RE: [External] Re: [WIRELESS-LAN] Onboarding android 10 and 11

2021-07-13 Thread Adam T. Ferrero

  We are steering Android folks towards the "geteduroam" app from SURF 
(https://www.geteduroam.app/).  It takes your eduroam CAT profile so you can 
add your on-prem SSID and the geteduroam app will configure both eduroam and your 
local SSID on devices.

  The app is nice (simple, pretty, functional).  Doesn't need any instructions. 
 Must stay installed or it removes the wireless profile.  There is a MIME type 
issue where the app is offered for unrelated downloads but I think it's fixed 
in beta.  Still, it otherwise just works for Android 11 in our limited testing.

  Adam

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Dennis Xu
Sent: Tuesday, July 13, 2021 8:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [External] Re: [WIRELESS-LAN] Onboarding android 10 and 11

We are dealing with the same issue. The new JoinNow UI since this year for Android 
10 and 11 is very difficult to go through, but it looks like there are no other 
onboarding solutions around. The Eduroam CAT is very easy to use (like the old 
JoinNow) but it is only for eduroam SSID.

Dennis Xu


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Marsen Nuzi
Sent: Friday, July 9, 2021 8:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Onboarding android 10 and 11

Hello everyone,
We noticed that Android 11 had issues onboarding to our secure SSID, and in 
particular it could not connect to it but it stays on whatever SSID it is already 
connected to. After a quick call with SecureW2 we were told that there is a 
workaround which seems very tedious especially for the average user. Users have 
to uninstall the SecureW2 join app and start the process all over again and 
with more steps. I was curious how everyone else is dealing with this issue and 
if they have found something easier.
Thanks

Marsen Nuzi
Information Technology

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community



RE: [External] Re: [WIRELESS-LAN] Rate Limits on Guest Wi-Fi

2021-04-13 Thread Adam T. Ferrero

  Once we got all our pipes bigger than most folks could use, we dropped all 
the rate limiting games we were playing.  It's simpler and easier to operate.  
On the wired side, when we were increasing from 10 to 100 to gig we used to 
wrongly think they're going to use it all up and our upstream pipes will have 
to be massive to deal with it.  Users just use what they need/want and when you 
raise their throughput ceiling they'll just get it faster and get out of the 
way.  Third party optics and internet bandwidth are all cheap now.

  Adam

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Martin MacLeod-Brown
Sent: Tuesday, April 13, 2021 3:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [External] Re: [WIRELESS-LAN] Rate Limits on Guest Wi-Fi

That is an interesting question. I believe (perhaps wrongly) that rate limiting 
increases Wi-Fi inefficiency as you are then forcing the client to stay on the 
medium longer to transmit/receive data?
We used to rate limit back in the day, but then removed all limits when we went 
to 802.11ac and didn't notice any impact to the network...

From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
Sent: 13 April 2021 00:21
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Rate Limits on Guest Wi-Fi

Hello,

Curious to know if any have removed or recently raised the rate limit on the 
Guest Wi-Fi network at your institution, particularly large universities or 
hospitals.  If you have taken that step how is it going?  Also curious to hear 
what speeds you rate limit to if it is rate limited and how you came to that 
conclusion.

Thanks,

--
Curtis K. Larsen
Wireless Network Engineer III
The University of Utah




RE: [External] Re: [WIRELESS-LAN] WLAN onboarding

2021-04-07 Thread Adam T. Ferrero

  I love the geteduroam app!  It is awesome, easy, pretty, and simple.  We are 
planning to leverage it for more of our onboarding.

  We are open SSID with Aruba Clearpass captive portal, SMS texted credentials 
for self service guests (via Twilio), and switch to WPA2 enterprise for actual 
internet access.  We’d been using Aruba OS specific landing pages to feed their 
Quick Connect tool to onboard.  Aruba is encouraging Onboard rather than Quick 
Connect but that comes with license fees.  With Android 11 changes and a 
desire to deprecate our PEAP/MSCHAP we’ve been spending time here.

  Still a work in progress but geteduroam app is a win!  Nice work to that team!

  Adam

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Philippe Hanset
Sent: Wednesday, April 7, 2021 10:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [External] Re: [WIRELESS-LAN] WLAN onboarding

Lee,

Based on your timeframe you might also want to consider the new development 
that is done in Europe called “geteduroam”.
https://www.geteduroam.app
It is App based and will feed from CAT but it is based on EAP-TLS or on 
EAP-TTLS/PEAP if preferred.

So you could start with CAT  and username/password (CAT allows you to provision 
eduroam and other SSIDs as well) and evolve later to EAP-TLS.

Philippe


Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770






On Apr 7, 2021, at 10:05 AM, Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:

Hello everyone, hope your semesters are going along smoothly and that you are 
all staying healthy. As always- this message is not an invite for vendors to 
contact me.

Looking out down our short timeline, we need to make a number of decisions 
about various aspects of our WLAN operations. One of these decision points is 
if/how to do the 802.1X onboarding after our current solution goes End of 
Everything at year’s end. To that end, I’m looking for any and all feedback on 
these questions:

- If you are using PEAP/MS-CHAP v2, what is your onboarder of choice (even if 
  none, with manual config as methodology)?
- If you are doing PEAP-TLS, what is your onboarder of choice?
- Have you recently piloted any onboarders that you just hate for any reason?
- For those using eduroam as your 802.1X environment, have you found the free 
  configuration tool to be reliable? Any downsides to using it at scale?

Interested in 3rd party, native, whatever.

Thanks as always,

Lee Badman

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w 
its.syr.edu
Campus Wireless Policy: 
https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu



RE: [External] [WIRELESS-LAN] Wireless Upgrade Project

2020-12-30 Thread Adam T. Ferrero

  I can comment on a few of these.

  6 to 8 was a major deal for us last year.  We had to reconfigure just about 
everything but I think it performs better.

  Between AX and a desire to use some saved dollars to expand our coverage area 
significantly, we are pushing a bunch of Aruba 535/555s out.  I think it'll be 
quite a while before significant AX clients enjoy it but even longer for 6E 
clients.

  We are Extreme and converted every stack to fabric attach (~2,500 switches).  
Between that and the shortest path bridging core, it is awesome.  Once it's 
done, it's operationally easier to manage.  We had a location lost due to fire 
and it was trivial to drop the same vlan on another campus for the PCs that 
were recovered and relocated.  It's trivial for us to RSPAN remote port mirror 
anywhere off the fabric down to a server on our Main Campus.  Fabric attach is 
very nice, but the bigger win for us was routing with SPB fabric.  It was easy 
to deploy VRF/L3VSNs and use IP shortcuts to route the traffic.  We have a 
Staff VRF, Student VRF, VoIP VRF, etc. and staff user subnets talk to others 
without restriction but pass through our firewall to get anywhere else.  I'm a 
real big fan.  The implementation is significant from what we were running so 
it took us refreshing from VSP 9000s to VSP 8600s before we really pushed it.

  Reach out off list if you want to hear more about anything.  Good luck.

  Adam

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Luis Quispe
Sent: Wednesday, December 30, 2020 10:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [External] [WIRELESS-LAN] Wireless Upgrade Project

Hello everyone,

Hope you're all having a relaxing time off before getting back into the new 
year.  We're looking for some feedback from those that have recently gone 
through a campus wifi upgrade/change.  From the non-technical perspective, we 
plan to communicate with our user base for all phases of the project.  Does 
anyone have any suggestions on communicating with the users?  Not so much on 
the how, but the information provided to the user, or requested information 
that can be useful.

On the technical perspective, has anyone gone from on-prem controller to 
controller-less and cloud management?  We will be conducting POCs with both 
Extreme Networks and Juniper Mist and as you may know, both of these solutions 
are Cloud managed solutions.  We are also doing a POC with Aruba, but there's a 
little gray area there when it comes to controller-less.  What I mean is that, 
we were told we could go the route of Instant-AP with Cloud-Central, but given 
that we have about 1800 APs, we should prefer to go with the on-prem solution 
instead.  Here are some questions:


  *   I know that there are a few schools here that are Aruba Wireless 
customers, please comment on going to the newer version 8 OS (we are still on 
6).
  *   If anyone has any comments on going with or tested either Mist or 
Extreme, please do so!  With administrations now pushing to go to the cloud 
when possible, has anyone considered going controller-less?
  *   Has anyone considered AX as a driver to change, or waiting to see what 
happens with Wifi6E?
  *   While most wireless solutions would provide decent management dashboards, 
does anyone have any comments on which provides useful information for 
troubleshooting?  Mist provides many points of user-experience information that 
could help with troubleshooting issues, does anyone have feedback on that?
  *   For those that have experience with Extreme, has anyone employed that 
Fabric-Attach process to do without having to manually bridge vlans to the 
access points?  Was this really a game changer?
  *   With the Next-Gen solutions talking about all the analytics available, 
does that really help the system auto-tune power and channel properly?

I know this is a lot; any feedback will be greatly appreciated,

Luis Quispe
Senior Network Administrator
Division of IT
Stevens Institute of Technology





RE: [External] Re: [WIRELESS-LAN] AP Management Network Size

2020-06-18 Thread Adam T. Ferrero

  We have ~6k APs and place them on AP mgmt. subnets of /22.  We tunnel all 
traffic back to controllers so the broadcast isn't significant (no user 
broadcast on the AP mgmt. vlan).  The weakest devices we have are VoIP phones 
where 200 broadcast packets per second can hurt them but broadcast pps above 50 
is abnormal here.

  Adam

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Curtis, Bruce
Sent: Thursday, June 18, 2020 2:19 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [External] Re: [WIRELESS-LAN] AP Management Network Size

We take a more Zero Trust approach and don’t put APs on a separate Vlan.

The APs are on the same Vlan as other devices in the building.

No problems in more than 14 years.

We do give them private IPv4 numbers but they get public IPv6 numbers.

> On Jun 17, 2020, at 2:56 PM, Jesse Thomas  wrote:
> 
> Hi Everyone,
> 
> We are preparing to replace our existing Cisco WiSM2 controllers with 9800s. 
> Part of this upgrade will include redesigning our AP management 
> network(s)—currently, we have about 500 APs spread across 3 different /24's. 
> 
> As we move towards an in-room design in our residence halls and provide 
> denser 5GHz coverage throughout campus in the coming years, we expect the 
> number of APs to grow by quite a bit. 
> 
> I am interested in how others have sized your AP management networks? I have 
> not found any concrete guidance from Cisco and various recommendations 
> elsewhere range from /25 to /21. Larger ranges would of course be easier to 
> manage, but at the same time we don't want to introduce issues related to 
> broadcast traffic.
> 
> Thanks for any input that you can provide.
> 
> Regards,
> 
> 
> --
> Jesse Thomas
> Network & Systems Administrator
> Hamilton College
> 315-859-4211

Bruce Curtis
Network Engineer  /  Information Technology NORTH DAKOTA STATE UNIVERSITY
phone: 701.231.8527
bruce.cur...@ndsu.edu




Re: [WIRELESS-LAN] SMS gateways

2019-11-13 Thread Adam T. Ferrero

 +1 Twilio is very nice to work with





 Original message 
From: Lee H Badman <00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Date: 11/13/19 18:46 (GMT-05:00)
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SMS gateways

Twilio. Works fantastic.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Entwistle, Bruce 
<0139f1156e70-dmarc-requ...@listserv.educause.edu>
Sent: Wednesday, November 13, 2019 6:25:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] SMS gateways

We are looking at using the Guest portal of Clearpass for authenticating guests 
to our wireless network.  A part of this would be sending account information 
to guests through a SMS gateway.  Is there a recommended SMS gateway vendor 
that will work with Clearpass?

Thank you
Bruce Entwistle
Network Manager
University of Redlands




RE: [WIRELESS-LAN] Re-authentication times for guest wireless solutions

2018-05-10 Thread Adam T. Ferrero

  We let folks captive portal to Clearpass on an open SSID and we Twilio SMS 
text them a credential.  Then they switch to the WPA2 SSID and the credential 
is good for 5 days.  It’s around 1,000 guests per day.

  Adam

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Daniel Wurst
Sent: Thursday, May 10, 2018 12:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Re-authentication times for guest wireless solutions

Hi all!

This summer we plan to make changes to our guest wireless solution. We plan to 
have users go to a captive portal page on our Aruba controllers. Currently we 
have our re-authentication interval set to 8 hours. We were wondering how often 
other universities are making wireless guests re-authenticate to their networks.

Any feedback is greatly appreciated.

Have a good one!

Dan
--
Daniel Wurst
Network Engineer
Denison University
wur...@denison.edu
740-587-6229

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.




RE: [WIRELESS-LAN] Best Wireless Solution for Residence Hall Rooms

2017-10-11 Thread Adam T. Ferrero

  We also switched from hallway deployment to nearly every suite.  It solved 
our issues.  We have about 6,000 beds.

  Adam

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brad Weldon
Sent: Wednesday, October 11, 2017 12:17 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Best Wireless Solution for Residence Hall Rooms

A few years ago we transitioned from in-hall APs to 1 or 2 in every suite or 1 
for every 2 dorm rooms. Complaints went way down. We based the decision on RSSI 
values and that most students were bringing newer hardware that supported 5 
GHz. Much of our roll-out occurred by updating classroom and admin APs over the 
course of 3 years and then redeploying replaced APs into dorm areas.

Brad


- - - - -
Brad Weldon
Network Engineer
George Fox University
503.554.2571
- - - - -

On Wed, Oct 11, 2017 at 8:54 AM, Max McGrath <mmcgr...@carthage.edu> wrote:
Umut -

We used to do APs in the hallways years ago, but had complaints similar to those 
you are receiving.  We've been doing in-room APs for the last 5 years and the 
complaints have dropped significantly.  We are an Extreme Networks customer and 
use their AP7502 (http://www.extremenetworks.com/product/wing-ap-7502/) in our 
residence halls.  We used to do an AP for every 6 rooms; we now do an AP in 
about every other room.  I foresee a day when we have an AP in every room.

Max

--
Max McGrath

Network Administrator
Carthage College
262-551-
mmcgr...@carthage.edu

On Wed, Oct 11, 2017 at 10:49 AM, Umut Arus <um...@sabanciuniv.edu> wrote:
Hello all,

We have 500 Aruba APs for 3000 students in dorm building hallways; however, we 
are still getting complaints, even after fine tuning, because of walls. I think 
it is a very contemporary issue for many.

Putting one in every room with the Aruba solution would be very expensive. We'd 
like to ask you: what is the best solution you have found to resolve it?

thanks.

--
Umut Arus
System Specialist
Information Technology
Sabancı University

Phone: +90216 483 9172




RE: Move In/Opening Week- Any Problems?

2017-08-25 Thread ADAM T FERRERO
Lee and friends,

  We changed several things and are faring very well this move in.  With just 6 
thousand clients in residence halls we aren't at half way yet.  We top around 
12 - 14k devices there which should hit before the weekend ends.


- Aruba wireless with new controller code this year (6.5.3.2).  Just 
  about one AP per suite same as previous years.

- WPA2 enterprise with posture checking and onboarding via Aruba 
  Clearpass (now at 6.6.5)

  - Big changes here, we used to require our own Symantec endpoint so the 
    onboarding process was captive portal them to feed the Aruba Onguard agent 
    for posture checking and then captive portal to feed them Symantec 
    installer.  Now we are allowing a larger list of AV products including 
    Windows Defender and Mac's built in firewall / AV.  So, the onboarding is 
    reduced a step and the calls for help are very low this year.  Onguard will 
    even auto remediate and enable Defender or built-in firewall if nothing 
    else exists.

- WPA2 PSK for other devices still in effect.  They pre-register the 
  MAC addresses via Clearpass portal.

- Wired 802.1x no change.  Still barely anyone connecting devices (~3% 
  wired vs wireless).  We reviewed the "what if we were 100% wireless" question 
  and we still needed 95% of the wired switches just to feed those wireless 
  APs.  So we keep offering it as an option.

- No open wireless except for onboarding guests (also Clearpass) but 
  that's everywhere not just Residence Halls.

- No multicast support so printers and IoT things don't usually work.  
  We are working on using Clearpass to limit visibility of those devices just 
  for the users that own them.  Aruba has all this functionality available.  
  We are going to test in coming months so we can enable it at a later date.  
  We've purposefully left it off for now not wanting the whole of our 
  enterprise to see and print to some poor student's printer.

  Good luck with start of school everyone!

  Adam


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Friday, August 25, 2017 9:22 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

It might be beneficial to share notes in case other schools are hitting common 
problems. I'm wondering how everyone who is in the thick of it is faring with 
back-to-school?

On this end, we are doing OK halfway to our expected total daily peak clients 
(we're at 15K now high water mark).

Our significant WLAN-related changes since end of Spring semester
* Running 8.2.151 on our 8540s
* Significant quantities of Wave 2 APs
* ISE as RADIUS (only, no NAC, no onboarding)

No changes to:
* our guest WLAN (Clearpass/an Aruba controller pair)
* onboarding (Cloudpath Wiz)
* overall topology
* open network in dorms for gadgets
* non-use of AVC, it crapped out and never got solved after hundreds of 
hours with TAC

Fears:
* We haven't yet hit the scale that will reveal problems with any of 
the newer stuff listed above

Anyone else care to share?

-Lee


Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






RE: IPTV deployment

2017-04-27 Thread Adam T Ferrero

  We deployed Xfinity on Campus last summer for 6,000 residents.  Our Comcast 
estimate was max 3 - 5 Gbps additional internet load so we upgraded firewalls 
to accommodate.  Turns out between IPTV and natural growth it was only ~ 1 Gbps 
more than the prior semester.  Almost all of them stream over wireless and we 
have not adjusted the data rates.  Everything is performing well (of course we 
have one AP per suite so coverage is very good).

  Adam

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Baugh, Craig
Sent: Thursday, April 27, 2017 3:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IPTV deployment

Yes Sir, both...
I am looking at it from the wireless perspective And my boss is worried :)

Our platform is all Cisco.
8540 controllers (8.3) and a mix of 3502, 3602, 3702, and 3802 WAPs.
Our transmit rates are:
802.11 a [image not preserved]
802.11 b/g [image not preserved]

Specs show IPTV needs 2Mbps to stream 720p content to client devices.

From the wireless perspective, have you (or anyone else on this thread), had 
any problems with IPTV?
Did you have to adjust your data rates since multicast travels at the lowest 
mandatory?

Thank you for your reply.
//Craig






From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Thursday, April 27, 2017 6:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IPTV deployment

Craig,

Are you looking at this from a wireless perspective, worried, or both?

What is your wireless platform?

We implemented multicast IPTV on Aruba wireless using our existing Haivision 
wired IPTV services. In fact, we helped Aruba test their "Dynamic Multicast 
Optimization" solution.

Generally, for 802.11 networks, multicast is transmitted at the lowest 
transmitted rate. That is bad for multicast video. Since our video streams are 
encrypted, we cannot apply QoS separately to prioritize key frames.

If you wish, I can reach out to our IPTV team to get more information on our 
Haivision (formerly Video Furnace) system.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Baugh, Craig [mailto:c.ba...@tcu.edu]
Sent: Wednesday, April 26, 2017 11:18 AM
Subject: IPTV deployment

Good morning,
I am looking for any advice from colleges that have implemented IPTV services.
Would like to know of any challenges, limitations, or problems that have come 
up during implementation.


Thank you for your help.

//Craig Baugh
//Network Engineer
//Texas Christian University.




RE: [WIRELESS-LAN] ClearPass AirGroup in the classroom

2017-04-07 Thread Adam T Ferrero

  Count us as one of those institutions.  We are replacing all my free open 
source things (Freeradius, Packet Fence) with Aruba Clearpass and it's been 
working very well for us for a couple years.  Our residence halls are entirely 
self service with Aruba Onguard doing health checks for wireless and wired.  
Students can flow through the process on their own.  We also replaced our guest 
wireless offering where anyone can hit our open onboarding SSID, get an SMS 
text with their password and then switch to our secure SSID for access.

  We have AppleTV and some others working and plan to add AirGroup location 
over the summer or so.  Lastly we are migrating remaining Freeradius services 
over as well.  I’m a die hard Freeradius fanatic, but I must admit that the GUI 
Clearpass put on top has made things easier for me and my team.

  Adam


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba)
Sent: Friday, April 7, 2017 3:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass AirGroup in the classroom

Also keep in mind that the registration feature isn’t just for AirGroup. Many 
of our enterprise and edu customers leverage it as headless device self-service 
registration for wired and wireless (Chromecasts, AppleTV, printers, game 
consoles, etc). Users can register and manage all of their devices, you can 
limit number of devices and types using role based portal access.

We’re planning on publishing a deployment guide for the Device Registration 
feature later this year.

Let me know if I can be of any help.

tim


TIM CAPPALLI
Aruba Security TME
t...@hpe.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "Howard, Christopher" <christopher-how...@utc.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, April 7, 2017 at 2:44 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] ClearPass AirGroup in the classroom

I can confirm this point.  We have Clearpass just for airgroup.  The AppleTVs 
are manually registered in Clearpass by our staff, but that’s all that’s there 
(no user devices).  We set it so that wireless clients can see only the 
AppleTVs that are connected to APs in the same AP group.  We typically have an 
AP group per building and only shrink that for larger buildings.  It has worked 
well for us so far.  We felt this was a decent compromise between irritation to 
the user for a registration vs controlling the size of population that has 
access to the Apple TVs.  We also recommend to the owner of the Apple TV that 
they set it to use a pass code to prevent unwelcome broadcasts.

We’ve had no complaints about connection reliability.

Christopher Howard
Director, Network Engineering
University of Tennessee at Chattanooga
christopher-how...@utc.edu

On Apr 7, 2017, at 2:30 PM, Harris, Rob 
<r_har...@culinary.edu> wrote:

Talk to your aruba rep or integration partner, I believe there’s a proximity 
mode also (you can airgroup to any device on the same AP you’re on, rather than 
have to register).


Robert Harris
Manager of Network Services
Culinary Institute of America
1946 Campus Drive
Hyde Park, NY
845-451-1681
www.ciachef.edu
Food is Life
Create and Savor Yours.™

Please consider the environment before printing this e-mail.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Albert Luo
Sent: Friday, April 7, 2017 2:17 PM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>; Harris, Rob <r_har...@culinary.edu>
Subject: [WIRELESS-LAN] ClearPass AirGroup in the classroom

Hello,

My university is planning to replace freeRADIUS with ARUBA ClearPass. One of 
the selling points is that ClearPass supports AirGroup. With AirGroup and Apple 
TV in the classroom, users can cast an iPhone/iPad screen to the Apple TV big 
screen. Users will need to register their MAC addresses and join the same group 
as the Apple TV. One member of the AirGroup project team is questioning the 
usability (requires MAC registration), the connection reliability (wireless 
screen cast), and the support cost. I couldn’t find much discussion on AirGroup 
implementation experiences.

I hope you can share your experiences on evaluating and implementing AirGroup 
in the classroom environment and how to support it. Thank you very much.

Albert Luo

RE: [WIRELESS-LAN] SSID names

2017-02-21 Thread Adam T Ferrero

  These have served us pretty well.  We only have a mac auth SSID in our 
residence halls.  Occasionally it would be useful to have it everywhere but we 
don't currently.

TUsecurewireless    WPA2 enterprise which gives different access levels 
                    (staff, student, guest)
TUguestwireless     Open for onboarding (SMS text credentials)
eduroam             Guest like access for anyone

  Adam

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Dickson
Sent: Tuesday, February 21, 2017 4:02 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID names

eduroam  (our only 802.1x offering)
UMASS  (open, CP, primarily for guests)
UMASS-DEVICES  (MAC auth'd device support for non-802.1x capable devices, as 
allowed by policy)

Mike

Michael Dickson
Network Analyst
Information Technology
University of Massachusetts Amherst
413-545-9639
michael.dick...@umass.edu
PGP: 0x16777D39


On 2017-02-21 15:36, Jim Stasik wrote:
> Hello, I have been encouraged by one of our governance bodies to 
> consider renaming our wireless SSIDs to better match the network names 
> to the function of the networks behind them.  I don’t get it, but 
> maybe I am a little too close to it.  We don’t have any residential on 
> our campuses so have just two primary SSIDs in use on our campus (as 
> well as eduRoam).  One is named Public and is our onboarding/guest 
> network.  The other is our authenticated/secure network which we call 
> MC3Waves and is for all students, staff, faculty and administrators, 
> with 802.1x on the back end to steer the end user to the appropriate 
> role.  We have had these network around for as long as I can remember
> (15 years maybe).  I am curious how others are naming and separating 
> the SSIDs in their environment?
> 
> Thanks in advance,
> 
> Jim Stasik
> 
> Director of Enterprise Infrastructure Services
> 
> Montgomery County Community College
> 
> jsta...@mc3.edu
> 
> 215.641.6678
> 
> -
> 
> Montgomery County Community College is proud to be designated as an 
> Achieving the Dream Leader College for its commitment to student 
> access and success.




RE: [WIRELESS-LAN] Per room wireless

2016-11-04 Thread Adam T Ferrero
  We have an AP in nearly every suite.  That is what made things work well for 
us.

  Adam

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Sullivan, Don
Sent: Friday, November 4, 2016 10:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Per room wireless

For Samford University, depending on the dorm construction, we have a per room 
or every other room model.

Don Sullivan
Network Administrator
205-726-2111

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Blaisdell
Sent: Friday, November 04, 2016 9:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Per room wireless

How many on the list have moved to a per room model for wireless for student 
residence halls?



Michael Blaisdell
Director of Network Services
IT Services
Learning Commons/Library
Saint Francis University
117 Evergreen Drive
Loretto, PA  15940
814-472-3242
http://www.francis.edu
The best way to predict the future is to invent it. Alan Kay



RE: Aruba and Bradford

2016-07-21 Thread Adam T Ferrero

  We are very happy with our Aruba Clearpass implementation.  We brought it in 
for host integrity checking in our residence halls and have continued to add 
more services.  It handled Meru and now Aruba wireless as well as our Avaya 
wired infrastructure.  It is feature rich and very flexible.

  We have 6,000 students in Temple managed residence halls (13 - 15k devices) 
with less than 5% of the devices connecting wired.  We do force the Onguard 
agent on Windows and MACs and require our managed anti-virus.  Other devices 
can just authenticate and work against wireless WPA2 enterprise SSID or wired 
.1x.  Non .1x capable devices are self-registered by the students into 
Clearpass (they add the mac address and we then mac auth accept them).  We 
built out all the pretty captive portal pages so onboarding process is terribly 
smooth and self service.

  We've rolled all our enterprise WPA2 enterprise authentication onto Clearpass 
as well (~50,000 concurrent clients).  I was against the purchase initially two 
years ago (being a freeradius / Packet Fence fanatic) but it has served us 
superbly.  Last fall showed the lowest Help Desk ticket volume of any move-in 
ever.  Here's hoping we all do equally well this fall.

  Adam

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Thursday, July 21, 2016 9:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba and Bradford

Thanks everyone.  Keep the info flowing ...

Bruce, we're a mixed shop on the wired side.  Since 2011 we've been a Juniper 
shop.  Before that, and I still have a lot of their gear that I haven't 
upgraded, we were Alcatel(-Lucent).

Those of you who are using ClearPass, anyone have a mixed wireless shop (ie, 
did you start with another vendor and move to Aruba)?  I'm curious if you 
avoided using ClearPass on the other wireless or embraced it, and to what level 
of success?

So, how many of your friends/acquaintances think you all get the summer off, 
because we work in academia?  This is all great information everyone!

-Brian 

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Thursday, July 21, 2016 7:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba and Bradford

Brian,

What wired vendor are you using?  I know for Cisco wired switches, you can pass 
the vlan name (as defined on the access switch) instead of the vlan ID for a 
role. This lets you have many student VLANs in the network, for instance.

​
 
Bruce Osborne
Wireless Engineer
IT Network Services - Wireless
 
(434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Bucklaew, Jerry [mailto:j...@buffalo.edu]
Sent: Wednesday, July 20, 2016 4:50 AM
Subject: Re: Aruba and Bradford

Brian,

We are a bradford shop and are migrating to clearpass.  We used the 
bradford for registration or our resnet as well as our wireless gaming network. 
 It worked ok, but my major issues with it were..

1. Bradford is designed around vlan switching, moving ports from one vlan to 
the other.  Vlan switch is labor/process intensive to setup/run because it 
needs to know about every switch, needs to know about every link change and 
needs to talk to every switch.

2. Bradford is not flexible when it comes to passing back radius attributes.  
For example you can pass back only one attribute, interface-name I think.  You 
can not do multiple.

3. Bradford is not flexible about registration, the device needs to be on the 
network in order to register.  User admin of registration does not exist.


We moved to clearpass for our wireless network and it is just a much more 
flexible system.  It can do almost anything, very customizable.  Our main 
driver was dorm AP's.  By moving to dorm AP's (every other room) we are putting 
half our wired ports through the aruba system.  To get the same look and feel 
from a user perspective both wired and dorm AP wired need to be off the same 
system.  We moved away from vlan switching to 802.1x/mac off on the dorm AP's 
and an inline system for the rest of the wired ports.  Eventually we are moving 
to 802.1x/mac off for everything, away from vlan switching.  Besides the same 
look and feel, it gives us a much more flexible registration system and a very 
nice "my devices" portal so users can manage their own registrations.

I can give more specifics if you need it.


On 7/19/2016 5:10 PM, Brian Helman wrote:
> Feel free to ping me off-list.  I may sanitize/redact comments and repost 
> them for the benefit of others though..
>
>
>
> If you are an Aruba AND Bradford shop, what was your reason for using 
> Bradford vs Clearpass?  Our primary interest in NAC is onboarding and 
> guest networks (wired and w

RE: Third Party 10Gbs optics with Aruba Controllers

2016-06-30 Thread Adam T Ferrero

  We are Aruba and happen to have Aruba direct 10G optics sort of 
unintentionally.  We've been using Approved Optics parts for Avaya, Palo Alto, 
Intel, and Check Point for a couple years.  Our savings is multiple six figures 
at this point.  No one ever complains about it and we are transparent about the 
fact that we use them.  Should an optic come into question we will do the usual 
swap/clean optics, fiber jumpers, etc. to identify root cause.

  It was ruled against the law (Magnuson-Moss Act of 1975) for the 
manufacturers to require you to purchase their optics.  Juniper is the only one 
that has very reasonable pricing for optics so we do purchase them directly.  
But, we've otherwise been completely thrilled with our very affordable, 
lifetime warrantied optics.  When I did the research I was amazed at the number 
of Fortune 500s and the social media giants that figured this out long ago.

  Do your homework and I'd expect you'll find it's well worth the effort.

  Adam Ferrero


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Thursday, June 30, 2016 10:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Third Party 10Gbs optics with Aruba Controllers

Over on the NETMAN list we have lots of discussions about 3rd party optics.  
I'm in the process of pricing comparative solutions right now to our existing 
wireless.  FOR EXISTING ARUBA CUSTOMERS .. do you use 3rd party optics on your 
controllers?  If so, have you ever had support issues from Aruba?

Feel free to ping me directly.

Vendors, this is not a sales opportunity, but if you can answer the questions 
from a usage/technical viewpoint, that would be great.

Thanks!

-Brian

Brian Helman, M.Ed |  Director, ITS/Networking Services | *: 978.542.7272
Salem State University, 352 Lafayette St., Salem Massachusetts 01970
GPS: 42.502129, -70.894779




RE: [WIRELESS-LAN] student residential routers?

2016-06-27 Thread Adam T Ferrero
Hector,

  We are in the same boat and want to eliminate the carrier drop down that the 
user has to select.  Not to mention all the obscure international carriers that 
we are missing.  Clearpass 6.5 has a couple non SMTP methods that we had 
trouble executing against a Verizon SMS gateway.  Clearpass 6.6.0 is adding 
SMPP support and we are hoping to get that to go.  Seems like an easier path 
for us.

  Adam Ferrero
  Temple University

Sent from my Verizon Wireless 4G LTE Tablet


-------- Original message --------
From: Hector J Rios 
Date: 6/27/2016 15:20 (GMT-05:00)
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] student residential routers?

I did. But the issue with using SMTP is that the user must choose the provider.  
I don't like that.

Thank you everyone else for your responses, especially when I completely forgot 
to change the subject of my original message.

H

On Jun 27, 2016, at 2:11 PM, Trenton Hurt 
<trenth...@gmail.com> wrote:

Have you looked at SMS over SMTP?

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/SMS-over-SMTP-in-CPPM/ta-p/192395



On Monday, June 27, 2016, Hector J Rios <hr...@lsu.edu> 
wrote:
Any recommendations on an SMS gateway service? We are implementing ClearPass 
and we want our sponsors to have the ability to send credentials via text. I 
know about leveraging SMTP, but I'm interested in that option.

Regards,

Hector Rios
Louisiana State University



RE: Typical Registration Numbers for Guest Wireless Service?

2016-03-10 Thread Adam T Ferrero

  We see about 1,000 guests per day typically.  We never have advertised it but 
the onboarding SSID is open and captive portal so people find it and self 
service onboard (via SMS texted credentials and switching to our WPA2 
enterprise SSID).  Generally our environment is about 30,000 concurrent 
wireless clients.

  Adam


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Zielske, Jessica
Sent: Thursday, March 10, 2016 1:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Typical Registration Numbers for Guest Wireless Service?

For those implementing a guest wireless service for sponsored and/or 
non-sponsored guests,

Is anyone able to share stats on the quantity of guest registrations over a 
time period, a daily average or the like?

We are working to forecast the load for a new non-sponsored guest wireless 
service, your insight is most appreciated!

Jessica Zielske
Virginia Tech






RE: [WIRELESS-LAN] Wireless Options in Athletic Buses

2015-11-18 Thread Adam T Ferrero

  We put some gear on our shuttle buses that travel between campuses a few 
years ago.  Basically a Cradlepoint router (Verizon LTE cellular backhaul with 
an ethernet hand off).  That ethernet hand off goes to a wifi access point that 
is able to do dns lookup and find its controller (happens to be Meru but I know 
Aruba does support similar mechanisms).  Everything is tunneled back encrypted 
through the controller.

  This has served us well for those students that enjoy a 45 minute commute 
between campuses.

  Adam


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Daniel Wurst
Sent: Wednesday, November 18, 2015 12:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Options in Athletic Buses

Hi,

This is my first post in this group.  I have really enjoyed being a part of 
this group and have learned quite a bit, so thank you to all members.

Recently I was asked if there was a way we could supply wireless connectivity 
in our athletic buses for student athletes as they travel to sporting events.  
My thoughts would be some kind of cellular network hot spot that the students 
could log into with their devices.

I was wondering if other Universities have attempted anything like this or have 
any hot spot devices they would recommend for this use.

Appreciate any feedback on this topic.

Thank you,

--
Daniel Wurst
Network Engineer II
Denison University
Fellows 003B
wur...@denison.edu
740-587-6229

RE: [WIRELESS-LAN] Measuring RADIUS Auths

2015-10-15 Thread Adam T Ferrero
Charles,

  We use freeradius and Zenoss.  There is a Zenoss zenpack that will generate 
graphs for you (if you happen to use Zenoss for monitoring): 
http://wiki.zenoss.org/ZenPack:FreeRADIUS.  It leverages the freeradius status 
module (not exactly independent I suppose).

  Adam


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Charles Rumford
Sent: Thursday, October 15, 2015 5:14 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Measuring RADIUS Auths

We are using FreeRADIUS, but I want to measure independent of the RADIUS server.
--
Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808


Sent from my phone

On Oct 15, 2015, at 17:12, Jeremy Gibbs 
<jlgi...@utica.edu> wrote:
What are you using for a RADIUS server?


--

Jeremy L. Gibbs
Sr. Network Engineer
Utica College IITS

T: (315) 223-2383
F: (315) 792-3814
E: jlgi...@utica.edu
http://www.utica.edu

On Thu, Oct 15, 2015 at 5:08 PM, Charles Rumford 
<charl...@isc.upenn.edu> wrote:
I'm currently embarking on a project to determine the number of RADIUS auths 
per minute each one of my controllers is generating to plan for the capacity I 
need for my RADIUS servers.

I was curious if anyone has embarked on a similar journey and tried to measure 
auth rates coming from their controllers?

I have a couple of ideas that I'm up for sharing, but I wanted to see if anyone 
else has done this.

Thanks!


Charles Rumford
Network Engineer/Senior Wireless Engineer
ISC Network Operations
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(p) 215-746-2808





RE: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-08 Thread Adam T Ferrero

  A mix of a few recent topics I wanted to comment on (HEOA tracking and Device 
nets).

  Our lawyers and CISO have reviewed HEOA.  We say that we are required to 
block illegal peer to peer and know who is using each IP address.  We block all 
peer to peer with Procera appliances currently.  With ~40,000 wireless clients 
on RFC1918 private IPs and 2 – 3 Gbps of NAT-ed traffic flows tracking to the 
individual user was no trivial task.

  I wasn’t comfortable logging that volume of traffic flow on our Check Point 
firewalls (though they might handle it).  Instead we leveraged netflow on 
multiple boxes to provide the answers.  We’ve also been working with CERT more 
recently to improve our hit rate on identifying the user (we were missing some).

 Our only open wireless is for onboarding (to SMS text message credentials to 
cell phone number we could potentially subpoena for records).  We do this with 
Packet Fence today and Aruba Clearpass tomorrow (though Packet Fence worked 
tremendously for us).  Both have a click here to provision yourself for our 
WPA2 enterprise SSID with proper certificate validations.  The complaints are 
that it takes too long (3 – 5 minutes is average to figure it out), that you 
have to select your cell carrier and some are missing (which we are eliminating 
with an SMS gateway service), or that folks don’t have SMS text capable cell 
phones (but they want their iPad connected).

  In our residence halls we leverage Aruba Clearpass.  There are two SSIDs (one 
WPA2 enterprise and one WPA2 PSK w/ mac authentication requirements).  Students 
can workflow themselves through the process.  We steer them to the WPA2 
enterprise SSID and they just need to have their enterprise ldap credentials.  
If they have a computer (Windows or Mac currently), they are steered to a 
captive portal page serving them the Aruba Onguard agent.  Once they have that 
it steers them to install our managed Symantec Endpoint Protection.  After that 
they are connected (unless either of those requirements stops running).  Smart 
devices like phones and tablets just need to authenticate and they are good.  
They have to hit a Clearpass page to add the mac address of their gaming 
systems before they work on the WPA2 PSK SSID.  We have profiling of devices so 
we don’t allow the computers and smart devices to connect to the PSK network.  
95% of devices are wireless, but we did enable 802.1x for all wired ports.  It 
was a tremendous effort for us, but has been running terribly well with just 
about 1 access point per suite.

  Reach out if you care for more details.

  Adam


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Coehoorn, Joel
Sent: Tuesday, September 08, 2015 9:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
dorms- quick Survey

HEOA just requires that we provide individual notices to students once per 
year that includes an explanation of copyright and our enforcement policies. 
Said policies must include technical measures to limit copyright infringement 
and a policy to promote legal alternatives, but I didn't see anything in there 
about data retention requiring us to keep logs relating IPs/MACs to users.





Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu



The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society

On Mon, Sep 7, 2015 at 5:38 PM, Steve Bohrer 
<skboh...@simons-rock.edu> wrote:
Hi Jeff,

Can you comment on how the Higher Education Opportunity Act (HEOA) fits into 
this? Our understanding is that HEOA, in addition to the opportunity of Pell 
grants, now also gives us the opportunity to provide specific annual user 
education about copyright, and to get involved with copyright enforcement. IANAL 
enough to discuss whether HEOA compliance requires more or less user identity 
info than DMCA compliance, but HEOA was historically one of the reasons we've 
tried to know who owns the devices on our wired and wireless networks. Are 
there Educause or other resources about HEOA similar to the one you cite for 
DMCA?

Steve Bohrer
Network Admin, ITS
Bard College at Simon's Rock
413-528-7645

> On Sep 4, 2015, at 5:28 PM, Jeffrey D. Sessler 
> <j...@scrippscollege.edu> wrote:
>
> Matthew,
>
> Under the DMCA, the ISP only has to, upon learning of the infringing 
> transmission, act quickly to remove or disable access to the infringing 
> transmission. We can carry that out with no knowledge of who’s behind the 
> device. That said, it only applies to resources owned by the institution.
>
> Here is some key in

RE: [WIRELESS-LAN] Wireless NAT & Tools for tracking DMCA reports

2013-10-04 Thread Adam T Ferrero

  We have 17k+ concurrent wireless clients and 100% are private IPs.  We then 
NAT at the firewall.  We also purposefully block peer to peer with fairly good 
success.  But, when we get an infringement notice or virus report or a subpoena 
for information we have had a challenge.  We only get one - three per month, so 
the volume is very low.

  We figure we are legally obligated to be able to identify every person on our 
network due to the Higher Ed Opportunity Act (HEOA).  It's a financial aid law, 
but there are a few paragraphs in there that say we need to identify everyone.  
We have no open guest wireless partly because of it (open wireless to 
onboarding guests via sending them a password via SMS text message and then all 
users switch to WPA2 enterprise offering).

  Regarding DMCA stuff, our strategy has been to use netflow.  We netflow from 
our internet routers (now 1:1 sample and they see the public addresses), from 
the firewalls (1:100 sample and should see public and private conversations), 
and from our core routers inside the firewall (1:100 sample should see private 
IP).

  We often just get a timestamp and our public IP and port.  We attempt to map 
that to a destination and then search netflow for that destination and 
timestamp.  We are missing a small percentage of these and are struggling to 
close that gap.  Some folks have suspected our 1:100 sample rate is causing us 
to miss data, but I can't push it down to 1:1 on all the gear.  It's always the 
inside that we miss so it's possible it's true.

  Adam
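
The lookup described in the message above (public IP, port and timestamp, then destination, then inside netflow), as an added example that is not part of the original post or of Temple's tooling. The record layout, exporter names and every address are constructed assumptions, and the probability helper assumes random per-packet 1-in-N sampling.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    exporter: str   # "border": outside the NAT (public source); "core": inside (private source)
    start: int      # epoch seconds of first packet
    end: int        # epoch seconds of last packet
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    packets: int


@dataclass(frozen=True)
class Attribution:
    status: str     # identified | ambiguous | no_border_flow | no_inside_flow
    candidates: Tuple[str, ...]
    destination: Optional[Tuple[str, int, int]]


# Constructed sample records (documentation address ranges, not real data).
FLOWS = [
    # Long transfer: exported 1:1 at the border, and it survived sampling inside.
    Flow("border", 1000, 1060, "203.0.113.10", 40001, "198.51.100.7", 6881, 6, 400),
    Flow("core",   1000, 1060, "10.20.1.15",   51514, "198.51.100.7", 6881, 6, 4),
    # Short flow: seen at the border, sampled out at the 1:100 core exporter.
    Flow("border", 2000, 2002, "203.0.113.10", 40002, "198.51.100.8", 443, 6, 12),
    # Popular destination: two inside clients talk to it in the same window.
    Flow("border", 3000, 3030, "203.0.113.10", 40003, "198.51.100.9", 443, 6, 300),
    Flow("core",   3001, 3029, "10.20.2.2",    50001, "198.51.100.9", 443, 6, 3),
    Flow("core",   3005, 3040, "10.20.3.3",    50002, "198.51.100.9", 443, 6, 2),
    # Same destination, different hour: must not be pulled in.
    Flow("core",   5000, 5010, "10.20.4.4",    50003, "198.51.100.9", 443, 6, 1),
]


def attribute(notice_ts, public_ip, public_port, flows, skew=5):
    """Map a notice (timestamp, public IP, public port) to inside source IPs."""
    # Step 1: the border exporter sees the translated address, so the notice's
    # IP and port identify one flow there and give us the remote destination.
    border = [f for f in flows
              if f.exporter == "border"
              and f.src_ip == public_ip and f.src_port == public_port
              and f.start - skew <= notice_ts <= f.end + skew]
    if not border:
        return Attribution("no_border_flow", (), None)
    b = min(border, key=lambda f: abs(f.start - notice_ts))
    dest = (b.dst_ip, b.dst_port, b.proto)

    # Step 2: NAT rewrites the source IP and usually the source port, so the
    # only keys shared with the inside exporter are destination and time.
    inside = sorted({f.src_ip for f in flows
                     if f.exporter == "core"
                     and (f.dst_ip, f.dst_port, f.proto) == dest
                     and f.start <= b.end + skew and f.end >= b.start - skew})
    if not inside:
        return Attribution("no_inside_flow", (), dest)
    status = "identified" if len(inside) == 1 else "ambiguous"
    return Attribution(status, tuple(inside), dest)


def seen_probability(packets, sample_rate):
    """Chance that a flow of `packets` packets yields at least one sampled
    packet under random 1-in-`sample_rate` sampling."""
    return 1.0 - (1.0 - 1.0 / sample_rate) ** packets


if __name__ == "__main__":
    for ts, port in [(1030, 40001), (2001, 40002), (3010, 40003), (1030, 49999)]:
        print(port, attribute(ts, "203.0.113.10", port, FLOWS))
    for n in (12, 400):
        print(n, "packets at 1:100 ->", round(seen_probability(n, 100), 3))
```
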


RE: [Off-Topic] Computer Labs

2013-08-21 Thread Adam T Ferrero

  Here at Temple University we centralized computer labs.  We used to have 
countless small labs in each School or College scattered across our campuses.  
We opened a 700 computer lab with all software and access for all majors and 
shutdown nearly all of those smaller labs.

http://www.temple.edu/cs/techcenter/

  There are certain specialty rooms (recording booths or the video production 
room), but the bulk of the lab enables all majors to come and work together.  
Last I heard a statistic it was pumping through ~8,000 students a day.  We do 
network maintenance at midnight and the lab is still packed at that hour.

  It's as much a social gathering place as a place of study with several break 
out rooms for collaboration.  I think it's pretty awesome.  By all measures 
here, it has been wildly successful.

  Adam


RE: [WIRELESS-LAN] Non-802.1x devices on wireless...

2013-06-07 Thread Adam T Ferrero

  We have been operating the following for a couple years with reasonable 
success.

  Campus wide:

-  TUguestwireless – open wireless for onboarding and self service account creation via SMS text messaging – no internet access otherwise (via Packet Fence).  Will soon add one click mobileconfig provisioning (last piece we are missing to make it awesome).

-  TUsecurewireless – WPA2 enterprise.  Authentication alone gets you access and we use Freeradius to steer staff, students, and guests to different vlans (to get different access privileges).

-  eduroam

  Residence Halls only:

-  TUresnet – WPA2 enterprise authentication and one time registration forces our managed AV

-  TUresnetextra – WPA2 PSK w/ mac authentication requires device registration via portal.

  Anything else is a one off case for us (which happens).  Next we are adding 
one click mobileconfig provisioning to ease onboarding (soon) and continuous 
posture checking (much later).  The only complaints are occasionally the folks 
that just want anyone to connect without providing any credentials.  We don’t 
do it.  Either self service and we know the cell phone number or sponsored 
access.  We think we are regulated by HEOA to know who connects anywhere (no 
small feat when you add NAT into the puzzle).  There are plenty of evil doers 
out there and we hope they will move on to someone else’s open network.

  a...@temple.edu
 Temple University – Network Services
  Join the team! We are looking for a Linux Sys Admin type to support AAA, NAC, 
Monitoring environments
  
https://hospats.adminsvc.temple.edu/CSS_External/CSSPage_Referred.ASP?Req=TU-16534



RE: [WIRELESS-LAN] Student devices

2013-05-03 Thread Adam T Ferrero

  We have:


-  Open wireless SSID for onboarding only.  SMS text message 
credentials.  Soon to add .mobileconfig one click provisioning feature.

-  Single WPA2 enterprise SSID for student, staff, guests - Freeradius 
detects ldap attributes and steers user groups towards certain vlans which 
leads to specific access permissions (controlled by router acls and firewall 
rules).

-  eduroam - Freeradius again steers folks based upon role

  It has served us fairly well and I personally love not having an open network 
for anything besides onboarding (plus we think it meets HEOA compliance).  The 
one click provisioning should alleviate the last of the usability complaints 
(hopefully).

  Adam
  Temple University




RE: How to separate the access privilege of staff and students

2012-11-05 Thread Adam T Ferrero

  We do exactly this with Freeradius as well.  We key off of an ldap attribute 
that distinguishes between staff and student.  It is done in the post-auth 
section of the outer tunnel virtual server (WPA2 enterprise SSID).  Because we 
allow NAC guest accounts (non-ldap), we have a final block that will place 
those guests on a guest vlan if that ldap attribute doesn't exist.

  Our wireless controllers are set to honor the vlan attribute from radius 
accepts (tunnel-private-group-id) and default to a "registration" vlan if it 
doesn't exist.  That registration network gives a captive portal page (but 
users aren't supposed to ever get there for that reason).

  We even had to extend to distinguish between controller IP addresses to set 
unique vlans because of our scale.  We had a /21 in place for students in a 
particular equipment room.  At max we had three wireless controllers in that 
room sharing the IP space, but even with 10 minute lease times we exhausted the 
supply frequently.  Now we have a /20 for students for each of those 
controllers.  4,000 IPs for students would be about 26 students per AP.  
Thankfully, we are not that dense yet but I didn't expect us to need this much 
so soon.  Users continue to suck down what we provide, we just try not to be 
too far behind increasing capacity to match.  On a good day we increase when we 
break 75% of the capacity.

  I hope the snippet helps (I changed IPs and pvids to protect the innocent).

  Adam


post-auth {
    if ((Huntgroup-Name == "wireless") && (User-Name == Calling-Station-Id)) {
        # User-Name == Calling-Station-Id => mac filtering / open wireless - allow controller to set vlan
        noop
    }
    elsif ((Huntgroup-Name == "wireless") && ("%{reply:ldapStafforStudentAttribute}" == "staff")) {
        # Wireless controller, not open wireless as above, must be WPA2 802.1x call.  Set vlan id via ldap attr
        update reply {
            Tunnel-Medium-Type = 6
            Tunnel-Type = 13
            # staff go to vlan 3008 on all controllers (separate IP addressing, but identical pvid in different rooms)
            Tunnel-Private-Group-ID = "3008"
        }
    }
    elsif ((Huntgroup-Name == "wireless") && ("%{reply:ldapStafforStudentAttribute}" == "student")) {
        # Wireless controller, not open wireless as above, must be WPA2 802.1x call.  Set vlan id via ldap attr
        switch "%{NAS-IP-Address}" {
            case "10.10.10.13" {
                update reply {
                    Tunnel-Medium-Type = 6
                    Tunnel-Type = 13
                    # students on the .13 controller go to vlan 3006
                    Tunnel-Private-Group-ID = "3006"
                }
            }
            case "10.10.10.17" {
                update reply {
                    Tunnel-Medium-Type = 6
                    Tunnel-Type = 13
                    # students on the .17 controller go to vlan 3007
                    Tunnel-Private-Group-ID = "3007"
                }
            }
            case {
                update reply {
                    Tunnel-Medium-Type = 6
                    Tunnel-Type = 13
                    # students on every other controller go to vlan 3009 (we used to have the same pvid everywhere until we needed to grow so large)
                    Tunnel-Private-Group-ID = "3009"
                }
            }
        }
    }
    else {
        # Non-ldap guests
        update reply {
            Tunnel-Medium-Type = 6
            Tunnel-Type = 13
            # non-ldap accounts (guests) get placed on vlan 3005 (which has router filter and firewall implications to restrict to general web browsing)
            Tunnel-Private-Group-ID = "3005"
        }
    }
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Linchuan Yang
Sent: Monday, November 05, 2012 12:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] How to separate the access privilege of staff and 
students

Dear All

Good morning. We want to separate the access privilege of staff and students by 
using the same SSID. We are using free radius linked with Active Directory. 
Could you please explain how to do it in detail? Shall we need ACS (ISE) or 
other?

Thank you, and have a nice day.

Yours,
Linchuan Yang (Antony)
Wireless Networking Analyst
Network Assessment and Integration,
IITS-Concordia Univer

RE: [WIRELESS-LAN] FreeRADIUS performance question

2012-09-05 Thread Adam T Ferrero

  That is a fun exercise.  Here we are for yesterday September 4th.  We had 
load issues last semester with the addition of tons of wireless, but we scaled 
up to get ahead of it (all vmware).  We seem to be purring along this semester 
(at least AAA, NAC, wireless-wise).  I have been wanting to graph the 
Freeradius auths via Zenoss, but the project hasn't made it to the top of the 
pile yet.

 98 10:54:22
 98 13:51:08
 98 13:51:20
100 12:20:46
100 13:52:25
105 13:52:49
107 12:09:18
111 12:18:21
114 10:56:28
146 12:18:22

  Adam Ferrero
  a...@temple.edu
  Temple University
  Awesome at wireless?  We want you on our team!
  
https://hospats.adminsvc.temple.edu/CSS_External/CSSPage_Referred.ASP?Req=TU-15524





RE: [WIRELESS-LAN] PacketFence

2012-04-26 Thread Adam T. Ferrero

  Fair enough regarding "NAC".  Our custom "Get Connected" process has been in 
place for over a decade for wired Residence Hall connectivity.  We have switch 
ports on a fixed vlan and we have two IP subnets on that vlan (call them 
registration and student).  When the dhcp request comes across initially for a 
new student, they get an address on the registration vlan side.  There they are 
served a dns server that wildcards everything to our captive portal 
registration page.

  Students log into that page and download a custom executable (for Windows or 
Macs).  That executable is smart enough to detect antivirus software, remove it 
and install our own managed AV.  Only after that is installed can they get to 
the final step of the registration.  Through database and scripts behind the 
scenes, we then register the mac address of that device.  After a certain time 
interval, their dhcp renews give them an IP address on the student IP subnet 
and off they go.

  That is all wired.  For wireless we have a hybrid with WPA2/802.1x radius 
calls hitting Packet Fence and placing folks in registration or student vlans.  
Registration still goes to our custom "Get Connected" page.

  What comes next is very simple posture assessments.  We just want to make 
sure that there is antivirus installed and the definitions are not ridiculously 
out of date.  Exact rules have yet to be determined, but the notion is simple 
enough (caveat - not much about NAC is simple).  So, for wired I prefer that we 
use 802.1x on the switch ports and actually detect whether AV is running and 
current before placing them on the student vlan.  We would want those folks to 
be able to get themselves remediated on their own too (your AV is out of date, 
so we will allow you to get the updates but not much else until then).  It 
would eliminate our upkeep on the custom "Get Connected" processes (which is 
web servers, scripts, databases and executables).  They have served us very 
well for almost 5,000 beds / semester, but I think we have a more elegant 
option available today.

  We did not look at Cisco Identity Services Engine so I cannot comment there.  
The solutions we looked at (just a handful seriously), were all very expensive. 
 We were comparing six digits and up against very low five digits.  It fit the 
bill for us.  Residence Hall wireless and enterprise wide guest wireless 
credentialing with the hope of posture assessments in the future.  Time will 
tell how we do there.

  Adam




Re: PacketFence

2012-04-26 Thread Adam T. Ferrero

  We have been using Packet Fence successfully since last summer.  We reviewed 
it and a few other commercial offerings.  It is our first NAC implementation 
and was prompted by the installation of 675 new wireless access points in our 
Residence Halls.  We wanted a way to enforce a few rules on the students living 
on campus.  Previously we have been running our own custom processes to ensure 
those rules (wildcard dns, captive portal, custom executables, all non 802.1x 
stuff).

  Since it was six figures less expensive than the next best commercial 
alternative and we have a talented staff that could support it, it wasn't a 
difficult choice.  It is a commercial open source offering, so we pay Inverse a 
few dollars so that we can call for help when we get stuck.

  We did two months of testing, then a one building pilot for two weeks and 
then deployed to all locations last fall (we rushed it).  During the winter 
intersession we added support to enterprise wide guest wireless credentialing 
(displacing another commercial solution).  We have needed to continue to scale 
it upward just because of our size, but now we are architected so that we can 
do that fairly easily (with hardware load balancing).  Next we need to enable 
the statement of health checking within Packet Fence.  We integrated Packet 
Fence with our custom solution and executables to figure that out presently, 
but want to go straight 802.1x and Packet Fence.

  I've been very happy with the selection and with the support from Inverse.  
I'd be happy to share more experiences.

  Adam Ferrero
  Executive Director Network Services
  Temple University, Computer Services
