Re: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread Greg Briggs
Extreme has APs that can be cloud or controller based.  (and transferred
back and forth) I participated in the pilot for the cloud based offering
and it worked well.  We were considering that for a satellite location and
would have used it when our Meraki AP license lapsed, but that building is
currently unoccupied.  We currently use controllers (physical and
virtual) and are happy with that.  The controllers are not difficult to
set up and provide a lot in the way of features and management.  The
management cost difference between the two offerings wouldn't sway me
personally to go cloud based.  I highly recommend at least considering the
controller route.  Cloud based could be the right option for you, but it
might be a mistake to consider it a hard requirement.  The good news is
that with Extreme, if you start cloud based and change your mind, you can
with the same APs.  You can ask sales for a trial of the virtual
controller.  Support is great, and it was great when we were using the
cloud firmware also.  Our favorite AP is the 3912i because it works very
well in residence halls, which had been our biggest headache previously.

Greg Briggs
Network Manager
Pacific Lutheran University

On Thu, May 17, 2018 at 2:24 PM, John Rodkey  wrote:

> Those are good words to put in my mouth.  In addition to these operational
> benefits, there is a strong philosophical commitment at the C-level to
> cloud-based services whenever it is feasible, so we don't go with on-prem
> unless there is no feasible way to do it with cloud.
>
> I am very appreciative of the comments so far.  Thank you all for your
> input!
>
> I will say we are currently Meraki, have been Meraki since their very
> early days.  We are generally pleased with Meraki's controller
> capabilities, and not terribly excited to go to something else, but since
> this is a large investment and new game-changing players have come on the
> scene since 2008, it is a matter of due diligence to look at the options.
> Pricing is a real factor, and we have had some issues with support since
> the transfer to Cisco.  We have also had enough 'weird' problems with
> multiple clients being unable to maintain a reliable connection that we are
> looking at the possibility of global change (to get a whole new set of
> bugs, no doubt) in hopes of removing these problems.
>
> John
>
> On Thu, May 17, 2018 at 1:38 PM, Enfield III, Charles Albert <
> cae...@psu.edu> wrote:
>
>> I don’t want to put words in John’s mouth, but operating controllers
>> requires time and effort beyond what’s required to manage configurations.
>> Scaling, security, software upgrades, etc., all require resources but
>> contribute nothing to the user experience.  For us the benefits of hosting
>> our own controllers is worth it, but I understand that isn’t true for
>> everybody.  I’m not even sure it will always be true for us.  When the
>> benefits of controllers as traffic aggregators can be easily replaced with
>> SD fabrics, I’ll probably want cloud controllers too.  The details will
>> matter, but it’s where I think we’re going.
>>
>>
>>
>> Chuck Enfield
>> Manager, Wireless Engineering
>> Enterprise Networking & Communication Services
>> The Pennsylvania State University
>> 119L, USB2, UP, PA 16802
>> ph: 814.863.8715
>> fx: 814.865.3988
>>
>>
>>
>> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Peter P Morrissey
>> *Sent:* Thursday, May 17, 2018 4:30 PM
>> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> *Subject:* Re: [WIRELESS-LAN] Wireless Options
>>
>>
>>
>> Same here. I was also curious as to why it would be limited to cloud
>> based solutions. I would drill down a layer into the perceived benefits of
>> cloud based, and define it that way. Easier management requiring less staff
>> time and thus lower TCO and more ability to accomplish other activities?
>> Etc. Maybe.
>>
>>
>>
>> One of the disadvantages of cloud based solutions besides losing some
>> control and visibility is the ongoing costs. We love Meraki as much as
>> anyone, but the annual recurring licensing costs are rather steep and
>> should be carefully weighed against the benefits.
>>
>>
>>
>> Pete Morrissey
>>
>>
>>
>> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jake Snyder
>> *Sent:* Thursday, May 17, 2018 2:26 PM
>> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> *Subject:* Re: [WIRELESS-LAN] Wireless Options
>>
>>
>>
>> I’m curious about the requirement that controllers be “cloud based” and
>> what business requirement that maps to.
>>
>>
>>
>> Trying to understand what a cloud based controller gives your business
>> that an on-premises controller does not.  How that translates to better
>> experience, happier students or faster connectivity.
>>
>>
>>
>> Sent from my iPhone
>>
>>
>> On May 17, 2018, at 12:13 PM, Norton, Thomas (Network Operations) <
>> 

Re: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread John Rodkey
Those are good words to put in my mouth.  In addition to these operational
benefits, there is a strong philosophical commitment at the C-level to
cloud-based services whenever it is feasible, so we don't go with on-prem
unless there is no feasible way to do it with cloud.

I am very appreciative of the comments so far.  Thank you all for your
input!

I will say we are currently Meraki, have been Meraki since their very early
days.  We are generally pleased with Meraki's controller capabilities, and
not terribly excited to go to something else, but since this is a large
investment and new game-changing players have come on the scene since 2008,
it is a matter of due diligence to look at the options.  Pricing is a real
factor, and we have had some issues with support since the transfer to
Cisco.  We have also had enough 'weird' problems with multiple clients
being unable to maintain a reliable connection that we are looking at the
possibility of global change (to get a whole new set of bugs, no doubt) in
hopes of removing these problems.

John

On Thu, May 17, 2018 at 1:38 PM, Enfield III, Charles Albert  wrote:

> I don’t want to put words in John’s mouth, but operating controllers
> requires time and effort beyond what’s required to manage configurations.
> Scaling, security, software upgrades, etc., all require resources but
> contribute nothing to the user experience.  For us the benefits of hosting
> our own controllers is worth it, but I understand that isn’t true for
> everybody.  I’m not even sure it will always be true for us.  When the
> benefits of controllers as traffic aggregators can be easily replaced with
> SD fabrics, I’ll probably want cloud controllers too.  The details will
> matter, but it’s where I think we’re going.
>
>
>
> Chuck Enfield
> Manager, Wireless Engineering
> Enterprise Networking & Communication Services
> The Pennsylvania State University
> 119L, USB2, UP, PA 16802
> ph: 814.863.8715
> fx: 814.865.3988
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Peter P Morrissey
> *Sent:* Thursday, May 17, 2018 4:30 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Wireless Options
>
>
>
> Same here. I was also curious as to why it would be limited to cloud based
> solutions. I would drill down a layer into the perceived benefits of cloud
> based, and define it that way. Easier management requiring less staff time
> and thus lower TCO and more ability to accomplish other activities? Etc.
> Maybe.
>
>
>
> One of the disadvantages of cloud based solutions besides losing some
> control and visibility is the ongoing costs. We love Meraki as much as
> anyone, but the annual recurring licensing costs are rather steep and
> should be carefully weighed against the benefits.
>
>
>
> Pete Morrissey
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jake Snyder
> *Sent:* Thursday, May 17, 2018 2:26 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Wireless Options
>
>
>
> I’m curious about the requirement that controllers be “cloud based” and
> what business requirement that maps to.
>
>
>
> Trying to understand what a cloud based controller gives your business that
> an on-premises controller does not.  How that translates to better
> experience, happier students or faster connectivity.
>
>
>
> Sent from my iPhone
>
>
> On May 17, 2018, at 12:13 PM, Norton, Thomas (Network Operations) <
> tnort...@liberty.edu> wrote:
>
> I  highly recommend looking at Aruba as well.
>
>
>
> *T.J. Norton*
>
> *Wireless Network Architect*
> *Network Operations*
>
> *Office: (434) 592-6552 *
>
>
>
>
> *Liberty University  |  Training Champions for Christ since 1971*
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Trenton Hurt
> *Sent:* Thursday, May 17, 2018 2:11 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Wireless Options
>
>
>
> https://www.mist.com/
> 
>
>
>
> On Thu, May 17, 2018 at 2:10 PM John Rodkey  wrote:
>
> Our college - about 40 buildings, 1200 students, 3500 wireless clients per
> day, currently 310 WAPs - is considering a major upgrade in WAPs, replacing
> a number that are 9 years old and no longer supported.
>
>
>
> We could replace with the latest model of our existing vendor, but want to
> consider all the feasible 

RE: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread Enfield III, Charles Albert
I don’t want to put words in John’s mouth, but operating controllers requires 
time and effort beyond what’s required to manage configurations.  Scaling, 
security, software upgrades, etc., all require resources but contribute nothing 
to the user experience.  For us the benefits of hosting our own controllers is 
worth it, but I understand that isn’t true for everybody.  I’m not even sure it 
will always be true for us.  When the benefits of controllers as traffic 
aggregators can be easily replaced with SD fabrics, I’ll probably want cloud 
controllers too.  The details will matter, but it’s where I think we’re going.

Chuck Enfield
Manager, Wireless Engineering
Enterprise Networking & Communication Services
The Pennsylvania State University
119L, USB2, UP, PA 16802
ph: 814.863.8715
fx: 814.865.3988

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Peter P Morrissey
Sent: Thursday, May 17, 2018 4:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

Same here. I was also curious as to why it would be limited to cloud based 
solutions. I would drill down a layer into the perceived benefits of cloud 
based, and define it that way. Easier management requiring less staff time and 
thus lower TCO and more ability to accomplish other activities? Etc. Maybe.

One of the disadvantages of cloud based solutions besides losing some control 
and visibility is the ongoing costs. We love Meraki as much as anyone, but the 
annual recurring licensing costs are rather steep and should be carefully 
weighed against the benefits.

Pete Morrissey

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jake Snyder
Sent: Thursday, May 17, 2018 2:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

I’m curious about the requirement that controllers be “cloud based” and what 
business requirement that maps to.

Trying to understand what a cloud based controller gives your business that an 
on-premises controller does not.  How that translates to better experience, 
happier students or faster connectivity.

Sent from my iPhone

On May 17, 2018, at 12:13 PM, Norton, Thomas (Network Operations) wrote:
I highly recommend looking at Aruba as well.

T.J. Norton
Wireless Network Architect
Network Operations

Office: (434) 592-6552

Liberty University  |  Training Champions for Christ since 1971

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Trenton Hurt
Sent: Thursday, May 17, 2018 2:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

https://www.mist.com/

On Thu, May 17, 2018 at 2:10 PM John Rodkey wrote:
Our college - about 40 buildings, 1200 students, 3500 wireless clients per day, 
currently 310 WAPs - is considering a major upgrade in WAPs, replacing a number 
that are 9 years old and no longer supported.

We could replace with the latest model of our existing vendor, but want to 
consider all the feasible alternatives.  We have a hard requirement that the 
controller be cloud-based, the system deal well with Mac clients, understand 
VLANs and an enterprise quality network, and have a rich set of configuration, 
logging, monitoring, and troubleshooting tools for dealing both with clients 
and access points. Responsive support is also required, and unsurprisingly  
total system cost is a significant issue.

3 vendors come to mind:  Meraki, Ubiquiti, and Aerohive.

Questions:
 1) do other vendors come to mind that play well in this space?
 2) what are your positive experiences with any of the above?
 3) what are your negative experiences?
 4) have you recently gone through this analysis, and if so, what were your 
conclusions?
 5) what issues have you experienced with PoE capacity requirements with these 
devices?

John Rodkey
Director of Servers and Networks
Westmont College
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
** 

RE: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread Steve Hess
Definitely include Aruba in your list.  While no solution is perfect and
all have their quirks I’ve found Aruba to be a very solid solution, well
supported, with a large user base that can be utilized to bounce ideas and
problems off of.  As with most things the VAR you choose is often just as
important as the solution itself.  A bad VAR can make a great solution fail
miserably.  Good Luck!

Steve

Steve Hess
Manager of Networking and Telecommunications
Wheaton College – Massachusetts

*P* 508-286-3413
*F* 508-286-8270
*W* https://wheatoncollege.edu/


*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *John Rodkey
*Sent:* Thursday, May 17, 2018 2:10 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] Wireless Options



Our college - about 40 buildings, 1200 students, 3500 wireless clients per
day, currently 310 WAPs - is considering a major upgrade in WAPs, replacing
a number that are 9 years old and no longer supported.



We could replace with the latest model of our existing vendor, but want to
consider all the feasible alternatives.  We have a hard requirement that
the controller be cloud-based, the system deal well with Mac clients,
understand VLANs and an enterprise quality network, and have a rich set of
configuration, logging, monitoring, and troubleshooting tools for dealing
both with clients and access points. Responsive support is also required,
and unsurprisingly  total system cost is a significant issue.



3 vendors come to mind:  Meraki, Ubiquiti, and Aerohive.



Questions:

 1) do other vendors come to mind that play well in this space?

 2) what are your positive experiences with any of the above?

 3) what are your negative experiences?

 4) have you recently gone through this analysis, and if so, what were your
conclusions?

 5) what issues have you experienced with PoE capacity requirements with
these devices?



John Rodkey

Director of Servers and Networks

Westmont College




Re: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread Tolka, Bryan
Extreme Networks is a vendor I would suggest.



Sent from my iPhone

On May 17, 2018, at 2:50 PM, Matt Freitag wrote:

Another +1 on Aruba. We've also had varying experiences with their support but 
they are mostly positive experiences. The two negative experiences I had with 
their support went about like this:

  *   AP-125's spontaneously crash and reboot due to a memory management bug 
with no workaround. This went on for months while we were already replacing our 
AP-125's anyway because those went end-of-support a while ago, but their 
engineering group took months to release a fix to us.
  *   One single CPU in our data path module in our 7240s goes to 100% and 
causes authentication timeouts, increased ping times from our network monitor 
to our APs to the point that the network monitor says they're down, and users 
experience terribly slow connectivity. We saw the issue most when people were 
changing classes and increasing the load on the controller a lot with handling 
all the associations and disassociations, and the workaround roughly equated to 
"split the load between our controllers" which just hid the issue, and then 
when that began to fail us our school year ended and we haven't seen the issue 
since. We expect to see this again in the fall if Aruba doesn't release the fix 
to us over the summer. We've had a ticket open with them since October.

Overwhelmingly positive experience I had with their support tho: all APs on our 
campus would spontaneously reboot. Turns out this was due to a very well 
malformed UDP packet reaching the controller over the GRE tunnel between 
controller and AP causing the AP management process on the controller to hang. 
Since it was hung, the process stopped responding to heartbeat requests from 
the APs, APs would think the controller is down and reboot. Fix was enable 
control plane security which enables an IPSec tunnel between the APs and 
controller and IPSec packet validation mechanisms recognized the bad packets 
causing the bug as bad packets and silently discarded them which resolved our 
issue.

Side note for all the Aruba users, I personally recommend enabling cpsec on 
your controllers just to avoid this scenario and encrypt your user traffic on 
its way to the controller. Doing this will cause all your APs to reboot to 
establish tunnels to the controllers. Double check with your SE and/or Aruba 
TAC to check if there are any caveats to doing this in your environment but 
we've got 1,400 APs and are approaching 10k active users during the school year 
and haven't had a problem.

Back to the topic at hand: overall we've found the product itself is very 
stable and works well. We also stick with the conservative release branch 
because, while that branch doesn't have all the latest features, it's got all 
the stability and we're huge fans of stability here. The APs are easy to set 
up, reasonably priced, also solidly stable, the feature set you do have with 
your chosen release works well, etc. etc.


Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Thu, May 17, 2018 at 2:24 PM, Pramod Bhardwaj wrote:
I recommend Aruba as well, we moved to Aruba last year from Meru and very happy 
with it and no complaints for anyone so far. We have about 260 APs on both the 
campuses.

Pramod
Principal Manager of IT Infrastructure
MCC
(978) 656-3308

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
On Behalf Of James Moskwa
Sent: Thursday, May 17, 2018 2:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

You need to include Aruba in your list.

Regards,
-- Jim

Sr. Network Engineer
Information Technology Department
Johnson & Wales University
8 Abbott Park Place
Providence, RI 02903
Office: 401-598-1556
Mobile: 401-249-0579
eFax: 401-223-4998
Email: james.mos...@jwu.edu

Visit JWU Gateway to submit a ticket, get University 
forms, and more!


From: EDUCAUSE Listserv on behalf of John Rodkey
Reply-To: EDUCAUSE Listserv
Date: Thursday, May 17, 2018 at 2:10 PM
To: EDUCAUSE Listserv

Re: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread Matt Freitag
 Another +1 on Aruba. We've also had varying experiences with their support
but they are mostly positive experiences. The two negative experiences I
had with their support went about like this:

   - AP-125's spontaneously crash and reboot due to a memory management bug
   with no workaround. This went on for months while we were already replacing
   our AP-125's anyway because those went end-of-support a while ago, but
   their engineering group took months to release a fix to us.
   - One single CPU in our data path module in our 7240s goes to 100% and
   causes authentication timeouts, increased ping times from our network
   monitor to our APs to the point that the network monitor says they're down,
   and users experience terribly slow connectivity. We saw the issue most when
   people were changing classes and increasing the load on the controller a
   lot with handling all the associations and disassociations, and the
   workaround roughly equated to "split the load between our controllers"
   which just hid the issue, and then when that began to fail us our school
   year ended and we haven't seen the issue since. We expect to see this again
   in the fall if Aruba doesn't release the fix to us over the summer. We've
   had a ticket open with them since October.

Overwhelmingly positive experience I had with their support tho: all APs on
our campus would spontaneously reboot. Turns out this was due to a very
well malformed UDP packet reaching the controller over the GRE tunnel
between controller and AP causing the AP management process on the
controller to hang. Since it was hung, the process stopped responding to
heartbeat requests from the APs, APs would think the controller is down and
reboot. Fix was enable control plane security which enables an IPSec tunnel
between the APs and controller and IPSec packet validation mechanisms
recognized the bad packets causing the bug as bad packets and silently
discarded them which resolved our issue.

Side note for all the Aruba users, I personally recommend enabling cpsec on
your controllers just to avoid this scenario and encrypt your user traffic
on its way to the controller. Doing this will cause all your APs to reboot
to establish tunnels to the controllers. Double check with your SE and/or
Aruba TAC to check if there are any caveats to doing this in your
environment but we've got 1,400 APs and are approaching 10k active users
during the school year and haven't had a problem.

Back to the topic at hand: overall we've found the product itself is very
stable and works well. We also stick with the conservative release branch
because, while that branch doesn't have all the latest features, it's got
all the stability and we're huge fans of stability here. The APs are easy
to set up, reasonably priced, also solidly stable, the feature set you do
have with your chosen release works well, etc. etc.

Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Thu, May 17, 2018 at 2:24 PM, Pramod Bhardwaj <
bhard...@middlesex.mass.edu> wrote:

> I recommend Aruba as well, we moved to Aruba last year from Meru and very
> happy with it and no complaints for anyone so far. We have about 260 APs on
> both the campuses.
>
>
>
> *Pramod *
>
> Principal Manager of IT Infrastructure
>
> MCC
>
> (978) 656-3308
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *James Moskwa
> *Sent:* Thursday, May 17, 2018 2:22 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Wireless Options
>
>
>
> You need to include Aruba in your list.
>
>
>
> Regards,
>
> -- Jim
>
>
>
> Sr. Network Engineer
>
> Information Technology Department
>
> Johnson & Wales University
>
> 8 Abbott Park Place
>
> Providence, RI 02903
>
> Office: 401-598-1556
>
> Mobile: 401-249-0579
>
> eFax: 401-223-4998
>
> Email: james.mos...@jwu.edu
>
>
>
> *Visit JWU Gateway to submit a ticket, get
> University forms, and more!*
>
>
>
>
>
> *From: *EDUCAUSE Listserv  on behalf
> of John Rodkey 
> *Reply-To: *EDUCAUSE Listserv 
> *Date: *Thursday, May 17, 2018 at 2:10 PM
> *To: *EDUCAUSE Listserv 
> *Subject: *[WIRELESS-LAN] Wireless Options
>
>
>
> Our college - about 40 buildings, 1200 students, 3500 wireless clients per
> day, currently 310 WAPs - is considering a major upgrade in WAPs, replacing
> a number that are 9 years old and no 
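
An added example, not part of the thread and not vendor code: the two failure patterns Matt Freitag describes look different in the event record, with individual AP crashes appearing as scattered single-AP reboots and a controller that stops answering heartbeats appearing as most of its APs rebooting within moments of each other. The sketch below separates the two. The log format, controller and AP names, inventory counts, and thresholds are all assumptions constructed for illustration.

```python
"""Separate isolated AP crashes from a controller-wide reboot storm."""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed, simplified format (not a vendor
# log format): "<ISO timestamp> <controller> <ap-name> <event>"
SAMPLE_LOG = """\
2018-03-01T08:10:00 ctrl-a ap-res-03 reboot
2018-03-01T09:15:02 ctrl-a ap-lib-01 reboot
2018-03-01T09:15:04 ctrl-a ap-lib-02 reboot
2018-03-01T09:15:05 ctrl-a ap-res-03 reboot
2018-03-01T09:15:09 ctrl-a ap-res-04 reboot
2018-03-01T09:15:10 ctrl-b ap-sci-01 reboot
2018-03-01T09:15:30 ctrl-a ap-gym-01 reboot
2018-03-01T09:16:40 ctrl-a ap-lib-01 up
this line is malformed and must be skipped
2018-03-01T13:40:00 ctrl-a ap-res-03 reboot
"""

# Assumed inventory: number of APs homed on each controller.
FLEET = {"ctrl-a": 6, "ctrl-b": 4}


def parse_events(text):
    """Return sorted (timestamp, controller, ap) tuples for reboot events."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != "reboot":
            continue  # blank, malformed, or not a reboot event
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp
        events.append((ts, parts[1], parts[2]))
    return sorted(events)


def find_storms(events, fleet, window=timedelta(seconds=120), min_fraction=0.5):
    """Find windows in which at least min_fraction of a controller's APs reboot.

    Returns a list of (controller, first_ts, last_ts, sorted_ap_names).
    """
    by_ctrl = defaultdict(list)
    for ts, ctrl, ap in events:
        by_ctrl[ctrl].append((ts, ap))
    storms = []
    for ctrl in sorted(by_ctrl):
        if ctrl not in fleet:
            continue  # no inventory, so no meaningful fraction
        # Never call a single AP a storm, however small the fleet.
        need = max(2, math.ceil(fleet[ctrl] * min_fraction))
        evs = by_ctrl[ctrl]  # time-ordered because events is sorted
        i = 0
        while i < len(evs):
            j, aps = i, set()
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                aps.add(evs[j][1])
                j += 1
            if len(aps) >= need:
                storms.append((ctrl, evs[i][0], evs[j - 1][0], sorted(aps)))
                i = j  # continue after the storm
            else:
                i += 1
    return storms


def isolated_reboots(events, storms):
    """Count reboots per AP that fall outside every storm window."""
    counts = Counter()
    for ts, ctrl, ap in events:
        in_storm = any(c == ctrl and start <= ts <= end
                       for c, start, end, _ in storms)
        if not in_storm:
            counts[ap] += 1
    return counts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    storms = find_storms(evs, FLEET)
    for ctrl, start, end, aps in storms:
        print(f"{ctrl}: {len(aps)}/{FLEET[ctrl]} APs rebooted "
              f"{start:%H:%M:%S}-{end:%H:%M:%S}: check the controller")
    for ap, n in isolated_reboots(evs, storms).items():
        if n >= 2:
            print(f"{ap}: {n} isolated reboots: check the AP")
```

A storm points the investigation at the controller or the AP-to-controller path; repeated isolated reboots of one AP point at that AP's hardware or firmware.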

Re: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread Jeffrey D. Sessler
We are using Meraki (cloud) as well as Cisco (controller). For the cloud 
requirement, the Meraki is really easy to set up and manage and they have both 
small as well as very large enterprise deployments. The interface is great, and 
like other cloud offerings, you get out of the management of 
controllers/software updates. Meraki pretty much owns K-12, where the 
simplicity is a huge plus over the traditional on-prem controller designs. The 
cloud managed switches/security devices are also easy to manage. Support is top 
notch too.

If you are considering controller-based, my consortium currently uses both 
Aruba and Cisco, although the Aruba schools have recently made the decision to 
move to Cisco. If you’d like to hear information on both, contact me off-list. 
No need to start a “Ford vs Chevy” debate on the list.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of John Rodkey
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Thursday, May 17, 2018 at 11:10 AM
To: "wireless-lan@listserv.educause.edu"
Subject: [WIRELESS-LAN] Wireless Options

Our college - about 40 buildings, 1200 students, 3500 wireless clients per day, 
currently 310 WAPs - is considering a major upgrade in WAPs, replacing a number 
that are 9 years old and no longer supported.

We could replace with the latest model of our existing vendor, but want to 
consider all the feasible alternatives.  We have a hard requirement that the 
controller be cloud-based, the system deal well with Mac clients, understand 
VLANs and an enterprise quality network, and have a rich set of configuration, 
logging, monitoring, and troubleshooting tools for dealing both with clients 
and access points. Responsive support is also required, and unsurprisingly  
total system cost is a significant issue.

3 vendors come to mind:  Meraki, Ubiquiti, and Aerohive.

Questions:
 1) do other vendors come to mind that play well in this space?
 2) what are your positive experiences with any of the above?
 3) what are your negative experiences?
 4) have you recently gone through this analysis, and if so, what were your 
conclusions?
 5) what issues have you experienced with PoE capacity requirements with these 
devices?

John Rodkey
Director of Servers and Networks
Westmont College



RE: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread Patrick Mauretti
  1.  I recommend Aruba as well.
  2.  The AP’s are rock solid, reasonably priced, and easy to set up.
  3.  I have had varying experiences with support, licensing, and with upgrades 
(both good and bad).
  4.  I would ask why you have a requirement that the controller be cloud-based 
in this section.
  5.  The 300 series supports both PoE.af and .at, adjusting AP capabilities as 
needed

-Patrick

Patrick Mauretti
Sr. Network Admin
Massasoit Community College
1 Massasoit Blvd
Brockton, MA 02302
508-588-9100 x1660


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of John Rodkey
Sent: Thursday, May 17, 2018 2:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Options

Our college - about 40 buildings, 1200 students, 3500 wireless clients per day, 
currently 310 WAPs - is considering a major upgrade in WAPs, replacing a number 
that are 9 years old and no longer supported.

We could replace with the latest model of our existing vendor, but want to 
consider all the feasible alternatives.  We have a hard requirement that the 
controller be cloud-based, the system deal well with Mac clients, understand 
VLANs and an enterprise quality network, and have a rich set of configuration, 
logging, monitoring, and troubleshooting tools for dealing both with clients 
and access points. Responsive support is also required, and unsurprisingly  
total system cost is a significant issue.

3 vendors come to mind:  Meraki, Ubiquiti, and Aerohive.

Questions:
 1) do other vendors come to mind that play well in this space?
 2) what are your positive experiences with any of the above?
 3) what are your negative experiences?
 4) have you recently gone through this analysis, and if so, what were your 
conclusions?
 5) what issues have you experienced with PoE capacity requirements with these 
devices?

John Rodkey
Director of Servers and Networks
Westmont College



Re: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread Jake Snyder
I’m curious about the requirement that controllers be “cloud based” and what 
business requirement that maps to.

Trying to understand what a cloud based controller gives your business that an 
on-premises controller does not.  How that translates to better experience, 
happier students or faster connectivity. 

Sent from my iPhone

> On May 17, 2018, at 12:13 PM, Norton, Thomas (Network Operations) wrote:
> 
> I  highly recommend looking at Aruba as well.
>  
> T.J. Norton
> Wireless Network Architect
> Network Operations 
> 
> Office: (434) 592-6552 
>  
> 
> 
> Liberty University  |  Training Champions for Christ since 1971
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Trenton Hurt
> Sent: Thursday, May 17, 2018 2:11 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Wireless Options
>  
> https://www.mist.com/
>  
> On Thu, May 17, 2018 at 2:10 PM John Rodkey  wrote:
> Our college - about 40 buildings, 1200 students, 3500 wireless clients per 
> day, currently 310 WAPs - is considering a major upgrade in WAPs, replacing a 
> number that are 9 years old and no longer supported.
>  
> We could replace with the latest model of our existing vendor, but want to 
> consider all the feasible alternatives.  We have a hard requirement that the 
> controller be cloud-based, the system deal well with Mac clients, understand 
> VLANs and an enterprise quality network, and have a rich set of 
> configuration, logging, monitoring, and troubleshooting tools for dealing 
> both with clients and access points. Responsive support is also required, and 
> unsurprisingly, total system cost is a significant issue.
>  
> 3 vendors come to mind:  Meraki, Ubiquiti, and Aerohive.
>  
> Questions:
>  1) do other vendors come to mind that play well in this space?
>  2) what are your positive experiences with any of the above?
>  3) what are your negative experiences?
>  4) have you recently gone through this analysis, and if so, what were your 
> conclusions?
>  5) what issues have you experienced with PoE capacity requirements with 
> these devices?
>  
> John Rodkey
> Director of Servers and Networks
> Westmont College




RE: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread Chris Adams (IT)
We use Aerohive, we are approaching ~1,900 WAPs across 5 campuses.

2) Our experience with the product has overall been good, we’ve seen good 
hardware options available and have seen continuous improvement in the 
management system. The newer system fixes many of our issues with the legacy 
classic management system such as log retention periods. PPSK has worked very 
well in our dorms and for IOT devices that don’t play well with dot1x. We love 
the AP250 with the first radio being SDR, having 2x 5ghz radios on the same WAP 
has been very beneficial to us.
3) Aerohive has somewhat recently fixed my 2 biggest areas of grief: they now 
offer a wall plate hospitality WAP which has made some of our dorms much more 
tenable to upgrade. Additionally, log retention for reporting is improved with 
NG, we used to only get 3-5 days within hivemanager itself.
5) No fault of Aerohive, but on some 802.3af WAPs, our switches (Aruba/HPE) 
were allocating the max wattage rather than actual or requested wattage which 
caused some challenges with power budgeting. This has been circumvented with an 
obscure CLI command.

Cloud-style management rather than controller has been a big key. We ended up 
adding 4 additional campuses to our original deployment without having to be 
concerned about rolling extra controller hardware or failover licensing. Only 
the cost of the WAP hardware and its support. We run all of our WAPs on an 
on-premise VM but since it isn’t required for their operation, we have been 
able to do mid-day fixes and upgrades without disrupting connectivity.

Thanks,

Chris Adams, CISSP

Assistant CIO, Network & Telecom
Division of Information Technology
University of North Georgia

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of John Rodkey
Sent: Thursday, May 17, 2018 2:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Options

Our college - about 40 buildings, 1200 students, 3500 wireless clients per day, 
currently 310 WAPs - is considering a major upgrade in WAPs, replacing a number 
that are 9 years old and no longer supported.

We could replace with the latest model of our existing vendor, but want to 
consider all the feasible alternatives.  We have a hard requirement that the 
controller be cloud-based, the system deal well with Mac clients, understand 
VLANs and an enterprise quality network, and have a rich set of configuration, 
logging, monitoring, and troubleshooting tools for dealing both with clients 
and access points. Responsive support is also required, and unsurprisingly, 
total system cost is a significant issue.

3 vendors come to mind:  Meraki, Ubiquiti, and Aerohive.

Questions:
 1) do other vendors come to mind that play well in this space?
 2) what are your positive experiences with any of the above?
 3) what are your negative experiences?
 4) have you recently gone through this analysis, and if so, what were your 
conclusions?
 5) what issues have you experienced with PoE capacity requirements with these 
devices?

John Rodkey
Director of Servers and Networks
Westmont College



Re: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread James Moskwa
You need to include Aruba in your list.

Regards,
-- Jim

Sr. Network Engineer
Information Technology Department
Johnson & Wales University
8 Abbott Park Place
Providence, RI 02903
Office: 401-598-1556
Mobile: 401-249-0579
eFax: 401-223-4998
Email: james.mos...@jwu.edu

Visit JWU Gateway to submit a ticket, get University 
forms, and more!


From: EDUCAUSE Listserv  on behalf of John 
Rodkey 
Reply-To: EDUCAUSE Listserv 
Date: Thursday, May 17, 2018 at 2:10 PM
To: EDUCAUSE Listserv 
Subject: [WIRELESS-LAN] Wireless Options

Our college - about 40 buildings, 1200 students, 3500 wireless clients per day, 
currently 310 WAPs - is considering a major upgrade in WAPs, replacing a number 
that are 9 years old and no longer supported.

We could replace with the latest model of our existing vendor, but want to 
consider all the feasible alternatives.  We have a hard requirement that the 
controller be cloud-based, the system deal well with Mac clients, understand 
VLANs and an enterprise quality network, and have a rich set of configuration, 
logging, monitoring, and troubleshooting tools for dealing both with clients 
and access points. Responsive support is also required, and unsurprisingly, 
total system cost is a significant issue.

3 vendors come to mind:  Meraki, Ubiquiti, and Aerohive.

Questions:
 1) do other vendors come to mind that play well in this space?
 2) what are your positive experiences with any of the above?
 3) what are your negative experiences?
 4) have you recently gone through this analysis, and if so, what were your 
conclusions?
 5) what issues have you experienced with PoE capacity requirements with these 
devices?

John Rodkey
Director of Servers and Networks
Westmont College



RE: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread Ian Lyons
Aruba as well.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Norton, Thomas (Network 
Operations)
Sent: Thursday, May 17, 2018 2:14 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

I highly recommend looking at Aruba as well.

T.J. Norton
Wireless Network Architect
Network Operations

Office: (434) 592-6552


Liberty University  |  Training Champions for Christ since 1971

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Trenton Hurt
Sent: Thursday, May 17, 2018 2:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

https://www.mist.com/

On Thu, May 17, 2018 at 2:10 PM John Rodkey wrote:
Our college - about 40 buildings, 1200 students, 3500 wireless clients per day, 
currently 310 WAPs - is considering a major upgrade in WAPs, replacing a number 
that are 9 years old and no longer supported.

We could replace with the latest model of our existing vendor, but want to 
consider all the feasible alternatives.  We have a hard requirement that the 
controller be cloud-based, the system deal well with Mac clients, understand 
VLANs and an enterprise quality network, and have a rich set of configuration, 
logging, monitoring, and troubleshooting tools for dealing both with clients 
and access points. Responsive support is also required, and unsurprisingly, 
total system cost is a significant issue.

3 vendors come to mind:  Meraki, Ubiquiti, and Aerohive.

Questions:
 1) do other vendors come to mind that play well in this space?
 2) what are your positive experiences with any of the above?
 3) what are your negative experiences?
 4) have you recently gone through this analysis, and if so, what were your 
conclusions?
 5) what issues have you experienced with PoE capacity requirements with these 
devices?

John Rodkey
Director of Servers and Networks
Westmont College



RE: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread Norton, Thomas (Network Operations)
I highly recommend looking at Aruba as well.

T.J. Norton
Wireless Network Architect
Network Operations

Office: (434) 592-6552


Liberty University  |  Training Champions for Christ since 1971

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Trenton Hurt
Sent: Thursday, May 17, 2018 2:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

https://www.mist.com/

On Thu, May 17, 2018 at 2:10 PM John Rodkey wrote:
Our college - about 40 buildings, 1200 students, 3500 wireless clients per day, 
currently 310 WAPs - is considering a major upgrade in WAPs, replacing a number 
that are 9 years old and no longer supported.

We could replace with the latest model of our existing vendor, but want to 
consider all the feasible alternatives.  We have a hard requirement that the 
controller be cloud-based, the system deal well with Mac clients, understand 
VLANs and an enterprise quality network, and have a rich set of configuration, 
logging, monitoring, and troubleshooting tools for dealing both with clients 
and access points. Responsive support is also required, and unsurprisingly, 
total system cost is a significant issue.

3 vendors come to mind:  Meraki, Ubiquiti, and Aerohive.

Questions:
 1) do other vendors come to mind that play well in this space?
 2) what are your positive experiences with any of the above?
 3) what are your negative experiences?
 4) have you recently gone through this analysis, and if so, what were your 
conclusions?
 5) what issues have you experienced with PoE capacity requirements with these 
devices?

John Rodkey
Director of Servers and Networks
Westmont College



Re: [WIRELESS-LAN] Wireless Options

2018-05-17 Thread Trenton Hurt
https://www.mist.com/

On Thu, May 17, 2018 at 2:10 PM John Rodkey  wrote:

> Our college - about 40 buildings, 1200 students, 3500 wireless clients per
> day, currently 310 WAPs - is considering a major upgrade in WAPs, replacing
> a number that are 9 years old and no longer supported.
>
> We could replace with the latest model of our existing vendor, but want to
> consider all the feasible alternatives.  We have a hard requirement that
> the controller be cloud-based, the system deal well with Mac clients,
> understand VLANs and an enterprise quality network, and have a rich set of
> configuration, logging, monitoring, and troubleshooting tools for dealing
> both with clients and access points. Responsive support is also required,
> and unsurprisingly, total system cost is a significant issue.
>
> 3 vendors come to mind:  Meraki, Ubiquiti, and Aerohive.
>
> Questions:
>  1) do other vendors come to mind that play well in this space?
>  2) what are your positive experiences with any of the above?
>  3) what are your negative experiences?
>  4) have you recently gone through this analysis, and if so, what were
> your conclusions?
>  5) what issues have you experienced with PoE capacity requirements with
> these devices?
>
> John Rodkey
> Director of Servers and Networks
> Westmont College



Wireless Options

2018-05-17 Thread John Rodkey
Our college - about 40 buildings, 1200 students, 3500 wireless clients per
day, currently 310 WAPs - is considering a major upgrade in WAPs, replacing
a number that are 9 years old and no longer supported.

We could replace with the latest model of our existing vendor, but want to
consider all the feasible alternatives.  We have a hard requirement that
the controller be cloud-based, the system deal well with Mac clients,
understand VLANs and an enterprise quality network, and have a rich set of
configuration, logging, monitoring, and troubleshooting tools for dealing
both with clients and access points. Responsive support is also required,
and unsurprisingly, total system cost is a significant issue.

3 vendors come to mind:  Meraki, Ubiquiti, and Aerohive.

Questions:
 1) do other vendors come to mind that play well in this space?
 2) what are your positive experiences with any of the above?
 3) what are your negative experiences?
 4) have you recently gone through this analysis, and if so, what were your
conclusions?
 5) what issues have you experienced with PoE capacity requirements with
these devices?

John Rodkey
Director of Servers and Networks
Westmont College




RE: Anyone have experience with wireless lighting and control systems?

2018-05-17 Thread Hector J Rios
I know Lutron is a great company with great products but I also know they are 
very expensive. Unlike Eaton, Lutron also uses proprietary frequencies (I 
believe Clear Connect works in the 400s), which from a wireless coexistence 
perspective is excellent, but it comes with the higher price tag. Zigbee and 
Z-wave are two very popular communication protocols and are very affordable. 
Zigbee in particular does share the spectrum with WiFi, but only in the 2.4GHz 
band. The short article below provides good information on the coexistence of 
these two protocols.

https://www.metageek.com/training/resources/zigbee-wifi-coexistence.html

Best,

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Dickson
Sent: Thursday, May 17, 2018 10:44 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Anyone have experience with wireless lighting and 
control systems?


Hi Manny,



I'm curious, why is your facilities department looking to replace Lutron? We 
are being asked to look at them as a lighting control solution on our campus.



Thanks,

Mike


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Manuel Amaral
Sent: Tuesday, April 3, 2018 2:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Anyone have experience with wireless lighting and 
control systems?


Our facilities department is looking to upgrade some of our lighting 
infrastructure to use lower power LED light fixtures.  One of the proposals is 
to replace all the lighting and the existing Lutron lighting control system 
with a relatively new Eaton WaveLinx wireless lighting system.



Unfortunately, the vendors who came in couldn't even explain what spectrum(s) 
the infrastructure would run on.  A quick review indicates that the controllers 
operate on WiFi or wired LAN for control access and 802.15.4 for communication 
(@ 2.4MHz) between all the various devices (dimmers, switches, occupancy 
sensors, lights, etc).  Each controller currently operates as a standalone 
since they still don't have a centralized management environment and they're 
single user access only.



We're particularly concerned about any potential interference issues that might 
arise within our existing and future wireless environments.  I was wondering 
whether anyone has any familiarity with this or similar environments and 
whether you'd be willing to share your thoughts and experiences on them.





Regards,

Manny

---

Manuel (Manny) Amaral

Director, Information Technology Operations

781-292-2433 | www.olin.edu






Leading the Revolution in Engineering Education




We will never ask you for your password!







Re: Anyone have experience with wireless lighting and control systems?

2018-05-17 Thread Michael Dickson
Hi Manny,


I'm curious, why is your facilities department looking to replace Lutron? We 
are being asked to look at them as a lighting control solution on our campus.


Thanks,

Mike



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Manuel Amaral 

Sent: Tuesday, April 3, 2018 2:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Anyone have experience with wireless lighting and 
control systems?


Our facilities department is looking to upgrade some of our lighting 
infrastructure to use lower power LED light fixtures.  One of the proposals is 
to replace all the lighting and the existing Lutron lighting control system 
with a relatively new Eaton WaveLinx wireless lighting system.



Unfortunately, the vendors who came in couldn’t even explain what spectrum(s) 
the infrastructure would run on.  A quick review indicates that the controllers 
operate on WiFi or wired LAN for control access and 802.15.4 for communication 
(@ 2.4MHz) between all the various devices (dimmers, switches, occupancy 
sensors, lights, etc).  Each controller currently operates as a standalone 
since they still don’t have a centralized management environment and they’re 
single user access only.



We’re particularly concerned about any potential interference issues that might 
arise within our existing and future wireless environments.  I was wondering 
whether anyone has any familiarity with this or similar environments and 
whether you’d be willing to share your thoughts and experiences on them.





Regards,

Manny

---

Manuel (Manny) Amaral

Director, Information Technology Operations

781-292-2433 | www.olin.edu






Leading the Revolution in Engineering Education




We will never ask you for your password!








Re: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

2018-05-17 Thread Turner, Ryan H
That is exactly what my last message was talking about.

From: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"  
on behalf of "Osborne, Bruce W (Network Operations)" 
Reply-To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 

Date: Thursday, May 17, 2018 at 7:22 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

While I agree with Ryan and others about user / client certificates, I believe 
the original topic was RADIUS Server certificates, not user.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Turner, Ryan H [mailto:rhtur...@email.unc.edu]
Sent: Wednesday, May 16, 2018 2:56 PM
Subject: Re: Rotating 802.1x RADIUS CA certificate

I definitely echo the comment about private CAs for your RADIUS.  Control your 
own destiny.  If your users are getting onboarded, then private CA chains 
should get installed as part of the process, as well.  We learned this from a 
swap out from a GoDaddy chain that was being deprecated before we made the 
wholesale switch to TLS.   That was one of the major reasons we went to eduroam 
as our primary SSID.  At the time, we were running people through a branded 
SSID called UNC-Secure.  When we realized we were going to need to swap out 
RADIUS certs, we just stopped onboarding folks to UNC-Secure, and instead 
onboarded them to eduroam.  The eduroam backend RADIUS servers were totally 
different than the UNC-Secure RADIUS servers, and it made the change-out non 
disruptive to our folks.  Otherwise there would have been a date where we had 
to tell everyone to ‘enroll again’ because they would not have trusted the new 
chain.  Twas lots of fun…



Ryan Turner
Senior Manager of Networking
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
On Behalf Of Oakes, Carl W
Sent: Wednesday, May 16, 2018 2:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

We did similar stuff but went with SHA512, and it bit us, so I'd go with SHA256.
The SHA512 issue was very subtle, but if a Windows box went from v7 -> v8 -> 
v10, or v7 -> v10, there's a chance it would miss a specific update that 
enabled SHA512.  It was a BEAR to find, but now that we know it and why, 
quickly resolved.  Out of about 90,000 overall (all platforms) devices, we 
ended up with less than 50 in that case.

Other than that, long term self-signed CA's and Certs is the way to go for the 
RADIUS server!   No more embarrassing swap outs. :)

Carl Oakes
Information Resources and Technology
California State University Sacramento



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
On Behalf Of Matt Freitag
Sent: Wednesday, May 16, 2018 10:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

We went through this not long ago. The root cert in our chain is valid until 
2028, and the one intermediate is valid until 2024, so we were able to maintain 
the same chain and just swap out our server cert with pretty much zero pain. 
Some warnings about how the cert changed but we told our users well ahead of 
time that they needed to expect this and this time it's OK to ignore and OK 
their way through any warnings.

We just use SHA256 with a key length of 4096 bits. We do not use our own CA on 
the server that I'm looking at, our certificate is a GlobalSign one.


Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Wed, May 16, 2018 at 12:02 PM, Turner, Ryan H wrote:
We still use SHA2 256 bit certificates with a 2048 length.  When I was doing 
research on this a few years ago, I believe there was extra processing power 
required once you went above 256bit (requires an additional computation).  I 
could be completely wrong about that, but we have had mass deployment of user 
certificates for over 5 years with that setup without any issue.  I don't see 
any reason to get cute with hashing algorithms at this point or length at this 
point as it might cause you more grief than it is worth.


Ryan Turner
Senior Manager of Networking
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
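
The rotation outcomes reported in this thread (new server cert under the same chain, a SHA-512 signature, a completely new chain) can be rehearsed in a throwaway lab before touching production RADIUS. The script below is an added example, not part of any list member's message; the CA names, `radius.example.edu`, the verdict strings and the policy of flagging any non-SHA-256 digest for client testing are assumptions of this example.

```shell
#!/bin/sh
# Added example: constructed lab. CA names, radius.example.edu and the verdict
# strings are placeholders/assumptions, not values taken from the thread.

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
CFG="$LAB/openssl.cnf"

# Private config so the run does not depend on the system openssl.cnf.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF

# make_ca DIR "Common Name": long-lived self-signed private CA (SHA-256).
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$CFG" -extensions v3_ca -subj "/O=Example Campus/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_server CA_DIR OUT_PREFIX [DIGEST]: RADIUS server cert signed by CA_DIR.
issue_server() {
    digest="${3:-sha256}"
    openssl req -new -newkey rsa:2048 -nodes -config "$CFG" \
        -subj "/O=Example Campus/CN=radius.example.edu" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -"$digest" -days 825 \
        -extfile "$CFG" -extensions v3_srv -out "$2.pem" 2>/dev/null
}

# client_trusts PINNED_CA_PEM SERVER_PEM: what an onboarded supplicant that
# pins PINNED_CA_PEM would decide about SERVER_PEM.
client_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# sig_alg CERT_PEM: signature algorithm of the certificate itself.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

# rotation_impact PINNED_CA_PEM NEW_SERVER_PEM
#   re-enroll             new cert does not chain to what clients already trust
#   chain-ok-check-digest chain is fine, but the digest is not SHA-256, so test
#                         on older clients first (example policy, see lead-in)
#   transparent           same trust anchor, SHA-256: a plain server cert swap
rotation_impact() {
    if ! client_trusts "$1" "$2"; then
        echo "re-enroll"
        return 0
    fi
    case "$(sig_alg "$2")" in
        sha256*) echo "transparent" ;;
        *)       echo "chain-ok-check-digest" ;;
    esac
}

make_ca "$LAB/ca_current" "Example RADIUS CA A"
make_ca "$LAB/ca_new"     "Example RADIUS CA B"
issue_server "$LAB/ca_current" "$LAB/srv_renewed"  sha256
issue_server "$LAB/ca_current" "$LAB/srv_sha512"   sha512
issue_server "$LAB/ca_new"     "$LAB/srv_newchain" sha256

# Clients were onboarded with CA A only.
for c in srv_renewed srv_sha512 srv_newchain; do
    printf '%-14s %-24s %s\n' "$c" "$(sig_alg "$LAB/$c.pem")" \
        "$(rotation_impact "$LAB/ca_current/ca.pem" "$LAB/$c.pem")"
done
```
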

RE: Rotating 802.1x RADIUS CA certificate

2018-05-17 Thread Osborne, Bruce W (Network Operations)
While I agree with Ryan and others about user / client certificates, I believe 
the original topic was RADIUS Server certificates, not user.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Turner, Ryan H [mailto:rhtur...@email.unc.edu]
Sent: Wednesday, May 16, 2018 2:56 PM
Subject: Re: Rotating 802.1x RADIUS CA certificate

I definitely echo the comment about private CAs for your RADIUS.  Control your 
own destiny.  If your users are getting onboarded, then private CA chains 
should get installed as part of the process, as well.  We learned this from a 
swap out from a GoDaddy chain that was being deprecated before we made the 
wholesale switch to TLS.   That was one of the major reasons we went to eduroam 
as our primary SSID.  At the time, we were running people through a branded 
SSID called UNC-Secure.  When we realized we were going to need to swap out 
RADIUS certs, we just stopped onboarding folks to UNC-Secure, and instead 
onboarded them to eduroam.  The eduroam backend RADIUS servers were totally 
different than the UNC-Secure RADIUS servers, and it made the change-out non 
disruptive to our folks.  Otherwise there would have been a date where we had 
to tell everyone to ‘enroll again’ because they would not have trusted the new 
chain.  Twas lots of fun…



Ryan Turner
Senior Manager of Networking
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
On Behalf Of Oakes, Carl W
Sent: Wednesday, May 16, 2018 2:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

We did similar stuff but went with SHA512, and it bit us, so I'd go with SHA256.
The SHA512 issue was very subtle, but if a Windows box went from v7 -> v8 -> 
v10, or v7 -> v10, there's a chance it would miss a specific update that 
enabled SHA512.  It was a BEAR to find, but now that we know it and why, 
quickly resolved.  Out of about 90,000 overall (all platforms) devices, we 
ended up with less than 50 in that case.

Other than that, long term self-signed CA's and Certs is the way to go for the 
RADIUS server!   No more embarrassing swap outs. :)

Carl Oakes
Information Resources and Technology
California State University Sacramento



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
On Behalf Of Matt Freitag
Sent: Wednesday, May 16, 2018 10:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

We went through this not long ago. The root cert in our chain is valid until 
2028, and the one intermediate is valid until 2024, so we were able to maintain 
the same chain and just swap out our server cert with pretty much zero pain. 
Some warnings about how the cert changed but we told our users well ahead of 
time that they needed to expect this and this time it's OK to ignore and OK 
their way through any warnings.

We just use SHA256 with a key length of 4096 bits. We do not use our own CA on 
the server that I'm looking at, our certificate is a GlobalSign one.


Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Wed, May 16, 2018 at 12:02 PM, Turner, Ryan H wrote:
We still use SHA2 256 bit certificates with a 2048 length.  When I was doing 
research on this a few years ago, I believe there was extra processing power 
required once you went above 256bit (requires an additional computation).  I 
could be completely wrong about that, but we have had mass deployment of user 
certificates for over 5 years with that setup without any issue.  I don't see 
any reason to get cute with hashing algorithms at this point or length at this 
point as it might cause you more grief than it is worth.


Ryan Turner
Senior Manager of Networking
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
On Behalf Of James Andrewartha
Sent: Tuesday, May 15, 2018 11:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

Hi all,

While debugging another problem (Windows 10