RE: [WIRELESS-LAN] AAA Override Bug?

2017-09-15 Thread Hector J Rios 
That definitely sounds like it could be our problem. I’ll look into it. Thanks!

-H

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mccormick, Kevin
Sent: Friday, September 15, 2017 10:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] AAA Override Bug?

Are you hitting this bug?

80MR4:AAA override VLAN lost on inter-controller roaming

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb21254

Kevin 
McCormick
Network Administrator
University Technology - Western Illinois University
ke-mccorm...@wiu.edu | (309) 
298-1335 | Morgan Hall 106b
Connect with uTech: Website | 
Facebook | 
Twitter
[Image removed by sender.]

On Fri, Sep 15, 2017 at 10:06 AM, Yahya M. Jaber 
> wrote:
I used to have 8.0.140.0 and now 8.0.140.9 both were working fine with AAA 
override.
Yahya Jaber.
CCIE Wireless.
055-869-7555
ITNC Engineering.
KAUST.



Sent from an Android

On Sep 15, 2017 17:39, Hector J Rios > 
wrote:

This week we identified a bug in our wireless software that is affecting 
eduroam. The behavior we are seeing is the following: when an LSU user connects 
to eduroam we look up their AD group membership. If it is a student, the user 
is placed on network “Y”; if it is an employee (faculty/staff), the user is 
placed on network “Z”. We have noticed employees being incorrectly placed on 
the student network (which is the default WLAN interface). We haven’t yet 
identified why this is happening but we are working with our Cisco. We do have 
AAA override enabled. We have WiSM2s running 8.0.140.0 code. We have confirmed 
that our RADIUS server is sending the correct VLAN id attribute. Anybody 
noticed the same behavior?



Hector Rios

Louisiana State University
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



This message and its contents including attachments are intended solely for the 
original recipient. If you are not the intended recipient or have received this 
message in error, please notify me immediately and delete this message from 
your computer system. Any unauthorized use or distribution is prohibited. 
Please consider the environment before printing this email.
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Re: [WIRELESS-LAN] spurious cpi report of mass AP disassociation

2017-09-15 Thread Yahya M. Jaber 
Hi,

You can see the same on the WLC GUI.
Also, from the statistics of the AP join at the monitor tab. "This one is 
easier and would show you what happened when you are not there"

Yahya Jaber.
CCIE Wireless.
055-869-7555
ITNC Engineering.
KAUST.



Sent from an Android

On Sep 15, 2017 8:19 PM, Earl Barfield  wrote:
> Date:Mon, 11 Sep 2017 17:48:58 -0700
> From:Mark Duling 
> Subject: Re: spurious cpi report of mass AP disassociation
>
> Thanks for all the replies everyone. Well I'm not used to looking at AP
> logs, but ...


After such an event, log into the controller and run 'show ap summary'
the list of APs shows up in the order that the APs joined the controller
so the ones at the end of the list are the newest ones to join.   Pick
one of the bottom of the list and run 'show ap config general '
and look for the join info near the bottom eg:

> AP Up Time. 1 days, 21 h 15 m 05 s
> AP LWAPP Up Time... 1 days, 21 h 13 m 10 s
> Join Date and Time. Wed Sep 13 16:03:59 2017
> Join Taken Time 0 days, 00 h 01 m 54 s


Is the APs dropped and joined, then it will be evident from the Join
Time.   If the AP rebooted, then it will be evident from the AP Up Time.
If neither, then you had a false alarm from Prime.




--
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edue...@gatech.edu

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.



This message and its contents including attachments are intended solely for the 
original recipient. If you are not the intended recipient or have received this 
message in error, please notify me immediately and delete this message from 
your computer system. Any unauthorized use or distribution is prohibited. 
Please consider the environment before printing this email.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Re: spurious cpi report of mass AP disassociation

2017-09-15 Thread Earl Barfield 
> Date:Mon, 11 Sep 2017 17:48:58 -0700
> From:Mark Duling 
> Subject: Re: spurious cpi report of mass AP disassociation
> 
> Thanks for all the replies everyone. Well I'm not used to looking at AP
> logs, but ...


After such an event, log into the controller and run 'show ap summary'
the list of APs shows up in the order that the APs joined the controller
so the ones at the end of the list are the newest ones to join.   Pick
one of the bottom of the list and run 'show ap config general '
and look for the join info near the bottom eg:

> AP Up Time. 1 days, 21 h 15 m 05 s
> AP LWAPP Up Time... 1 days, 21 h 13 m 10 s
> Join Date and Time. Wed Sep 13 16:03:59 2017
> Join Taken Time 0 days, 00 h 01 m 54 s


Is the APs dropped and joined, then it will be evident from the Join
Time.   If the AP rebooted, then it will be evident from the AP Up Time.
If neither, then you had a false alarm from Prime.




-- 
Earl Barfield -- Academic & Research Tech / Information Technology
Georgia Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edue...@gatech.edu

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

RE: [WIRELESS-LAN] AAA Override Bug?

2017-09-15 Thread Jeffrey D. Sessler 
That bug is fixed in 8.0.150.0 released about two weeks ago.

Jeff

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mccormick, Kevin
Sent: Friday, September 15, 2017 8:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] AAA Override Bug?

Are you hitting this bug?

80MR4:AAA override VLAN lost on inter-controller roaming

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb21254

Kevin 
McCormick
Network Administrator
University Technology - Western Illinois University
ke-mccorm...@wiu.edu | (309) 
298-1335 | Morgan Hall 106b
Connect with uTech: Website | 
Facebook | 
Twitter
[http://www.wiu.edu/university_technology/images/signatures/currentimage.jpg]

On Fri, Sep 15, 2017 at 10:06 AM, Yahya M. Jaber 
> wrote:
I used to have 8.0.140.0 and now 8.0.140.9 both were working fine with AAA 
override.
Yahya Jaber.
CCIE Wireless.
055-869-7555
ITNC Engineering.
KAUST.



Sent from an Android

On Sep 15, 2017 17:39, Hector J Rios > 
wrote:

This week we identified a bug in our wireless software that is affecting 
eduroam. The behavior we are seeing is the following: when an LSU user connects 
to eduroam we look up their AD group membership. If it is a student, the user 
is placed on network “Y”; if it is an employee (faculty/staff), the user is 
placed on network “Z”. We have noticed employees being incorrectly placed on 
the student network (which is the default WLAN interface). We haven’t yet 
identified why this is happening but we are working with our Cisco. We do have 
AAA override enabled. We have WiSM2s running 8.0.140.0 code. We have confirmed 
that our RADIUS server is sending the correct VLAN id attribute. Anybody 
noticed the same behavior?



Hector Rios

Louisiana State University
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



This message and its contents including attachments are intended solely for the 
original recipient. If you are not the intended recipient or have received this 
message in error, please notify me immediately and delete this message from 
your computer system. Any unauthorized use or distribution is prohibited. 
Please consider the environment before printing this email.
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Re: [WIRELESS-LAN] Campus Wireless in Married or Family Student housing

2017-09-15 Thread Wesley Troy Scott 
University of Wyoming began to offer comprehensive wireless coverage in all 
University residences beginning last school year. We have offered wired access 
for many years. We have not had new classes of issues as a result of this 
change. Physical access when needed is scheduled with the occupant through our 
reslife team. If you have an account you can use the authenticated wireless and 
access campus resources. If you don't you can use either the guest wireless or 
a wired port that cannot access internal campus but can access the internet and 
public university services.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Chuck Enfield 
Sent: Friday, September 15, 2017 7:44:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Campus Wireless in Married or Family Student housing

Mike, our approach is the same as yours.  That said, it's not because of any
significant legal obstacle.  In fact, we have a policy that you're not
allowed on our network without an account (even if we don’t force you to log
in, there is supposed to be some method to identify the user, such as
requiring physical access controls for a wired port).  We make the resident
students with dependents agree to this policy, then put them in a situation
where they are forced to violate or their family will not have network
access.

We considered three solutions to this problem:

1. Change the policy to exempt on-campus residences housing dependents.
That would be easy, but it would be ugly, and at odds with the intent of our
policy and sound practice.

2. We explored this with our Risk, Legal, and Identity Management staff.
Everybody concluded that on-campus residency was sufficient to warrant
issuing an account, and that we were better off providing university
wireless with suitable access controls than we were to turn this
responsibility over to the students.  The only thing we needed to address to
implement it was a tweak to the accounts office processes for issuing
accounts such that the student parent or guardian would agree to the network
use terms and conditions for their non-student minor dependents.  We shifted
our schedule around to move those buildings to the end of the project to
provide time for the account process change, but no change was ever
implemented.

3. Much as you said, we could treat them like apartments and let the local
ISPs provide services to these buildings.  We considered this option viable,
but thought that letting the family members use our network was preferable
for both us and them.

Chuck Enfield
Manager, Wireless Engineering
Enterprise Networking & Communication Services
The Pennsylvania State University
110H, USB2, UP, PA 16802
ph: 814.863.8715
fx: 814.865.3988

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Davis
Sent: Friday, September 15, 2017 7:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Campus Wireless in Married or Family Student housing

I was wondering if anyone had policies or thoughts on wireless service in
Married/Family student housing?   We've had an informal policy of not
providing it and treating the units as "apartments" where the residents can
purchase and install their own residential wifi.  The thought process (as
handed down in oral history) is that servicing the APs in areas containing
non-University students, had legal implications,etc..  The physical Apt's
are in a "townhouse" style, and the university maintains the maintenance
areas between units and even has Wired networking service to them.

We've been asked to review the policy and was looking for any input on the
subject.

thanks
mike

--
  Mike Davis
  Systems Programmer V
  NSS - University of Delaware  - 302.831.8756
  Newark, DE  19716 Email da...@udel.edu

**
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/discuss.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Re: [WIRELESS-LAN] AAA Override Bug?

2017-09-15 Thread Mccormick, Kevin 
Are you hitting this bug?

80MR4:AAA override VLAN lost on inter-controller roaming

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb21254

Kevin McCormick

Network Administrator
University Technology - Western Illinois University
ke-mccorm...@wiu.edu | (309) 298-1335 <3092981335> | Morgan Hall 106b
Connect with uTech: Website  | Facebook
 | Twitter



On Fri, Sep 15, 2017 at 10:06 AM, Yahya M. Jaber 
wrote:

> I used to have 8.0.140.0 and now 8.0.140.9 both were working fine with AAA
> override.
>
> Yahya Jaber.
> CCIE Wireless.
> 055-869-7555
> ITNC Engineering.
> KAUST.
>
>
>
> Sent from an Android
>
> On Sep 15, 2017 17:39, Hector J Rios  wrote:
>
> This week we identified a bug in our wireless software that is affecting
> eduroam. The behavior we are seeing is the following: when an LSU user
> connects to eduroam we look up their AD group membership. If it is a
> student, the user is placed on network “Y”; if it is an employee
> (faculty/staff), the user is placed on network “Z”. We have noticed
> employees being incorrectly placed on the student network (which is the
> default WLAN interface). We haven’t yet identified why this is happening
> but we are working with our Cisco. We do have AAA override enabled. We have
> WiSM2s running 8.0.140.0 code. We have confirmed that our RADIUS server is
> sending the correct VLAN id attribute. Anybody noticed the same behavior?
>
>
>
> Hector Rios
>
> Louisiana State University
> ** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at http://www.educause.edu/
> discuss.
>
>
>
> --
> This message and its contents including attachments are intended solely
> for the original recipient. If you are not the intended recipient or have
> received this message in error, please notify me immediately and delete
> this message from your computer system. Any unauthorized use or
> distribution is prohibited. Please consider the environment before printing
> this email.
> ** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at http://www.educause.edu/
> discuss.
>
>

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Re: [WIRELESS-LAN] AAA Override Bug?

2017-09-15 Thread Yahya M. Jaber 
I used to have 8.0.140.0 and now 8.0.140.9 both were working fine with AAA 
override.

Yahya Jaber.
CCIE Wireless.
055-869-7555
ITNC Engineering.
KAUST.



Sent from an Android

On Sep 15, 2017 17:39, Hector J Rios  wrote:

This week we identified a bug in our wireless software that is affecting 
eduroam. The behavior we are seeing is the following: when an LSU user connects 
to eduroam we look up their AD group membership. If it is a student, the user 
is placed on network “Y”; if it is an employee (faculty/staff), the user is 
placed on network “Z”. We have noticed employees being incorrectly placed on 
the student network (which is the default WLAN interface). We haven’t yet 
identified why this is happening but we are working with our Cisco. We do have 
AAA override enabled. We have WiSM2s running 8.0.140.0 code. We have confirmed 
that our RADIUS server is sending the correct VLAN id attribute. Anybody 
noticed the same behavior?



Hector Rios

Louisiana State University

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



This message and its contents including attachments are intended solely for the 
original recipient. If you are not the intended recipient or have received this 
message in error, please notify me immediately and delete this message from 
your computer system. Any unauthorized use or distribution is prohibited. 
Please consider the environment before printing this email.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

AAA Override Bug?

2017-09-15 Thread Hector J Rios 
This week we identified a bug in our wireless software that is affecting 
eduroam. The behavior we are seeing is the following: when an LSU user connects 
to eduroam we look up their AD group membership. If it is a student, the user 
is placed on network “Y”; if it is an employee (faculty/staff), the user is 
placed on network “Z”. We have noticed employees being incorrectly placed on 
the student network (which is the default WLAN interface). We haven’t yet 
identified why this is happening but we are working with our Cisco. We do have 
AAA override enabled. We have WiSM2s running 8.0.140.0 code. We have confirmed 
that our RADIUS server is sending the correct VLAN id attribute. Anybody 
noticed the same behavior?

Hector Rios
Louisiana State University

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

RE: [WIRELESS-LAN] Campus Wireless in Married or Family Student housing

2017-09-15 Thread Chuck Enfield 
Mike, our approach is the same as yours.  That said, it's not because of any 
significant legal obstacle.  In fact, we have a policy that you're not 
allowed on our network without an account (even if we don’t force you to log 
in, there is supposed to be some method to identify the user, such as 
requiring physical access controls for a wired port).  We make the resident 
students with dependents agree to this policy, then put them in a situation 
where they are forced to violate or their family will not have network 
access.

We considered three solutions to this problem:

1. Change the policy to exempt on-campus residences housing dependents. 
That would be easy, but it would be ugly, and at odds with the intent of our 
policy and sound practice.

2. We explored this with our Risk, Legal, and Identity Management staff. 
Everybody concluded that on-campus residency was sufficient to warrant 
issuing an account, and that we were better off providing university 
wireless with suitable access controls than we were to turn this 
responsibility over to the students.  The only thing we needed to address to 
implement it was a tweak to the accounts office processes for issuing 
accounts such that the student parent or guardian would agree to the network 
use terms and conditions for their non-student minor dependents.  We shifted 
our schedule around to move those buildings to the end of the project to 
provide time for the account process change, but no change was ever 
implemented.

3. Much as you said, we could treat them like apartments and let the local 
ISPs provide services to these buildings.  We considered this option viable, 
but thought that letting the family members use our network was preferable 
for both us and them.

Chuck Enfield
Manager, Wireless Engineering
Enterprise Networking & Communication Services
The Pennsylvania State University
110H, USB2, UP, PA 16802
ph: 814.863.8715
fx: 814.865.3988

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Davis
Sent: Friday, September 15, 2017 7:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Campus Wireless in Married or Family Student housing

I was wondering if anyone had policies or thoughts on wireless service in 
Married/Family student housing?   We've had an informal policy of not 
providing it and treating the units as "apartments" where the residents can 
purchase and install their own residential wifi.  The thought process (as 
handed down in oral history) is that servicing the APs in areas containing 
non-University students, had legal implications,etc..  The physical Apt's 
are in a "townhouse" style, and the university maintains the maintenance 
areas between units and even has Wired networking service to them.

We've been asked to review the policy and was looking for any input on the 
subject.

thanks
mike

--
  Mike Davis
  Systems Programmer V
  NSS - University of Delaware  - 302.831.8756
  Newark, DE  19716 Email da...@udel.edu

**
Participation and subscription information for this EDUCAUSE Constituent 
Group discussion list can be found at http://www.educause.edu/discuss.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Re: [WIRELESS-LAN] Campus Wireless in Married or Family Student housing

2017-09-15 Thread Julian Y Koh 
> On Sep 15, 2017, at 06:41, Michael Davis  wrote:
> 
> I was wondering if anyone had policies or thoughts on wireless service in
> Married/Family student housing? 

We have 2 buildings that provide family housing.  We offer the same services 
there as all the other residence halls.  

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: 
PGP Public Key: 

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

RE: [WIRELESS-LAN] Campus Wireless in Married or Family Student housing

2017-09-15 Thread Jim Pampinella 
What little is left of married student housing at Syracuse University receives 
the same services as the rest of student housing. At one time we had 35 
buildings dedicated to married student housing. With the development of off 
campus housing that is more conducive to married students with families we are 
down to 2 or 3 buildings (12 units each) with married students.

James A. Pampinella
IT Manager
Network and Wiring Services
T 315.443.5768   M 315.420.2246   F 315.443.4325    
japam...@syr.edu 
004 Machinery Hall, Syracuse, NY 13244
syr.edu | its.syr.edu  
Syracuse University

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Davis
Sent: Friday, September 15, 2017 7:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Campus Wireless in Married or Family Student housing

I was wondering if anyone had policies or thoughts on wireless service in 
Married/Family student housing?   We've had an informal policy of not providing 
it and treating the units as "apartments" where the residents can purchase and 
install their own residential wifi.  The thought process (as handed down in 
oral history) is that servicing the APs in areas containing non-University 
students, had legal implications,etc..  The physical Apt's are in a "townhouse" 
style, and the university maintains the maintenance areas between units and 
even has Wired networking service to them.

We've been asked to review the policy and was looking for any input on the 
subject.

thanks
mike

--
  Mike Davis
  Systems Programmer V
  NSS - University of Delaware  - 302.831.8756
  Newark, DE  19716 Email da...@udel.edu

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Campus Wireless in Married or Family Student housing

2017-09-15 Thread Michael Davis 

I was wondering if anyone had policies or thoughts on wireless service in
Married/Family student housing?   We've had an informal policy of not
providing it and treating the units as "apartments" where the residents
can purchase and install their own residential wifi.  The thought process
(as handed down in oral history) is that servicing the APs in areas 
containing

non-University students, had legal implications,etc..  The physical Apt's
are in a "townhouse" style, and the university maintains the maintenance
areas between units and even has Wired networking service to them.

We've been asked to review the policy and was looking for any input
on the subject.

thanks
mike

--
 Mike Davis
 Systems Programmer V
 NSS - University of Delaware  - 302.831.8756
 Newark, DE  19716 Email da...@udel.edu

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.