RE: Certificate Expiration and IoT (Door Locks)

2016-11-02 Thread Chris Hart
Neil - we rolled out these locks to 3 Res Halls this past summer. We have 
them on the eduroam SSID connecting via PEAP/MSCHAPv2 with a local account on 
our ClearPass server. We have an enforcement policy that assigns this user 
account a VLAN ID that is private IP space that is restricted to only be able 
to communicate with the Lock system database server. We only had 1 complaint 
that we had to troubleshoot, but it was found that a bunch of the locks were not 
configured to do their nightly check-in for updates. The locks can also be set 
to check for an update upon a failure of a proximity card. So if a student is 
issued a new card and tries to enter their room, it will fail, the lock will 
check for an update, and then on the next attempt the student should have 
access. We used Assa Abloy as our vendor.


Chris




Chris Hart
Senior Network Engineer







From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
Sent: Wednesday, November 2, 2016 10:18 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Certificate Expiration and IoT (Door Locks)


Our housing department is pushing pretty hard to replace keyed locks on dorm 
room doors with Wi-Fi connected proximity card locks (a pilot this summer and 
then eventually rolling out to ~3,000 rooms).

The locks would be “offline” locks that cache valid cards locally and only 
connect to the Wi-Fi network periodically for updates and when presented with a 
non-cached card.

While the locks support multiple methods for authenticating to the wireless 
network (everything from a PSK to PEAP/MSCHAPv2 to EAP-TLS), I think EAP-TLS is 
probably the most secure method for these devices.

My thinking is to set up a private PKI and generate a client cert for every 
lock. However, I have two issues concerning EAP-TLS.


1.   What should I use for a client certificate expiration date?
Our key and access folks don’t want to update the locks' client certs very 
often. (They will have to touch each lock on a regular basis to replace 
batteries, but don’t want to have to connect a computer to the locks every 
year).
The same question applies for the server certificate expiration.

2.   Should I advertise a separate SSID?
We currently use eduroam as our primary campus SSID.  I would prefer not to 
have to add an additional SSID just for these devices, but their use case seems 
different enough to warrant one.

If your institution has implemented or is thinking about implementing Wi-Fi 
connected locks, I’d appreciate your feedback.

Thanks.
-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319-384-0938
e-mail: neil-john...@uiowa.edu


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
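
An added example (not from the thread, and not ClearPass's own tooling): one way to catch the problem described above, locks that never make their nightly check-in, is to compare RADIUS authentication records for the shared lock account against the lock inventory. It also lists any device outside the inventory that authenticated with that account. The log layout, the account name `lock-svc`, the VLAN number and the MAC addresses are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: one line per RADIUS authentication in a made-up
# "timestamp result user mac vlan" layout (not ClearPass's export format).
# MACs come from the 00:00:5e:00:53:xx documentation range.
SAMPLE_LOG = """\
2016-11-01T02:03:11Z ACCEPT lock-svc 00:00:5e:00:53:01 vlan=310
2016-11-01T02:04:40Z ACCEPT lock-svc 00:00:5e:00:53:02 vlan=310
2016-10-29T02:05:02Z ACCEPT lock-svc 00:00:5e:00:53:03 vlan=310
-- log rotated --
2016-11-01T14:22:19Z ACCEPT lock-svc 00:00:5E:00:53:02 vlan=310
2016-11-01T16:48:55Z REJECT lock-svc 00:00:5e:00:53:04 vlan=-
2016-11-01T19:30:00Z ACCEPT lock-svc 00:00:5e:00:53:99 vlan=310
2016-11-01T20:00:00Z ACCEPT jdoe 00:00:5e:00:53:aa vlan=120
"""

# Constructed inventory of installed locks (lower-case MACs).
INVENTORY = {
    "00:00:5e:00:53:01",
    "00:00:5e:00:53:02",
    "00:00:5e:00:53:03",
    "00:00:5e:00:53:04",
    "00:00:5e:00:53:05",
}

LOCK_ACCOUNT = "lock-svc"      # hypothetical name for the shared local account
NOW = datetime(2016, 11, 1, 23, 0, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(hours=26)  # nightly check-in plus two hours of slack


def parse_line(line):
    """Return (time, result, user, mac) or None for lines that do not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, result, user, mac, _vlan = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return when.replace(tzinfo=timezone.utc), result, user, mac.lower()


def audit_lock_checkins(log_text, inventory, lock_account, now, max_age):
    """Find locks with no recent successful authentication.

    Returns (stale, unknown):
      stale   - dict of inventory MAC -> last successful auth time, or None
                if the lock never authenticated successfully in this log
      unknown - sorted MACs that used the lock account but are not in the
                inventory (the shared credential in use on another device)
    """
    last_ok = {}
    unknown = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        when, result, user, mac = rec
        # Only successful authentications of the lock account count as a check-in.
        if user != lock_account or result != "ACCEPT":
            continue
        if mac not in inventory:
            unknown.add(mac)
            continue
        if mac not in last_ok or when > last_ok[mac]:
            last_ok[mac] = when

    stale = {}
    for mac in inventory:
        seen = last_ok.get(mac)
        if seen is None or now - seen > max_age:
            stale[mac] = seen
    return stale, sorted(unknown)


if __name__ == "__main__":
    stale, unknown = audit_lock_checkins(
        SAMPLE_LOG, INVENTORY, LOCK_ACCOUNT, NOW, MAX_AGE
    )
    for mac in sorted(stale):
        seen = stale[mac]
        print(mac, "last check-in:", seen.isoformat() if seen else "never")
    for mac in unknown:
        print(mac, "used the lock account but is not in the inventory")
```
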



RE: [WIRELESS-LAN] Aruba controller loading

2017-03-10 Thread Chris Hart
We found on the older M3 blades that we could run 80% of the Max.  We found 
having multiple SSIDs and 802.1X overhead processing will lower the recommended 
AP counts but that was over 6 years ago and we have stuck with the 80% of the 
Max since then. I think the newer 72xx series are beefier and can handle 
more but the marketing numbers are based on Max counts with a basic 
configuration.  



Chris Hart
Northwestern University 

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Earl Barfield
Sent: Friday, March 10, 2017 7:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba controller loading

I know that the Aruba / Hewlett Packard literature says that you can support 
2000 APs on their biggest controller (7240XM).

Is anyone actually running that many APs per controller in real production?  If 
not, then how many APs per controller do you run?

For relative size info, we're a diverse higher-ed installation with about 5000 
APs and peak simultaneous user counts right about 30,000.

Thanks.


--
Earl Barfield -- Academic & Research Tech / Information Technology Georgia 
Institute of Technology, Atlanta Georgia, 30332
Internet: earl.barfi...@oit.gatech.edu e...@gatech.edu




RE: [WIRELESS-LAN] Birds of a feather reporting in Airwave?

2018-01-31 Thread Chris Hart
We report on –
RADIUS Authentication Issues by client
Top bandwidth APs
Top APs user counts
User Session reports to verify a good distribution of 5/2.4
RF Health report with most options included in the pre-canned report
Guest SSID users count and bandwidth
Monthly and Quarterly reports that show client breakdown connection type/device 
type unique users

We also have triggers for
Thresholds of traffic for more than 5 minutes.  This was an old one when we had 
some APs connected at 100Mbps and wanted to know if we need to upgrade the 
links to Gig ports.
CPU alerts for the controllers
Channel Utilization


Chris Hart



Chris Hart
Network Operations Engineer Lead
Tel: 847-467-7747
Email: ch...@northwestern.edu
2020  Ridge Ave, Evanston, IL






From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Holland, Ryan
Sent: Tuesday, January 30, 2018 9:23 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Birds of a feather reporting in Airwave?

I didn’t see a reply to this, so fwiw, we use:

RF Health Report, looking for:
- APs with high 5ghz noise floor
- APs with sustained high average channel utilization
- APs with “lots” of channel changes

Device Summary report, looking for:
- APs with high maximum concurrent users
- Buildings/folders with more-than-expected max concurrent users

Client Session report, looking for:
- Device Type (AOS) breakdown
- Summary, which includes unique devices and total number of sessions

Hope that gives you a starting point / comparable.


Ryan Holland
Senior Network Engineer
The Ohio State University
Office of the Chief Information Officer
Telecommunications Network Center (TNC)
320 W. 8th Ave.
Columbus, OH 43201
614-292-9906 Office
holland@osu.edu
ocio.osu.edu

On Dec 21, 2017, at 5:07 PM, Chad Burnham <cburn...@du.edu> wrote:

Hi fellow list members,

I was looking for other folks on this list that use Aruba’s Airwave to generate 
meaningful reports to aid in monitoring and operating your wireless networks.

We have been trying to develop better and more meaningful reporting that shows 
a deeper understanding of the health of all of our wireless networks over time.

As we have invested significant resources in cabling, switches, controllers, 
Clearpass and Airwave servers and new/more next gen WAPs, we are trying to show 
the value more and more to senior management with our various tools.

We have got some reports working today (we are running 8.2.2.1); we are trying 
to find the “best of breed” reporting that you may rely on in your environments 
and apply them here @ DU.

Knowing when we have problems before our users do is a goal. Increasing the 
customer perception of excellent wireless service is also a goal. Our audience 
types could be our own team or they may be senior management or even student 
government.

Yes, we are working with our local Aruba/HPE SE and the Aruba/HPE product 
manager of Airwave in this journey; they are an excellent resource and business 
partner.

Some of the areas of theme/focus might include:
• Are the networks healthy?
• RF Performance
• RF Capacity
• RF Channel Utilization
• Bandwidth Usage
• Users, device types, etc.

Thanks in advance for anyone that can share what they might be proud of.

Happy Holidays,

Chad



Director of Network Services
Information Technology
University of Denver
2100 S. High St. #106
Denver, CO 80208
SIP URI = chad.burn...@du.edu
Desk Phone: 303-871-4441
Mobile Phone: 303-520-5657
https://du.webex.com/join/cburnham
https://udenver.zoom.us/my/cburnham





RE: [WIRELESS-LAN] Anyone seeing problems with Ubuntu 12.04 using WPA2 protected networks?

2013-09-04 Thread Chris Hart
We had a similar issue with Aruba 6.2.1.1 - The difference was that the user 
could connect to the eduroam SSID with no issues.  The only difference was that 
band steering was not enabled on the eduroam SSID.   I had the user follow the 
instructions on the web page listed below to disable the 802.11n as it seems to 
be a driver issue with the high data rates.


sudo modprobe -r iwlwifi
sudo modprobe iwlwifi 11n_disable=1

This is where I found the info to pass along to the user.
http://ubuntuforums.org/showthread.php?t=2030227



> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Aaron Smith
> Sent: Wednesday, September 04, 2013 2:38 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Anyone seeing problems with Ubuntu 12.04
> using WPA2 protected networks?
> 
> Hello folks,
> 
> I am wondering if anyone else is seeing a problem with laptops running
> Ubuntu 12.04, Precise Pangolin, getting connected to WPA2 protected
> networks?  I have reports of four students with this version of Linux not
> getting connected to our WPA2 Enterprise (802.1x) or the WPA2
> Personal/preshared key wireless networks but they can connect to the open
> mac auth'd guest network.  I found several threads discussing problems with
> wireless on 12.04.  This page seems to summarize them:
> http://www.linuxplained.com/how-to-fix-wireless-problems-in-ubuntu-1204-precise-pangolin/
> No word yet on if they have fixed any of our students' problems.
> 
> Here is what happens for the one client seen in person.  It is an Acer Aspire
> 5750G with an Atheros AR5B97 Wireless Network Adapter.  The client can
> connect to the network, get authenticated and get an IP address.  If we
> immediately start a ping to the gateway, we see it work for 30-45 seconds
> then it stops.  If we open a web page during that period it will sometimes
> open if we are quick.  From controllers side everything looks fine.  No black
> list or receive errors from the AP.  Other clients are not affected in any
> way.
> When the client boots into Windows partition there are no problems using
> the WPA2 Enterprise 802.1x network.
> 
> Our wireless controllers are running ArubaOS 6.2.1.2.  I have a ticket open
> with Aruba Support and am waiting to hear back after sending some logs and
> debugging earlier today.  I wanted to reach out to this community to see if
> anyone else has seen this problem and maybe even found a solution.
> 
> Thanks,
> Aaron Smith
> Network Engineer
> Swarthmore College
> 


RE: [WIRELESS-LAN] Bandwidth utilization and IOS7 upgrade

2013-09-18 Thread Chris Hart
Doubled for us as well from yesterday-




Chris Hart
Network Engineer, Telecommunications & Network Services
Northwestern University Information Technology (NUIT)

2001 Sheridan Rd
Evanston, IL  60208
847-467-7747
www.it.northwestern.edu



[WIRELESS-LAN] WPA2 vulnerability found

2010-07-26 Thread Chris Hart
This is not good - it does not mention anything about keys that are
rotated.

 

http://www.networkworld.com/newsletters/wireless/2010/072610wireless1.html

 

 

 





RE: Separate SSID for 5GHz band

2011-07-07 Thread Chris Hart
We are considering it for the purpose of Multicast TV as the quality on the 2.4 
band is not satisfactory.   We still need to do further testing in this area 
before any determinations are made.

Chris


> 
> Has anyone here considered creating a separate SSID for the 5GHz band?
> 
> The idea is to encourage users to exclusively use 5 GHz over 2.4.
> 
> We've implemented band-steering, but it was suggested this would ensure
> that users use 5GHz and not fall back to 2.4.
> 
> Thanks.
> 
> -Neil
> 
> --
> Neil Johnson
> Network Engineer
> The University of Iowa
> Phone: 319 384-0938
> Fax: 319 335-2951
> Mobile: 319 540-2081
> E-Mail: neil-john...@uiowa.edu
> 


RE: You knew it was coming...Airplay/Apple TV support for instructors.

2011-12-16 Thread Chris Hart
Here at Northwestern we have had few of the same requests.   For the short term 
we have created a new SSID for that area which bridges traffic to a local 
network where multicast is enabled.   We are talking to Aruba to help with a 
long term plan.   


Chris Hart
Northwestern University, Evanston
ch...@northwestern.edu




> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson,
> Neil M
> Sent: Friday, December 16, 2011 11:17 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support
> for instructors.
> 
> We have a request to support Airplay/Apple TV's on our enterprise network
> so that instructors can mirror presentations from their iPad's to classroom
> and meeting room projectors.
> 
> For performance reasons, we suppress multicast on our wireless networks
> and to conserve IP address space we dynamically assign users to wireless
> subnets so that two devices in a room may be on different IP subnets. So for
> right now it's not possible on our network.
> 
> Of course the next question we get asked is if instructors can bring in their
> own "temporary" access points to do this.
> 
> I'm wondering what other institutions' responses are to requests like these?
> Do you have an official policy?
> 
> Thanks.
> -Neil
> --
> Neil Johnson
> Network Engineer
> The University of Iowa
> Phone: 319 384-0938
> Fax: 319 335-2951
> Mobile: 319 540-2081
> E-Mail: neil-john...@uiowa.edu
> 


Laptop Dropping Transmit?

2003-10-29 Thread Chris Hart
I have some users that are having connectivity issues.
Specs
Cisco 350's and 1200's  AP's

IBM ThinkPad T40
Intel Pro Wireless 2100 integrated wireless adapter (Centrino 802.11b)
Windows XP Pro SP 1, WPA update (Q815485) installed.


I went over to where the user was having the issue.  Used our  iPAQ and
looked at his mac address on the AirMagnet (wireless analyzer) program and
did not see any signal strength from his machine.
He was able to see the wireless network in the available wireless networks
screen so it looked like he was able to receive a signal.  I did not see
his mac address on any of the nearby AP's.  The one AP  that he was
previously connected to showed that sender station is leaving (or has left)
BSS.
The user disabled and enabled the wireless and then I was able to see a
signal from his machine.
He was stationary and working when it happened so it is not a sleep/standby
issue.


Chris Hart
(847) 467-7747
IT-TNS
Northwestern University, Evanston
[EMAIL PROTECTED]


Re: [WIRELESS-LAN] Guest Access On Wireless

2005-01-04 Thread Chris Hart

we've done this using multiple SSIDs on Cisco access points.  I am not
sure what APs you're using, but if they support dot1q trunking and
multiple SSIDs, you can set up a 'GUEST' ssid that would allow them to
associate and obtain an IP.  From a security standpoint, we've locked
down the guest vLAN to only allow http, https, pop, pops, imap, imaps,
vpn, and dns traffic out of that vLAN.  hope that helps...
-
Gabriel Kuri | Operating Systems & Network Analyst
Instructional and Information Technology Division
http://www.csupomona.edu/~iit | +1 909 979 6363
California State Polytechnic University, Pomona

Do you restrict this vLAN from local resources to prevent University users
from using the guest SSID?

Chris Hart
(847) 467-7747
IT-TNS
Northwestern University, Evanston
[EMAIL PROTECTED]


Peap info

2005-06-23 Thread Chris Hart
At Northwestern University we are looking to move away  from using VPN for 
Authentication and Encryption for our wireless users.
We do not want to have to use 3rd party supplicants because of end user 
support issues.
We are currently using Funk Steel Belted Radius and have tested using 
802.1X with PEAP on Windows and MAC so far in small numbers with success.


TTLS does not have a built in supplicant for Windows XP and TLS requires a 
per client certificate so these are not good options.
This leaves PEAP or using an appliance of some sort to provide an IPSEC 
tunnel or a Secure desktop SSL connection.





So my questions are

1. Am I missing other options?

2.  Is PEAP a good solution - is it secure, client issues?


thanks

Chris


Chris Hart
(847) 467-7747
IT-TNS
Northwestern University, Evanston
[EMAIL PROTECTED]



Re: [WIRELESS-LAN] Peap info

2005-06-24 Thread Chris Hart

Thanks for all of the info so far.



Funk has told me they will open a case with engineering to have it
addressed in their code, but I have no timetable.  Maybe if people using
Funk products would call them and push them for the same problem I did,
it might get a little more of a push.

Michael King
Bridgewater State College



Is there a bug ID or case # that can be referred to when calling Funk?




Chris Hart
(847) 467-7747
IT-TNS
Northwestern University, Evanston
[EMAIL PROTECTED]



Re: [WIRELESS-LAN] Cisco WLSM Recommendations

2005-06-30 Thread Chris Hart

At 03:43 PM 5/11/2005, you wrote:
We have begun the final phase of our wireless rollout at the University of 
Richmond, and have decided to implement Layer Three Roaming with the Cisco 
WLSM.  The demo WLSM has been installed in one of our 6500 chassis and we 
have been successful at configuring it to work in our test lab.  If anyone 
is willing to share their experiences in design, configurations, 
limitations or dynamic VLAN uses with a current installation, we would 
greatly appreciate the feedback.


Thank you in advance.

Sincerely,

Chip Greene
Network Specialist
University of Richmond
Jepson Hall – G12
University of Richmond, VA
(804) 287-6056
[EMAIL PROTECTED]


Was wondering how this rollout went (or any others)?  We are again 
looking at the WLSM blade for the 6509.


The questions/issue I have relates to a limit of 300 AP's per blade and not 
being able to have multiple blades in a chassis.


How does roaming work from an AP managed by WLSM/6509-1 when the user 
roams to an AP managed by WLSM/6509-2?
Even if you plan the division of AP's per WLSM  geographically there has to 
be a point where you could go from one to the other.


Thanks

Chris



Chris Hart
(847) 467-7747
IT-TNS
Northwestern University, Evanston
[EMAIL PROTECTED]



Re: [WIRELESS-LAN] Cisco WLSM Recommendations

2005-06-30 Thread Chris Hart

At 03:29 PM 6/30/2005, you wrote:
Talk to your Cisco engineers about per AP card support.  It comes back to 
the number of roams per second and the amount of resources those roams 
consume (ex: if you are doing LEAP/PEAP/etc, it will consume more 
resources to roam than if you are running open).  We run ours open at 
present (web redirect authentication), and would be comfortable with 1,000 
APs on a single card based on our discussions and experiments.  We have 
deployed ~1,200 APs across two cards in different chassis-- and life is 
better.  Roaming is not supported between cards, chassis, or mobility 
groups on a card.


The Airspace acquisition will of course change everything.




-William


Well this is good to hear.   We were planning on possibly using PEAP with 
possibly 600 APs by next year.


Thanks for the info

We like the Airspace solution but do not want to have to run 2 different 
solutions at one time.   I think in the future the Cisco 1200 AP's  will be 
able to be migrated.



Chris



Chris Hart
(847) 467-7747
IT-TNS
Northwestern University, Evanston
[EMAIL PROTECTED]



Re: [WIRELESS-LAN] WinXP 802.1x and password changes

2005-08-30 Thread Chris Hart

At 10:16 AM 8/18/2005, you wrote:

Funk has issued a fix for this problem, and is planning to have it
available by Monday.



We have not had a chance to implement the new release of SBR yet and are 
configuring a FreeRadius server.


I am not having any luck with my WLSM and authentication with my WLSE or 
APs.  Anyone have any quick tips/tricks?




Thanks

Chris


Chris Hart
(847) 467-7747
IT-TNS
Northwestern University, Evanston
[EMAIL PROTECTED]



Re: [WIRELESS-LAN] WinXP 802.1x and password changes

2005-08-31 Thread Chris Hart



Chris Hart wrote:

WLSM to pass 802.1x PEAP/MSCHAPv2  Authentication to the Radius server 
for client authentication

along with WDS and management  -  From what I have read this is  LEAP.



Gotcha..

We don't have the WLSM, so I'm not sure how well our architecture maps 
to yours, but what we do:


We have our AP management interfaces on several RFC-1918 networks. On 
each /24, we have one AP configured to be the WDS master and one as a 
slave/backup.


We run a radius server on the master and slave APs solely for
authenticating the WDS domain, since we were never able to get the LEAP 
stuff sorted out. All of our participating APs in the WDS then 
authenticate to the local WDS masters.


What version of IOS do you have on the APs? There's a problem with UDP 
and WDS with 12.3(4)JA


We are at 12.3(4).   I will have to look into this bug.



Basically, it interferes with UDP traffic headed out via the default 
route, which includes the WDS traffic to the WLSE.


I should have been more specific above.. we use LEAP and the radius server 
on the master AP to do our AP-AP and AP-WLSE authentication. We use OSC's 
RADIATOR to do our 802.1x EAP-TTLS authentication. We aren't using the 
AP's radius server to do user authentication.


-JEff


I upgraded the code on a few APs and they now connect to the WLSM/WDS.  
My only issue currently is the WLSE does not seem to be able to 
authenticate with the WLSM/WDS.  I can see the Auth ok message on the 
FreeRadius server.


Thanks again for pointing out the bug.


Chris Hart
(847) 467-7747
IT-TNS
Northwestern University, Evanston
[EMAIL PROTECTED]



Re: [WIRELESS-LAN] Peap info

2005-09-02 Thread Chris Hart

At 05:47 PM 7/5/2005, you wrote:
You can have FreeRADIUS authenticate users directly to Active 
Directory.  The mschap module is able to use the ntlm_auth program 
provided by the Samba project to accomplish this.


We're not currently using this functionality here, but I have tested it 
and it does work for user authentication.  It currently does not work for 
machine authentication, though.


--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



We have set up our FreeRadius server to authenticate to Active Directory 
using the ntlm_auth program as noted above and it works, but I then 
changed my password and did not get prompted to enter credentials.


Am I missing something?   I have not started to do any debugging yet.  More 
detail to follow after further testing on Tuesday.






Chris Hart
(847) 467-7747
IT-TNS
Northwestern University, Evanston
[EMAIL PROTECTED]



Re: [WIRELESS-LAN] WinXP 802.1x and password changes

2005-10-11 Thread Chris Hart
Has anyone confirmed that Funk update  has resolved the issue with the 
password change?


Chris




At 10:16 AM 8/18/2005, you wrote:

Funk has issued a fix for this problem, and is planning to have it
available by Monday.

Contact Alan Phillips [EMAIL PROTECTED] for further details.

> At 17:07 -0400 07/19/2005, King, Michael wrote:
> >Can everyone that's using Funk SBR, and is Concerned with
> the password
> >expiration on the Microsoft 802.1x client please Mail me off list.
> >
> >The Funk Bug ID is 5429, and Funk has stated that we are the only
> >people to ever experience this problem.






Chris Hart
(847) 467-7747
IT-TNS
Northwestern University, Evanston
[EMAIL PROTECTED]



[WIRELESS-LAN] Cisco WLSM Recommendations

2006-05-24 Thread Chris Hart
At Northwestern we are getting close to the recommended 600 AP's that 
tunnel back to the 6509 SUP720.   I am curious what others have seen 
as what count of AP's  or tunnels that start to cause issues.
We will have 2 SSID's on all of the AP's and on about 180 of them 3 
SSID's that are tunneled.  We may even add a guest SSID to all 600 
AP's.  So about 1400 to a possible 2000 tunnels



I really do not want to install another pair of  WLSM blades.


Thanks




Chris Hart
(847) 467-7747
IT-TNS
Northwestern University, Evanston
[EMAIL PROTECTED]



Streaming multicast over wireless

2006-11-01 Thread Chris Hart
I am working on testing streaming multicast video over wireless and 
wanted to find what others have found in their testing/deployment.


I know Dartmouth is doing this on their campus. Using 802.11a radios 
for this purpose.


<http://new.arubanetworks.com/solutions/case-studies/dartmouth.php>


We actually have the same Video Furnace  IP TV system as Dartmouth 
and we currently provide over 20 channels to our dormitories. Each 
channel is currently a 2 Mbps stream.


I am starting to test the system over the wireless network.  I wanted 
to see if other schools had done similar testing yet.


The first question I am trying to answer is how many users per AP?
The second is will this work with 802.11g (not allowing  802.11b 
speeds).  As most of our users still have 802.11b/g radios?

The third is what are the implications of adding wireless VOIP sometime soon?

Our current infrastructure is Cisco 1200's using a WLSM/WLSE 
solution.  I hope to start migrating to a controller based system 
next summer/fall.






Chris Hart
(847) 467-7747
IT-TNS
Northwestern University, Evanston
[EMAIL PROTECTED]



Analysis Tools

2007-01-11 Thread Chris Hart
At Northwestern we currently use AirMagnet's Handheld Analyzer and are 
looking to upgrade to a product that also supports 802.11g.   We are 
looking at AirMagnet's laptop version but wanted to know if anyone 
else has used a similar commercial product we might want to check out.



thanks

Chris


Chris Hart
(847) 467-7747
IT-TNS
Northwestern University, Evanston
[EMAIL PROTECTED]



RE: [WIRELESS-LAN] How does your enterprise do your wireless door locks?

2020-03-31 Thread Chris Hart
We did the same thing but on eduroam with a special VLAN dedicated for the 
locks.



Chris Hart
Northwestern University

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Lee H Badman
Sent: Tuesday, March 31, 2020 1:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] How does your enterprise do your wireless door 
locks?

Same locks. We started on dedicated 802.1X SSID, then moved them to main SSID 
(is not eduroam here) using VLAN steering to get them into their own private IP 
space. They seem to handle PEAP with MS-CHAPv2 quite nicely. No idea on TLS.

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jess Walczak
Sent: Tuesday, March 31, 2020 2:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] How does your enterprise do your wireless door locks?

Sending out a question as to how you do your wifi that serves your wireless 
door locks.  Do you have them on your branded wifi/eduroam, their own SSID, or 
a shared IoT or infrastructure SSID?  Is it a hidden SSID?  Do you have them 
using a simple PSK or do you onboard it with a tool like ISE or Clearpass?  Do 
you install a cert?

Our institution has purchased Assa Abloy model IN120 door locks.  We are a 
Cisco shop and we have ISE, so we could easily onboard using their Mac Address 
Bypass device profiling, but that would consume an expensive license, so 
perhaps other folks have done something simpler and found it to work well and 
to be enough security/segmentation.

Thanks!--JW

Jess Walczak
Network Engineer
Innovation & Technology Services
University of St. Thomas | stthomas.edu


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community



RE: [WIRELESS-LAN] Client roaming

2020-10-14 Thread Chris Hart
I think you will want to set the eirp settings in the ARM profiles and not in 
the radio profile in 8.x.

rf arm-profile "3-9-no80-g"
no 80MHz-support
min-tx-power 3
max-tx-power 9
cm-lb-thresh 30



Chris








From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Michael Davis
Sent: Wednesday, October 14, 2020 2:14 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Client roaming

Is there a reliable way to read TX power in ArubaOS 8?   When we moved to 
in-room APs I set them on a profile with moderate 5GHz power and absolute 
minimum 2.4GHz, but this year I'm seeing the same MacOS/iOS issues as others 
and in trying some older CLI commands, it appears that maybe my settings are 
not what I would expect?

Does the below indicate that the min 2.4GHz EIRP for this hardware (AP-303H) is 
7.0 (6.2) and my attempts at forcing it between 3-6 are futile?

-
MD%show ap debug driver-log ap-name AP-NAME | include EIRP
12717444000.66 Radio0: User EIRP 18.0 Actual EIRP 18.0 Max EIRP 28.6 Min EIRP 7.6
12817517190.778855 Radio1: User EIRP 7.0 Actual EIRP 7.0 Max EIRP 22.1 Min EIRP 6.2

-

rf dot11g-radio-profile "inroom_radio_g_ui"
no high-efficiency-enable
am-scan-profile "inroom_radio_g_ui_amscan_g_ui"
eirp-min 3
eirp-max 6
!
rf dot11a-radio-profile "inroom_radio_a_ui"
no high-efficiency-enable
smart-antenna
am-scan-profile "inroom_radio_a_ui_amscan_a_ui"
max-channel-bandwidth 40MHz
eirp-min 15
eirp-max 18

On 10/14/20 9:05 AM, McGuire, Michael wrote:
I was so happy to come across this thread last night. As I started reading 
through the descriptions of what others are experiencing I began to realize 
maybe I'm not crazy (maybe).

We're an Aruba shop and have been struggling with the same reports of poor 
performance in the residence halls for the past 2-3 weeks.

Last week the pattern finally began to emerge that most clients having issues 
are MacOS & iOS, which seem to be hanging onto the 2.4GHz radio.

Even in locations where the student is in the same room (our residence halls 
are APs in every suite common area or every other room in traditional halls) 
they were still on the 2.4GHz radio.

AirWave would show the client's health fluctuating from near 100% to 30% and 
constant gaps in Usage data within the 2 hour window. The SSID had a "Too Many 
Frame Errors/sec" of over 2,000 frames/s.

I've been making some headway by increasing the max for 5GHz slightly, while 
severely limiting max power on the 2.4 GHz.

This seems to be getting most clients (not all) to move to the 5GHz radio where 
they are showing MUCH better stats.

As these are Residence Halls and given the current pandemic, going room to room 
to take measurements in these locations is not feasible.



- Michael

Michael McGuire
Network Systems Administrator
Monmouth University
mmcgu...@monmouth.edu
732.263.5589
400 Cedar Avenue
West Long Branch, NJ 07764
monmouth.edu



From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LIS

RE: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing any issues in the fall with large classrooms and delayed connection times (Aruba 8.5.0.13)

2021-09-14 Thread Chris Hart
What rates did you set for the ARP policing?

Thanks

Chris Hart


Chris Hart
Network Operations Engineer Lead
Tel: 847-467-7747
Email: ch...@northwestern.edu
2020 Ridge Ave, Evanston, IL





From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Viou, Robert
Sent: Saturday, September 11, 2021 9:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

After working with the Aruba TAC last night, these are the changes we made that 
appear to have corrected the issues we were seeing.
Disabling Airgroup temporarily stops the issue with Queuing of the Arp packets. 
But the changes that we added below allowed us to re-enable Airgroup with 
APGroup set in the Profile.
Still need to monitor to be sure it is fixed, but so far looks good.

Monitor/police non-gratuitous ARP attacks: ENABLED
Monitor/police non-gratuitous ARP attack action: DROP



Bob

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Turner, Ryan H
Sent: Saturday, September 11, 2021 9:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

We had to make major changes to bring stability to Khrushchev environment.  I 
think we have at this point.

We had to significantly detune the ARP policing policies.

We had to block virtually every SNMP poller.

We had to reboot our controllers.

We had to put in place an ACL to block communication from the Mobility masters.

A ridiculous amount of work to basically get us where we were 2 years ago and 
we probably have 15% lower connections compared to then.  I am hoping that the 
upcoming firmware fix will allow us to at least reverse the ACL and SNMP 
pollers. At this point we are pretty blind into information on individual 
connections.

Ryan Turner
Head of Networking, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

On Sep 10, 2021, at 4:25 PM, Johnson, Christopher <cbjo...@ilstu.edu> wrote:

I haven’t heard anything as of yet. Although interestingly while doing a 
packet-capture to monitor arp/dhcp rates – noticed one client sending 
DHCPRequests about 3-4-5 times a minute – and disassociating/re-associating 
constantly – and from the received signal strength of the client – there didn’t 
appear to be any reason for this iPhone – 14.7.X – to behave in such a manner. 
So I’m wondering if that’s not an isolated behavior.

Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444

Stay connected with ISU IT news and tips with @ISU IT Help on Facebook and 
Twitter

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Viou, Robert
Sent: Friday, September 10, 2021 10:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Anyone else seeing 
any issues in the fall with large classrooms and delayed connection times 
(Aruba 8.5.0.13)

[This message came