RE: [WIRELESS-LAN] Bandwidth utilization and IOS7 upgrade

2013-09-19 Thread Colantuoni, Robert


> Anyone have more info or a contact for the Akamai edge cache server? I
> can't seem to find anything on their website about the program.

http://www.akamai.com/html/partners/network_partner.html

We participate in both the Akamai Accelerated Networks Program (AANP) and 
another CDN (beta) that doesn't want to be mentioned publicly.

During most of last semester, our caching subnet saw 100Mb/s IN and 400Mb/s OUT 
average. This was with an uplink that averages ~ 2.5Gb/s.

It was turn-key - it took me more time to push the approval through our legal 
dept than it did to get the servers online. They support both IPv4/6 and use 
eBGP to keep track of your address space so they can correctly route your 
customers to the local on-campus cache.

They restored caching last night at 8pm and we saw about 400Mb/s offload to the 
cache and our internet link flattened out.

---
Robert G Colantuoni
Senior Programmer Analyst
CIT - Network and Classroom Services
SUNY Buffalo
r...@buffalo.edu
716.645.3552

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



RE: [WIRELESS-LAN] Bandwidth utilization and IOS7 upgrade

2013-09-18 Thread Colantuoni, Robert
They tracked our problem down to an issue on their side -- they were not 
properly processing our BGP advertisements. They've fixed it but I haven't seen 
any change in traffic just yet... 

---
Robert G Colantuoni
Senior Programmer Analyst
CIT - Network and Classroom Services
SUNY Buffalo
r...@buffalo.edu
716.645.3552


> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Peter P
> Morrissey
> Sent: Wednesday, September 18, 2013 4:03 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Bandwidth utilization and IOS7 upgrade
> 
> Ours didn't at first, but eventually kicked in and thankfully took on a
> good 2 gigs worth.
> Pete Morrissey
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Julian Y Koh
> Sent: Wednesday, September 18, 2013 3:48 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Bandwidth utilization and IOS7 upgrade
> 
> On Sep 18, 2013, at 14:40, "Colantuoni, Robert" wrote:
> >
> > We actually have an Akamai cache on campus, which has taken the brunt
> > of the load in the past. It doesn't seem to be getting the traffic this
> > time around, they are trouble-shooting it now.
> 
> Yeah, our Akamai server isn't picking up the load this time either.
> 
> 
> --
> Julian Y. Koh
> Acting Associate Director, Telecommunications and Network Services
> Northwestern University Information Technology (NUIT)
> 
> 2001 Sheridan Road #G-166
> Evanston, IL 60208
> 847-467-5780
> NUIT Web Site: <http://www.it.northwestern.edu/> PGP Public
> Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
> 



RE: [WIRELESS-LAN] Eduroam technical questions

2012-11-13 Thread Colantuoni, Robert

OK - one more question - We are currently handling security reports regarding abuse 
on our wireless network by looking up the IP/User and then pushing the user 
account into a "deact" group and filtering for that on the radius server. This 
cuts off the user's network access without affecting their ability to check 
email and it can be automated on the operational side.

Has anyone instituted a filter on their Eduroam realm that could disable user 
accounts if they are reported for abuse?  What is the policy on this - can we 
do that?

---
Robert G Colantuoni
Senior Programmer Analyst
CIT - Network and Classroom Services
SUNY Buffalo
r...@buffalo.edu
716.645.3552

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Tuesday, November 13, 2012 10:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam technical questions

Lee,

eduroam is EAP agnostic.
All that the roaming does is pass the initial SSL/TLS tunnel to the home institution.
Then in the tunnel, exchanges occur between your device and your home institution.
So, as long as your institution does a tunneled EAP, you are done. The visited institution
has nothing to do with your EAP method.

EAP-TTLS, PEAP, EAP-TLS ... all tunneled will work

Philippe

On Nov 13, 2012, at 9:52 AM, Lee H Badman <lhbad...@syr.edu> wrote:


I have read through the most recent docs, not quite grasping:


- If we use MS-CHAPv2 w PEAP on our campus, and that's all we want to use, does 
that exclude us from Eduroam?


- If not, what happens when I roam to another campus that uses TLS, or vice 
versa? The goal is autoconnection, with no reconfig, but is everyone on Eduroam 
really and truly using the same EAP with no need to reconfigure as you roam 
campus to campus?


Sorry to be thick, I realize a lot of time went in to the documents.




Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003



RE: RADIUS Server preference for 10K+ Client Environments?

2011-11-01 Thread Colantuoni, Robert
Freeradius on Linux using AD backend for 802.1x and LDAP (ssl) for everything 
else. We have 4 servers for 2 service areas.

Logging/reporting is all homegrown, but we'll probably end up with a commercial 
product after our next upgrade cycle. 

---
Rob Colantuoni
CIT - Network and Classroom Services
r...@buffalo.edu
(716) 645-3552

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman 
[lhbad...@syr.edu]
Sent: Tuesday, November 01, 2011 2:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] RADIUS Server preference for 10K+ Client Environments?

We’re feeling some frustration with our current RADIUS solution (ACS 5, virtual 
appliances) that are frequently attributed to the size of our client base. (At 
the same time, the logging and reporting on ACS is among the best I’ve ever 
seen.)

For those of you with large (10,000 + users) RADIUS deployments, what servers 
are you using and what are your points of pain and/or appreciation?

We currently only use the servers in question for wireless client support, 
doing MS-CHAPv2/PEAP.


Regards-

Lee Badman


Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003




RE: [WIRELESS-LAN] option 43 for finding master controller

2011-06-02 Thread Colantuoni, Robert
Here's ours... we use option 43 and we set the 'campus' code later in the 
config so that we can pass different controllers based on different parts of 
the campus. The link in the comments will take you to the cisco doc for their 
LWAPs.


option campus      code 180 = string;
option controllers code 43  = string;

class "wireless_controller" {
    match hardware;
    default-lease-time 604800;   #  7 days.
    max-lease-time     1209600;  # 14 days.
    min-lease-time     604800;   #  7 days.

    # http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1130/1130hig5/113h_g.htm#wp1007971
    #
    # The hex string is assembled by concatenating the TLV values shown below:
    # Type + Length + Value
    #
    # Type is always f1(hex). Length is the number of controller management
    #  IP addresses times 4 in hex. Value is the IP address of the controller
    #  listed sequentially in hex.
    #
    # For example, suppose that there are two controllers with management
    #  interface IP addresses, 10.126.126.2 and 10.127.127.2. The type is
    #  f1(hex). The length is 2 * 4 = 8 = 08 (hex). The IP addresses translate
    #  to 0a7e7e02 and 0a7f7f02. Assembling the string then yields
    #  f1080a7e7e020a7f7f02. The resulting Cisco IOS command added to the
    #  DHCP scope is listed below:
    #
    # option 43 hex f1080a7e7e020a7f7f02

    if config-option campus = "north" {
        log(error, "wireless controller - north");
        # North
        # 10.3.240.2 == 0A.03.F0.02
        # 10.3.240.4 == 0A.03.F0.04
        option controllers f1:08:0a:03:f0:02:0a:03:f0:04;
    } elsif config-option campus = "south" {
        log(error, "wireless controller - south");
        # South
        # 10.3.241.2 == 0A.03.F1.02
        # 10.3.241.4 == 0A.03.F1.04
        option controllers f1:08:0a:03:f1:02:0a:03:f1:04;
    } else {
        log(error, "wireless controller - no campus");
        log(error, "handing off no controllers!");
    }
}


---
Robert G Colantuoni
Senior Programmer Analyst
CIT - Network and Classroom Services
SUNY Buffalo
r...@buffalo.edu
716.645.3552
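
Added example, not part of the original message or of any vendor tooling: a small Python helper that builds the f1 + length + addresses string described in the config comments above and parses an existing value back into controller addresses, so a mistyped length byte or a truncated address is caught before the scope goes live. The function names are this example's own.

```python
import ipaddress

SUBOPTION_TYPE = 0xF1  # type byte given in the dhcpd.conf comments above


def encode_option43(controllers):
    """Build type + length + value for a list of IPv4 address strings."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(value) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([SUBOPTION_TYPE, len(value)]) + value


def decode_option43(text):
    """Parse 'f1080a...' or 'f1:08:0a:...' and return the controller IPs."""
    raw = bytes.fromhex(text.replace(":", "").strip())
    if len(raw) < 2 or raw[0] != SUBOPTION_TYPE:
        raise ValueError("payload does not start with type f1")
    length, value = raw[1], raw[2:]
    if length != len(value):
        raise ValueError(f"length byte says {length}, payload has {len(value)}")
    if length == 0 or length % 4:
        raise ValueError("length must be a non-zero multiple of 4")
    return [str(ipaddress.IPv4Address(value[i:i + 4]))
            for i in range(0, length, 4)]


def as_ios(payload):
    """Form used after 'option 43 hex' in a Cisco IOS DHCP scope."""
    return payload.hex()


def as_dhcpd(payload):
    """Colon-separated form used for a 'string' option in ISC dhcpd.conf."""
    return ":".join(f"{b:02x}" for b in payload)


if __name__ == "__main__":
    north = encode_option43(["10.3.240.2", "10.3.240.4"])
    print("option controllers " + as_dhcpd(north) + ";")
    print("option 43 hex " + as_ios(north))
    print(decode_option43("f1:08:0a:03:f1:02:0a:03:f1:04"))
```
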


> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danner, Mearl
> Sent: Thursday, June 02, 2011 11:37 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] option 43 for finding master controller
> 
> Here's ours - at the top of dhcpd.conf. We got it from:
> 
> 
> http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808714fe.shtml
> 
> option space Cisco_LWAPP_AP;
> option Cisco_LWAPP_AP.server-address code 241 = string;
> 
> class "Cisco AP c1130" {
>    match if option vendor-class-identifier = "Cisco AP c1130";
>    option vendor-class-identifier "Cisco AP c1130";
>    vendor-option-space Cisco_LWAPP_AP;
>    option Cisco_LWAPP_AP.server-address
>      ac:1e:00:0d:ac:1e:00:96:ac:1e:00:97:ac:1e:00:98:ac:1e:00:99;
> }
> 
> My assumption would be to declare the class definitions at the top and
> move the option line to the scope.
> 
> Can't remember why we hex encoded the controller addresses.
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ken Connell
> Sent: Thursday, June 02, 2011 10:11 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] option 43 for finding master controller
> 
> The following is at the top of my dhcpd.conf:
> option serverip code 43 = ip-address;
> class "vendor-class" {
> match option vendor-class-identifier;
> }
> .
> .
> .
> Scope is as follows:
> subnet 10.16.0.0 netmask 255.255.254.0
> {
> option broadcast-address 10.16.1.255;
> option domain-name "rbb.ryerson.ca";
> option domain-name-servers 141.117.100.1, 141.117.100.4;
> option routers 10.16.0.1;
> range 10.16.0.5 10.16.0.9;
> default-lease-time infinite;
> max-lease-time infinite;
> subclass "vendor-class" "ArubaAP" {
> option vendor-class-identifier "ArubaAP";
> #
> # option serverip 
> #
> option serverip 10.10.10.1;
> }
> }
> 
> 
> 
> Ken Connell
> Intermediate Network Engineer
> Computer & Communication Services
> Ryerson University
> 350 Victoria St
> RM AB50
> Toronto, Ont
> M5B 2K3
> 416-979-5000 x6709
> 
> - Original Message -
> From: "Danner, Mearl" 
> Date: Thursday, June 2, 2011 9:48 am
> Subject: Re: [WIRELESS-LAN] option 43 for finding master controller
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> 
> 
> > We use it globally for our Cisco LWAPPs, but not per scope. The ISC
> > server is a bit ticky about using class declarations. I worried with
> > it (not pe