs.

Tim Wier
Network Manager
Concordia University Chicago
tim.w...@cuchicago.edu
708-209-3565

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John York
Sent: Thursday, March 3, 2016 1:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

We have Win NPS running Radius.  It takes several lookups to get what I want 
and I was hoping to shorten the process.  A typical one goes like this:

Receive:  outside IP, port, and time
Lookup in firewall NAT logs
Output:  inside IP, time
Lookup IP in DHCP logs
Output:   MAC address, time
Lookup MAC in NPS logs
Output:  username

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

Hi John,

You are right that WLCs do not log authentication sessions in syslog. Do you 
have Radius servers to authenticate wireless users? Radius server is the better 
place to collect authentication logs.

Regards,

Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: "John York" <yo...@brcc.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 11:29:56 AM
Subject: [WIRELESS-LAN] WLC 5508 logging authentications

Hi
We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508.  I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department.  I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
 I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs.  Has anyone been able to log 
auths without using PI?
Thanks
John



Re: [WIRELESS-LAN] WLC 5508 logging authentications

2016-03-03 Thread Dennis Xu
We have a similar process here. But I think once you get the inside IP and
time, you can look up the username from the Radius auth logs (skip the DHCP
lookup).

We are currently implementing SIEM. We hope by dumping logs to SIEM from all
systems, we can just do a simple lookup from SIEM.


Dennis Xu, MASc, CCIE #13056 
Analyst 3, Network Infrastructure 
Computing and Communications Services (CCS) 
University of Guelph 

519-824-4120 Ext 56217 
d...@uoguelph.ca 
www.uoguelph.ca/ccs 

- Original Message -

From: "John York"  
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Sent: Thursday, March 3, 2016 2:53:57 PM 
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications 



We have Win NPS running Radius. It takes several lookups to get what I want and 
I was hoping to shorten the process. A typical one goes like this: 

Receive: outside IP, port, and time 
Lookup in firewall NAT logs 
Output: inside IP, time 
Lookup IP in DHCP logs 
Output: MAC address, time 
Lookup MAC in NPS logs 
Output: username 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu 
Sent: Thursday, March 3, 2016 12:08 PM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications 

Hi John, 

You are right that WLCs do not log authentication sessions in syslog. Do you 
have Radius servers to authenticate wireless users? The Radius server is the better 
place to collect authentication logs. 

Regards, 

Dennis Xu, MASc, CCIE #13056 
Analyst 3, Network Infrastructure 
Computing and Communications Services (CCS) 
University of Guelph 

519-824-4120 Ext 56217 
d...@uoguelph.ca 
www.uoguelph.ca/ccs 

- Original Message -

From: "John York" <yo...@brcc.edu> 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Sent: Thursday, March 3, 2016 11:29:56 AM 
Subject: [WIRELESS-LAN] WLC 5508 logging authentications 

Hi 

We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508. I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department. I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs. Has anyone been able to log 
auths without using PI? 

Thanks 

John 



RE: WLC 5508 logging authentications

2016-03-03 Thread John York
We have Win NPS running Radius.  It takes several lookups to get what I want 
and I was hoping to shorten the process.  A typical one goes like this:

Receive:  outside IP, port, and time
Lookup in firewall NAT logs
Output:  inside IP, time
Lookup IP in DHCP logs
Output:   MAC address, time
Lookup MAC in NPS logs
Output:  username

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

Hi John,

You are right that WLCs do not log authentication sessions in syslog. Do you 
have Radius servers to authenticate wireless users? The Radius server is the better 
place to collect authentication logs.

Regards,

Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services (CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: "John York" <yo...@brcc.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 11:29:56 AM
Subject: [WIRELESS-LAN] WLC 5508 logging authentications

Hi
We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508.  I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department.  I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
 I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs.  Has anyone been able to log 
auths without using PI?
Thanks
John
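The three-step chain John describes above (firewall NAT log, then DHCP log, then NPS log), worked through as an added example that is not part of the thread. All three log formats are constructed stand-ins for this illustration, and the rules applied at each step (a time window around the report for the NAT port, the most recent lease or authentication at or before that time) are assumptions about how such logs behave, not anything the posts state.

```python
"""Walk an abuse report (outside IP, port, time) back to a username across
NAT, DHCP and NPS/RADIUS logs.  Added example for this thread; the three log
formats below are constructed stand-ins, not real firewall, DHCP or NPS output."""
from datetime import datetime, timedelta

# Constructed NAT translation log: <time> NAT <inside ip:port> -> <outside ip:port>
# The same outside port (40001) is reused hours apart by two inside hosts.
NAT_LOG = """\
2016-03-03T14:02:11 NAT 10.20.30.40:51234 -> 203.0.113.7:40001
2016-03-03T14:02:15 NAT 10.20.30.41:51240 -> 203.0.113.7:40002
2016-03-03T09:00:00 NAT 10.20.30.42:51000 -> 203.0.113.7:40001
"""

# Constructed DHCP log: <time> DHCPACK <ip> <mac>.  10.20.30.40 was leased to
# two different MACs during the day, so the lookup must pick the lease that
# was current at the NAT time, not just any line with that IP.
DHCP_LOG = """\
2016-03-03T12:10:00 DHCPACK 10.20.30.40 aa:bb:cc:dd:ee:99
2016-03-03T13:55:00 DHCPACK 10.20.30.40 aa:bb:cc:dd:ee:01
2016-03-03T13:58:30 DHCPACK 10.20.30.41 aa:bb:cc:dd:ee:02
"""

# Constructed NPS-style auth log: <time> ACCEPT <Calling-Station-Id> <user>
NPS_LOG = """\
2016-03-03T12:09:59 ACCEPT aa:bb:cc:dd:ee:99 olduser
2016-03-03T13:54:58 ACCEPT aa:bb:cc:dd:ee:01 jdoe
2016-03-03T13:58:29 ACCEPT aa:bb:cc:dd:ee:02 asmith
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def nat_lookup(outside_ip, outside_port, when, window=timedelta(minutes=5)):
    """Step 1: inside IP that held <outside_ip>:<outside_port> closest to the
    reported time.  NAT ports are reused, so a time window is required (an
    assumed 5 minutes here); a translation hours away must not match."""
    target = "%s:%s" % (outside_ip, outside_port)
    best = None
    for line in NAT_LOG.splitlines():
        ts, _, inside, _, outside = line.split()
        if outside != target:
            continue
        t = _ts(ts)
        if abs(t - when) <= window and (best is None or abs(t - when) < abs(best[1] - when)):
            best = (inside.split(":")[0], t)
    return best


def dhcp_lookup(inside_ip, when):
    """Step 2: MAC holding <inside_ip> at <when>, i.e. the latest DHCPACK for
    that IP at or before the time (assumed to still be the active lease)."""
    best = None
    for line in DHCP_LOG.splitlines():
        ts, _, ip, mac = line.split()
        t = _ts(ts)
        if ip == inside_ip and t <= when and (best is None or t > best[1]):
            best = (mac, t)
    return best


def nps_lookup(mac, when):
    """Step 3: most recent successful RADIUS auth for <mac> at or before <when>."""
    best = None
    for line in NPS_LOG.splitlines():
        ts, result, station, user = line.split()
        t = _ts(ts)
        if result == "ACCEPT" and station == mac and t <= when and (best is None or t > best[1]):
            best = (user, t)
    return best


def resolve(outside_ip, outside_port, when_str):
    """Chain the three lookups; return None as soon as a step has no answer
    rather than guessing, so a gap in one log source is visible."""
    when = _ts(when_str)
    nat = nat_lookup(outside_ip, outside_port, when)
    if nat is None:
        return None
    inside_ip, nat_time = nat
    dhcp = dhcp_lookup(inside_ip, nat_time)
    if dhcp is None:
        return None
    nps = nps_lookup(dhcp[0], nat_time)
    if nps is None:
        return None
    return {"inside_ip": inside_ip, "mac": dhcp[0], "username": nps[0]}


if __name__ == "__main__":
    print(resolve("203.0.113.7", 40001, "2016-03-03T14:02:11"))
```

The 09:00 translation of port 40001 resolves to an inside host with no lease in the constructed DHCP log, which is the case where the chain has to stop and report no answer instead of returning the wrong user.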



Re: [WIRELESS-LAN] Wireless Service Improvement Plan

2016-03-03 Thread Friskney, Doyle
Remember the majority of your wireless users are students, and students will not 
use a formal reporting process.  Just hold several focus groups with your users 
(students and faculty) and they will be more than willing to let you know where 
you have problems.   Defaulting to analytic tools and incident reports will not 
meet the test of user needs.  Good luck. I also learned this lesson the hard way: 
ask the user and do not depend only on the analytic tools.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Von Lichtenberg, Charles" 
<chuck...@bu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, March 3, 2016 at 11:19 AM
To: <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Wireless Service Improvement Plan

We routinely participate in the TechQual survey and in the last one we started 
to show some erosion of satisfaction with our wireless services from our 
community. Commentary from the survey is too vague to do much with but the 
overall stats from the survey suggest that we need to improve things. We do 
routinely look at incident reports and have bolstered services when necessary, 
but that's been few and far between over the past two years since we deployed wireless 
pervasively inside buildings across the campus. Note that we have not covered 
the outside and I know that this is one area where we are often dinged and that has 
come up in past conversations on this list. So the question is how do we 
determine going forward where we need to improve things beyond general 
technology refresh, or at least determine where the significant pain points are 
for our community so we can quantify and qualify it for the Administration to 
get support to do something if it is significant. So I am trying to find out if 
anyone has a formally defined Service Improvement Plan for wireless services 
that they are willing to share, and if not, what sort of processes you have put 
into place towards improving your service, including how you measure and report 
on how well the service is operating, how you solicit any input from your 
community about the service, etc. This is a very vague question on purpose 
because I am sure we are all gleaning data from our network management tools, 
authentication servers, incident tickets, etc. and I am curious about how you 
are correlating all of this in any upward reporting and justifications for 
improvements that you make to your administrations.

Charles von Lichtenberg
Director, Network Services Group, Information Services & Technology
Boston University




Re: [WIRELESS-LAN] WLC 5508 logging authentications

2016-03-03 Thread Lee H Badman
RADIUS logs are chock full of info...

Lee Badman (mobile)

On Mar 3, 2016, at 11:30 AM, John York <yo...@brcc.edu> wrote:

Hi
We have one 5508 (soon to be a failover pair) and don't run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508.  I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department.  I'm finding that 5508 syslog 
outputs a huge amount of stuff, but doesn't include successful authentications. 
 I've found some posts that indicate that info is only available through SNMP 
traps, but I haven't been able to find the OIDs.  Has anyone been able to log 
auths without using PI?
Thanks
John



Re: [WIRELESS-LAN] WLC 5508 logging authentications

2016-03-03 Thread Matthew Newton
On Thu, Mar 03, 2016 at 04:29:56PM +, John York wrote:
> I’m finding that 5508 syslog outputs a huge amount of stuff, but
> doesn’t include successful authentications.

WLC syslogs aren't particularly useful for a lot of stuff IMO...

> I’ve found some posts that indicate that info is only available
> through SNMP traps, but I haven’t been able to find the OIDs.
> Has anyone been able to log auths without using PI?

SNMP traps - we have pretty much all of them enabled, including
client 802.11 association, authentication, association with stats
(this latter gives more useful things than the plain association,
not just extra stats).

I feed the whole lot to snmptrapd which just syslogs them, then
push them via logstash into elasticsearch, which makes it easy to
see what is happening (and also tie up with RADIUS logs, DHCP
logs, etc). If you tell snmptrapd where the MIBs are then it'll
decode them for you - just make sure it's got the whole Cisco-v2
bundle (including the AIRESPACE and CISCO-LWAPP mibs).

For example you should look at
AIRESPACE-WIRELESS-MIB::bsnDot11StationAssociate,
CISCO-LWAPP-DOT11-CLIENT-MIB::ciscoLwappDot11ClientAssocDataStatsTrap
etc.

For 802.1X of course your RADIUS logs are also good for this. But
for open networks SNMP traps is the only way to go that I'm aware
of.

We don't run PI either.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 



Re: [WIRELESS-LAN] WLC 5508 logging authentications

2016-03-03 Thread Dennis Xu
Hi John, 

You are right that WLCs do not log authentication sessions in syslog. Do you 
have Radius servers to authenticate wireless users? The Radius server is the better 
place to collect authentication logs. 

Regards, 

Dennis Xu, MASc, CCIE #13056 
Analyst 3, Network Infrastructure 
Computing and Communications Services (CCS) 
University of Guelph 

519-824-4120 Ext 56217 
d...@uoguelph.ca 
www.uoguelph.ca/ccs 

- Original Message -

From: "John York"  
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Sent: Thursday, March 3, 2016 11:29:56 AM 
Subject: [WIRELESS-LAN] WLC 5508 logging authentications 



Hi 

We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508. I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department. I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs. Has anyone been able to log 
auths without using PI? 

Thanks 

John 



WLC 5508 logging authentications

2016-03-03 Thread John York
Hi
We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508.  I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department.  I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
 I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs.  Has anyone been able to log 
auths without using PI?
Thanks
John




Wireless Service Improvement Plan

2016-03-03 Thread Von Lichtenberg, Charles
We routinely participate in the TechQual survey and in the last one we
started to show some erosion of satisfaction with our wireless services from
our community. Commentary from the survey is too vague to do much with but
the overall stats from the survey suggest that we need to improve things. We
do routinely look at incident reports and have bolstered services when
necessary, but that's been few and far between over the past two years since we
deployed wireless pervasively inside buildings across the campus. Note that
we have not covered the outside and I know that this is one area where we are
often dinged and that has come up in past conversations on this list. So the
question is how do we determine going forward where we need to improve
things beyond general technology refresh, or at least determine where the
significant pain points are for our community so we can quantify and qualify
it for the Administration to get support to do something if it is
significant. So I am trying to find out if anyone has a formally defined
Service Improvement Plan for wireless services that they are willing to
share, and if not, what sort of processes you have put into place towards
improving your service, including how you measure and report on how well the
service is operating, how you solicit any input from your community about
the service, etc. This is a very vague question on purpose because I am sure
we are all gleaning data from our network management tools, authentication
servers, incident tickets, etc. and I am curious about how you are
correlating all of this in any upward reporting and justifications for
improvements that you make to your administrations.

 

Charles von Lichtenberg

Director, Network Services Group, Information Services & Technology

Boston University

 



Re: [WIRELESS-LAN] Open Networks in Resnet

2016-03-03 Thread Paul Miklas
To date we haven't had many issues without the portal; not surprisingly, our 
help desk has stated that support tickets for access to wireless have gone 
down. This semester is a trial period for not having a portal and our staff 
will be reviewing and making a decision to either add it back or keep it off 
for next fall. If you asked me today I would say I would like to keep it off. 
Nonetheless we are going to gather metrics and issues to determine the future use 
of a portal. 

As far as IP depletion, we currently don't have a lot of outside coverage so 
drive-bys haven't been an issue, and our subnet is a /20 for guests and we have 
yet to use over 50% of IPs. 



From: "Lee H Badman"  
To: WIRELESS-LAN@listserv.educause.edu 
Sent: Thursday, March 3, 2016 8:05:34 AM 
Subject: Re: [WIRELESS-LAN] Open Networks in Resnet 



Any concerns since you got rid of the portal? 

Thanks- 

Lee 

Lee Badman | Network Architect (CWNA, CWSP, Mobility+) 
Information Technology Services 
206 Machinery Hall 
120 Smith Drive 
Syracuse, New York 13244 
t 315.443.3003 f 315.443.4325 e lhbad...@syr.edu w its.syr.edu 
SYRACUSE UNIVERSITY 
syr.edu 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Paul Miklas 
Sent: Wednesday, March 02, 2016 6:38 PM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Open Networks in Resnet 

At St. Edward's we are running 4 SSIDs and sometimes a 5th for special events. 

SEU for the majority on 802.1x 
SEU-Guest as an open network with port / subnet restrictions, also the first 
semester of not using a captive portal with our guest network 
SEU-Help for our on boarding 
eduroam 

From: "Lee H Badman" <lhbad...@syr.edu> 
To: WIRELESS-LAN@listserv.educause.edu 
Sent: Wednesday, March 2, 2016 2:35:00 PM 
Subject: [WIRELESS-LAN] Open Networks in Resnet 

Other than Jeff Sessler at Scripps, who else is running an open network in 
their resnet environment? Off-list answer is fine, if you prefer. I’d like to 
bounce a few questions off of those doing this, off-list. 

Kind regards, 

Lee Badman 

Lee Badman | Network Architect (CWNA, CWSP, Mobility+) 
Information Technology Services 
206 Machinery Hall 
120 Smith Drive 
Syracuse, New York 13244 
t 315.443.3003 f 315.443.4325 e lhbad...@syr.edu w its.syr.edu 
SYRACUSE UNIVERSITY 
syr.edu 




RE: Open Networks in Resnet

2016-03-03 Thread Lee H Badman
Any concerns since you got rid of the portal?

Thanks-

Lee

Lee Badman | Network Architect (CWNA, CWSP, Mobility+)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Paul Miklas
Sent: Wednesday, March 02, 2016 6:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Open Networks in Resnet

At St. Edward's we are running 4 SSIDs and sometimes a 5th for special events.

SEU for the majority on 802.1x
SEU-Guest as an open network with port / subnet restrictions, also the first 
semester of not using a captive portal with our guest network
SEU-Help for our on boarding
eduroam

From: "Lee H Badman" <lhbad...@syr.edu>
To: WIRELESS-LAN@listserv.educause.edu
Sent: Wednesday, March 2, 2016 2:35:00 PM
Subject: [WIRELESS-LAN] Open Networks in Resnet



Other than Jeff Sessler at Scripps, who else is running an open network in 
their resnet environment? Off-list answer is fine, if you prefer. I’d like to 
bounce a few questions off of those doing this, off-list.

Kind regards,

Lee Badman


Lee Badman | Network Architect (CWNA, CWSP, Mobility+)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






RE: Open Networks in Resnet

2016-03-03 Thread Edward Ip
I should also say, the following policy is applied to our Guest SSID

Bandwidth is limited based on policies applied on our Radware LinkProof 
appliance (VLAN priority, time-of-day limits and app priority). No access to 
our internal networks except for a few student applications (Blackboard and 
the student information system). At one point we limited each device to 5Mbps up or 
down. Browsing, email and remote secure connections (VPN) are 
unrestricted; everything else is limited.

Edward Ip
Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | K2G 
1V8 | Canada
algonquincollege.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Edward Ip
Sent: Thursday, March 03, 2016 8:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Open Networks in Resnet

We run two SSIDs campus-wide, including in our Resnet building.

Secure-SSID (Authenticated)
Open-SSID (Guest)

Edward Ip
Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | K2G 
1V8 | Canada
algonquincollege.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, March 02, 2016 3:35 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Open Networks in Resnet



Other than Jeff Sessler at Scripps, who else is running an open network in 
their resnet environment? Off-list answer is fine, if you prefer. I'd like to 
bounce a few questions off of those doing this, off-list.

Kind regards,

Lee Badman


Lee Badman | Network Architect (CWNA, CWSP, Mobility+)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






RE: Open Networks in Resnet

2016-03-03 Thread Edward Ip
We run two SSIDs campus-wide, including in our Resnet building.

Secure-SSID (Authenticated)
Open-SSID (Guest)

Edward Ip
Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | K2G 
1V8 | Canada
algonquincollege.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, March 02, 2016 3:35 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Open Networks in Resnet



Other than Jeff Sessler at Scripps, who else is running an open network in 
their resnet environment? Off-list answer is fine, if you prefer. I'd like to 
bounce a few questions off of those doing this, off-list.

Kind regards,

Lee Badman


Lee Badman | Network Architect (CWNA, CWSP, Mobility+)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






Re: [WIRELESS-LAN] Open Networks in Resnet

2016-03-03 Thread Chuck Anderson
If the captive portal is DHCP/IP-based, doesn't that just move the
problem to a different DHCP scope?  We had to make our scope large
enough to handle drive/walk-bys.

We have:

WPI-Wireless - EAP-TLS

eduroam - EAP-TLS

WPI-Wireless-Setup - Open, Portal for onboarding the two above, with
limited Internet access to allow Apple & Google devices to do their
initial setup with the cloud.

WPI-Guest - Open, Portal for guest access, full Internet access,
subject to the same restrictions accessing on-campus resources as
traffic coming from the Internet.

On Thu, Mar 03, 2016 at 12:59:37PM +, Osborne, Bruce W (Network Services) 
wrote:
> Interesting…
> 
> Without a captive portal, how do you stop “drive-by” devices that probe all 
> open networks for Internet access, consuming ip addresses needlessly?
> 
> We found we needed a captive portal to discourage those, mainly mobile, 
> devices from exhausting our Guest DHCP scopes.
> 
> Bruce Osborne
> Wireless Engineer
> IT Network Services - Wireless
> 
> (434) 592-4229
> 
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
> 
> From: Paul Miklas [mailto:pmik...@stedwards.edu]
> Sent: Wednesday, March 2, 2016 6:38 PM
> Subject: Re: Open Networks in Resnet
> 
> At St. Edward's we are running 4 SSIDs and sometimes a 5th for special events.
> 
> SEU for the majority on 802.1x
> SEU-Guest as an open network with port / subnet restrictions, also the first 
> semester of not using a captive portal with our guest network
> SEU-Help for our on boarding
> eduroam
> 
> 
> From: "Lee H Badman" <lhbad...@syr.edu>
> To: WIRELESS-LAN@listserv.educause.edu
> Sent: Wednesday, March 2, 2016 2:35:00 PM
> Subject: [WIRELESS-LAN] Open Networks in Resnet
> 
> 
> 
> Other than Jeff Sessler at Scripps, who else is running an open network in 
> their resnet environment? Off-list answer is fine, if you prefer. I’d like to 
> bounce a few questions off of those doing this, off-list.
> 
> Kind regards,
> 
> Lee Badman



RE: 802.1x causing Android phone to reboot

2016-03-03 Thread Osborne, Bruce W (Network Services)
Possible Android debugging help here: 
https://code.google.com/p/android/issues/detail?id=188867

What RADIUS server do you use? This could be related to TLS 1.2 enforcement. 
Some RADIUS servers implemented the standard incorrectly. I know FreeRADIUS has 
updated versions that work correctly.

Bruce Osborne
Wireless Engineer
IT Network Services - Wireless

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Jeremy Gibbs [mailto:jlgi...@utica.edu]
Sent: Wednesday, March 2, 2016 11:29 PM
Subject: 802.1x causing Android phone to reboot

Hello everyone,

I have a very interesting problem.  When a faculty member's Samsung Galaxy J1 
joins our UC_Secure (802.1x) network, her phone reboots after 2-5 minutes 
regardless of usage.  Right before the phone reboots, it locks up for 4-5 
seconds.

This particular phone is running Android 5.1.1 kernel version 3.10.49 on 
Verizon.

We can leave the phone on a non-802.1x network and it will NEVER reboot.  A 
coworker of mine captured the logs of the phone during one of these reboots.  
Nothing ever showed up in the log.  However, the fact that it doesn't happen on 
her home wireless network and that it also doesn't happen on our unsecure 
network makes me believe it is a bug with 802.1x.

Has anyone else ever run across this issue?  I haven't heard of anyone else 
complaining about this.  So maybe it's just an isolated hardware issue.

Thanks

--

Jeremy L. Gibbs
Sr. Network Engineer
Utica College IITS



RE: Open Networks in Resnet

2016-03-03 Thread Osborne, Bruce W (Network Services)
Interesting…

Without a captive portal, how do you stop “drive-by” devices that probe all 
open networks for Internet access, consuming IP addresses needlessly?

We found we needed a captive portal to discourage those, mainly mobile, devices 
from exhausting our Guest DHCP scopes.

Bruce Osborne
Wireless Engineer
IT Network Services - Wireless

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Paul Miklas [mailto:pmik...@stedwards.edu]
Sent: Wednesday, March 2, 2016 6:38 PM
Subject: Re: Open Networks in Resnet

At St. Edward's we are running 4 SSIDs and sometimes a 5th for special events.

SEU for the majority on 802.1x
SEU-Guest as an open network with port / subnet restrictions, also the first 
semester of not using a captive portal with our guest network
SEU-Help for our on boarding
eduroam









From: "Lee H Badman" <lhbad...@syr.edu>
To: WIRELESS-LAN@listserv.educause.edu
Sent: Wednesday, March 2, 2016 2:35:00 PM
Subject: [WIRELESS-LAN] Open Networks in Resnet



Other than Jeff Sessler at Scripps, who else is running an open network in 
their resnet environment? Off-list answer is fine, if you prefer. I’d like to 
bounce a few questions off of those doing this, off-list.

Kind regards,

Lee Badman


Lee Badman | Network Architect (CWNA, CWSP, Mobility+)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






RE: Open Networks in Resnet

2016-03-03 Thread Osborne, Bruce W (Network Services)
Our guest network is open but bandwidth limited with a self-registration 
captive portal (currently, just email address).

Our network for non-802.1X devices & 802.1X registration is open, but with a 
captive portal unless the device has been mac registered. We block some 
internal services (web server & Blackboard) even for registered devices since 
only 802.1X-capable devices need those services.


Bruce Osborne
Wireless Engineer
IT Network Services - Wireless

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Wednesday, March 2, 2016 3:35 PM
Subject: Open Networks in Resnet



Other than Jeff Sessler at Scripps, who else is running an open network in 
their resnet environment? Off-list answer is fine, if you prefer. I’d like to 
bounce a few questions off of those doing this, off-list.

Kind regards,

Lee Badman


Lee Badman | Network Architect (CWNA, CWSP, Mobility+)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu


