Re: [WIRELESS-LAN] Wireless Segmentation and NAC

2021-01-25 Thread Curtis, Bruce
Now might be a good time to consider a Zero Trust Network Architecture.

As mentioned on the page to download the NIST Zero Trust Network Architecture 
document

"Zero trust focuses on protecting resources (assets, services, workflows, 
network accounts, etc.), not network segments, as the network location is no 
longer seen as the prime component to the security posture of the resource."

https://csrc.nist.gov/publications/detail/sp/800-207/final

The document itself says

"Zero trust provides a set of principles and concepts around moving the 
PDP/PEPs closer to the resource. The idea is to explicitly authenticate and 
authorize all subjects, assets and workflows that make up the enterprise."

That is NIST-speak saying one of the principles of Zero Trust is to protect a 
resource as close as possible to the resource.  An example of a resource is 
information on a server, etc.  NAC is the opposite: NAC is trying to protect a 
resource as far away from the resource as possible.

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf

We don’t put students and faculty on different Vlans/subnets and our security 
problems are not worse than Universities that adopt NAC and micro segmentation 
based on Vlans/subnets.

In a Zero Trust Architecture separation or segmentation is not based on 
Vlans/subnet (which is just a way of saying based on IP number).  In a Zero 
Trust Architecture access to a resource is dependent on identity and is 
independent of the IP number of the device requesting access.

Something to consider:  a device can have only one IP address at a time but 
most devices use more than one identity to access resources.  For example a 
work-study student may be both a student and staff.  A graduate assistant may 
be a student but also teach labs or classes like faculty.

Google has been very successful with BeyondCorp.   They have measured the 
results and adopting Zero Trust has resulted in much better security than when 
they used the previous architecture based on Vlans/subnets and firewalls.

https://www.rsaconference.com/industry-topics/presentation/how-google-protects-its-corporate-security-perimeter-without-firewalls

Akamai gave a similar report at the following RSA Conference.

https://www.youtube.com/watch?v=qzI-N0p9hFk

If Zero Trust Architecture is recommended by NIST, Google, Akamai and many 
others perhaps it is worth considering for your university?


This presentation lists several reasons why Zero Trust Architecture is a better 
match for Universities than the old perimeter, Vlan/Subnet (IP number) based 
architectures.

https://events.educause.edu/special-topic-events/webinar/2018/encore-selections-from-the-educause-security-professionals-conference-2018/agenda/zerotrust-networks-the-future-of-higher-ed-security-network-design




> On Jan 22, 2021, at 8:35 AM, Joseph Runkles wrote:
> 
> Hi,
> 
> We are in the middle of conversations with vendors for a wireless overhaul as 
> a relatively small school (we will end up with 1000-1200 APs).  We are 
> moving away from Cisco Aironet and currently talking with Ruckus, 
> Extreme(aerohive), Juniper(Mist) and Aruba.  To further complicate things we 
> are also going to replace our NAC at the same time (currently using 
> FortiNAC/Bradford) and have been looking at XMC, A3, ClearPass, Cloudpath. 
> 
> As we consider a re-design of the network I would love to ask some questions 
> and maybe even pick some people's brains offline. 
> 
> • What are you currently doing for network segmentation for wireless?
>   o Separate vlans for staff/faculty/students/iot/gaming/guest?  Flat 
>     networks for each or divided up by buildings?
>   o Do you terminate these vlans on your core or distribution routers 
>     with ACLs in between or back on your firewalls with more granular rulesets?
>   o Do you allow BYOD devices by either staff or students on your 
>     admin/production network?
>   o Do you do any posture checks (Antivirus, OS, Patches) on devices (BYOD 
>     or domain joined) before dropping them on the network?
> 
> • AAA (pardon my ignorance)
>   o What are you doing for IoT/gaming devices?  PPSK? MAC auth?
>   o Are you using RADIUS?  Your own server or the vendor's controller/cloud? 
>     Is your RADIUS providing more than Authentication?  Do you pass vlan info or 
>     other attributes from RADIUS?
>   o Are you using AD groups or attributes to delineate 
>     Students/staff/faculty/Part time student employee/etc.?  Passing that along 
>     to your NAC or Controller to apply an access profile for that particular user?
> 
> I realize that I am unloading a bunch of questions, and there are more.  
> However, I would love to see or hear what other people are doing in 
> production.  If things are meeting your needs, what would you change if you 
> could do a re-design.  Just trying to see things from a different perspective 
> and consider alternate possibilities as we work through this re-design.   If 
> 
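
The contrast drawn in the message above between segmentation by VLAN/subnet and access based on identity, as an added example (not part of the thread and not any poster's code). The subnets, role names, accounts and resource names are constructed for illustration; the multi-role subjects follow the work-study and graduate-assistant cases mentioned in the message.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data: subnets, roles, accounts and resources are hypothetical.
ROLE_SUBNETS = {
    "student": ip_network("10.10.0.0/16"),
    "staff": ip_network("10.20.0.0/16"),
    "faculty": ip_network("10.30.0.0/16"),
}
RESOURCE_ROLES = {  # the same access policy is given to both models
    "coursework": {"student", "faculty"},
    "timesheet": {"staff"},
    "gradebook": {"faculty", "instructor"},
}
DIRECTORY = {  # one subject can hold several roles at the same time
    "workstudy01": {"student", "staff"},
    "gradasst01": {"student", "instructor"},
    "student02": {"student"},
}


@dataclass(frozen=True)
class Request:
    subject: str
    source_ip: str
    resource: str
    authenticated: bool = True  # outcome of explicit authentication


def subnet_decision(req: Request) -> bool:
    """Segment model: the source subnet is the only stand-in for who is asking."""
    addr = ip_address(req.source_ip)
    for role, net in ROLE_SUBNETS.items():
        if addr in net:
            return role in RESOURCE_ROLES[req.resource]
    return False  # address outside every known segment


def identity_decision(req: Request) -> bool:
    """Identity model: authenticate, then authorize on directory roles.

    source_ip is never read, so the answer does not depend on network location.
    """
    if not req.authenticated:
        return False
    roles = DIRECTORY.get(req.subject, set())
    return bool(roles & RESOURCE_ROLES[req.resource])


# Constructed requests. The device of workstudy01 has one address (student
# range) but its user holds two roles; student02 appears once on an address in
# the staff range, as could happen after a port or VLAN assignment error.
SAMPLE_REQUESTS = [
    Request("workstudy01", "10.10.5.20", "coursework"),
    Request("workstudy01", "10.10.5.20", "timesheet"),
    Request("gradasst01", "10.10.7.9", "gradebook"),
    Request("student02", "10.20.1.4", "timesheet"),
    Request("student02", "10.10.8.8", "coursework"),
]


def disagreements(requests):
    """Return (subject, resource, subnet_result, identity_result) where the models differ."""
    rows = []
    for req in requests:
        by_subnet = subnet_decision(req)
        by_identity = identity_decision(req)
        if by_subnet != by_identity:
            rows.append((req.subject, req.resource, by_subnet, by_identity))
    return rows


if __name__ == "__main__":
    for row in disagreements(SAMPLE_REQUESTS):
        print("%-12s %-10s subnet=%-5s identity=%s" % row)
```
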

Re: [WIRELESS-LAN] Issues with Zoom in Res Halls

2021-01-25 Thread John Rodkey
Mike Dorshimer's experience mirrors ours at Westmont.  We had to upgrade
our firewalls, switch stack associated with the Internet, Bandwidth from
our ISPs, and core switches to deal with the increased traffic demands.  We
found that even though wireless signal and connectivity appeared solid,
there was a certain unpredictability present in wireless that wasn't
present for wired connections.  This unpredictability seems to be more
likely in APs running 802.11ax compared to 802.11ac for some reason.
However, we do not have the resources to do a deep dive that would be
necessary to track down these intermittent problems.

John Rodkey
Director of Servers and Networks
Westmont College

Verification: Unsure if this is a legitimate email to an email list? Make
sure it is recorded at https://my.westmont.edu/it_emails


"*God-fearing faith... is neither brash nor foolhardy and does not tempt
God."* - Martin Luther


On Mon, Jan 25, 2021 at 5:54 PM Dorshimer, Michael wrote:

> We hit that hurdle last semester as well. All students were remote in the
> spring and of course no issues because the traffic demand was distributed.
> In the fall they all returned to campus but we maintained much of the zoom
> schedule. Our WAN links were hit hard and we had to upgrade them, wireless
> took a beating with all the HD video use, on top of the existing noise
> floor from IoT and rogue devices. We took a flood of helpdesk tickets and
> tried our best to suggest best practices and campus wide messaging.
>
> I later found out there is also the ability to host the majority of heavy
> Zoom traffic locally on a few VMs. I believe there was no additional
> licensing cost, at least at our subscription level. Just some server and
> admin time to set it up. Perhaps worth looking into.
>
> Mike Dorshimer
> Network Administrator
> Shippensburg University
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Charles Rumford
> Sent: Friday, January 22, 2021 10:22 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Issues with Zoom in Res Halls
>
> Hey -
>
> We have started getting reports of issues with Zoom calls in our Res
> Halls. Most of the complaints have been around multiple drops during calls
> or lagging calls.
> Our res halls are currently only at 40-50% capacity if that.
>
> I was curious if anyone else has been seeing any issues with an increase
> of Zoom calls from on campus students.
>
>
> --
> Charles Rumford (he/his/him)
> IT Architect
> ISC Tech Services
> University of Pennsylvania
> OpenPGP Key ID: 0xF3D8215A
>
> **
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community
>


RE: [WIRELESS-LAN] Issues with Zoom in Res Halls

2021-01-25 Thread Dorshimer, Michael
We hit that hurdle last semester as well. All students were remote in the 
spring and of course no issues because the traffic demand was distributed. In 
the fall they all returned to campus but we maintained much of the zoom 
schedule. Our WAN links were hit hard and we had to upgrade them, wireless took 
a beating with all the HD video use, on top of the existing noise floor from 
IoT and rogue devices. We took a flood of helpdesk tickets and tried our best 
to suggest best practices and campus wide messaging. 

I later found out there is also the ability to host the majority of heavy Zoom 
traffic locally on a few VMs. I believe there was no additional licensing cost, 
at least at our subscription level. Just some server and admin time to set it 
up. Perhaps worth looking into.

Mike Dorshimer
Network Administrator
Shippensburg University

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Charles Rumford
Sent: Friday, January 22, 2021 10:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Issues with Zoom in Res Halls

Hey -

We have started getting reports of issues with Zoom calls in our Res Halls. 
Most of the complaints have been around multiple drops during calls or lagging 
calls. 
Our res halls are currently only at 40-50% capacity if that.

I was curious if anyone else has been seeing any issues with an increase of 
Zoom calls from on campus students.


-- 
Charles Rumford (he/his/him)
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A



RE: Issues with Zoom in Res Halls

2021-01-25 Thread Jennifer Minella
Charles, I doubt this is the issue but I'm just sharing because we had another 
edu customer with this issue in the last 2 weeks. Students returned to the 
campus and/but were still taking instruction via Zoom (even when on campus and 
sitting in a classroom). They don't use proxies and the added bandwidth 
(latency-sensitive audio and video streams going in/out) was simply tanking 
their Internet connection and well - more specifically - not overloading the 
Internet bandwidth but overloading what their firewall/gateway security tools 
could handle. 

Not as likely in your situation but sharing anyway. 
-jj

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text 


-Original Message-
From: Charles Rumford  
Sent: Friday, January 22, 2021 10:22 PM
Subject: Issues with Zoom in Res Halls

Hey -

We have started getting reports of issues with Zoom calls in our Res Halls. 
Most of the complaints have been around multiple drops during calls or lagging 
calls. 
Our res halls are currently only at 40-50% capacity if that.

I was curious if anyone else has been seeing any issues with an increase of 
Zoom calls from on campus students.


-- 
Charles Rumford (he/his/him)
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A



RE: [External] Re: [WIRELESS-LAN] Wireless Segmentation and NAC

2021-01-25 Thread Jennifer Minella
Joey, If you are interested in the differences between the various NAC/AAA 
solutions I can answer that privately including/especially Bradford/FortiNAC 
and ClearPass. They do not do the same things and the things they _do_ do that 
are similar, they do in very different ways.

The TL;DR version is that 90% of the time, we integrate both together and use 
ClearPass for Wi-Fi and FortiNAC for Wired (specifically for non-RADIUS based 
enforcement). ClearPass’s built in RADIUS and TACACS+ services are amazing so 
if you’re doing AAA-only (vs non-RADIUS based auth) that is perfect. If you’re 
talking wired then that’s a different (longer) story. FortiNAC historically (as 
Bradford) did not have a RADIUS server built-in but that is changing with the 
next major release.

P.S. The Aruba Instant mode can currently operate with hundreds of APs in a 
local cluster (not 25). A cluster of Instant (when not managed with something) 
is determined by L2 adjacency. This will grow with the AOS 10 and can be 
extended even further with on-prem gateways (a tunnel aggregator/terminator not 
a controller).

-jj


___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Rodolfo Nunez 
Sent: Monday, January 25, 2021 10:42 AM
Subject: Re: [External] Re: [WIRELESS-LAN] Wireless Segmentation and NAC

Hi Joey,

All those are really good questions and I think most of the answers really 
depend on your architecture guidelines, needs, expertise, and risk management. 
As a data point, this is how we are doing wireless:

We are an Aruba shop, we have on prem controllers. I would rather be 
controller-less but the Aruba technical team advised against it for an 
institution of our size (1000 employees, 2600 students).
More than 1300 WAPs (this is growing since we are replacing a different 
wireless technology in three buildings)
We have 3 SSIDs: Secure, EduRoam and Guest
We have two vlans: The first vlan is for Secure that behaves like being on the 
wired network, the second vlan is for EduRoam and Guest and has very limited 
access to administrative resources.
Flat networks (it sounded more work than gain for us to split by buildings, not 
everyone is happy with this choice. Glad that the overhead and complexity has 
not been needed.). This also helps with IP management (used to use public IP 
addresses years ago currently we NAT) but MAC capturing is easier this way. 
Roaming seems to work better.
We use radius on prem (then again, we would rather do cloud radius but we have 
not investigated this option with our SSO cloud provider)
BYOD, IoT, gaming, all are around, it cannot be stopped. We provide best effort 
support (unless it is an IT managed device), they connect to the Guest network.
No NAC

Hope this helps.

Rodolfo

--
Rodolfo Nunez
pronouns: he/him/his
Director, IT Infrastructure
Barnard College, Columbia University
212-854-1319
rnu...@barnard.edu
www.barnard.edu/bcit



On Sun, Jan 24, 2021 at 8:58 PM Ricardo Stella wrote:
Aruba + Clearpass + Eduroam

On Fri, Jan 22, 2021 at 1:31 PM Martin MacLeod-Brown wrote:
We are a controller based network trying Aruba Central for the first time.
It shows promise and I'm sure it is going to improve with every release but (for 
us) it is not production ready yet.
Things we have to deal with include config conflicts, or valid config that 
refuses to push to the controller, or the sheer delay between the config and 
the push to the controller.
For instance we were setting up site to site VPNs today and some config went 
over instantly, other config took 40mins before it synced across

It seems to be a work in progress still…



Martin Macleod-Brown | Network Infrastructure Engineer | Information Technology


From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of John Pertalion
Sent: 22 January 2021 16:45
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Wireless Segmentation and NAC

Aruba Instant can manage 25 access points per network.

Aruba Central can handle thousands of access points.

Moody would be best served by Central, if they wanted to go controllerless.



On Fri, Jan 22, 2021 at 11:31 AM Enfield, Chuck wrote:
Just curious, but for the respondents recommending Aruba, would that be the 
controller-based flavor or the Instant/Central flavor?  We have over 80K 
simultaneous clients in the normal times (I think.  The normal times seem so 
very long ago.) so we still need controllers for traffic aggregation, but if my 
school was the size of Moody I 

Re: [WIRELESS-LAN] Issues with Zoom in Res Halls

2021-01-25 Thread Coehoorn, Joel
One thing to remember is Zoom is bi-directional hi-def streaming video.
Literally NOTHING is harder on your wifi and WAN connection, except maybe
certain low-latency online games (these tend to need more bi-directional
packets, but less bandwidth)

Back last Spring, when the whole remote thing really got started, I had the
discussion with our leadership about whether our network could handle such
traffic. I considered three scenarios: 1) Around 10% of students still on
campus, but attending virtually due to self isolation or quarantine. 2) At
most 50% on campus attending virtually if we had to do an alternating days
type model (this never actually happened).  And  3) 100% remote, where
students are NOT generally on campus, so it's faculty using the network
resources. Given those scenarios, I was confident we would be okay for 1
and 3, and made a few calls about #2 in case we needed to quickly adjust
bandwidth or coverage.

Today, we've so far received the first 5 inches of snow out of an expected
12, and last night the provost declared classes would be 100% virtual for
the storm. This goes beyond any of those scenarios, and our network is
being tested. I'm seeing more drops/retries, but not to the level things
are being disrupted. Crossing my fingers it holds up, but I won't be
surprised to hear complaints later, either. This isn't bad; it's the
natural result of pushing the edge of what the network is designed for. It
means I did my job well. The network can handle normal to large loads, and
for the truly exceptional events provides basic service for the 90%. Of
course 100% would be better, but spending those resources for a once a
century event seems wasteful (until you're sitting in the middle of one).

Joel Coehoorn
Director of Information Technology
York College of Nebraska


On Mon, Jan 25, 2021 at 11:13 AM Jeffrey D. Sessler wrote:

> There was mention of a bug in one of the code bases (maybe 8.5) that could
> cause this, but there was updated code for it.
>
> Also, go have a look at the events for the AP's in question.  We had a few
> reports of call pauses/lags, and with the Zoom diagnostic data from the
> meeting details in-hand, we correlated it to the client's connected AP
> switching channels because of RRM/Interference.
>
> If you're not familiar with the Zoom client/meeting data, ask your Zoom
> admin to give you access to the dashboard. For live and past meetings you
> can see a wealth of information on what the client is up to and how it is
> performing.
>
> Jeff
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Charles Rumford
> Sent: Friday, January 22, 2021 7:22 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Issues with Zoom in Res Halls
>
> Hey -
>
> We have started getting reports of issues with Zoom calls in our Res
> Halls. Most of the complaints have been around multiple drops during calls
> or lagging calls.
> Our res halls are currently only at 40-50% capacity if that.
>
> I was curious if anyone else has been seeing any issues with an increase
> of Zoom calls from on campus students.
>
>
> --
> Charles Rumford (he/his/him)
> IT Architect
> ISC Tech Services
> University of Pennsylvania
> OpenPGP Key ID: 0xF3D8215A
>


RE: [WIRELESS-LAN] Issues with Zoom in Res Halls

2021-01-25 Thread Jeffrey D. Sessler
There was mention of a bug in one of the code bases (maybe 8.5) that could 
cause this, but there was updated code for it. 

Also, go have a look at the events for the AP's in question.  We had a few 
reports of call pauses/lags, and with the Zoom diagnostic data from the meeting 
details in-hand, we correlated it to the client's connected AP switching 
channels because of RRM/Interference.  

If you're not familiar with the Zoom client/meeting data, ask your Zoom admin 
to give you access to the dashboard. For live and past meetings you can see a 
wealth of information on what the client is up to and how it is performing. 

Jeff

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Charles Rumford
Sent: Friday, January 22, 2021 7:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Issues with Zoom in Res Halls

Hey -

We have started getting reports of issues with Zoom calls in our Res Halls. 
Most of the complaints have been around multiple drops during calls or lagging 
calls. 
Our res halls are currently only at 40-50% capacity if that.

I was curious if anyone else has been seeing any issues with an increase of 
Zoom calls from on campus students.


-- 
Charles Rumford (he/his/him)
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A



Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Wireless Segmentation and NAC

2021-01-25 Thread Rodolfo Nunez
Hi Joey,

All those are really good questions and I think most of the answers really
depend on your architecture guidelines, needs, expertise, and risk
management. As a data point, this is how we are doing wireless:

We are an Aruba shop, we have on prem controllers. I would rather be
controller-less but the Aruba technical team advised against it for an
institution of our size (1000 employees, 2600 students).
More than 1300 WAPs (this is growing since we are replacing a different
wireless technology in three buildings)
We have 3 SSIDs: Secure, EduRoam and Guest
We have two vlans: The first vlan is for Secure that behaves like being on
the wired network, the second vlan is for EduRoam and Guest and has very
limited access to administrative resources.
Flat networks (it sounded more work than gain for us to split by buildings,
not everyone is happy with this choice. Glad that the overhead and
complexity has not been needed.). This also helps with IP management
(used to use public IP addresses years ago currently we NAT) but MAC
capturing is easier this way. Roaming seems to work better.
We use radius on prem (then again, we would rather do cloud radius but we
have not investigated this option with our SSO cloud provider)
BYOD, IoT, gaming, all are around, it cannot be stopped. We provide best
effort support (unless it is an IT managed device), they connect to the
Guest network.
No NAC

Hope this helps.

Rodolfo

-- 
Rodolfo Nunez
pronouns: he/him/his
Director, IT Infrastructure
Barnard College, Columbia University
212-854-1319
rnu...@barnard.edu
www.barnard.edu/bcit


On Sun, Jan 24, 2021 at 8:58 PM Ricardo Stella wrote:

> Aruba + Clearpass + Eduroam
>
> On Fri, Jan 22, 2021 at 1:31 PM Martin MacLeod-Brown wrote:
>
>> We are a controller based network trying Aruba Central for the first time.
>>
>> It shows promise and I'm sure it is going to improve with every release
>> but (for us) it is not production ready yet.
>>
>> Things we have to deal with include config conflicts, or valid config
>> that refuses to push to the controller, or the sheer delay between the
>> config and the push to the controller.
>>
>> For instance we were setting up site to site VPNs today and some config
>> went over instantly, other config took 40mins before it synced across
>>
>> It seems to be a work in progress still…
>>
>> *Martin Macleod-Brown | Network Infrastructure Engineer | Information
>> Technology*
>>
>> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *John Pertalion
>> *Sent:* 22 January 2021 16:45
>> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> *Subject:* Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Wireless
>> Segmentation and NAC
>>
>> Aruba Instant can manage 25 access points per network.
>>
>> Aruba Central can handle thousands of access points.
>>
>> Moody would be best served by Central, if they wanted to go
>> controllerless.
>>
>> On Fri, Jan 22, 2021 at 11:31 AM Enfield, Chuck wrote:
>>
>> Just curious, but for the respondents recommending Aruba, would that be
>> the controller-based flavor or the Instant/Central flavor?  We have over
>> 80K simultaneous clients in the normal times (I think.  The normal times
>> seem so very long ago.) so we still need controllers for traffic
>> aggregation, but if my school was the size of Moody I wouldn’t want to
>> manage controllers.  Is Instant a good option for a network that size?
>>
>> Chuck
>>
>> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Sneed, Billy (Staff)
>> *Sent:* Friday, January 22, 2021 11:11 AM
>> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> *Subject:* Re: [WIRELESS-LAN] Wireless Segmentation and NAC
>>
>> Sounds like a fun project!
>>
>> Agreed that Aruba and ClearPass are solid. They're both working well for
>> us and have for a long time.
>>
>> If I were to investigate a new system for wireless service and network
>> access control, I'd take a very thorough look at Mist.
>>
>> https://www.juniper.net/us/en/solutions/wired-wireless-access/
>>
>> Regards,
>>
>> Billy
>>
>> --
>> Billy Sneed
>> Enterprise Architect
>> Information Technology Services
>> Middlebury College
>> wsn...@middlebury.edu
>> 802.443.5769
>>
>> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Rob