Re: [WIRELESS-LAN] Free Aruba APs - just pay shipping

2017-08-30 Thread Wesley Troy Scott
Hi Brad,


If the access points are still available the University of Wyoming can give 
them a good home and a few more years of life. We'd gladly pay shipping.


If they are and you are willing to shoot me an email directly I'd be glad to 
discuss the details with you offline.


Best,


Troy Scott


tsc...@uwyo.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Brad Weldon 

Sent: Wednesday, August 30, 2017 11:02:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Free Aruba APs - just pay shipping

After recent campus upgrades, we have an excess of Aruba APs that we'd like to 
give away to anyone willing to pay shipping costs from zip code 97132.

73 each Aruba AP105
9 each Aruba IAP105
28 each Aruba AP125

End of Life Statement from Aruba Networks:
http://www.arubanetworks.com/support-services/end-of-life/#AccessPoints

After 10/31/2017, all remaining units will be recycled and no longer available.

- - - - -
Brad Weldon
Network Engineer
George Fox University
503.554.2571
- - - - -
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.




RE: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-30 Thread Lee H Badman
Great information. Thanks, Hector. Now I have some homework too.

-Original Message-
From: Hector J Rios [hr...@lsu.edu]
Received: Wednesday, 30 Aug 2017, 15:41
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Thank you for the good thoughts on the storm. Luckily we are fine.

So far we’ve been told that the issue we experienced was a combination of two 
things: 1) the 8540’s memory queues and buffers reached their maximum capacity. 
This affected both 802.1X and CAPWAP. Thus the AP flapping. 2) RADIUS and EAP 
timers must be EXTRA optimized. I say EXTRA, because we’ve always followed best 
practices and recommendations from TAC.

This is a good document to read: 
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html

Finally, what is most interesting is the fact that even though the 8540 is 
advertised to support 6000 APs and 64000 clients, these numbers do not seem to 
be valid if your environment is mainly 802.1X. So, if your environment is 
mainly 802.1X, and you have an 8540, I would recommend you talk to your Cisco 
SE so they can tell you what the official supported number of APs is. I’ve yet 
to find any official documentation that even hints to this. Miercom performed a 
comparative test in 2015 between Aruba and Cisco, and in the report they did 
test client authentication rate, but only for the Cisco 5520.

https://www.cisco.com/c/dam/en/us/products/collateral/wireless/8540-wireless-controller/miercom-report-wlcs-cisco-aruba.pdf

TAC’s recommendation is for us to use 8.2.160 on the 8540s. We will make all 
necessary config changes and start moving APs in waves of 500 slowly so we can 
watch utilization. Our plan also includes not to exceed the AP capacity of the 
8540s by 50%-60%. If this works, we will have to get an additional pair of 
8540s. I’ll let you know if we are successful.

BTW, we require to have AVC turned on. TAC is very concerned about this. We’ll 
also be watching this.

-Hector

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, August 30, 2017 6:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?


Hi Hector,



I hope the storm is not causing havoc for you down there- good thoughts to you 
on that.



Did you get anywhere with Cisco on your 8540/8.2.160 problems? I'm being told 
we may need to go that same combination and it doesn't inspire confidence.



Evidently my 8.2.151 (you know... one of those STABLE code versions) may be a 
time bomb that caused a spontaneous 8540 reboot. The comment was made that our 
3300 APs on a platform that supposedly supports 6000 somehow equals a dense 
deployment and that we likely are hitting:

___
Regarding the logs, I was able to check the logs, and yes It seems your 
deployment is a high-density deployment with over 3000 APs.

Based on your deployment and the logs I was able to identify this

It seems the WLC is having load process utilization  on the task SpamReceive 
Task and HAConfigSyncTask.

spamApTask1         5992   ( 53/ 78)    0   (  0/  0)%   30   22
spamApTask0         5991   ( 72/ 70)    0   (  0/  0)%   30    5
spamReceiveTask     5990   ( 52/ 78)    0   (  0/  0)%   99    0
spamSocketTask      5989   (175/ 32)    0   (  0/  0)%    0   13
HAPeerToPeerCommTa  5988   ( 90/ 64)    0   (  0/  0)%    0    7
rmgrPing            5987   ( 80/ 67)    0   (  0/  0)%    0   13

HAConfigSyncTask    6204   (240/  7)    0   (  0/  0)%   99    3

Based on the symptoms, the WLC version and your WLC density. You may be hitting 
bug.

CSCvd20251 - Data Plane stopped working on Cisco 5508 WLC running 
8.0.140.0
 ___
I hope to have confirmation today. I can't imagine what Cisco could have done 
between .151 and .6 to make this sort of thing better, and I am really 
interested in whether they isolated your own .160 problems. There is no way in 
hell I'm moving to that version without seeing case notes on every single issue 
people are having in this continual cycle of trading one set of bugs for 
another.

This game just isn't fun anymore.

Thanks-




Lee Badman | Network Architect | CWNE #200
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Hector J Rios
Sent: Friday, August 25, 2017 3:11 PM
To: 

RE: Move In/Opening Week- Any Problems?

2017-08-30 Thread Hector J Rios
Thank you for the good thoughts on the storm. Luckily we are fine.

So far we’ve been told that the issue we experienced was a combination of two 
things: 1) the 8540’s memory queues and buffers reached their maximum capacity. 
This affected both 802.1X and CAPWAP. Thus the AP flapping. 2) RADIUS and EAP 
timers must be EXTRA optimized. I say EXTRA, because we’ve always followed best 
practices and recommendations from TAC.

This is a good document to read: 
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118703-technote-wlc-00.html

Finally, what is most interesting is the fact that even though the 8540 is 
advertised to support 6000 APs and 64000 clients, these numbers do not seem to 
be valid if your environment is mainly 802.1X. So, if your environment is 
mainly 802.1X, and you have an 8540, I would recommend you talk to your Cisco 
SE so they can tell you what the official supported number of APs is. I’ve yet 
to find any official documentation that even hints to this. Miercom performed a 
comparative test in 2015 between Aruba and Cisco, and in the report they did 
test client authentication rate, but only for the Cisco 5520.

https://www.cisco.com/c/dam/en/us/products/collateral/wireless/8540-wireless-controller/miercom-report-wlcs-cisco-aruba.pdf

TAC’s recommendation is for us to use 8.2.160 on the 8540s. We will make all 
necessary config changes and start moving APs in waves of 500 slowly so we can 
watch utilization. Our plan also includes not to exceed the AP capacity of the 
8540s by 50%-60%. If this works, we will have to get an additional pair of 
8540s. I’ll let you know if we are successful.

BTW, we require to have AVC turned on. TAC is very concerned about this. We’ll 
also be watching this.

-Hector

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, August 30, 2017 6:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?


Hi Hector,



I hope the storm is not causing havoc for you down there- good thoughts to you 
on that.



Did you get anywhere with Cisco on your 8540/8.2.160 problems? I'm being told 
we may need to go that same combination and it doesn't inspire confidence.



Evidently my 8.2.151 (you know... one of those STABLE code versions) may be a 
time bomb that caused a spontaneous 8540 reboot. The comment was made that our 
3300 APs on a platform that supposedly supports 6000 somehow equals a dense 
deployment and that we likely are hitting:

___
Regarding the logs, I was able to check the logs, and yes It seems your 
deployment is a high-density deployment with over 3000 APs.

Based on your deployment and the logs I was able to identify this

It seems the WLC is having load process utilization  on the task SpamReceive 
Task and HAConfigSyncTask.

spamApTask1         5992   ( 53/ 78)    0   (  0/  0)%   30   22
spamApTask0         5991   ( 72/ 70)    0   (  0/  0)%   30    5
spamReceiveTask     5990   ( 52/ 78)    0   (  0/  0)%   99    0
spamSocketTask      5989   (175/ 32)    0   (  0/  0)%    0   13
HAPeerToPeerCommTa  5988   ( 90/ 64)    0   (  0/  0)%    0    7
rmgrPing            5987   ( 80/ 67)    0   (  0/  0)%    0   13

HAConfigSyncTask    6204   (240/  7)    0   (  0/  0)%   99    3

Based on the symptoms, the WLC version and your WLC density. You may be hitting 
bug.

CSCvd20251 - Data Plane stopped working on Cisco 5508 WLC running 
8.0.140.0
 ___
I hope to have confirmation today. I can't imagine what Cisco could have done 
between .151 and .6 to make this sort of thing better, and I am really 
interested in whether they isolated your own .160 problems. There is no way in 
hell I'm moving to that version without seeing case notes on every single issue 
people are having in this continual cycle of trading one set of bugs for 
another.

This game just isn't fun anymore.

Thanks-




Lee Badman | Network Architect | CWNE #200
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Hector J Rios
Sent: Friday, August 25, 2017 3:11 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Here’s ours:

2 8540s in HA mode (bought with the idea of replacing all WiSM2s)
4 pairs of WiSM2s in HA mode
3 server ClearPass cluster for both eduroam and guest
Main SSID: eduroam with PEAP/MSCHAP
Mix of WAPs; 

Free Aruba APs - just pay shipping

2017-08-30 Thread Brad Weldon
After recent campus upgrades, we have an excess of Aruba APs that we'd like
to give away to anyone willing to pay shipping costs from zip code 97132.

73 each Aruba AP105
9 each Aruba IAP105
28 each Aruba AP125

End of Life Statement from Aruba Networks:
http://www.arubanetworks.com/support-services/end-of-life/#AccessPoints

After 10/31/2017, all remaining units will be recycled and no longer
available.

- - - - -
Brad Weldon
Network Engineer
George Fox University
503.554.2571
- - - - -




Re: [WIRELESS-LAN] 5GHz Micro Adapters

2017-08-30 Thread Justin Hehnlin
I've found this wiki resource interesting - in particular, using
find/search for 'MU-MIMO' etc. The interface column is relatively
descriptive.

https://wikidevi.com/wiki/List_of_802.11ac_Hardware/Wireless_Adapters#Devices

--
Justin Hehnlin
Wireless Network Engineer
University of Michigan
Information and Technology Services
Infrastructure - Network Engineering
(734)763-7872

On Wed, Aug 30, 2017 at 10:37 AM, Johnson, Christopher 
wrote:

> Thank you everyone for your feedback! Lots of good information! We’ll be
> looking into purchasing a couple adapters to help with
> testing/troubleshooting and advising 2.4 only clients.
>
>
>
> Thank you everyone and have a great day!
>
>
>
> *Christopher Johnson*
>
> Wireless Network Engineer
>
> AT Infrastructure Operations & Networking (ION)
>
> Illinois State University
>
> (309) 438-8444
>
> Stay connected with ISU IT news and tips with @ISU IT Help on Facebook
>  and Twitter
> 
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jason Cook
> *Sent:* Monday, August 28, 2017 7:26 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] 5GHz Micro Adapters
>
>
>
> We’ve been very happy with these
>
> http://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wireless_adapters_ac1200_dual-band/ew-7822uac/
>
> but they are full size
>
>
>
> http://www.edimax.com/edimax/merchandise/merchandise_list/data/edimax/global/wireless_adapters/
>
> I’ve heard good things about the micro and nano’s (we know the full size
> is great) and have been meaning to buy a couple for testing.
>
> As I understand it the smaller ones may have a weaker antenna which could
> lead to issues. But haven’t tested it myself
>
>
>
>
>
> --
>
> Jason Cook
>
> Technology Services
>
> The University of Adelaide, AUSTRALIA 5005
>
> Ph: +61 8 8313 4800
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Norton, Thomas
> (Network Operations)
> *Sent:* Tuesday, 29 August 2017 8:33 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] 5GHz Micro Adapters
>
>
>
> Due to poor performance with them, we moved away from recommending micro
> usb for 2.4 only clients...  We now recommend a 802.11ac 2x2 USB adapter,
> typically the Linksys  (AC1200) WUSB6300. To provide the best user
> experience possible, we always keep a couple on hand to issue out for
> affected students. The big downfall we have found with these is the size,
> but for the price point you can't beat the performance.
>
>
>
>
>
> *T.J. Norton*
>
> *Wireless Network Architect*
> *Network Operations*
>
> *(434) 592-6552*
>
>
>
>
> *Liberty University  |  Training Champions for Christ since 1971*
>
>
> On Aug 28, 2017, at 6:47 PM, Johnson, Christopher 
> wrote:
>
> Good Evening,
>
>
> 1. Has anyone had any experience and would recommend a particular 5GHz
>    Wifi Micro USB adapter for students that have a Windows Laptop with a
>    2.4GHz only integrated adapter?
> 2. How is the quality/performance of a 5GHz Micro USB Adapter?
>
>    1. I can’t imagine it performing as well as a laptop with Wi-Fi
>       antennas integrated throughout the monitor.
>    2. Would it be better to recommend the internal Wi-Fi NIC be
>       swapped out for another compatible model – although I could see this
>       being an issue if the antennas weren’t dual-band capable.
>
>
>
> Thank you and have a great night!
>
>
>
> *Christopher Johnson*
>
> Wireless Network Engineer
>
> AT Infrastructure Operations & Networking (ION)
>
> Illinois State University
>
> (309) 438-8444
>
> Stay connected with ISU IT news and tips with @ISU IT Help on Facebook
> 
> and Twitter
> 
>
>
>

RE: Wireless onboarding and security posturing

2017-08-30 Thread Turner, Ryan H
We have been extremely happy with SecureW2.  Outstanding support.  No major 
issues with large amounts of TLS onboardings over several years.  We moved to 
SecureW2 from Cloudpath ES.


Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Wednesday, August 30, 2017 8:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless onboarding and security posturing

A few years ago we worked to move away from NAC (Bradford Campus Manager) to 
802.1X authentication without NAC. We ended up purchasing Aruba ClearPass but 
purchased (& did not use) some OnGuard NAC licenses to appease some management 
that we could deploy NAC if needed. We have not needed that.

We have been onboarding with the deprecated CloudPath Wizard product for 
several years. We are now evaluating onboarding (non-NAC) alternatives. So far 
the best choice appears to be SecureW2 when pricing & features are considered.

I asked CloudPath ES, like Wizard has a one-time onboarding NAC-like feature. 
Apparently, SecureW2 had similar features but removed them due to non-use. 
Pricing appears to be much better than Aruba’s offering.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Curtis L. Parish [mailto:curtis.par...@mtsu.edu]
Sent: Tuesday, August 29, 2017 12:08 PM
Subject: Wireless onboarding and security posturing

Greetings

Looking for philosophy (policy?) as well as what products you are using to 
implement your solutions.

Currently we use a NAC agent as a part of our onboarding procedure for Windows 
computers connecting via NAC. Agents of course add a whole layer of support 
woes to the help desk. As the percentage (not necessarily number) of Windows 
devices on wireless networks decreases, the effectiveness of deploying an agent 
seems to have decreasing returns. At the same time Windows has increased 
their security posture over the years (nagging you to do updates and to turn 
on the firewall and virus protection) other devices have been added to the 
mix, like IoT, that have little or no protection built in. Spending so of 
our time supporting an agent that only protects a decreasing percentage of the 
devices on the network may not be the best policy. There is the argument 
that Windows devices can cause the most problems, but do we spend the time 
focused on the single problem solution (Windows agent) as opposed to 
implementing and supporting a more holistic solution that can recognize and 
respond to threats across platforms.


We have talked to universities that run their wireless networks as wide open 
public access networks and choose only to defend with firewalls. We on the 
other end are more offensive and require user registration, NAC agents and 
MAC registration, along with the separation of the wireless network from the 
campus network.

So, how do you provide and protect your wireless networks?


Curtis


Curtis Parish
 615.494.8861
Senior Network Engineer






RE: [WIRELESS-LAN] 5GHz Micro Adapters

2017-08-30 Thread Johnson, Christopher
Thank you everyone for your feedback! Lots of good information! We’ll be 
looking into purchasing a couple adapters to help with testing/troubleshooting 
and advising 2.4 only clients.

Thank you everyone and have a great day!

Christopher Johnson
Wireless Network Engineer
AT Infrastructure Operations & Networking (ION)
Illinois State University
(309) 438-8444
Stay connected with ISU IT news and tips with @ISU IT Help on 
Facebook and 
Twitter
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Cook
Sent: Monday, August 28, 2017 7:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 5GHz Micro Adapters

We’ve been very happy with these
http://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wireless_adapters_ac1200_dual-band/ew-7822uac/
but they are full size

http://www.edimax.com/edimax/merchandise/merchandise_list/data/edimax/global/wireless_adapters/
I’ve heard good things about the micro and nano’s (we know the full size is 
great) and have been meaning to buy a couple for testing.
As I understand it the smaller ones may have a weaker antenna which could lead to 
issues. But haven’t tested it myself


--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Norton, Thomas 
(Network Operations)
Sent: Tuesday, 29 August 2017 8:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 5GHz Micro Adapters

Due to poor performance with them, we moved away from recommending micro usb 
for 2.4 only clients...  We now recommend a 802.11ac 2x2 USB adapter, typically 
the Linksys  (AC1200) WUSB6300. To provide the best user experience possible, 
we always keep a couple on hand to issue out for affected students. The big 
downfall we have found with these is the size, but for the price point you 
can't beat the performance.


T.J. Norton
Wireless Network Architect
Network Operations

(434) 592-6552


Liberty University  |  Training Champions for Christ since 1971

On Aug 28, 2017, at 6:47 PM, Johnson, Christopher wrote:
Good Evening,


  1.  Has anyone had any experience and would recommend a particular 5GHz Wifi 
Micro USB adapter for students that have a Windows Laptop with a 2.4GHz only 
integrated adapter?
  2.  How is the quality/performance of a 5GHz Micro USB Adapter?

 *   I can’t imagine it performing as well as a laptop with Wi-Fi antennas 
integrated throughout the monitor.
 *   Would it be better to recommend the internal Wi-Fi NIC be swapped 
out for another compatible model – although I could see this being an issue if 
the antennas weren’t dual-band capable.

Thank you and have a great night!

Christopher Johnson
Wireless Network Engineer
AT Infrastructure Operations & Networking (ION)
Illinois State University
(309) 438-8444
Stay connected with ISU IT news and tips with @ISU IT Help on 
Facebook
 and 
Twitter




RE: Wireless onboarding and security posturing

2017-08-30 Thread Osborne, Bruce W (Network Operations)
A few years ago we worked to move away from NAC (Bradford Campus Manager) to 
802.1X authentication without NAC. We ended up purchasing Aruba ClearPass but 
purchased (& did not use) some OnGuard NAC licenses to appease some management 
that we could deploy NAC if needed. We have not needed that.

We have been onboarding with the deprecated CloudPath Wizard product for 
several years. We are now evaluating onboarding (non-NAC) alternatives. So far 
the best choice appears to be SecureW2 when pricing & features are considered.

I asked CloudPath ES, like Wizard has a one-time onboarding NAC-like feature. 
Apparently, SecureW2 had similar features but removed them due to non-use. 
Pricing appears to be much better than Aruba’s offering.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Curtis L. Parish [mailto:curtis.par...@mtsu.edu]
Sent: Tuesday, August 29, 2017 12:08 PM
Subject: Wireless onboarding and security posturing

Greetings

Looking for philosophy (policy?) as well as what products you are using to 
implement your solutions.

Currently we use a NAC agent as a part of our onboarding procedure for Windows 
computers connecting via NAC. Agents of course add a whole layer of support 
woes to the help desk. As the percentage (not necessarily number) of Windows 
devices on wireless networks decreases, the effectiveness of deploying an agent 
seems to have decreasing returns. At the same time Windows has increased 
their security posture over the years (nagging you to do updates and to turn 
on the firewall and virus protection) other devices have been added to the 
mix, like IoT, that have little or no protection built in. Spending so of 
our time supporting an agent that only protects a decreasing percentage of the 
devices on the network may not be the best policy. There is the argument 
that Windows devices can cause the most problems, but do we spend the time 
focused on the single problem solution (Windows agent) as opposed to 
implementing and supporting a more holistic solution that can recognize and 
respond to threats across platforms.


We have talked to universities that run their wireless networks as wide open 
public access networks and choose only to defend with firewalls. We on the 
other end are more offensive and require user registration, NAC agents and 
MAC registration, along with the separation of the wireless network from the 
campus network.

So, how do you provide and protect your wireless networks?


Curtis


Curtis Parish
 615.494.8861
Senior Network Engineer






RE: Plastered buildings

2017-08-30 Thread Osborne, Bruce W (Network Operations)
Yeah.

We have a stone mansion used that has the lath. We put an AP per room and just 
upgraded them to Aruba AP-203H APs.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Harris, Robert [mailto:robert.har...@culinary.edu]
Sent: Tuesday, August 29, 2017 8:31 AM
Subject: Re: Plastered buildings

Do you have the option to go into the rooms? Aruba has a series of APs that 
mount to a wall plate over an outlet. AP-303H , if it’s an option.

Robert Harris
Manager of Network Services
Culinary Institute of America
1946 Campus Drive
Hyde Park, NY
845-451-1681
www.ciachef.edu
Food is Life
Create and Savor Yours.™

Please consider the environment before printing this e-mail.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Rodkey
Sent: Tuesday, August 29, 2017 12:20 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Plastered buildings

How do you deal with buildings that have plaster and fine metal mesh enclosing 
them?  We have placed access points on the exterior of the building, but the 
signal isn't getting through.  The rooms all open onto an outside hallway - 
there is no common internal hallway.

John Rodkey
Director of Servers and Networks



Re: Move In/Opening Week- Any Problems?

2017-08-30 Thread Lee H Badman
Hi Hector,


I hope the storm is not causing havoc for you down there- good thoughts to you 
on that.


Did you get anywhere with Cisco on your 8540/8.2.160 problems? I'm being told 
we may need to go that same combination and it doesn't inspire confidence.


Evidently my 8.2.151 (you know... one of those STABLE code versions) may be a 
time bomb that caused a spontaneous 8540 reboot. The comment was made that our 
3300 APs on a platform that supposedly supports 6000 somehow equals a dense 
deployment and that we likely are hitting:

___

Regarding the logs, I was able to check the logs, and yes It seems your 
deployment is a high-density deployment with over 3000 APs.

Based on your deployment and the logs I was able to identify this

It seems the WLC is having load process utilization  on the task SpamReceive 
Task and HAConfigSyncTask.

spamApTask1         5992   ( 53/ 78)    0   (  0/  0)%   30   22
spamApTask0         5991   ( 72/ 70)    0   (  0/  0)%   30    5
spamReceiveTask     5990   ( 52/ 78)    0   (  0/  0)%   99    0
spamSocketTask      5989   (175/ 32)    0   (  0/  0)%    0   13
HAPeerToPeerCommTa  5988   ( 90/ 64)    0   (  0/  0)%    0    7
rmgrPing            5987   ( 80/ 67)    0   (  0/  0)%    0   13

HAConfigSyncTask    6204   (240/  7)    0   (  0/  0)%   99    3

Based on the symptoms, the WLC version and your WLC density. You may be hitting 
bug.

CSCvd20251 - Data Plane stopped working on Cisco 5508 WLC running 
8.0.140.0
 ___
I hope to have confirmation today. I can't imagine what Cisco could have done 
between .151 and .6 to make this sort of thing better, and I am really 
interested in whether they isolated your own .160 problems. There is no way in 
hell I'm moving to that version without seeing case notes on every single issue 
people are having in this continual cycle of trading one set of bugs for 
another.

This game just isn't fun anymore.

Thanks-



Lee Badman | Network Architect | CWNE #200
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Hector J Rios 
Sent: Friday, August 25, 2017 3:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

Here’s ours:

2 8540s in HA mode (bought with the idea of replacing all WiSM2s)
4 pairs of WiSM2s in HA mode
3 server ClearPass cluster for both eduroam and guest
Main SSID: eduroam with PEAP/MSCHAP
Mix of WAPs; 3500, 3600, 3700, 2800, 1810w
Total number of WAPs: 3500
21000 peak users

We tested the 8540s extensively over the spring and summer, primarily with the 
8.2.151 code and a mix of 2800s and 1810ws. We had AVC turned on, and were 
using RLANs for the wired ports. The largest number of WAPs we had on this pair 
was 469. We tested code 8.2.160 towards the end of the summer with all WAPs on 
the 8540s, and had no issues. The first day of classes, we had all WiSM2s 
running 8.2.160 simply as a backup. Early morning we started getting reports of 
802.1X authentication failures (these failures had nothing to do with 
ClearPass). Shortly after that, WAPs started flapping (disconnecting from the 
8540s moving to WiSM2s and then moving back again). We tried playing with the 
TCP MSS setting, adjusting EAP timers, turning AVC off and multiple other 
things, but nothing worked. In the end, we downgraded the WiSM2s to 8.0.140 and 
moved all WAPs that were not 2800 or 1810s. The 8540s were downgraded to 
8.2.151 so the 2800s and 1810s would have a controller to connect to. Network 
stability was restored after this.

Needless to say it was a very unpleasant experience. We are still working with 
Cisco to find out the root cause of the problem.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Friday, August 25, 2017 8:22 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

It might be beneficial to share notes in case other schools are hitting common 
problems. I’m wondering how everyone who is in the thick of it is faring with 
back-to-school?

On this end, we are doing OK halfway to our expected total daily peak clients 
(we’re at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester
· Running 8.2.151 on our 8540s
· Significant quantities of Wave 2 APs
· ISE as RADIUS (only, no NAC, no onboarding)

No changes to:
· our guest WLAN (Clearpass/an Aruba controller pair)
· onboarding (Cloudpath Wiz)