A10 NAT software

2021-08-18 Thread Bruce Boardman
I've got to upgrade our NATs used for our wireless systems. Any A10 NAT users 
on the 5.x.x train? How's it going if so?
Thanks Bruce

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


ISE CERT Renewal

2021-04-20 Thread Bruce Boardman
We are going through Sectigo to renew RADIUS CERT for our 802.1x auth. 
environment. Cisco is a little bit nebulous regarding the activation and 
acceptance of the CERT with a future CERT valid date. They are not clear if the 
renewal will take without a CSR (why is a question to Cisco), but they 
indicate that in that case the private key may need to be uploaded. I don't 
want to get to the expiration day to find out that the CERT needs to be 
reissued, which would be a lengthy outage for machine auth clients needing a 
push of the new CERT.

Anybody renewed on ISE prior to the expiration of the existing CERT using a 
future CERT valid date?  Talk me off the ledge.
Thanks




ISE 2.7 Patch Level

2020-08-12 Thread Bruce Boardman
Anybody on ISE 2.7 run either of the patches? Cisco wants everything to the latest 
and so-called greatest, but I don't see a technical reason to move just yet. 
This caught my eye: CSCvn12644 'ISE Crashes during policy evaluation for AD 
attributes', but it's short on details. Wondering if I'm missing something. Thanks



Icing ISE 2.1 but where to jump

2020-07-16 Thread Bruce Boardman
We are having to leave our ISE 2.1 servers, in favor of a supported release. 
Cisco is recommending 2.7 patch 1 (for whatever that's worth). Anybody got any 
experience good or bad with said release? FWIW we just use it for RADIUS.
Thanks Bruce



Sectigo/InCommon/Comodo AddTrust External CA Root Expiration

2020-04-14 Thread Bruce Boardman
The Sectigo 'AddTrust External CA Root' Root certificate is expiring May 30th 
2020. We use a supplicant cert signed by this chain in our Cisco ISE RADIUS PEAP 
config for 802.1x Wireless clients. Cisco is telling me that this end client 
Cert must be reissued using a new root due to differing serial numbers between 
the old and new root certs. Sectigo states that it is not likely needed due to 
cross signing of the new root cert with the old.  Here's the knowledge article 
https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA03l0117LT.

Anyway I was wondering if anyone has had any experience with changing roots on 
ISE or other RADIUS setups, or just knows what makes sense in regards to this 
root swap out and the possible end user impact.

Thanks
Bruce



RE: [WIRELESS-LAN] Cisco 8540 WLC random reboots

2018-07-09 Thread Bruce Boardman
We are running 8.2.167.3 in HA with no problem for 6ish months. Now I’ve jinxed 
it!

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Alan D Wang
Sent: Monday, July 9, 2018 1:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco 8540 WLC random reboots

Do you have the bug ID for the major HA bug?

On Mon, Jul 9, 2018 at 1:17 PM, Rick Coloccia <coloc...@geneseo.edu> wrote:

Hi, yes, it is, but the 8.5.131 code that is out now has a major HA bug that is 
very hard to recover from.

Cisco wireless engineers promised us code by the end of July that will address 
that issue.

On 7/9/2018 1:15 PM, Swartz, Pola wrote:
8.5.131 code is available now.
Smile,
Pola

On Jul 9, 2018, at 11:14 AM, Rick Coloccia <coloc...@geneseo.edu> wrote:

Lots of bugs in 8.5.120, including some giant HA bugs.

The version of 8.5.131 coming later this month is where you'll want to be. 
Specifically, one of the fixes in the version of 8.5 coming later this month 
deals with HA issues.



On 7/9/2018 12:44 PM, Mallon, Jason wrote:
We are currently in the process of migrating to 8540s (8.5.120) from 8510s.  
Here recently we started noticing the HA unit on two of the pairs was in 
maintenance mode.  We rebooted the controllers and they seem to have stayed in 
a continuous boot loop.  We restarted one of the controllers to its emergency 
code (8.2.166) and it rebooted correctly without any issues, disabled SSO mode, 
rebooted back into 8.5.120 with no issues.  We enabled SSO again and 
immediately went back to having boot loop issues.  Is anybody else seeing this 
issue?

Jason Mallon
Network Engineer II, OIT
The University of Alabama
jemal...@ua.edu
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



--
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579



--
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579



--
Alan Wang
Network Analyst
Binghamton University
aw...@binghamton.edu




ISE 2.2 How's it going

2017-03-08 Thread Bruce Boardman
Anybody using ISE2.2? How's the bug factor?




RADIUS Performance

2017-03-06 Thread Bruce Boardman
Looking to nail down RADIUS performance on ACS 5.8. Cisco doc says 5.7 able to 
handle 100 per second, but we are seeing peaks over 100 per second on 5.8 
against an AD identity store. I heard 5.8 has the ISE RADIUS engine, which for 
2.0 lists PEAP MSCHAPv2 at 347 per second against AD.

I'm wondering if anybody has seen consistently higher than 100 per second RADIUS 
auth loads on a single ACS 5.8 box. Thanks

Bruce Boardman Networking Syracuse University 315 412-4156 Skype 
board...@syr.edu



Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-16 Thread Bruce Boardman
Mike

Regarding the Troubleshooting and debug challenges with NPS are you exporting 
the MS events to a log collector or using the server's native event viewer? How 
useful have you found the PerfMon RADIUS metrics?



Bruce Boardman, Network Engineer, Syracuse University - 315 412-4156

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Mike Atkins <matk...@nd.edu>
Sent: Wednesday, November 16, 2016 2:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Lee,
We use Microsoft NPS for radius on dot1x wireless (ND-secure & eduroam.) 
Troubleshooting and getting debug information has been very difficult.  Finding 
a deployment guide on expected performance/load is also impossible to find.  I 
think configuration is absolutely key.  My impression is either it works great 
or it does not.

Dennis,
I think we are doing the realm stripping you are talking about using NPS.  Our 
identity management group has two policies configured for eduroam.  The first 
policy says identity @nd.edu<http://nd.edu> authenticate PEAP requests on the 
local server.  The second policy says "@" forward to the two 
eduroam.us<http://eduroam.us> "servers."  There are a couple other policies for 
off campus users that get forwarded from eduroam.us<http://eduroam.us> servers. 
 Maybe not what you are talking about but just thought I would chime in just in 
case.





Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame
Phone: 574-631-7210


   .__o
   - _-\_<,
   ---  (*)/'(*)

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, November 16, 2016 9:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Hello to the awesome group.

We've used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN's 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We're weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more "feature rich". For 
major vendors, RADIUS is just a slice of NAC now, and since everybody "is a 
software company!" licensing can be ugly. I'm not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can't help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn't 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I'm not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.



TLS Onboarding Vendors

2016-10-31 Thread Bruce Boardman
We are using Cloud Path for onboarding, but we are considering other options if 
and when we go to EAP TLS. We may get it baked in if we use ISE or Clear Pass 
but I'm considering other standalone options as well. Anybody have experience or 
thoughts they'd like to share? Thanks

Bruce Boardman Networking Syracuse University 315 412-4156 Skype 
board...@syr.edu



Cisco Stable ACS version

2016-07-29 Thread Bruce Boardman
Looking for insight as to a stable (non-buggy) ACS version.

We use Cisco ACS version 5.4..46 for RADIUS and TACACS. After finding that this 
version includes a bug that allows unsupported browsers to corrupt the ACS 
database, we are going to upgrade. Cisco TAC has recommended version 5.5 and 
5.8, in two separate TAC cases. Both require pre and post patches as well as 
all the usual Cisco minefield of upgrade instructions.

I'd appreciate any feedback regarding experience with either 5.5 or 5.8.

thanks

Bruce Boardman Networking Syracuse University 315 412-4156 Skype 
board...@syr.edu





RE: Cisco LWAP Advice

2015-12-11 Thread Bruce Boardman
Don’t think it’s well meaning. When I worked in a music store we used to sell 
the sound system at a loss and make our on microphones and guitar strings. Not 
to mention we had a loyal customer forever.

Bruce Boardman Networking Syracuse University 315 412-4156 Skype 
board...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Friday, December 11, 2015 7:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco LWAP Advice

I agree with the RFP idea.

When we last did an RFP and in-house demos & proof of concepts, we were 
surprised at what was offered by Aruba Networks. They even worked with us to 
support multicast video on wireless.

Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Thursday, December 10, 2015 1:41 PM
Subject: Re: Cisco LWAP Advice

If the old controller is all that is tying you to Cisco,  it sounds like RFP 
time- let the market compete for your business.

Lee Badman | Network Architect
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Andrew Conley
Sent: Thursday, December 10, 2015 1:35 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco LWAP Advice




Eddie,



Thanks for the advice! I don't think that Cisco will "give" us a controller - 
but nice try...



Best,

Andrew Conley

Director of Information Technology

San Diego Unified High School District

E: andrew.con...@sduhsd.org

W: 760.363.5008 x 1009


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Klaczko, Edwin <eklac...@sd54.org>
Sent: Thursday, December 10, 2015 9:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco LWAP Advice


I concur with Thomas.  Per this doc  
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-series-switches/end_of_life_notice_c51-634665.html



End-of-life was 12/13/2010

End-of-SW maintenance was 6/12/2014

End-of-Service Contract Renewal Date was 9/8/2015



With the size of your district maybe you have a spare 5500 or newer lying 
around if you don’t want to invest the money right now.  Pick which APs you 
want to use first since this will be a good bulk of your costs, then have Cisco 
“give” you the controller for them.  ;)



Eddie Klaczko



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of McClintic, Thomas
Sent: Thursday, December 10, 2015 8:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco LWAP Advice



To future proof your deployment it may be best to upgrade your WLC to a 5520. I 
suggest deploying the x700 series LWAP to support 802.11ac as we have seen a 
large increase in clients supporting it. Here is a comparison chart for the 
various ac enabled LWAPs.

http://www.cisco.com/c/en/us/products/wireless/buyers-guide.html#~indoorac



Cisco has nice bundling options so we have opted to use the 3702 after taking 
advantage of the bundling discounts. We use the 2702 in smaller office bundles 
as well, but large buildings with higher density we choose the latter.



Hope this helps!



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jake Snyder
Sent: Wednesday, December 09, 2015 9:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco LWAP Advice



So the only AP still sold new that is supported on a 4404 is the 3502i.



Not much in the way for options on that old platform, but that is what you can 
still buy.  Might be time to look at upgrading that old girl.

Thanks

Jake Snyder

jsny...@compunet.biz

208-286-3015



Sent from my iPhone



On Dec 9, 2015, at 4:56 PM, Andrew Conley <andrew.con...@sduhsd.org> wrote:

Hi all,



I'm new to the EduCause community (even though I'm a HS District IT Director 
and Educause is for Higher-Ed..). We're a 135,000 student and 6,000 staff 
district (very large). I am doing a AP deploy 

RE: [WIRELESS-LAN] AW: [WIRELESS-LAN] To provide (wireless) service, or not to provide (wireless) service...

2015-05-13 Thread Bruce Boardman
Seems like it doesn’t matter who is floating the radio waves, you or an LTE 
provider, you’ll still be on the hook for support, especially if vpn clients 
are running on all those client devices.

Mongolians? I thought it was Monrovians

Bruce Boardman Networking Syracuse University 315 412-4156

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Philippe Hanset
Sent: Wednesday, May 13, 2015 11:06 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] AW: [WIRELESS-LAN] To provide (wireless) service, 
or not to provide (wireless) service...

Lee,

All you need is a Smart-Phone with a HotSpot feature and a very large Data 
Quota.
(I assume that’s what schools thinking about switching to LTE have in mind!)
You can then do WPA2-PSK between your phone and your TV, your Game Console, ...

Mongolians don’t have wireless in the plains, but they do have goats ...

Philippe

Philippe Hanset
www.anyroam.net



On May 13, 2015, at 10:59 AM, Lee H Badman lhbad...@syr.edu wrote:

Does the carrier guarantee capacity at this scale? And does it matter that no 
game systems, TVs, etc can play any more? And… students have to use two 
distinct technologies depending on where they are on campus, and probably have 
to VPN in for certain operations from the dorm to campus?

This sounds like an absolute goat rope (I believe Mongolians have another term 
for it).

Lee Badman
Wireless/Network Architect
ITS, Syracuse University
315.443.3003
(Blog: http://wirednot.wordpress.com/)

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Wednesday, May 13, 2015 9:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] AW: [WIRELESS-LAN] To provide (wireless) service, 
or not to provide (wireless) service...

I have a little more information to provide now.  I absolutely appreciate that 
it will be extremely tempting to respond with biased opinions.  I don’t think 
there is anything that can be said that I haven’t already expressed to my team. 
 However, that will not help me write up my recommendation.  So that being 
said, feel free to chime in with tangible reasons to do this or not…

Apparently, our president heard that some schools are investigating purchasing 
bulk data contracts with mobile (“cellular”) carriers for data.  The idea is, 
we would stop providing 802.11g/n/ac wireless in the residence halls and 
instead provide students with the abilities to register their devices with the 
mobile carrier to use 4G/LTE data.  The University will pay for this.

Pros:
No wireless (802.11) to purchase, support
Reduced POE requirements on switches
No wireless driver/configuration mismatches problems to support

Cons:
Is mobile wireless signal available everywhere inside the buildings?  Costs to 
improve signal.
What speeds are available (what range of speeds)?  Is it by user or aggregate?
How is congestion handled?
What devices – mobile phones only?  Hotspots to provide access to non-cellular 
devices (e.g wifi-only tablets; laptops)
More Ethernet ports needed for devices that previously depended on wireless
What provider(s)?
Support shifted from “device to institutional wifi” to “device to myfi” or 
“device to 3rd party”
Cost per user, per GB?

What else?

If you know of any institutions who have attempted this (I have heard MIT is 
looking at it, but we aren’t MIT), please let me know.

By the way, the background here is .. we installed our 802.11n network ~5 years 
ago and haven’t had any commitment to fund it since.  So now we are trying to 
deal with capacity (BYOD) issues that didn’t exist 5 years ago while upgrading 
to 11ac.  Of course, it’s not a 1:1 swap of equipment since we’d be migrating 
from 2.4GHz to 2.4+5GHz.  That puts the costs for forklift upgrades pretty high 
(did I mention I’ve been unsuccessfully asking for funding for 3 years?).

I believe this can all best be summarized with a simple .. Oy.

-Brian





From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jerkan, Kristijan
Sent: Sunday, May 03, 2015 12:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] AW: [WIRELESS-LAN] To provide (wireless) service, or 
not to provide (wireless) service...

As a public institution in the EDU sector we always had a byod policy in our 
dorm network, specifically including „anything You want to connect to the port 
in Your room“.

Parameters:
-5k+ dorm rooms (1.8k the largest segment, 20 the smallest)
-120km radius
-at least one (mostly two) RJ45 port per room (cat5-7 to the switch, fiber 
afterwards)
-10/100MBit ports (deliberately did not go for 1GBit at the edge)
-no additional accounting, just dhcp

RE: [WIRELESS-LAN] Roll Call- Who's going to WLPC from higher ed?

2015-01-29 Thread Bruce Boardman
Sounds good to me

Bruce Boardman Networking Syracuse University 315 412-4156

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Daniel Westacott
Sent: Thursday, January 29, 2015 11:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Roll Call- Who's going to WLPC from higher ed?

I am planning on attending the WLPC and am looking forward to talking about edu 
issues.
Do we want to schedule a dinner event for Edu ?
/daniel/
daniel westacott
Networking and Telecommunications
University of Minnesota



On Thu, Jan 29, 2015 at 9:17 AM, Lee H Badman lhbad...@syr.edu wrote:
Just curious how many on the list are going to the Wireless LAN Pro Conference 
next week? Bruce Boardman and myself from Syracuse will be there- would be nice 
to connect with our friends from other schools during the event.

-Lee



Lee Badman
Wireless/Network Architect
ITS, Syracuse University
315.443.3003
(Blog: http://wirednot.wordpress.com)





RE: [WIRELESS-LAN] Trying to get the Wi-Fi Alliance's Attention

2015-01-22 Thread Bruce Boardman
This is no different from any interoperable standard (SNMP is 20 years old and 
still doesn't manage much). It's always the lowest common denominator, leaving 
the vendors 'value-add' out. When an advanced feature gets added, it's advanced 
only in age. Vendors participation in standards bodies is for the marketing 
check box, not Kumbaya and World Peace. But don’t fret, that sort of SOP is job 
security man!  

Bruce Boardman Networking Syracuse University 315 412-4156

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Julian Y Koh
Sent: Thursday, January 22, 2015 4:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Trying to get the Wi-Fi Alliance's Attention

On Thu Jan 22 2015 13:47:18 CST, Lee H Badman lhbad...@syr.edu wrote:
 
 I know self-promotion is in poor taste, but wanted to share this 
 
 http://www.networkcomputing.com/wireless-infrastructure/the-case-for-wlan-interoperability/a/d-id/1318718?

I think you’ve earned the right for a little self-promotion, Lee.  :)

Although you also deserve a bit of mocking for the use of “Class C subnet.”  
:):):)


-- 
Julian Y. Koh
Acting Associate Director, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)

2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: http://www.it.northwestern.edu/
PGP Public Key:http://bt.ittns.northwestern.edu/julian/pgppubkey.html





RE: [WIRELESS-LAN] NAT tracking question

2015-01-15 Thread Bruce Boardman
Seems to be the case that the source port is part of the complaint, and if it's 
not, you're right, no track back. I'm guessing that the complaining entities are 
dealing with lots of NATed networks. 

Bruce Boardman Networking Syracuse University 315 412-4156

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jerry Bucklaew
Sent: Thursday, January 15, 2015 1:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] NAT tracking question

Jason, Bruce,

   It sounds intriguing but I do have one question.  This method assumes that 
you will get the source ip and source port in the request/complaint.  How often 
is that the case as I would assume most requests are in the flavor of this ip 
was attacking this ip at this time?  Do you ever have the need to track down a 
user without knowing the source port, as you would have no way to do it (unless 
you do netflow also).



On 01/15/2015 12:29 PM, Jason Wang wrote:
 We do the same on a pair of the A10 AX3530's, and it's been working 
 very well for us. We are currently NAT'ing a /12 of internal addresses 
 into a /16 of external addresses (~4000 ports per internal IP). When 
 doing lookups, we just pre-generate a lookup table of the outside IP  
 port to the inside IP, although you could also just calculate it on 
 the fly.

 Jason



 On 01/14/2015 02:06 PM, Bruce Boardman wrote:
 We do this with A10 Networks CGN boxes. They have a feature they call 
 fixed NAT, which predetermines some number of inside addresses to  a 
 pool of outside addresses. These mapping are static, so when you get 
 a particular inside address you'll always get a particular outside 
 address within a defined static port range. If you know one you'll 
 know the other.  We log the traffic, so we can pretty much look back 
 and time correlate use via DHCP and 802.1x.

 Bruce Boardman Networking Syracuse University 315 412-4156



RE: [WIRELESS-LAN] NAT tracking question

2015-01-14 Thread Bruce Boardman
We do this with A10 Networks CGN boxes. They have a feature they call fixed 
NAT, which predetermines some number of inside addresses to a pool of outside 
addresses. These mappings are static, so when you get a particular inside 
address you'll always get a particular outside address within a defined static 
port range. If you know one you'll know the other.  We log the traffic, so we 
can pretty much look back and time correlate use via DHCP and 802.1x. 

Bruce Boardman Networking Syracuse University 315 412-4156

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jerry Bucklaew
Sent: Wednesday, January 14, 2015 2:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] NAT tracking question

To ALL:

We have a large Cisco wireless deployment with public ip address space.  
Getting more public IP's is getting difficult so we are considering going to 
NAT.  The issue we have with NAT is that we still want to be able to map an 
outside IP back to an individual user.  Once you go to NAT that of course 
becomes more difficult to do.  I know a lot of you are probably already doing 
this and I was wondering how and what products do you use?  I assume most have 
a one to many NAT and then use something like a netflow collector to track the 
inside NAT IP to the outside Src-IP/DST-IP/Port/Time. Any good working 
solutions or products would be helpful.
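
The fixed-NAT trace-back discussed in this thread (a /12 of inside addresses onto a /16 of outside addresses, then time correlation against DHCP/802.1X records), as an added example that is not part of any poster's message and is not A10's code. The block layout (inside hosts packed in order, equal slices of ports 1024-65535), the 10.0.0.0/12 and 198.18.0.0/16 pools, and the session records are assumptions constructed for illustration; it also covers the case raised in the thread where the complaint carries no source port.

```python
"""Fixed-NAT trace-back: outside IP (+ source port) -> inside IP -> user.

ASSUMED layout, for illustration only: inside addresses are packed in order
onto outside addresses and each receives an equal, contiguous slice of ports
1024-65535. A real CGN may lay out its blocks differently; take the actual
layout from the device configuration.
"""
import ipaddress
from datetime import datetime

FIRST_PORT, LAST_PORT = 1024, 65535


class FixedNat:
    def __init__(self, inside_net, outside_net):
        self.inside = ipaddress.ip_network(inside_net)
        self.outside = ipaddress.ip_network(outside_net)
        if self.inside.num_addresses % self.outside.num_addresses:
            raise ValueError("inside pool must be a multiple of the outside pool")
        # Inside hosts sharing one outside address, and the ports each one gets.
        self.ratio = self.inside.num_addresses // self.outside.num_addresses
        self.ports_per_host = (LAST_PORT - FIRST_PORT + 1) // self.ratio

    def forward(self, inside_ip):
        """Inside IP -> (outside IP, first port, last port)."""
        idx = int(ipaddress.ip_address(inside_ip)) - int(self.inside.network_address)
        if not 0 <= idx < self.inside.num_addresses:
            raise ValueError(f"{inside_ip} is not in {self.inside}")
        first = FIRST_PORT + (idx % self.ratio) * self.ports_per_host
        outside_ip = self.outside.network_address + idx // self.ratio
        return str(outside_ip), first, first + self.ports_per_host - 1

    def reverse(self, outside_ip, src_port=None):
        """Outside IP (+ port) -> inside IPs that could have sent the traffic.

        With a port the answer is one host (or none if the port is outside the
        NAT range). Without a port every host sharing the address is returned.
        """
        idx = int(ipaddress.ip_address(outside_ip)) - int(self.outside.network_address)
        if not 0 <= idx < self.outside.num_addresses:
            raise ValueError(f"{outside_ip} is not in {self.outside}")
        base = self.inside.network_address + idx * self.ratio
        hosts = [str(base + slot) for slot in range(self.ratio)]
        if src_port is None:
            return hosts
        if not FIRST_PORT <= src_port <= LAST_PORT:
            return []
        slot = (src_port - FIRST_PORT) // self.ports_per_host
        return [hosts[slot]] if slot < self.ratio else []


# Constructed DHCP/802.1X session records: (inside IP, user, start, end).
SESSIONS = [
    ("10.0.0.17", "student-a", "2015-01-15T09:00:00", "2015-01-15T11:00:00"),
    ("10.0.0.17", "student-b", "2015-01-15T11:30:00", "2015-01-15T13:00:00"),
    ("10.0.0.18", "staff-c", "2015-01-15T08:00:00", "2015-01-15T17:00:00"),
]


def attribute(nat, outside_ip, when, src_port=None, sessions=SESSIONS):
    """Users holding a candidate inside IP at the time named in the complaint."""
    t = datetime.fromisoformat(when)
    hosts = set(nat.reverse(outside_ip, src_port))
    return sorted({
        user for ip, user, start, end in sessions
        if ip in hosts
        and datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end)
    })


# Constructed pools matching the sizes in the thread: a /12 inside, a /16 outside.
NAT = FixedNat("10.0.0.0/12", "198.18.0.0/16")

if __name__ == "__main__":
    print(NAT.ratio, "inside hosts per outside IP,", NAT.ports_per_host, "ports each")
    print(NAT.forward("10.0.0.17"))
    print(attribute(NAT, "198.18.0.1", "2015-01-15T12:00:00", src_port=6000))
    print(attribute(NAT, "198.18.0.1", "2015-01-15T12:00:00"))
```

Without a source port the result is every user active on any host behind that outside address, so the complaint narrows the search but does not identify one user.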



RE: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards

2013-12-05 Thread Bruce Boardman
They have to accept the CERT for the RADIUS servers if they are auto 
configuring, but the verbiage about which server may be on a second page of the 
alert, which is likely ignored.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of T. Shayne Ghere
Sent: Thursday, December 5, 2013 1:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards

Lee,

Do the students have to install the certificate when authenticating, or do they 
just use their username/password and it's in there already?  I'm beginning to 
think Windows 8 is Vista all over again.

Thanks
Shayne

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, December 05, 2013 12:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards

GoDaddy here, working fine.

Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of T. Shayne Ghere 
[sgh...@fsmail.bradley.edu]
Sent: Thursday, December 05, 2013 12:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards

Just a thought.

Is anyone using a different certificate other than Globalsign with their ACS 
server?  If you're successful in using the certificates on all Windows 8/8.1pro 
machines, could you please let me know what certificate you're using?

We're using GeoTrust Global CA and GeoTrust DV SSL on our ACS server, and I'm 
wondering if this is the root cause of it not working.  We have to install the 
certificates manually when getting on our secure network and since Globalsign 
is already installed, I'm wondering if this might be the problem.

Thanks again!
Shayne

From: T. Shayne Ghere [mailto:sgh...@fsmail.bradley.edu]
Sent: Wednesday, December 04, 2013 1:48 PM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Subject: RE: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards

Has anyone seen people upgrading their Windows 7 computers to Windows 8 or 8.1 
and the wireless breaks completely?   That's what I'm seeing here with the 
Broadcom and some Atheros cards.

I've been working on this since Monday (solid) and cannot get any Broadcom wlan 
cards to connect with Windows 8 or 8.1pro, but if I re-image the computer to 
Windows 7 pro, it works just fine.

We are a complete Cisco shop with about 500 1142N AP's and 128 1231, 1232 and 
1251 AP's so unless we replace the 1200's we're stuck at the 7.0.253.5 code 
(which is supposed to fix it).  But that's not what we're seeing if they're 
upgrading their computers.   All the new computers are working just fine that 
come pre-installed with Windows 8.  Upgrade to 8.1pro and that's the gotcha 
we're seeing too.

Thanks for all the suggestions, but I've shelved the Broadcom chipset as a 
Won't work on our wireless network if you upgrade to 8.   Now moving on to 
some of the others that are coming in.

Going to be fun after Christmas.   /ugh

Thanks
Shayne

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, December 04, 2013 1:23 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards

During our opening, and after a Windows update on my own son's machine at the 
same time, we saw many cases where both WLAN adapter and chipset drivers both 
had to be updated to connect to secure networks.

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Hulko
Sent: Wednesday, December 04, 2013 1:40 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards

Not necessarily related to Windows 8, but we have had the same issue with Intel 
Centrino family chipsets.  We had the users upgrade the chipset to the latest 
version available from Intel's site and that seemed to resolve the issues.

Never rely on the user to tell you that they have updated the drivers

MH


On 2013-12-04, at 12:59 PM, Joe Roth wrote:

Shayne,

We have seen this as well. The instructions from the blog that Don posted are 
essentially what we use. Our Help Desk has a flash drive with a pile of 
wireless nic drivers that they keep handy.

On Wed, Dec 4, 2013 at 12:50 

RE: [WIRELESS-LAN] Eduroam rollout- one more time

2013-11-03 Thread Bruce Boardman
So far it's been a one time setup for us. I would guess including testing it 
took about 16 hours.

|Bruce Boardman, Network Engineer, Syracuse University -  315 889-1667

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Charlie Derr 
[cd...@simons-rock.edu]
Sent: Friday, November 01, 2013 4:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam rollout- one more time


On 11/01/2013 04:13 PM, Matt Williams wrote:
 I don't want to hijack this discussion, and I'll apologize now for it, but I 
 do have an eduroam question.  How resource intensive is it to implement and 
 maintain an eduroam deployment?  We are a smaller institution, but we've had 
 a handful of requests from faculty members to adopt eduroam.  There is some 
 hesitation because we don't want to invest a whole lot of time to maintain a 
 service that may get used by 2 or 3 people per semester.

 Respectfully,

 Matthew Will Williams
 Assistant Director, Networking
 Bucknell University
 570.577.1491



Hello,

We're quite a small institution (fewer than 400 residential students) and we're 
very happy with the value/effort ratio eduroam gives us.  We also only have a 
very few folks traveling to other eduroam campuses, but those few have been 
very appreciative of the service when they connect somewhere else without any 
trouble/reconfiguration.  It was a little bit of extra work for some of our 
technical folks to succeed at our testing  deployment but very much a pleasant 
challenge that I think we all enjoyed (very little frustration as compared to 
other projects we've undertaken).

As far as hijacking the discussion, thank you for that.  :-]

I was tempted to reply earlier in this thread, and seeing the way it's played 
out, I think I made the right choice in not trying to send (or further edit) 
the draft I'd composed.

 ~c

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


RE: [WIRELESS-LAN] Eduroam rollout- one more time

2013-11-01 Thread Bruce Boardman
How did you get those stats, Walter?

Bruce Boardman - Syracuse University Network Engineer - 315 889-1667 
---

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Friday, November 01, 2013 2:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam rollout- one more time

That's pretty cool, thanks Walter.

Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Walter Reynolds 
[wa...@umich.edu]
Sent: Friday, November 01, 2013 2:15 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam rollout- one more time

Sorry, bad filtering.  Here is the correct data.

199 Unique users from 90 different domains.
This is a list of how many unique users from the country codes in the domains

  1 at
  1 dk
  1 ie
  1 nz
  2 it
  2 pt
  3 fi
  4 au
  4 es
  4 fr
  5 cz
  5 hk
  5 se
  6 za
 10 nl
 14 ca
 14 ch
 32 uk
 40 edu (US based)
 45 de

20 local users have used it off campus.



Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Fri, Nov 1, 2013 at 1:58 PM, Walter Reynolds wa...@umich.edu wrote:
We have not even had it rolled out a full week and here is what I have seen.  
May not be exact, but is pretty surprising.

238 unique users from 106 unique domains.

This is the breakout of country codes
  1 ie
  1 nz
  2 at
  2 dk
  2 it
  2 pt
  3 fi
  4 es
  4 fr
  5 au
  5 cz
  5 hk
  5 se
  6 za
 12 nl
 14 ch
 19 ca
 37 uk
 46 de
 64 edu

I also had 30 unique users from my campus use it somewhere else.





Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

On Fri, Nov 1, 2013 at 1:42 PM, Lee H Badman lhbad...@syr.edu wrote:
Good stuff- I hope we get some users after rolling it out. I did poll our 
distributed support folks, and as of yet can't find any hidden demand.  At the 
same time, we don't know what we don't know, ya know?



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Friday, November 01, 2013 1:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam rollout- one more time

Lee,

To answer 2 and 3, I have seen many schools that were amazed at how many 
eduroam users they had from all over the world and in many locations
(visiting scientists in labs, students from abroad in greenhouses!,...you name 
it)

Here is a graph from University of Chicago (yes, they are known for having a 
big International presence...but that was just in the first 3 months,
and it was back in 2010!!!)



On Nov 1, 2013, at 12:34 PM, Lee H Badman lhbad...@syr.edu wrote:

I know this comes up frequently, so forgive me. We're at a different place than 
we were at last inquiry...

Syracuse University has become an Eduroam school, and as we speak we have happy 
Eduroamers around the world. Woo Woo!

At the same time, we have yet to roll out Eduroam on our own campus and are 
getting ready to in accordance to the Eduroam agreement. We're trying to figure 
out the best model:

1.   Retire our own beloved 802.1x SSID, and use Eduroam in its place. This 
has no favor with any of us, including our senior IT managers and so is not 
gonna happen. (Though I value the opinions of others, not wanting to get into a 
debate on this point :) )

2.   Do a targeted rollout of Eduroam, in places where it is likely to be 
used by visitors- academic  buildings, etc. (So far, I can't find evidence of 
anyone coming to SU and asking for it). This model requires building a new WLAN 
group or two and pushing it out to probably 20ish buildings out of our 200+ 
buildings.

3.   Go the easy path, and push it the Eduroam SSID everywhere, as an 
additional WLAN, and live with the fact that it won't get a lot of use in most 
places and puts management traffic in the air that isn't generally going to be 
used.

I can't be the only one who has stood at this juncture and looked at the 
situation the same way. Wondering what others have done between #2 and #3, and 
what your level of satisfaction has been for whatever path you took.


Regards,

Lee Badman
Syracuse University



RE: [WIRELESS-LAN] measuring wireless availability?

2012-12-18 Thread Bruce Boardman
I would take the view that it's how available from the infrastructure pov and 
ignore the client, since that is a big variable. And maybe a variable that you 
have no control over!

Bruce Boardman - Syracuse University Network Engineer - 315 889-1667 
---

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Tuesday, December 18, 2012 4:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] measuring wireless availability?

Seems like a question that needs context. If it's a survey, availability 
might mean is it present and across how much of campus? versus IT guy/gal 
measure of  five nines kinda thing.

You could just send pictures of windmills to distract them.

-Lee



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jamie Savage
Sent: Tuesday, December 18, 2012 3:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] measuring wireless availability?

Hi,

  We've been approached from above to provide an availability % of our wireless 
service on campus.   We're not sure what is meant by 'availability' and have 
pushed the question back for clarification.   On the assumption that they're 
asking for availability stats from a user's perspective... that's a tough one.   
The fact that our wireless infrastructure equipment may be up 98.5% of the time 
does not mean that users are experiencing a quality service 98.5% of the time 
in all locations.  Just wondering if anyone has come up with a reasonable way 
of looking at this in order to provide a number that's meaningful.

...thanks in advance..J


Jamie Savage  |  Senior Communications Technician  |  University Information 
Technology

010 Steacie Science Building  |  York University  |  4700 Keele St. ,  Toronto 
ON  M3J 1P3 Canada

T: 416.736.2100 x22605  |  F: 416.736.5830  |  
jsav...@yorku.ca  |  www.yorku.ca

York UIT will NEVER send unsolicited requests for passwords or other personal 
information via email.  Messages requesting such information are fraudulent and 
should be deleted.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



RE: PEAP cert signed by 3rd party CA

2012-12-12 Thread Bruce Boardman
Not sure I understand the problem, but we went through this with Cisco ACS and 
Free Radius servers using both Verisign and Go Daddy CERTS. Both work 
generating as you describe. And exporting from the originating CSR server to 
new servers seems to work, although I haven't tested the clients' reaction to 
the cert.

Bruce Boardman - Syracuse University Network Engineer - 315 889-1667 
---

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hurt,Trenton W.
Sent: Tuesday, December 11, 2012 5:19 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP cert signed by 3rd party CA

No I'm actually using Idengines.  I have exported including the key, and now 
have a .pfx file.  I need a .pem and private key file from the pfx file.  I 
have tried a few different openssl commands on the pfx file, but have yet to 
get the right combo for the server.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danner, Mearl
Sent: Tuesday, December 11, 2012 5:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP cert signed by 3rd party CA

Are you using IAS? On W2K3 servers we had to export the cert with key after 
using the Verisign signup, then delete the cert and import it using the 
exported pfx file.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hurt,Trenton W.
Sent: Tuesday, December 11, 2012 3:59 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] PEAP cert signed by 3rd party CA

What 3rd party CA's are people using for their PEAP server side certificate?  I 
have previously used verisign because they have a specialized wlan radius cert 
that included the correct EKU's for server authentication, 1.3.6.1.5.5.7.3.1.  
I cannot get the cert from verisign to work and I'm now looking at possibly 
changing CA's.  My server requires the CSR be generated from the actual server 
itself, and it requires a .pem file and a private key file along with the 
private key passphrase when importing.

  Any suggestions, tips, tricks on this process is immensely appreciated.

Thanks
Trent



**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



RE: Wireless Design

2012-10-23 Thread Bruce Boardman
We are having this exact issue and have been working with TAC for a month. We 
have clients that are mis-configured pounding the RADIUS servers, and one by 
one we are identifying and blacklisting devices that have never been on the 
network. This is only a couple days in the works, but seems to have helped and 
TAC thinks it's the issue.



Per Tac
Hi Bruce,
Good Morning.
After discussing your scenario with the collaboration team, they suggest we 
track down the EAP-session timeouts and remove those clients or block them 
before reaching the ACS.
“Clients sending malformed requests, or not compliant with the access-challenge 
that ACS sends after a failure can tie up threads for up to 120 seconds.”
And “120” seconds is a lot of time.



We have also added a third server for logging. So far so good


|Bruce Boardman, Network Engineer, Syracuse University -  315 889-1667

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Chris Toth [ct...@bgsu.edu]
Sent: Tuesday, October 23, 2012 11:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Design

We are having authentication issues with our wireless network and I was 
wondering if any other universities are running a similar design without issue. 
 We have 17 wireless controllers each providing both an unsecured web auth and 
a secured WPA/WPA2 access using radius.  The secured access points to a load 
balancer using radius stickiness for 2 virtual cisco ACS servers running 
version 5.3.  We have approximately 10k associated authenticated wireless users 
during peak hours.

Our authentications servers don’t appear to be working very hard; however, they 
are having issues.  We are working with the vendor to resolve these issues but 
I am curious if other universities run their auth servers behind a load 
balancer and how many auth servers are running / per authenticated clients.

Any information you could provide would be helpful.

Thank you,

Chris Toth
Senior Network Technician
Bowling Green State University
Phone:(419) 372-8462
Email:  ct...@bgsu.edu

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



RE: [WIRELESS-LAN] Wireless Design

2012-10-23 Thread Bruce Boardman
TAC has confirmed the problem and has not yet offered a work around to LB. The 
LB is manually pointing controllers to one of the two RADIUS servers, which 
helps, but of course is not really a solution. The ACE is RADIUS session aware 
I take it?


|Bruce Boardman, Network Engineer, Syracuse University -  315 889-1667

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Dennis Xu [d...@uoguelph.ca]
Sent: Tuesday, October 23, 2012 12:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Design

We have two ACS 4.2 servers behind load balancer(ACE) and we do not see any 
issues with wireless PEAP authentications. We are going to upgrade these 
servers to ACS 5.3 soon. Has Cisco confirmed the problem is related with LB? 
What if the ACS servers are not load balanced, will the problem still exist? 
Thanks.

---
Dennis Xu
Network Analyst, Computing and Communication Services
University of Guelph
5198244120 x 56217

- Original Message -
From: Bruce Boardman board...@syr.edu
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Tuesday, October 23, 2012 11:55:31 AM
Subject: Re: [WIRELESS-LAN] Wireless Design

We are having this exact issue and have been working with TAC for a month. We 
have clients that are mis-configured pounding the RADIUS servers, and one by 
one we are identifying and blacklisting devices that have never been on the 
network. This is only a couple days in the works, but seems to have helped and 
TAC thinks it's the issue.

Per Tac
Hi Bruce,
Good Morning.
After discussing your scenario with the collaboration team, they suggest we 
track down the EAP-session timeouts and remove those clients or block them 
before reaching the ACS.
“Clients sending malformed requests, or not compliant with the access-challenge 
that ACS sends after a failure can tie up threads for up to 120 seconds.”
And “120” seconds is a lot of time.

We have also added a third server for logging. So far so good

|Bruce Boardman, Network Engineer, Syracuse University - 315 889-1667


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Chris Toth [ct...@bgsu.edu]
Sent: Tuesday, October 23, 2012 11:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Design

We are having authentication issues with our wireless network and I was 
wondering if any other universities are running a similar design without issue. 
We have 17 wireless controllers each providing both an unsecured web auth and a 
secured WPA/WPA2 access using radius. The secured access points to a load 
balancer using radius stickiness for 2 virtual cisco ACS servers running 
version 5.3. We have approximately 10k associated authenticated wireless users 
during peak hours.

Our authentications servers don’t appear to be working very hard; however, they 
are having issues. We are working with the vendor to resolve these issues but I 
am curious if other universities run their auth servers behind a load balancer 
and how many auth servers are running / per authenticated clients.

Any information you could provide would be helpful.

Thank you,

Chris Toth
Senior Network Technician
Bowling Green State University
Phone: (419) 372-8462
Email: ct...@bgsu.edu

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
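The triage described in the Wireless Design threads above (track down the clients producing EAP-session timeouts that have never been on the network, then block them before they reach the RADIUS servers), as an added example that is not from the thread or from Cisco. The log layout, result labels and MAC addresses are constructed assumptions, not ACS output; only the 120-second figure comes from the TAC quote.

```python
import re
from collections import defaultdict

# Worst-case time one bad exchange can hold a server thread, per the TAC
# statement quoted in the thread.
THREAD_HOLD_SECONDS = 120

RESULTS = {"PASS", "FAIL", "EAP_TIMEOUT"}

# Constructed sample log. The layout
# "<time> <calling-station-id> <username> <result>" is an assumption for this
# example. Station IDs deliberately appear in several notations, as they do
# when logs from controllers and servers are merged.
SAMPLE_LOG = """\
2012-10-23T09:00:01 02-00-00-00-00-01 jdoe PASS
2012-10-23T09:00:05 0200.0000.0002 anonymous EAP_TIMEOUT
2012-10-23T09:02:10 02:00:00:00:00:02 anonymous EAP_TIMEOUT
2012-10-23T09:03:00 02-00-00-00-00-01 jdoe EAP_TIMEOUT
2012-10-23T09:04:15 02:00:00:00:00:02 anonymous EAP_TIMEOUT
2012-10-23T09:04:20 02:00:00:00:00:03 guest FAIL
2012-10-23T09:05:00 02:00:00:00:00:03 guest EAP_TIMEOUT
2012-10-23T09:06:30 02-00-00-00-00-02 anonymous EAP_TIMEOUT
2012-10-23T09:07:00 02:00:00:00:00:03 guest EAP_TIMEOUT
2012-10-23T09:07:30 02:00:00:00:00:04 - EAP_TIMEOUT
2012-10-23T09:09:40 02:00:00:00:00:04 - EAP_TIMEOUT
this line is truncated
2012-10-23T09:11:50 02:00:00:00:00:04 - EAP_TIMEOUT
2012-10-23T09:12:00 02-00-00-00-00-01 jdoe PASS
"""


def normalize_mac(raw):
    """Reduce any common MAC notation to lower-case colon-separated form."""
    digits = re.sub(r"[-:.]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def summarize(log_text):
    """Count results per client MAC; return (stats, number_of_skipped_lines)."""
    stats = defaultdict(lambda: {"PASS": 0, "FAIL": 0, "EAP_TIMEOUT": 0})
    skipped = 0
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            _when, station, _user, result = fields  # wrong field count raises
            mac = normalize_mac(station)
            if result not in RESULTS:
                raise ValueError(result)
        except ValueError:
            skipped += 1  # count malformed lines instead of silently dropping
            continue
        stats[mac][result] += 1
    return dict(stats), skipped


def block_candidates(log_text, min_timeouts=3):
    """List clients that time out repeatedly and have never authenticated.

    Returns (mac, timeouts, worst_case_thread_seconds) tuples, worst first.
    A client with any PASS is excluded: a known device with an occasional
    timeout is a support case, not a blacklist entry.
    """
    stats, _skipped = summarize(log_text)
    rows = [
        (mac, c["EAP_TIMEOUT"], c["EAP_TIMEOUT"] * THREAD_HOLD_SECONDS)
        for mac, c in stats.items()
        if c["PASS"] == 0 and c["EAP_TIMEOUT"] >= min_timeouts
    ]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for mac, timeouts, seconds in block_candidates(SAMPLE_LOG):
        print(mac, timeouts, "timeouts, up to", seconds, "thread-seconds held")
```

Without the MAC normalization step the client logged in three notations would be counted as three quiet devices and fall under the threshold.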


RE: [WIRELESS-LAN] NCS Prime 1.2.0.103 dashboard

2012-10-05 Thread Bruce Boardman
We are on 1.1.1.24 but came from 103 and the advice I got from TAC was use 
Chrome.  It's working  well in a 22.0.1229.79 chrome browser.


|Bruce Boardman, Network Engineer, Syracuse University -  315 889-1667

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Garry Peirce 
[pei...@maine.edu]
Sent: Friday, October 05, 2012 12:14 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] NCS Prime 1.2.0.103 dashboard

Perhaps it’s because it’s Friday, but just getting PI 1.2.0.103 up   running 
and I see that when within the GENERAL dashboard,
I cannot scroll all the way to the right to see the edge of the dashlets on 
that side.

I thought it might be quickest to just ask this group.
Anyone else seeing this? or is this just a user error as I get accustomed to 
the new interface ;-)

If I minimize all dashlets on the left, then I can see a bit more of it.
I’m seeing no difference between IE/Chrome (most current revs).
If I drag/drop the right-side dashlets to the left , then I can see the entire 
thing – I suppose I can move them all to the left hand side.

Secondly, can one create a user-defined dashboard (to be used by a number of 
users) and then lock the layout down?

TIA,

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



RE: [WIRELESS-LAN] Apple Petition (Was Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.)

2012-07-06 Thread Bruce Boardman
Let's do both, petition that points to the FB page, that way it will be easier 
for Apple to circulate our concerns within Apple, and maybe we get some 
enterprise participation. 

|Bruce Boardman, Network Engineer, Syracuse University -  315 889-1667

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hanset, Philippe C 
[phan...@utk.edu]
Sent: Friday, July 06, 2012 10:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition (Was Re: [WIRELESS-LAN] You knew it 
was coming...Airplay/Apple TV support for instructors.)

Thank you Lee.

I definitely believe that it is a great use of the list...A request made by 
Academia and for Academia

Let me add:
Even as an Apple shareholder,
(no conflict of interest, more of a vested interest in the matter ;-),
I believe that it is way past our time to voice our opinion strongly. We cannot 
continue to create ugly hacks
to support those enterprise non-friendly protocols.
I love my Apple TV and can imagine that students and faculty feel the same.
I would like to support these cool devices on campus, but how?
(and without destroying my Wi-Fi!)

The local Student Apple representative on our campus asked me if he could bring 
up an Apple Airport Extreme
on campus to show the features of Airplay to students... (I almost lost it ;-).

In a sense, we don't need to be too detailed in our request it could be:
Apple! help us support AirPlay on our campus networks
Just to start a dialog  (and add a few specifics)

Should we start with a petition, as you all suggested, and if we get no 
response,
we try the FaceBook approach (create a group). Or immediately go the FB way?

I agree with the maturity process of a week.

Philippe
Univ. of TN



On Jul 5, 2012, at 5:12 PM, Lee H Badman wrote:

 So... two thoughts. Perhaps give it another week for people to chime in with 
 their gripes and let the list discuss them? Then perhaps digital signatures- 
 DocuSign is free and elegant.

 I guess also, a courtesy inquiry to Phillipe over whether he sees this as 
 prudent list of the group is probably in order.

 Say, Phillipe- do you see this as prudent use of the list?

 Thanks,

 Lee


 Lee H. Badman
 Wireless/Network Engineer, ITS
 Adjunct Instructor, iSchool
 Syracuse University
 315.443.3003
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Curtis K. Larsen 
 [curtis.k.lar...@utah.edu]
 Sent: Thursday, July 05, 2012 5:01 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Apple Petition (Was Re: [WIRELESS-LAN] You knew 
 it was coming...Airplay/Apple TV support for instructors.)

 You should add fast-roaming to the list.  No Mac or iOS device supports
 fast roaming with Opportunistic Key Caching.  They can do PMK Sticky,
 but it is not the same as OKC.  With Sticky, it is only fast when you
 roam back to an AP you've been on, and the client can only cache up to 8
 AP's.


 Curtis Larsen
 Wireless Network Engineer
 University of Utah
 801-587-1313


 On 07/05/2012 02:46 PM, Lee H Badman wrote:
 Pretty much what I was thinking (ballpark) with all Educause schools 
 individually signed on. May not amount to anything, but would in itself be 
 media fodder.

 Lee H. Badman
 Wireless/Network Engineer, ITS
 Adjunct Instructor, iSchool
 Syracuse University
 315.443.3003
 
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Johnson, Neil M 
 [neil-john...@uiowa.edu]
 Sent: Thursday, July 05, 2012 3:37 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] Apple Petition (Was Re: [WIRELESS-LAN] You knew it 
 was coming...Airplay/Apple TV support for instructors.)


 I'm a little fuzzy on the specifics things to request from Apple, but here 
 is a first pass):


 Whereas, we the undersigned academic and research institutions are receiving 
 numerous requests from our faculty, staff, and students for the ability to 
 utilize Airplay technology in classrooms, conference rooms, and other 
 locations, hereby solemnly request that Apple provide support for Airplay 
 technology in enterprise wireless networks.


 Specifically, we request the following (in order of priority):

   *   That Apple establish a way for the Apple TV (and other Airplay enabled 
 devices) to be discoverable across multiple IPv4 and IPv6 subnets or lacking 
 that:
   *   That Apple establish a way for the Apple TV (and other Airplay enabled 
 devices) to be easily statically configured to be accessible across multiple 
 IPv4 and IPv6 subnets
   *   That the Apple TV support Enterprise Wireless Encryption and 
 Authentication (WPA2-Enterprise)
   *   That authentication to the Apple TV be able to utilize enterprise 
 authentication services (LDAP and/or AD)

 Failure

RE: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

2012-07-05 Thread Bruce Boardman
I'd add a short and sweet bulleted list of what is lacking to become 
'Enterprise Ready' . 

|Bruce Boardman, Network Engineer, Syracuse University -  315 889-1667

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Johnson, Neil M 
[neil-john...@uiowa.edu]
Sent: Thursday, July 05, 2012 3:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support 
for instructors.

How is this for a start :-)

Whereas, we the undersigned academic and research institutions are
receiving numerous requests from our faculty, staff, and students for the
ability to utilize Airplay technology in classrooms, conference rooms, and
other locations, hereby solemnly request that Apple provide support for
Airplay technology in enterprise wireless networks.

Failure to provide this support severely limits the usefulness (and
desirability) of Apple products in our institutions.

At your earliest convenience please provide us with a roadmap for support
of Airplay and related technologies in enterprise wireless environments.

Thank you.

-

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu






On 7/5/12 1:47 PM, Watters, John john.watt...@ua.edu wrote:

I bet if you would write something up we could get signatures from just
about every college and university. Do you have time to work up a short
document that could be passed around on this list (and to others
interested in this subject)?

We need to convince (or coerce) Apple into playing nice in the enterprise
space with all of their products.



-jcw

-
John Watters  UA: OIT  205-348-3992


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, July 05, 2012 1:05 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV
support for instructors.

You mean a good-looking, man-of-action blogger? Hmmm. Let me call the
agency, see if they have anyone on staff.


I was thinking more like a couple of hundred well-known institutions of
higher Ed all signing the same doc.




Lee H. Badman
Wireless/Network Engineer, ITS
Adjunct Instructor, iSchool
Syracuse University
315.443.3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Johnson, Neil M
[neil-john...@uiowa.edu]
Sent: Thursday, July 05, 2012 1:23 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV
support for instructors.

Or maybe a well known blogger could write an article about it.. :-)

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Lee H Badman lhbad...@syr.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Thursday, July 5, 2012 8:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV
support for instructors.

...or somehow have everyone on the Educause list sign a petition that
gets presented to Apple- if you can gain entry into the Bubble of
Blissful Perfection.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of jkaf...@utica.edu
[jkaf...@utica.edu]
Sent: Thursday, July 05, 2012 9:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV
support for instructors.

Has anyone tried not supporting Bonjour and directing users who complain
to Apple?  Perhaps if we all did that it would get Apple's attention.

John Kaftan
Infrastructure Manager
Utica College

- Reply message -
From: Andy Voelker avoel...@email.wcu.edu
Date: Thu, Jul 5, 2012 8:23 am
Subject: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support
for instructors.
To: WIRELESS-LAN@listserv.educause.edu

Ours completely denied the existence of a possible issue.  Of course, you
could see in his eyes that his answer was somewhat forced...

-- Andy Voelker
Manager of Student Computing in the Technology Commons
WCU Staff Senator
Western Carolina University
Check

RE: ncs/wlc/mse new code available

2012-06-07 Thread Bruce Boardman
maybe because Aruba has fewer bugs!


|Bruce Boardman, Network Engineer, Syracuse University -  315 889-1667

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Osborne, Bruce W 
[bosbo...@liberty.edu]
Sent: Thursday, June 07, 2012 7:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ncs/wlc/mse new code available

I have a question here. I am asking from ignorance, since I am an Aruba 
customer.

Are Cisco’s releases so rare that they need noting here, or are people that 
anxious to see if bugs have been fixed?

We do not generally see customers posting notices of ArubaOS or Aruba AirWave 
upgrades here.

Bruce Osborne
Network Engineer
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Hurt,Trenton W. [mailto:trent.h...@louisville.edu]
Sent: Wednesday, June 06, 2012 5:47 PM
Subject: ncs/wlc/mse new code available

This is 7.2MR1…

http://www.cisco.com/en/US/docs/wireless/ncs/1.1/release/notes/NCS_RN1.1.1.html 
 - NCS

http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2_110_0.html
  --WLC

http://www.cisco.com/en/US/docs/wireless/mse/3350/release/notes/mse7_2_110_0.html
  --MSE


Trenton Hurt, CWNA, CCNP(W), CCNA(W), CCNA(V), CCNA(R/S)
Wireless Network Administrator
University of Louisville
Phone (502) 852-1513
FAX (502) 852-1424

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

RE: WCS to NCS migration trouble

2012-02-23 Thread Bruce Boardman
Just ran this upgrade myself and it took all day without any progress. I 
learned the last time I upgraded WCS not to expect anything and to just wait. 
Weird way to create software. It's  like Cisco has never run this stuff on a 
network of any size.


|Bruce Boardman, Network Engineer, Syracuse University -  315 889-1667

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Peter Arbouin 
[p.arbo...@qut.edu.au]
Sent: Thursday, February 23, 2012 7:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WCS to NCS migration trouble

Hi,

We had a similar experience. We found that deleting the repo information and 
recreating it worked for us.

Peter.

Peter Arbouin | Network Engineer
Network Operations Centre | Information Technology Services
Queensland University of Technology
Level 3 | 88 Musk Avenue | Kelvin Grove Campus
Mob: 0402476892 | Ph: +61 7 3138 1030
Email: p.arbo...@qut.edu.au

CRICOS No. 00213J

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Andy Page
Sent: Friday, 24 February 2012 7:44 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WCS to NCS migration trouble

Hello,

I’m wondering if anyone else had trouble with WCS to NCS migration…

We just bought Cisco NCS, managed to get it installed (virtual appliance, fwiw) 
and seems to work well in the short amount of time I’ve played with it. We 
wanted to import everything from WCS, so I followed the instructions on 
upgrading it to a version that allowed for exporting (7.0.230.0), which 
produced wcs.zip. On the NCS server (1.1.0.58), we were unable to get it to 
connect via ftp to our ftp server to grab the zip, but sftp seemed to work (the 
‘show rep repname’ command worked, where it wouldn’t with ftp).

Anyhow, I ran the ‘ncs migrate wcs-data wcs.zip rep ncs-ftp-repo’ command and 
only received the below output…

Initiating WCS 7x DB restore .  Please wait...
INFO: no staging url defined, using local space.rval:2

Is this normal? Should I see a status somewhere? I’ve let the thing go for 
hours with nothing else showing up on the screen. Ctrl-C sends me back to exec 
mode where I can start ncs again, but after logging into NCS, I see no new data 
(controllers, mse, etc).

If you went the WCS to NCS migration route, how was your experience?

Thanks,
Andy Page
Network Design Professional
University of Notre Dame



RE: NCS 1.0.2.28 (MR2)

2011-11-18 Thread Bruce Boardman

I've had the same problem, and have a TAC case open. I've had nothing but 
problems getting the export to work, which was the reason we went to this 
version of WCS code.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Case, Brandon J 
[ca...@purdue.edu]
Sent: Friday, November 18, 2011 8:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] NCS 1.0.2.28 (MR2)

Has anyone who is running MR2 tried to migrate data from WCS 7.0.220.0? The 
release notes explicitly say it’s supported but after a 7 hour wait, I was 
presented with this message last night:

 Appliance Restore Process 
ERROR: invalid backup file version. Exception: 7.0.220.0 is not a supported WCS 
version. Please restore a backup of one of the supported versions.

Haven’t opened a TAC case yet but that’s going to be my next step. Just 
wondering if anyone else has had a similar experience yet.

Thanks,
--
Brandon Case, CCNA
Network Engineer, ITaP
Purdue University
ca...@purdue.edu
Office: (765)49-67096
Mobile: (765)479-7597
Fax:(765)49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hurt,Trenton William
Sent: Thursday, November 17, 2011 8:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] NCS 1.0.2.28 (MR2)

New NCS release is out.  Lots of bug fixes.

http://www.cisco.com/en/US/docs/wireless/ncs/1.0/release/notes/NCS_RN1.0.2.html#wp208350

Trenton Hurt, CCNP(W), CCNA(W), CCNA(V), CCNA(R/S)
Wireless Network Administrator
University of Louisville
Phone (502) 852-1513
FAX (502) 852-1424

RE: [WIRELESS-LAN] Proxim APs and 802.1X RADIUS VLAN assignment

2011-07-07 Thread Bruce Boardman
I've done this with Cisco wireless and RADIUS. I believe the RADIUS attribute 
passed from the RADIUS server to the wireless session is the 
'tunnel-private-id'. In the Cisco wireless case I had to explicitly allow this 
attribute to change the networking tagging in order for it to affect the 
traffic. Sorry, no Proxim experience.

|Bruce Boardman, Network Engineer, Syracuse University -  315 889-1667

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jethro R Binks 
[jethro.bi...@strath.ac.uk]
Sent: Thursday, July 07, 2011 11:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Proxim APs and 802.1X RADIUS VLAN assignment

Hello all,

I've been having problems using 802.1X authentication, or more
specifically, assignment of VLANs based on the RADIUS attributes.

Goal is to have one SSID, eduroam, to which both visitors and local
users authenticate when using the wireless service.  Visitors remain in
the VLAN to which the SSID is associated, and local users onsite are
switched into a different VLAN based on attributes from the Radius server
backend.

In brief:

I am running the latest v4.0.12 code (but had problems with previous
versions too).

I believe I have followed to the letter the Proxim knowledgebase article
(which was updated a while ago) (VLAN Assignment by RADIUS).

I have tested with a variety of clients (Windows laptop, Windows mobile,
Apple i-things).

With no VLAN assignment (i.e., none of the Tunnel- attributes being sent
by RADIUS), it usually works OK (sometimes with a couple of retries); but
the local user remains in the visitor VLAN as expected.

With the VLAN assignment enabled, it will usually NOT work.  Once in a
while you might get lucky and get connected to the right VLAN and get an
address from DHCP, but it is very inconsistent and unreliable.  As far as
I can surmise, the problem is likeliest to lie with the AP.

Since it does occasionally work, the basic infrastructure appears to be
sound.

So, I'm reaching out there to find if there are any other people doing
something like this with Proxim APs (AP4000 in particular), to see if you have
seen these problems with other vendors or found a fix.  Or, alternatively,
maybe it isn't the AP, but something else you can suggest that might cause
this inconsistent behaviour.

Thanks for any thoughts,

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.
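
The VLAN steering discussed in this thread depends on three attributes in the RADIUS Access-Accept: Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID (RFC 2868, with the values RFC 3580 requires for VLAN assignment). The following is an added example, not code from any poster or vendor: a Python check that parses a captured Access-Accept and reports whether it carries exactly one complete, consistently tagged VLAN assignment. The packets, the VLAN ID 120 and all function names are constructed for illustration.

```python
import struct

# Attribute numbers from RFC 2865/2868; required values from RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
ACCESS_ACCEPT = 2
FIELD = {TUNNEL_TYPE: "type", TUNNEL_MEDIUM_TYPE: "medium",
         TUNNEL_PRIVATE_GROUP_ID: "group"}


def parse_attributes(packet):
    """Return (code, [(attr_type, value_bytes), ...]) for a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field disagrees with packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length on attribute {a_type}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def split_tag(a_type, value):
    """Split a tunnel attribute value into (tag, payload)."""
    if a_type == TUNNEL_PRIVATE_GROUP_ID:
        # String attribute: the tag octet is optional. A first octet above
        # 0x1F already belongs to the string (RFC 2868). Reading a leading
        # 0x00 as "untagged" is this example's choice.
        if value and value[0] <= 0x1F:
            return value[0], value[1:]
        return 0, value
    # Tunnel-Type / Tunnel-Medium-Type: one tag octet + 3-octet integer.
    if len(value) != 4:
        raise ValueError(f"attribute {a_type} must carry 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def vlan_assignment(packet):
    """Return (vlan, problems); vlan is None when no VLAN should be applied."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None, ["not an Access-Accept"]
    tunnels, problems = {}, []
    for a_type, value in attrs:
        if a_type not in FIELD:
            continue
        tag, payload = split_tag(a_type, value)
        slot = tunnels.setdefault(tag, {})  # attributes are grouped by tag
        if FIELD[a_type] in slot:
            problems.append(f"tag {tag}: duplicate {FIELD[a_type]}")
        slot[FIELD[a_type]] = payload
    vlans = []
    for tag, t in sorted(tunnels.items()):
        missing = [k for k in ("type", "medium", "group") if k not in t]
        if missing:
            problems.append(f"tag {tag}: missing {', '.join(missing)}")
        elif t["type"] != TUNNEL_TYPE_VLAN:
            problems.append(f"tag {tag}: Tunnel-Type {t['type']} is not VLAN (13)")
        elif t["medium"] != TUNNEL_MEDIUM_802:
            problems.append(f"tag {tag}: Tunnel-Medium-Type {t['medium']} is not 802 (6)")
        elif not t["group"]:
            problems.append(f"tag {tag}: empty Tunnel-Private-Group-ID")
        else:
            vlans.append(t["group"].decode("ascii", "replace"))
    if len(vlans) > 1:
        problems.append("more than one complete VLAN tunnel set")
    if problems or not vlans:
        return None, problems
    return vlans[0], []


def _attr(a_type, value):
    return bytes([a_type, len(value) + 2]) + value


def build_accept(*attrs):
    """Constructed Access-Accept; the all-zero authenticator is not verified."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body


# Constructed sample packets (not captured from any real network).
VLAN_T1 = _attr(TUNNEL_TYPE, b"\x01\x00\x00\x0d")
MEDIUM_T1 = _attr(TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x06")
GOOD = build_accept(VLAN_T1, MEDIUM_T1,
                    _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"120"))
NO_TUNNEL = build_accept()                      # user stays in the SSID's VLAN
NO_MEDIUM = build_accept(VLAN_T1, _attr(TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"120"))
MIXED_TAGS = build_accept(VLAN_T1, MEDIUM_T1,   # group ID sent without a tag
                          _attr(TUNNEL_PRIVATE_GROUP_ID, b"120"))

if __name__ == "__main__":
    for name in ("GOOD", "NO_TUNNEL", "NO_MEDIUM", "MIXED_TAGS"):
        print(name, vlan_assignment(globals()[name]))
```

This check reads tags strictly; access points and controllers differ in how tolerant they are, so a packet it flags is a candidate cause of inconsistent VLAN placement rather than proof of one.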



RE: [WIRELESS-LAN] GPO Software Deployment 802.1x

2011-04-06 Thread Bruce Boardman
We are doing that via VLAN steering using RADIUS.

|Bruce Boardman, Network Engineer, Syracuse University -  315 889-1667


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King [m...@mpking.com]
Sent: Wednesday, April 06, 2011 11:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

Ben,

Do you have your workstations configured to allow Computer Account logons to 
wireless?  (I.E., does the machine have connectivity while it's sitting at the 
CTRL-ALT-DEL prompt)

Mike

On Wed, Apr 6, 2011 at 10:24 AM, Benjamin Stewart 
bstew...@salemstate.edu wrote:
Hi-
I’m wondering if anyone has had any luck pushing an msi software deployment 
with Group Policy on wireless stations with 802.1x authentication – WPA2 
Enterprise.

Problem seems to be that the supplicant is not processed until after the user 
logs in to Windows.  I’m assuming the delay in processing the authentication 
and assigning the IP address is too long, and the Group Policy Software 
Installation is not processed at login.  Any help would be greatly appreciated.

Ben


==
Benjamin Stewart
ITS - Networking Services
Salem State University
71 Loring Ave
Salem, MA 01970

Phone: 978-542-7142
Fax: 978-542-6557





RE: [WIRELESS-LAN] Wireless to the Rescue...

2011-04-02 Thread Bruce Boardman
IMHO Class attendance requires an academic fix not IT.

|Bruce Boardman, Network Engineer, Syracuse University -  315 889-1667

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman 
[bhel...@salemstate.edu]
Sent: Friday, April 01, 2011 2:18 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless to the Rescue...

This is a good point.  We've also talked about some ability to provide 
distance learning to students who are sick .. or (as I look outside at the 6 
of new snow) when we have closures due to weather.  I guess I'm on the 
free-market side of this -- in the end, it's up to the students.  After all, 
isn't every school calling them *cough, cough* customers now?

-Brian


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Trevor Wallis 
[twal...@sbts.edu]
Sent: Friday, April 01, 2011 1:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless to the Rescue...

Philippe,

Is there any method of giving grace to a student who is sick and staying
in the dorm?  If you're too sick to go to class, you're too sick to use
the WiFi?

Just wondering if you have a way of handling that.

Regards,

Trevor

Trevor A. Wallis
Vice President of Campus Technology
Chief Information Officer

SOUTHERN SEMINARY
2820 Lexington Road
Louisville, KY 40280
Phone: 502.897.4193
Fax: 502.897.4125
twal...@sbts.edu

Don't be a phishing victim – Southern Seminary and other reputable
organizations will never use email to ask for your password, social
security number or confidential personal information.



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe
C
Sent: Friday, April 01, 2011 12:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless to the Rescue...

All,

University of Tennessee has had some class attendance issues lately,
especially with Sophomores.
We came up with a location based wireless solution that could fix this
issue.
We have built a database of rooms surrounding Access-Points that we
correlate with a class roster. Basically if a student is supposed to be in
room x at time y, our filtering only allows the student access to a set of
access points surrounding that room during that time.
No wireless elsewhere.
Dormitories are included in the algorithm.

If you are doing something similar, we would like to know some of the
caveats.

Thanks,

Philippe Hanset
University of TN
(Constituent Group Leader of Wireless-LAN@educause)

(what's the date?)


RE: Comodo CA (InCommon) and Cisco ACS 5.x

2011-01-19 Thread Bruce Boardman
We had a similar issue with Verisign, and had to get a special intermediate 
cert and root cert signed as all our clients had been configured to support the 
older Verisign root. It was very slow going, Cisco didn't help much, but 
Verisign did.

|Bruce Boardman, Network Engineer, Syracuse University -  315 889-1667


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Schmidt, Jason W 
[schm...@uww.edu]
Sent: Wednesday, January 19, 2011 11:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Comodo CA (InCommon) and Cisco ACS 5.x

All,

Has anyone deployed Cisco ACS 5.x paired with Comodo certificates via InCommon 
for wireless 802.1x (PEAP specifically)? We are seeing an issue with iOS 
devices not trusting the server certificate despite the full chain of 
certificates being installed into ACS and iOS having trust for the root CA. We 
have a case open with Cisco to see if indeed ACS sends the whole chain with a 
PEAP session, but it is slow going.

Thanks for any insight.

--
Jason Schmidt
Network Engineer
UW-Whitewater
262-472-3227





RE: [WIRELESS-LAN] Observed Signal Strength On Encrypted Wireless

2010-11-05 Thread Bruce Boardman
I agree get the MAC and userid and drill in. It's not the 802.11x.

|Bruce Boardman, Network Engineer, Syracuse University -  315 889-1667

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[wireless-...@listserv.educause.edu] On Behalf Of Jonn Martell [j...@martell.ca]
Sent: Friday, November 05, 2010 5:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Observed Signal Strength On Encrypted Wireless

Hi David,

One of the unfortunate things about wireless LANs is the standards
never really address what parameters a vendor should use for a
client to decide when to roam and when to stay on the previously
associated AP.

The algorithms are generally based on RSSI (relative signal strength
indicator) which is a value that each manufacturer determines.  All
proprietary algorithms that are generally not advertised.   Other
things that vendors *might* use to decide when to roam vs staying on
the AP include the number of retries and the SNR.

A vendor for example might have messed up, their roaming algorithms
might be fine for Open but not so good for WPA2. They won't advertise
it - they will just release an updated driver which the users
generally don't upgrade unless told to.

So roaming is all over the map for different client stations. So for
one manufacturer, they might have a higher threshold and remain on a
previously associated AP longer.  That could be the cause of a lower
perceived signal strength.

With WPA2, the addition of encryption and keys does add a layer of
complexity and possible variables to this.

Do some vendors include other variables relating to WPA2 in their
proprietary roaming algorithms? I'm not sure but I would not be
surprised to see that some have...

There's a bunch of stuff in 802.11i that are optional in the WPA2
certification. The re-authentication adds some time but I don't think
that's the case here because unless you do very time sensitive work
(like VOIP), most users won't see the 802.1x/EAP re-auth latency.  The
whole PKC-Fast Roaming 802.11i thing will help in this area but
although it's supported in WPA2, I don't think it's mandatory.

I'm guessing that if you ask your help desk to record the usernames
and MAC addresses, you might find a pattern for poorly implemented
client drivers and supplicants?  That's where I might start to focus
my attention. If you can, get driver versions as well.

To determine if sticky roaming is the issue, I would also get the
helpdesk to work with users to disassociate when they have an issue
and re-associate seeing if they end up using a stronger AP (with
stronger signal strength).  That can help determine if it's a roaming
issue or not to help you narrow the problem. If it's not a roaming
issue, then you should check your stats when the client is associated.

If the client runs CCX (the Cisco extensions), you can also get a
bunch of info from the controller using:

show client roam-history client-MAC
You can also run show and debug on l2roam

My guess is that it's a client issue.  If you called Tier1 support
from vendors they would advise: Upgrade the drivers and try again :)

Hope that helps.

 ... Jonn Martell, speaking as a CWNE/CWNT instructor ;)


On Fri, Nov 5, 2010 at 1:12 PM, David Blahut dabla...@vassar.edu wrote:
 Hello All,



 We are a Cisco CAPWAP shop and recently switched from non-encrypted web
 portal authenticated wireless to WPA2/802.1X/AES encrypted wireless with
 RADIUS and LDAP in the back end.  I have received several help desk tickets
 with reports along the lines that “now that we are using the encrypted
 wireless the signal is weaker or unusable”.



 Anyone else experience this phenomenon?  I can’t believe it’s the wireless
 network, same radios after all.  I could see the client interpreting the
 signal level differently or the client associating to a more distant access
 point because the closer one is more heavily taxed due to the encryption.  I
 could even see that the encrypted wireless is more sensitive to RF
 interference.



 Anyway, any thoughts or ideas are welcomed.



 Thanks,

 David



RE: [WIRELESS-LAN] Wireless Radius Authentication

2010-11-02 Thread Bruce Boardman
Sounds like the name of the server changed? And it's not trusted by the client's 
profile.

|Bruce Boardman, Network Engineer, Syracuse University -  315 889-1667


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[wireless-...@listserv.educause.edu] On Behalf Of Tamarack Birch-wheeles 
[tamar...@pdx.edu]
Sent: Tuesday, November 02, 2010 11:44 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Radius Authentication

It sounds like the old RADIUS server is statically configured in EAP properties 
under "Connect to these servers:".

--
Tamarack Birch-wheeles
Network Engineer
Portland State University - Networking and Telecommunications
Phone: (503)725-3201


On Tue, Nov 2, 2010 at 8:28 AM, Paul Crittenden 
paul.critten...@simpson.edu wrote:
We changed our radius authentication server yesterday, both running Windows 
2003 Standard Edition Service Pack 2. We are now getting the security alert, on 
at least some Windows 7 laptops, The server 
“sunny.simpson.edu” is not configured as a valid NPS 
server to connect to for this profile.

We click the click button but the next time they connect to the wireless the 
alert pops up. Have you seen this alert or have any ideas how to get rid of it? 
We have researched this and cannot come up with a fix.

Paul Crittenden
Computer Systems Manager
Simpson College
Indianola, Iowa
Phone: 515-961-1680 * optional: 515-961-1681
www.simpson.edu




RE: ACS 5.2 with Active Directory

2010-10-22 Thread Bruce Boardman
We saw this when the ACS servers did not have write access to the AD domain. We 
had to have the ACS servers able to write to the Domain, just for the join. 
Once joined, we have been able to give them read only access.

|Bruce Boardman, Network Engineer, Syracuse University -  c  315 412-4156|


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[wireless-...@listserv.educause.edu] On Behalf Of Keeling, Dereck 
[dereck.keel...@wku.edu]
Sent: Friday, October 22, 2010 10:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] ACS 5.2 with Active Directory

Hello,

During installation/configuration of 5.2 we noticed after associating with 
Active Directory that ACS could not retrieve or search for groups. This problem 
doesn’t exist on 5.1xx.  Following the exact same procedures on that version 
produced the results we expect. Has anyone run into this issue?
--
Thank you,
Dereck Keeling
Network Specialist
Western Kentucky University




FW: [WIRELESS-LAN] Versign New Root CERT

2010-10-19 Thread Bruce Boardman
Thanks for the hope! Any advice re names or process regarding the back and 
forth? 

|Bruce Boardman, Network Engineer, Syracuse University -  c  315 412-4156|


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Holland, Ryan C.
Sent: Monday, October 18, 2010 12:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Versign New Root CERT

Bruce,

We had this exact same issue! Instead of a default 1024bit certificate rooted 
in Equifax, we received a 2048bit certificate rooted in GeoTrust.

We explained that reconfiguring the tens of thousands of devices 'out there' is 
an impossibility at this time. Basically, this resulted in a lot of back and 
forth, but in the end, we leveraged the fact that Verisign had until December 
31, 2010 to comply with new regulations that forced them to the 2048bit 
offering. Thus, we were able to obtain a renewal for our certificate that would 
last another 12 months.

We are now migrating towards using Comodo through Incommon. But again, this is 
through a different root. Luckily, we are nearing a rollout of a new identity 
management solution along with a WLAN encryption upgrade; each requires 
reconfiguration on the user's part. We are leveraging these circumstances to 
roll out a configuration utility that will trust both Equifax as well as our 
new root.

Many folks will say to just use a self-signed root, but for some entities, that 
is not an option since the network engineers may not dictate the security 
policies. :-/

Good luck!

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906   holland@osu.edu

On Oct 18, 2010, at 12:38 PM, Bruce Boardman wrote:


We just renewed our Verisign CERTs only to find that the Verisign Root has 
changed. This wouldn't be a big deal, if it were for a web server, but since 
it's student laptops configured to accept only the old public primary root 
it has a big impact. Verisign is saying that our only recourse is to 
reconfigure all the clients. Ouch! We are using a Cisco ACS 5.2 server for the 
Radius auth, and certification. Anyone solve this already, or have any 
suggestions about how to avoid reconfiguring all the clients?



|Bruce Boardman, Network Engineer, Syracuse University -  c  315 412-4156|


Versign New Root CERT

2010-10-18 Thread Bruce Boardman
We just renewed our Verisign CERTs only to find that the Verisign Root has 
changed. This wouldn't be a big deal, if it were for a web server, but since 
it's student laptops configured to accept only the old public primary root 
it has a big impact. Verisign is saying that our only recourse is to 
reconfigure all the clients. Ouch! We are using a Cisco ACS 5.2 server for the 
Radius auth, and certification. Anyone solve this already, or have any 
suggestions about how to avoid reconfiguring all the clients?



|Bruce Boardman, Network Engineer, Syracuse University -  c  315 412-4156|