RE: Welcome to Bring-Your-Own-Access | EdTech Magazine

2016-03-10 Thread Williams, Matthew
I think about it every time I get a ticket that says, "my phone won't work on 
wireless, but my roommate's does.  This is clearly a  network problem that must 
be fixed immediately!"  :)

The biggest issue that I've run into with this is that we have a "Residential 
Learning" environment and there are classrooms in all of our residence halls.  
We don't want to risk BYOA crushing the wireless for our academic programs in 
the res halls.

Then there's the case of once you pull the lid off of that beast, there's no 
going back, at least in our environment.  Once we tell 10,000 residential 
students that they can have at it with their own APs, there's no way to 
backtrack if it causes the problems that I can foresee.

I'd love to see consumer devices start to have some more intelligence that 
would allow them to play a little better in enterprise-like environments.  It 
would alleviate a TON of financial pressure for us.  

Respectfully,

Matt

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Trent Hurt
Sent: Thursday, March 10, 2016 9:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Welcome to Bring-Your-Own-Access | EdTech Magazine

Any folks looking to adopt bring your own access policies?  


http://edtechmagazine.com/higher/article/2015/12/welcome-bring-your-own-access


Sent from my iPhone
**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



Welcome to Bring-Your-Own-Access | EdTech Magazine

2016-03-10 Thread trent . hurt
Any folks looking to adopt bring your own access policies?  


http://edtechmagazine.com/higher/article/2015/12/welcome-bring-your-own-access


Sent from my iPhone


Re: [WIRELESS-LAN] Recent Radius Meltdowns

2016-03-10 Thread Curtis K. Larsen
About a year and a half ago I did pretty exhaustive testing of RADIUS load with
the Spirent traffic generator and with the assistance of PacketFence developers.
(PacketFence is also based on FreeRADIUS).  They suggested we tweak the
MaxConcurrentAPI setting on our test AD server.  So we did, but unfortunately it
seemed to make no difference at all in the number of authentications per second
we could process from the load generator.

One thing we found though was that if we ran the authentications against a flat
file on the RADIUS server itself we could process six times more
authentications.  The bottom line is that whether it is SAMBA, NTLM, AD, or
network latency itself I can't say - but I do know that if I eliminate all of
them performance increases dramatically.

Bottom line:  Use EAP-TLS, and avoid checking LDAP/AD except when absolutely
necessary.  PEAP is vulnerable to fake AP/MITM attacks anyway.

If you must check AD all the time - get a lot of servers, load balance them,
monitor and graph authentications down to the second.  That way you'll be more
likely to identify the cause of an issue.

Thanks,

-- 
Curtis K. Larsen
Sr. Network Engineer
University of Utah IT/CIS



On Thu, March 10, 2016 1:44 pm, Jake Snyder wrote:
> If AD is not keeping up with the NTLM requests, giving the DCs more NTLM 
> worker threads can help
> it keep up with higher loads.
>
> Working with TAC we found specifically in the ACS logs that it was waiting 
> for Windows to respond.
>
> As far as number of devices, they weren't showing increases over earlier in 
> the week or previous
> weeks.
>
> Thanks
> Jake Snyder
>
>
> Sent from my iPhone
>
>> On Mar 10, 2016, at 12:21 PM, Matthew Newton  wrote:
>>
>> Hi,
>>
>>> On Thu, Mar 10, 2016 at 10:54:59AM -0800, Jake Snyder wrote:
>>> Thanks for the great info on FreeRadius.  I don't think this is
>>> the case in what I'm seeing, which is specifically that
>>> Windows AD is not keeping up with NTLM.
>>
>> OK, that's interesting. I think the issue that others have seen on
>> this would look like that - and certainly the symptoms sound the
>> same as you described - so I'm wondering how you came to the
>> conclusion that it's AD itself rather than something between AD
>> and ACS.
>>
>> However, I'm not at all familiar with ACS - I guess it sits on a
>> member server and probably calls LsaLogonUser directly - so there
>> is the communication between the member server and the DC, though
>> I guess that /should/ be fairly slick in theory...
>>
>>> These are customers with environments that are relatively stable
>>> and have been performing well for extended periods of time with
>>> similar user counts.  These are also well below the 256 radius
>>> session limit.
>>
>> I'd throw in the consideration of student numbers as well. We
>> always hit our peak number of wireless clients in February/March
>> each year, so this is the time problems often show up. Why this
>> time of year I have no idea! Probably all the new Christmas
>> presents being connected. :)
>>
>>> The MaxConcurrentAPI raises the number of worker threads in AD
>>> so that NTLM on the DC can keep up with the incoming
>>> requests.  Why did the performance of NTLM change recently?  I
>>> have no idea, but it appears it has.
>>
>> I believe MaxConcurrentAPI helped some people[0] who were having
>> problems with the FreeRADIUS/Samba setup as well, so again I'm not
>> entirely sure it's a pointer to AD having necessarily changed.
>>
>> Maybe reviewing all Windows patches applied to the DCs and ACS
>> servers in the last 3 months and see if anything seems relevant?
>> But I'm not sure how easy this is to do.
>>
>> It seems very likely to me that sites are seeing a combination
>> of problems, which could be all of WLC running out of RADIUS IDs,
>> ntlm_auth/Samba as well as MaxConcurrentAPI - so it wouldn't
>> surprise me if different things seem to fix the same symptoms for
>> different sites. It's just that the ACS sites don't have the
>> ntlm_auth component of the problem, so it may have taken a few
>> more months of load before the issue reared its head!
>>
>> Cheers,
>>
>> Matthew
>>
>>
>> [0] see e.g. 
>> https://lists.freeradius.org/pipermail/freeradius-users/2015-March/075969.html
>>
>> --
>> Matthew Newton, Ph.D. 
>>
>> Systems Specialist, Infrastructure Services,
>> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>>
>> For IT help contact helpdesk extn. 2253, 
>>

RE: Typical Registration Numbers for Guest Wireless Service?

2016-03-10 Thread Hector J Rios
We advertise our guest SSID throughout the campus. Only faculty and staff can 
sponsor guest access.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Adam T Ferrero
Sent: Thursday, March 10, 2016 2:40 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Typical Registration Numbers for Guest Wireless 
Service?


  We see about 1,000 guests per day typically.  We never have advertised it but 
the onboarding SSID is open and captive portal so people find it and self 
service onboard (via SMS texted credentials and switching to our WPA2 
enterprise SSID).  Generally our environment is about 30,000 concurrent 
wireless clients.

  Adam


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Zielske, Jessica
Sent: Thursday, March 10, 2016 1:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Typical Registration Numbers for Guest Wireless Service?

For those implementing a guest wireless service for sponsored and/or 
non-sponsored guests,

Is anyone able to share stats on the quantity of guest registrations over a 
time period, a daily average or the like?

We are working to forecast the load for a new non-sponsored guest wireless 
service, your insight is most appreciated!

Jessica Zielske
Virginia Tech






Re: [WIRELESS-LAN] Recent Radius Meltdowns

2016-03-10 Thread Jake Snyder
If AD is not keeping up with the NTLM requests, giving the DCs more NTLM worker 
threads can help it keep up with higher loads.

Working with TAC we found specifically in the ACS logs that it was waiting for 
Windows to respond.

As far as number of devices, they weren't showing increases over earlier in the 
week or previous weeks.

Thanks
Jake Snyder


Sent from my iPhone

> On Mar 10, 2016, at 12:21 PM, Matthew Newton  wrote:
> 
> Hi,
> 
>> On Thu, Mar 10, 2016 at 10:54:59AM -0800, Jake Snyder wrote:
>> Thanks for the great info on FreeRadius.  I don't think this is
>> the case in what I'm seeing, which is specifically that
>> Windows AD is not keeping up with NTLM.
> 
> OK, that's interesting. I think the issue that others have seen on
> this would look like that - and certainly the symptoms sound the
> same as you described - so I'm wondering how you came to the
> conclusion that it's AD itself rather than something between AD
> and ACS.
> 
> However, I'm not at all familiar with ACS - I guess it sits on a
> member server and probably calls LsaLogonUser directly - so there
> is the communication between the member server and the DC, though
> I guess that /should/ be fairly slick in theory...
> 
>> These are customers with environments that are relatively stable
>> and have been performing well for extended periods of time with
>> similar user counts.  These are also well below the 256 radius
>> session limit.
> 
> I'd throw in the consideration of student numbers as well. We
> always hit our peak number of wireless clients in February/March
> each year, so this is the time problems often show up. Why this
> time of year I have no idea! Probably all the new Christmas
> presents being connected. :)
> 
>> The MaxConcurrentAPI raises the number of worker threads in AD
>> so that NTLM on the DC can keep up with the incoming
>> requests.  Why did the performance of NTLM change recently?  I
>> have no idea, but it appears it has.
> 
> I believe MaxConcurrentAPI helped some people[0] who were having
> problems with the FreeRADIUS/Samba setup as well, so again I'm not
> entirely sure it's a pointer to AD having necessarily changed.
> 
> Maybe reviewing all Windows patches applied to the DCs and ACS
> servers in the last 3 months and see if anything seems relevant?
> But I'm not sure how easy this is to do.
> 
> It seems very likely to me that sites are seeing a combination
> of problems, which could be all of WLC running out of RADIUS IDs,
> ntlm_auth/Samba as well as MaxConcurrentAPI - so it wouldn't
> surprise me if different things seem to fix the same symptoms for
> different sites. It's just that the ACS sites don't have the
> ntlm_auth component of the problem, so it may have taken a few
> more months of load before the issue reared its head!
> 
> Cheers,
> 
> Matthew
> 
> 
> [0] see e.g. 
> https://lists.freeradius.org/pipermail/freeradius-users/2015-March/075969.html
> 
> -- 
> Matthew Newton, Ph.D. 
> 
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> 
> For IT help contact helpdesk extn. 2253, 
> 


RE: Typical Registration Numbers for Guest Wireless Service?

2016-03-10 Thread Adam T Ferrero

  We see about 1,000 guests per day typically.  We never have advertised it but 
the onboarding SSID is open and captive portal so people find it and self 
service onboard (via SMS texted credentials and switching to our WPA2 
enterprise SSID).  Generally our environment is about 30,000 concurrent 
wireless clients.

  Adam


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Zielske, Jessica
Sent: Thursday, March 10, 2016 1:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Typical Registration Numbers for Guest Wireless Service?

For those implementing a guest wireless service for sponsored and/or 
non-sponsored guests,

Is anyone able to share stats on the quantity of guest registrations over a 
time period, a daily average or the like?

We are working to forecast the load for a new non-sponsored guest wireless 
service, your insight is most appreciated!

Jessica Zielske
Virginia Tech






Re: [WIRELESS-LAN] Recent Radius Meltdowns

2016-03-10 Thread Matthew Newton
Hi,

On Thu, Mar 10, 2016 at 10:54:59AM -0800, Jake Snyder wrote:
> Thanks for the great info on FreeRadius.  I don't think this is
> the case in what I'm seeing, which is specifically that
> Windows AD is not keeping up with NTLM.

OK, that's interesting. I think the issue that others have seen on
this would look like that - and certainly the symptoms sound the
same as you described - so I'm wondering how you came to the
conclusion that it's AD itself rather than something between AD
and ACS.

However, I'm not at all familiar with ACS - I guess it sits on a
member server and probably calls LsaLogonUser directly - so there
is the communication between the member server and the DC, though
I guess that /should/ be fairly slick in theory...

> These are customers with environments that are relatively stable
> and have been performing well for extended periods of time with
> similar user counts.  These are also well below the 256 radius
> session limit.

I'd throw in the consideration of student numbers as well. We
always hit our peak number of wireless clients in February/March
each year, so this is the time problems often show up. Why this
time of year I have no idea! Probably all the new Christmas
presents being connected. :)

> The MaxConcurrentAPI raises the number of worker threads in AD
> so that NTLM on the DC can keep up with the incoming
> requests.  Why did the performance of NTLM change recently?  I
> have no idea, but it appears it has.

I believe MaxConcurrentAPI helped some people[0] who were having
problems with the FreeRADIUS/Samba setup as well, so again I'm not
entirely sure it's a pointer to AD having necessarily changed.

Maybe reviewing all Windows patches applied to the DCs and ACS
servers in the last 3 months and see if anything seems relevant?
But I'm not sure how easy this is to do.

It seems very likely to me that sites are seeing a combination
of problems, which could be all of WLC running out of RADIUS IDs,
ntlm_auth/Samba as well as MaxConcurrentAPI - so it wouldn't
surprise me if different things seem to fix the same symptoms for
different sites. It's just that the ACS sites don't have the
ntlm_auth component of the problem, so it may have taken a few
more months of load before the issue reared its head!

Cheers,

Matthew


[0] see e.g. 
https://lists.freeradius.org/pipermail/freeradius-users/2015-March/075969.html

-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 



Re: [WIRELESS-LAN] Recent Radius Meltdowns

2016-03-10 Thread Kitri Waterman
This exact discussion came up in a ClearPass in-depth class yesterday at 
Atmosphere/Airheads since ClearPass (based on FreeRadius) only has so many 
worker threads. Anything over a 2 sec delay between ClearPass and AD was...not 
ideal.

The class was "Adapting to Evolving User, Security and Business Needs with 
Aruba Clearpass" with Troy Arnold and Rajesh Ramireddy.

The videos should be available shortly/next week I believe. Definitely worth 
seeing even if you aren't Aruba based.


Kitri Waterman
University of Washington
ki...@uw.edu
 

On 3/10/16, 10:54 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Jake Snyder"  wrote:

>Matthew,
>Thanks for the great info on FreeRadius.  I don't think this is the case in 
>what I'm seeing, which is specifically that Windows AD is not keeping up 
>with NTLM.
>
>These are customers with environments that are relatively stable and have been 
>performing well for extended periods of time with similar user counts.  These 
>are also well below the 256 radius session limit.
>
>The MaxConcurrentAPI raises the number of worker threads in AD so that NTLM 
>on the DC can keep up with the incoming requests.  Why did the performance of 
>NTLM change recently?  I have no idea, but it appears it has.
>
>Thanks
>Jake Snyder
>
>
>Sent from my iPhone
>
>> On Mar 10, 2016, at 7:50 AM, Matthew Newton  wrote:
>> 
>> On Thu, Mar 10, 2016 at 09:14:02AM -0500, Earl Barfield wrote:
>>>> Just wanted to throw this out to the educause community to see if others
>>>> are seeing this.  Although this is not ultimately a problem with Higher Ed,
>>>> the large scale RADIUS deployments in higher ed resulting in more impact
>>> 
>>> If anything (radius server, users, Active Directory, etc) slows down
>>> the auth process, then you're going to have more auth sessions in
>>> progress simultaneously.
>> 
>> This has been a well-known issue in the FreeRADIUS world for a
>> long time now. Anything that slows down the NTLM communication
>> between the RADIUS server and the AD server will eventually lead
>> to problems. It just seems to crop up more in certain
>> circumstances. With FreeRADIUS, part of the problem seemed to be
>> using Samba's ntlm_auth (which involves an exec) so I did quite a
>> bit of hacking a year ago to use a library call and avoid that,
>> which does seem to help. As does faster hardware for the RADIUS
>> servers.
>> 
>> Cisco haven't helped themselves for a long time by using a single
>> UDP source port (and therefore only 256 radius IDs) per
>> controller. Using a different source port per access point would
>> have been a decent solution IMO, or even just random ephemeral ports,
>> but they've gone for some half-way solution that uses a few more
>> source ports in 8.1-something. Better than before anyway.
>> 
>> The problem exacerbates itself because when the WLC doesn't get a
>> response from a RADIUS server after a while, it will drop that
>> server and move to the next. Then all 250 or so authentications
>> in-flight (and probably half completed) will get chopped off and
>> have to start again on the next server.
>> 
>> Each hour when all the students moved between lectures we'd see 10
>> minutes of WLCs jumping to a different RADIUS server every minute
>> or so. This makes the higher-ed situation fairly unique and not
>> like business environments, where people don't tend to move around
>> in very large groups all at the same time.
>> 
>> I started to collect mailing list posts on a blog post to try and
>> collect information together if anyone's interested in reading
>> lots of different views on it! http://q.asd.me.uk/0
>> 
>> It's one of those things that if you're not looking for it,
>> though, you might not easily notice it, but just have complaints
>> about bad wireless connectivity at certain times of the day. It
>> becomes easy to see in the WLC SNMP RADIUS server not responding
>> traps, however.
>> 
>> Cheers,
>> 
>> Matthew
>> 
>> 
>> -- 
>> Matthew Newton, Ph.D. 
>> 
>> Systems Specialist, Infrastructure Services,
>> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>> 
>> For IT help contact helpdesk extn. 2253, 
>> 



Re: [WIRELESS-LAN] Typical Registration Numbers for Guest Wireless Service?

2016-03-10 Thread Julian Y Koh
On Thu Mar 10 2016 12:36:16 CST, "Zielske, Jessica"  
wrote:
> 
> Is anyone able to share stats on the quantity of guest registrations over a 
> time period, a daily average or the like?
> 

Our device registrations are good for a period of 7 days.  On average we see 
~1000-1100 registration events per day on a weekday during the school year.  We 
peak at about 2000 simultaneous devices on the guest wireless network on those 
days, with ~8000 unique devices seen per week.  




-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780



Re: [WIRELESS-LAN] Recent Radius Meltdowns

2016-03-10 Thread Jake Snyder
Matthew,
Thanks for the great info on FreeRadius.  I don't think this is the case in 
what I'm seeing, which is specifically that Windows AD is not keeping up 
with NTLM.

These are customers with environments that are relatively stable and have been 
performing well for extended periods of time with similar user counts.  These 
are also well below the 256 radius session limit.

The MaxConcurrentAPI raises the number of worker threads in AD so that NTLM 
on the DC can keep up with the incoming requests.  Why did the performance of 
NTLM change recently?  I have no idea, but it appears it has.

Thanks
Jake Snyder


Sent from my iPhone

> On Mar 10, 2016, at 7:50 AM, Matthew Newton  wrote:
> 
> On Thu, Mar 10, 2016 at 09:14:02AM -0500, Earl Barfield wrote:
>>> Just wanted to throw this out to the educause community to see if others
>>> are seeing this.  Although this is not ultimately a problem with Higher Ed,
>>> the large scale RADIUS deployments in higher ed resulting in more impact
>> 
>> If anything (radius server, users, Active Directory, etc) slows down
>> the auth process, then you're going to have more auth sessions in
>> progress simultaneously.
> 
> This has been a well-known issue in the FreeRADIUS world for a
> long time now. Anything that slows down the NTLM communication
> between the RADIUS server and the AD server will eventually lead
> to problems. It just seems to crop up more in certain
> circumstances. With FreeRADIUS, part of the problem seemed to be
> using Samba's ntlm_auth (which involves an exec) so I did quite a
> bit of hacking a year ago to use a library call and avoid that,
> which does seem to help. As does faster hardware for the RADIUS
> servers.
> 
> Cisco haven't helped themselves for a long time by using a single
> UDP source port (and therefore only 256 radius IDs) per
> controller. Using a different source port per access point would
> have been a decent solution IMO, or even just random ephemeral ports,
> but they've gone for some half-way solution that uses a few more
> source ports in 8.1-something. Better than before anyway.
> 
> The problem exacerbates itself because when the WLC doesn't get a
> response from a RADIUS server after a while, it will drop that
> server and move to the next. Then all 250 or so authentications
> in-flight (and probably half completed) will get chopped off and
> have to start again on the next server.
> 
> Each hour when all the students moved between lectures we'd see 10
> minutes of WLCs jumping to a different RADIUS server every minute
> or so. This makes the higher-ed situation fairly unique and not
> like business environments, where people don't tend to move around
> in very large groups all at the same time.
> 
> I started to collect mailing list posts on a blog post to try and
> collect information together if anyone's interested in reading
> lots of different views on it! http://q.asd.me.uk/0
> 
> It's one of those things that if you're not looking for it,
> though, you might not easily notice it, but just have complaints
> about bad wireless connectivity at certain times of the day. It
> becomes easy to see in the WLC SNMP RADIUS server not responding
> traps, however.
> 
> Cheers,
> 
> Matthew
> 
> 
> -- 
> Matthew Newton, Ph.D. 
> 
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> 
> For IT help contact helpdesk extn. 2253, 
> 


Typical Registration Numbers for Guest Wireless Service?

2016-03-10 Thread Zielske, Jessica
For those implementing a guest wireless service for sponsored and/or 
non-sponsored guests,

Is anyone able to share stats on the quantity of guest registrations over a 
time period, a daily average or the like?

We are working to forecast the load for a new non-sponsored guest wireless 
service, your insight is most appreciated!

Jessica Zielske
Virginia Tech








Anyone familiar with cloud WLAN vendor Relay2?

2016-03-10 Thread Bob Brown
Relay2 is announcing some new stuff and I'm just 
wondering if anyone is familiar with them, has any thoughts on what they're 
doing, how they compare to other vendors like Cisco, Ruckus, HP/Aruba, etc.

Thanks, BobB








Bob Brown

Online Executive Editor, News

T: 508.766.5418
LinkedIn | Twitter: @alphadoggs | Facebook profile | Instagram


NETWORK WORLD

492 Old Connecticut Path | PO Box 9002 | Framingham, MA 01701-9002

NetworkWorld.com | idgenterprise.com media kit | Conferences & Events







Re: [WIRELESS-LAN] Recent Radius Meltdowns

2016-03-10 Thread Matthew Newton
On Thu, Mar 10, 2016 at 09:14:02AM -0500, Earl Barfield wrote:
> >Just wanted to throw this out to the educause community to see if others
> >are seeing this.  Although this is not ultimately a problem with Higher Ed,
> >the large scale RADIUS deployments in higher ed resulting in more impact
> 
> If anything (radius server, users, Active Directory, etc) slows down
> the auth process, then you're going to have more auth sessions in
> progress simultaneously.

This has been a well-known issue in the FreeRADIUS world for a
long time now. Anything that slows down the NTLM communication
between the RADIUS server and the AD server will eventually lead
to problems. It just seems to crop up more in certain
circumstances. With FreeRADIUS, part of the problem seemed to be
using Samba's ntlm_auth (which involves an exec) so I did quite a
bit of hacking a year ago to use a library call and avoid that,
which does seem to help. As does faster hardware for the RADIUS
servers.

Cisco haven't helped themselves for a long time by using a single
UDP source port (and therefore only 256 radius IDs) per
controller. Using a different source port per access point would
have been a decent solution IMO, or even just random ephemeral ports,
but they've gone for some half-way solution that uses a few more
source ports in 8.1-something. Better than before anyway.

The problem exacerbates itself because when the WLC doesn't get a
response from a RADIUS server after a while, it will drop that
server and move to the next. Then all 250 or so authentications
in-flight (and probably half completed) will get chopped off and
have to start again on the next server.

Each hour when all the students moved between lectures we'd see 10
minutes of WLCs jumping to a different RADIUS server every minute
or so. This makes the higher-ed situation fairly unique and not
like business environments, where people don't tend to move around
in very large groups all at the same time.

I started to collect mailing list posts on a blog post to try and
collect information together if anyone's interested in reading
lots of different views on it! http://q.asd.me.uk/0

It's one of those things that if you're not looking for it,
though, you might not easily notice it, but just have complaints
about bad wireless connectivity at certain times of the day. It
becomes easy to see in the WLC SNMP RADIUS server not responding
traps, however.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. 

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, 



Re: Recent Radius Meltdowns

2016-03-10 Thread Earl Barfield

> Date: Wed, 9 Mar 2016 14:05:07 -0700
> From: Jake Snyder
> Subject: Recent Radius Meltdowns
>
> Just wanted to throw this out to the educause community to see if others
> are seeing this.  Although this is not ultimately a problem with Higher Ed,
> the large scale RADIUS deployments in higher ed resulting in more impact
>
> Several weeks ago we had a higher ed customer whose Radius environment
> started periodically melting down.  The customer was running Cisco
> Infrastructure and ACS 5.x on the back end.



I'm curious whether this customer was running WLC 8.1 code or something
older?

Although slightly different environment, we had horrible horrible
radius problems under WLC 8.0 code that were improved tremendously when
we upgraded to 8.1 and enabled the multiple radius queues (Cisco speak
for multiple UDP source ports).


If anything (radius server, users, Active Directory, etc) slows down
the auth process, then you're going to have more auth sessions in
progress simultaneously.

There is an 8-bit field in the radius auth packet called radius_id that
the controller and radius server use to keep straight which auth
session is which.  If you exceed 255 radius auth sessions in progress
per queue, then meltdown is inevitable.  More queues allow more auth
sessions.



(Hotel-WLC) >show radius queue summary

Max Radius Queues Per Server. 8
 Source Port numbers used 32769 32770 32771 32772 32773 32774 32775 32776

Max Radius Buffers Available. 4064
 Currently number of Buffers consumed 11

Radius Authentication Messages Stats
 Total Auth Req sent(allocated).. 13588897
 Total Auth Resp rcvd(freed). 13588897
 Total Auth Req Pkts Dropped(no buffer).. 0

Radius Accounting Messages Stats
 Total Acct Req sent(allocated).. 0
 Total Acct Resp rcvd(freed). 0
 Total Acct Req Pkts Dropped(no buffer).. 0




--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edue...@gatech.edu
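
Added example, not part of the original message and not vendor tooling: it parses the "show radius queue summary" output quoted above, derives the RADIUS Identifier headroom from the source ports, and runs a small model of what happens to in-flight requests when the backend slows down. Function names, the 300 requests/s load and the 100 ms normal response time are assumptions; the 2 s stall echoes the delay figure mentioned elsewhere in this thread.

```python
import re

IDS_PER_SOURCE_PORT = 256  # the RADIUS Identifier is a single octet (RFC 2865)
TICK_S = 0.1               # simulation step: 100 ms (assumption)

# Values copied from the controller output quoted in the message above.
QUEUE_SUMMARY = """\
Max Radius Queues Per Server. 8
 Source Port numbers used 32769 32770 32771 32772 32773 32774 32775 32776
Max Radius Buffers Available. 4064
 Currently number of Buffers consumed 11
Radius Authentication Messages Stats
 Total Auth Req sent(allocated).. 13588897
 Total Auth Resp rcvd(freed). 13588897
 Total Auth Req Pkts Dropped(no buffer).. 0
"""


def _field(label, text):
    # Each label is followed by a run of dots (collapsed in the archive) and a number.
    m = re.search(re.escape(label) + r"[.\s]*(\d+)", text)
    return int(m.group(1)) if m else None


def parse_queue_summary(text):
    """Extract queue count, source ports and auth counters from the CLI output."""
    ports = re.search(r"Source Port numbers used[.\s]*((?:\d+\s*)+)", text)
    return {
        "queues": _field("Max Radius Queues Per Server", text),
        "ports": [int(p) for p in ports.group(1).split()] if ports else [],
        "auth_sent": _field("Total Auth Req sent(allocated)", text),
        "auth_rcvd": _field("Total Auth Resp rcvd(freed)", text),
        "auth_dropped": _field("Total Auth Req Pkts Dropped(no buffer)", text),
    }


def id_capacity(summary):
    """Requests that can be outstanding towards one server: 256 per source port."""
    return len(summary["ports"]) * IDS_PER_SOURCE_PORT


def outstanding(requests_per_s, response_time_s):
    """Little's law: average requests in flight = arrival rate x response time."""
    return requests_per_s * response_time_s


def simulate(requests_per_tick, latency_ticks, capacity):
    """Return (peak IDs in use, requests refused for lack of a free ID).

    latency_ticks[t] is the response time, in ticks, of requests issued at tick t.
    Simplified model: no retransmissions and no failover to another server.
    """
    release = {}                     # tick -> number of IDs freed at that tick
    in_use = peak = refused = 0
    for t, lat in enumerate(latency_ticks):
        in_use -= release.pop(t, 0)
        admitted = min(requests_per_tick, capacity - in_use)
        refused += requests_per_tick - admitted
        in_use += admitted
        release[t + lat] = release.get(t + lat, 0) + admitted
        peak = max(peak, in_use)
    return peak, refused


def stall_scenario(capacity, requests_per_tick=30, normal=1, stalled=20):
    """5 s at 100 ms response time, 5 s stalled at 2 s, then 5 s of recovery."""
    latency = [normal] * 50 + [stalled] * 50 + [normal] * 50
    return simulate(requests_per_tick, latency, capacity)


if __name__ == "__main__":
    summary = parse_queue_summary(QUEUE_SUMMARY)
    cap = id_capacity(summary)
    print("source ports:", len(summary["ports"]), "ID capacity:", cap)
    print("auth requests dropped (no buffer):", summary["auth_dropped"])
    print("in flight at 300 req/s and 2 s latency:", outstanding(300, 2.0))
    for label, c in (("single source port", IDS_PER_SOURCE_PORT), ("8 queues", cap)):
        peak, refused = stall_scenario(c)
        print(f"{label}: peak IDs in use {peak}, refused {refused}")
```
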
