Re: [WIRELESS-LAN] interesting design recommendation from ......

2012-11-28 Thread Colleen Szymanik
Aruba has a VRD on high density classrooms published that's pretty good, 
especially since we did a lot of work with them on it.  We are currently 
supporting 90 high density classrooms with great success and are trying to get 
the rest funded.  It's better to design well up front.  The AP 135s have been 
great for it too, not that I'm condoning 80 devices per radio.

On Nov 28, 2012, at 11:16 AM, Osborne, Bruce W 
bosbo...@liberty.edu wrote:

Mike,

Here at Liberty University, we only support WPA2-Enterprise and an open SSID 
that only permits non-802.1X devices registered by the user. We place some 
restrictions on the open network to encourage the use of the WPA2-Enterprise 
network.

The sole exception is a hidden WEP network for some old Cisco wireless phones. 
Once they are retired, that network will disappear.

When we supported WPA2-Personal, we only allowed AES encryption with no issues 
at all. Why allow TKIP, except for migration to AES? I have not seen any recent 
client that does not support WPA2, except for these old Cisco phones on a 
non-Cisco wireless network.

Bruce Osborne
Network Engineer
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Mike King [mailto:m...@mpking.com]
Sent: Wednesday, November 28, 2012 9:54 AM
Subject: Re: interesting design recommendation from ..

Unfortunately James,

I don't see support for WEP / TKIP going away anytime soon.

WEP was broken in August of 2001.  That was 11 years ago.  WPA2 has been 
available since June 2004.  That was 7 years ago.  WPA with TKIP was only 
published as a temporary measure, until WPA2 was ratified, and was supposed to 
cease being used when WPA2 was published.  Yea, that didn't happen.

No vendor wants to lose a sale because they weren't backward compatible.

Only you (the operator of the network) has the power to draw the line in the 
sand, and say we will only support WPA2.  (Let me know how that works out, 
since I would love to try that)

Mike



On Wed, Nov 28, 2012 at 9:42 AM, Gogan, James P 
go...@email.unc.edu wrote:
We continue to see 75% or more of our user population hanging on with 2.4 
devices …..  frustrating….. have to continue to engineer for the bulk of users 
being 2.4 for the foreseeable future.

And while I'm venting - we're STILL having a hell of a time getting all of the 
departments that utilize utility monitoring devices, ticket scanners, classroom 
touch panels, etc. that ONLY support WEP and/or TKIP to upgrade their devices.  
 In some cases, the response has been "we'll upgrade if you pay for it"; we 
keep telling them they're going to be screwed when the vendors drop support for 
those protocols.   Oh, well - such is life with responsibility without 
authority.

-- jg

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
 On Behalf Of Lee H Badman
Sent: Wednesday, November 28, 2012 9:28 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] interesting design recommendation from ..

Seems like there should be a bit more to the discussion… power levels, 
designing for 5 GHz and disable a 2.4 GHz radio or three along the way if too 
many, etc- expected % of clients expected in 5 vs 2.4 versus just a number of 
clients, etc.



-Lee


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Gogan, James P
Sent: Wednesday, November 28, 2012 9:23 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] interesting design recommendation from ..

We currently have a mix of Cisco (legacy) and Aruba (last two years) APs 
(although we're good at keeping any given building single brand, as much as 
possible). We've generally gone with an engineering rule of thumb of 20-30 
clients per access point.

We've noticed issues with channel flapping and inadequate load balancing on our 
Aruba APs in large classrooms where we have, based on our client per AP 
engineering, large numbers of APs.  After an on-site visit from an Aruba 
engineer, his comment was that we have TOO MANY APs in our classrooms and high 
density areas.  His recommendation (using the Aruba AP135s) was that we 
design based on 80 clients per AP (minimum 50, average 80, max 100), and to 
design based on 50 clients per AP for the older AP125s.

I'd be curious to know what others think about that recommendation -- seems 
pretty significantly different from everything we've been told and designed for 
in the past.   (BTW, the engineer also noted that he's not a sales guy and the 
sales guys would suggest differently -- figures).

Thoughts?

-- Jim Gogan
ITS-Networking
Univ of North Carolina at Chapel Hill



Re: [WIRELESS-LAN] Wii U

2012-11-07 Thread Colleen Szymanik
Anyone heard anything about the Wii U?  All I can find is that it'll be 
802.11b/g/n Wi-Fi, plus optional Ethernet connection via USB dongle.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



RE: [WIRELESS-LAN] See you at Educause...(Denver, CO)

2012-11-06 Thread Colleen Szymanik
Yes, we deal with robotic devices not having support for 802.1x as well, but 
also the lower end video and ereaders, like Nooks and Roku (there's a $50 
version that is wireless only and the lower Kindle version - not fire).  We use 
EAP-TTLS and the Nooks took out the certificate support (since our bookstore is 
BN, it doesn't help matters).

We haven't heard of too many complaints about the lack of 802.1x support for 
printers (I think students have decided it's not worth supplying their entire 
floor color ink cartridges these days).  And Wii hasn't been an issue (we 
haven't supported data rates lower than 11 for years - we tell them to plug in 
their Wii and most gaming consoles).  

At this point, we need to figure out better long term strategies for these 
types of devices, which is why I was trying to see if it could be added to the 
discussion.  With the advent of refreshing wireless hardware for new standards 
like 802.11ac and the next generation, I want to get us to a point where we are 
able to have good options moving forward.

Given all that, I wanted to assess where others were with location based 
services.  We have everything setup here to maintain the same IP address as you 
roam across campus.  We are looking to see if we can start to tie that into 
building resources like location based printing.  Also, we had IPv6 enabled for 
all of our wireless networks but the L3 mobility piece wasn't ready yet, so we 
are waiting for some other fixes.  I would love to hear a measurement of where 
others are with IPv6 support.  

  
-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Frank Sweetser
Sent: Tuesday, November 06, 2012 6:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] See you at Educause...(Denver, CO)

One other related category that we've run into a few times is research 
equipment, most notably robotics.  I just recently dealt with a brand new, 
state of the art $200k robot that only supports PSK - no 802.1x support at all.

While they're not that dissimilar from the consumer grade devices (in the above 
robot, I suspect its wireless was in fact provided by a consumer grade Belkin 
adapter), the critical academic research classification and the amount of 
research money behind them effectively means they have to get treated very 
differently than my "Wii can't stream Netflix" complaints.

Frank Sweetser fs at wpi.edu|  For every problem, there is a solution that
Manager of Network Operations   |  is simple, elegant, and wrong.
Worcester Polytechnic Institute |   - HL Mencken

On 11/5/2012 8:46 PM, Hanset, Philippe C wrote:
 Colleen,

 - What are others doing to support home networking products in the 
 enterprise (besides just Apple products)?  Ways to do this without having to 
 completely adapt a vendor solution & be locked into an end to end solution.


 Could you (or anyone on the list) give a few examples of home 
 networking products that you have in mind and the challenges that come with 
 them? I can think of:
 - Printers (interference, security, being on same layer 2)
 - the slew of Apple products (and equivalent products) (the challenges of mDNS)
 - Game consoles (the ones that cannot do 802.1x)
 What else?


 - Any good success stories with IPv6 on wireless? Or location based authZ on 
 wireless?

 Any specific use case for Location based AuthZ on Wi-Fi?


 I know I'll have access to login after the conference is over to review the 
 session, so I hope these will be discussed!


 The session is not recorded but we will try to provide a good summary 
 of the discussion back on the list

 Thanks,

 Philippe

 Colleen Szymanik
 University of Pennsylvania

 On Nov 5, 2012, at 2:44 PM, Entwistle, Bruce 
 bruce_entwis...@redlands.edu wrote:

 I am unable to attend but would be interested in comments related to the 
 topics mentioned.

 Bruce Entwistle
 Network Manager
 University of Redlands


 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, 
 Philippe C
 Sent: Friday, November 02, 2012 4:25 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] See you at Educause...(Denver, CO)

 The Wireless-LAN session is on Wednesday Nov 7, from 10:30 till 11:20 
 Mountain Time, room 402.

 Topics that come to mind:

 -802.11AC Why wait? Why jump?
 -How to empower users with Bonjour needs?
 (or consequences for not doing it)
 -Is Wireless management slowly moving to the switch? What does it mean for 
 us?
 (Will it all work with openflow seamlessly?)

 Any other topic you want us to discuss?

 Thanks,

 Have a good Weekend,

 Philippe

 Univ. of TN


Re: [WIRELESS-LAN] See you at Educause...(Denver, CO)

2012-11-05 Thread Colleen Szymanik
I am interested in hearing about these topics as well, but I'm not @ Educause 
this week either.

A couple other things I'd love to hear about from others:

- What are others doing to support home networking products in the enterprise 
(besides just Apple products)?  Ways to do this without having to completely 
adapt a vendor solution & be locked into an end to end solution.

- Any good success stories with IPv6 on wireless? Or location based authZ on 
wireless?

I know I'll have access to login after the conference is over to review the 
session, so I hope these will be discussed!

Colleen Szymanik
University of Pennsylvania 

On Nov 5, 2012, at 2:44 PM, Entwistle, Bruce bruce_entwis...@redlands.edu 
wrote:

 I am unable to attend but would be interested in comments related to the 
 topics mentioned.
 
 Bruce Entwistle
 Network Manager
 University of Redlands
 
 
 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
 Sent: Friday, November 02, 2012 4:25 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] See you at Educause...(Denver, CO)
 
 The Wireless-LAN session is on Wednesday Nov 7, from 10:30 till 11:20 
 Mountain Time, room 402.
 
 Topics that come to mind:
 
 -802.11AC Why wait? Why jump?
 -How to empower users with Bonjour needs?
 (or consequences for not doing it)
 -Is Wireless management slowly moving to the switch? What does it mean for us?
 (Will it all work with openflow seamlessly?)
 
 Any other topic you want us to discuss?
 
 Thanks,
 
 Have a good Weekend,
 
 Philippe
 
 Univ. of TN
 


RE: Our Apple Request Tracking ID

2012-08-02 Thread Colleen Szymanik
We did the same thing @ University of Pennsylvania as well.  Our goal is to 
attack the issue on multiple fronts: Apple, our vendors and this petition.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
Sent: Thursday, August 02, 2012 10:41 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Our Apple Request Tracking ID



Our authorized Apple support person opened a feature request/trouble ticket for 
me. The ID is as follows:

[386504] AirPlay/Apple TV Enhancement Request

Basically we submitted a truncated version of the petition.

Feel free to quote this ID in your requests to Apple support.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu




Re: [WIRELESS-LAN] Aruba user-table and split DHCP scopes

2012-07-27 Thread Colleen Szymanik
We have a similar setup (split DHCP scopes) running AOS 6.1.3.2 without major 
issue.  We've seen some intermittent client connectivity issues, mostly from 
Macs, but nothing wide scale & they aren't specific to our AOS version.  Are 
you using vlan pooling?  We aren't & I was trying to see what the differences 
are.

Colleen Szymanik
---
University of Pennsylvania

On Jul 27, 2012, at 9:40 AM, Kellogg, Brian D. 
bkell...@sbu.edu wrote:

We are just installing our new Aruba wireless stuff and have run into an issue 
caused by split DHCP scopes.  We split our scopes in half between two DHCP 
servers for redundancy.  What happens is the Aruba user-table will get two 
entries in it due to the fact that whichever DHCP server responds first wins.  
When this happens the clients will get intermittent connectivity issues if they 
can connect at all.  We are running ArubaOS 6.1.3.3.  I’ve done split scopes 
for years without issue.  Just wondering if anyone else has run into this and 
if there is a fix without abandoning split scopes?


Thanks,
Brian



RE: Aruba user-table and split DHCP scopes

2012-07-27 Thread Colleen Szymanik
I am aware of the Mac client hibernation issue and not getting a DHCP address.  
I believe if you press Aruba, you can get a cbuild to fix (since they are aware 
of the open issue as well). It should be released GD soon.   

Colleen Szymanik

--

University of Pennsylvania

Network Engineer




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Kellogg, Brian D. 
[bkell...@sbu.edu]
Sent: Friday, July 27, 2012 1:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba user-table and split DHCP scopes

Yeah, it's probably the clients that initiate power save mode more often that 
will see the issue first and more frequently.  For now we stopped doing split 
scopes for our Aruba client VLANs in order to avoid this issue.


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David Gillett
Sent: Friday, July 27, 2012 12:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: Aruba user-table and split DHCP scopes

  I have seen this on our Aruba controllers here.  A client is shown with two 
entries, with the same MAC address, authentication, and duration, but with IP 
addresses from different scopes.
  This was one of several issues with the controller web interface that I've 
reported to them -- they weren't very helpful.

  I don't have reports that users experience connectivity issues when this 
happens, but they probably should...

  For a while I kept manual records, trying to see if the problem was limited 
to specific kinds of clients.  I never saw that it was -- sooner or later, 
every common type of client encountered this situation.

David Gillett
CISSP CCNP


From: Kellogg, Brian D. [bkell...@sbu.edu]
Sent: Friday, July 27, 2012 9:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba user-table and split DHCP scopes

I've seen the issue with pooling and without.  It's cropped up only on Android 
and IOS devices so far.  It appears to manifest after the device has awoken 
from deep sleep or if the wifi adapter was disabled and re-enabled.  The device 
will pick up the first DHCP offer it sees even if it already has a leased IP on 
the other server.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Colleen Szymanik 
[c...@isc.upenn.edu]
Sent: Friday, July 27, 2012 12:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: Aruba user-table and split DHCP scopes

We have a similar setup (split DHCP scopes) running AOS 6.1.3.2 without major 
issue.  We've seen some intermittent client connectivity issues, mostly from 
Macs, but nothing wide scale & they aren't specific to our AOS version.  Are 
you using vlan pooling?  We aren't & I was trying to see what the differences 
are.

Colleen Szymanik
---
University of Pennsylvania

On Jul 27, 2012, at 9:40 AM, Kellogg, Brian D. 
bkell...@sbu.edu wrote:

We are just installing our new Aruba wireless stuff and have run into an issue 
caused by split DHCP scopes.  We split our scopes in half between two DHCP 
servers for redundancy.  What happens is the Aruba user-table will get two 
entries in it due to the fact that whichever DHCP server responds first wins.  
When this happens the clients will get intermittent connectivity issues if they 
can connect at all.  We are running ArubaOS 6.1.3.3.  I've done split scopes 
for years without issue.  Just wondering if anyone else has run into this and 
if there is a fix without abandoning split scopes?


Thanks,
Brian
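The duplicate user-table entries described in this thread (one MAC, two addresses from different scopes after a client re-DHCPs out of sleep) are easy to miss by eye in a large table. The script below is an added example, not ArubaOS code and not from any poster: it parses a constructed, simplified snapshot of `show user-table` style rows (the column layout, the 10.20.0.0/23 split into two per-server scopes, and all MACs and usernames are assumptions for the example) and reports which MACs hold leases from more than one scope at once, separately from MACs that simply have two stale entries inside the same scope.

```python
"""Flag split-scope duplicates in an Aruba-style user table.

Added example for the "Aruba user-table and split DHCP scopes" thread.
The row layout is a constructed approximation of controller output,
not a capture; scope boundaries and client identities are made up.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: two redundant DHCP servers each serve half of 10.20.0.0/23.
SCOPES = {
    "dhcp-a": ip_network("10.20.0.0/24"),
    "dhcp-b": ip_network("10.20.1.0/24"),
}

# Constructed snapshot: IP, MAC, username, role, age (d:h:m), auth type.
# The first MAC shows the split-scope race; the second has two leases
# inside one scope; the third is a normal single entry.
SAMPLE_USER_TABLE = """\
10.20.0.15    00:11:22:33:44:55  bkellogg   authenticated  00:02:17  802.1x
10.20.1.140   00:11:22:33:44:55  bkellogg   authenticated  00:02:17  802.1x
10.20.0.77    66:77:88:99:aa:bb  cszymanik  authenticated  00:00:05  802.1x
10.20.0.78    66:77:88:99:aa:bb  cszymanik  authenticated  00:00:06  802.1x
10.20.1.9     cc:dd:ee:ff:00:11  guest42    guest          01:11:59  captive
"""


def parse_user_table(text):
    """Parse whitespace-separated rows into dicts; skip short or blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        ip, mac, name, role, age, auth = parts[:6]
        rows.append({"ip": ip_address(ip), "mac": mac.lower(), "name": name,
                     "role": role, "age": age, "auth": auth})
    return rows


def scope_of(ip):
    """Return the scope name containing ip, or None if it is in no scope."""
    if isinstance(ip, str):
        ip = ip_address(ip)
    for name, net in SCOPES.items():
        if ip in net:
            return name
    return None


def find_split_scope_duplicates(rows):
    """Return (split, same_scope).

    split:      {mac: [scope names]} for MACs holding leases from more than
                one scope at once (the race this thread describes).
    same_scope: {mac: [ips]} for MACs with several entries inside a single
                scope, which points at lease churn or a stale entry rather
                than the split-scope race, so it is reported separately.
    """
    by_mac = defaultdict(list)
    for r in rows:
        by_mac[r["mac"]].append(r)
    split, same_scope = {}, {}
    for mac, entries in by_mac.items():
        if len(entries) < 2:
            continue
        scopes = sorted({scope_of(e["ip"]) for e in entries} - {None})
        if len(scopes) > 1:
            split[mac] = scopes
        else:
            same_scope[mac] = sorted(str(e["ip"]) for e in entries)
    return split, same_scope


if __name__ == "__main__":
    split, same = find_split_scope_duplicates(parse_user_table(SAMPLE_USER_TABLE))
    for mac, scopes in split.items():
        print(f"{mac}: leases from {scopes} (split-scope duplicate)")
    for mac, ips in same.items():
        print(f"{mac}: {ips} (duplicate within one scope)")
```

Run against a real snapshot, the split list is the set of clients most likely to show the intermittent connectivity the thread reports; the same-scope list is worth watching separately, since it would persist even after split scopes are abandoned.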


RE: [WIRELESS-LAN] World IPV6 Day

2012-06-05 Thread Colleen Szymanik
We have taken a different approach to the World IPv6 Launch @ UPenn.  We have 
enabled IPv6 on all of our 802.1X campus subnets for wireless.  So far, things 
look good.  We use 12 Aruba M3 controllers to support about 3000 APs on campus 
and we turned on RA-guard on our controllers since enabling IPv6.  Every day we 
run some scripts to take snapshots on IPv6 concurrent user counts.  Since 
campus is pretty empty right now, we only see about 700 users at a time, but I 
imagine that when fall comes, it'll be interesting to see how that fares.  We 
have different L3 subnets for each building on campus, so we run a very large 
IP mobility deployment here.  I have done some extensive testing with mobility 
and roaming with respect to IPv6 - so far things still work well.  I'd be 
interested in hearing some other people's experiences on this.


Colleen Szymanik

--

University of Pennsylvania

Network Engineer

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King
Sent: Monday, June 04, 2012 2:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] World IPV6 Day

World IPV6 Day is this Wednesday.
http://news.cnet.com/8301-1001_3-57445316-92/internet-powers-flip-the-ipv6-switch-faq/?tag=mncol;morePosts

The big change is that they aren't shutting it off after the test.

We're making / expecting no changes for Wednesday, as we're still taking the 
head in the sand approach.  (As the summer progresses, we'll be looking at IPV6 
pilots)

Mike



RE: [WIRELESS-LAN] Radius Load-balancing and Aruba

2012-05-16 Thread Colleen Szymanik
We use FreeRadius and we manually load balance.  We try to keep things simple 
with good naming schemes since, at this point, we have 7 Aruba M3 production 
controllers with 4 backups supporting over 3000 APs.  We have 8 RADIUS server 
groups (4 physically different RADIUS servers with 2 instances of FreeRadius 
running on each of them).  What we decided to do was run each main controller 
to have a different primary RADIUS server.  We use EAP-TTLS(PAP) - it's single 
threaded to a backend Kerberos system, so we needed the extra servers to handle 
the load (we were peaking over 17K clients on the system at a time this past 
spring, and who knows what fall will bring).  It was easier for us to do this 
manually - one less thing to worry about failing and we run reports from our 
RADIUS servers to make sure we are ok.  We were also running scripts on our 
controllers to make sure we didn't get server timeouts as well.  Hope this 
helps - good luck!

Colleen Szymanik
University of Pennsylvania

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Hulko
Sent: Tuesday, May 15, 2012 2:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Radius Load-balancing and Aruba


We are attempting to create a load-balance farm of Radius servers for our 
802.1x authentication.  The foundation is:

Citrix NetScaler 9000s
Aruba M3 controllers
Radiator radius server (currently 3) on a Windows platform.

We have been unable to successfully get authentication to work.  We are getting 
Aruba involved, but they do not seem to have an answer yet.

Any comments/suggestions if you are already doing this or have alternatives 
would be greatly appreciated.

Thanks


Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca







Re: [WIRELESS-LAN] Radius Load-balancing and Aruba

2012-05-16 Thread Colleen Szymanik
We use the same certificate on all.  Much easier!

On May 16, 2012, at 3:03 PM, Michael Hulko 
mihu...@uwo.ca wrote:

So to continue the thought...

How are you managing the server certificates.  Does FreeRadius require a 
certificate per server instance or can you use a single server certificate for 
all instances?  I can see where having the number of servers providing 
authentication could give users a challenge where they roam between controllers 
and have to accept another certificate until they have accepted them all..

your thoughts...

Thanks again.
MH


On 2012-05-16, at 8:54 AM, Colleen Szymanik wrote:

We use FreeRadius and we manually load balance.  We try to keep things simple 
with good naming schemes since, at this point, we have 7 Aruba M3 production 
controllers with 4 backups supporting over 3000 APs.  We have 8 RADIUS server 
groups (4 physically different RADIUS servers with 2 instances of FreeRadius 
running on each of them).  What we decided to do was run each main controller 
to have a different primary RADIUS server.  We use EAP-TTLS(PAP) – it’s single 
threaded to a backend Kerberos system, so we needed the extra servers to handle 
the load (we were peaking over 17K clients on the system at a time this past 
spring, and who knows what fall will bring).  It was easier for us to do this 
manually – one less thing to worry about failing and we run reports from our 
RADIUS servers to make sure we are ok.  We were also running scripts on our 
controllers to make sure we didn’t get server timeouts as well.  Hope this 
helps – good luck!

Colleen Szymanik
University of Pennsylvania

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Hulko
Sent: Tuesday, May 15, 2012 2:06 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Radius Load-balancing and Aruba


We are attempting to create a load-balance farm of Radius servers for our 
802.1x authentication.  The foundation is:

Citrix NetScaler 9000s
Aruba M3 controllers
Radiator radius server (currently 3) on a Windows platform.

We have been unable to successfully get authentication to work.  We are getting 
Aruba involved, but they do not seem to have an answer yet.

Any comments/suggestions if you are already doing this or have alternatives 
would be greatly appreciated.

Thanks


Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca







Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca






RE: [WIRELESS-LAN] Odd issue with Aruba wireless...

2011-12-08 Thread Colleen Szymanik
We saw similar issues.  User table entries had usernames associated with our 
DNS servers.  We did a great deal of debugging with traces, Aruba TAC and other 
customer discussions.  We have validuser ACL entries setup to prevent all this. 
 It seems that occasionally devices can echo packets and inject into the user 
table.  Without protections such as validuser, it could cause connectivity 
issues depending on the role these entries receive.  The cleanest thing we've 
seen done is to define variables with all your validuser entries as a white 
list and everything else should be denied.  

Colleen Szymanik
Sr. Network Engineer
ISC Networking & Telecommunications 
University of Pennsylvania

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brooks, Stan
Sent: Wednesday, December 07, 2011 3:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Odd issue with Aruba wireless...

Jeff -

Besides the "only affects Win7" comment, this sounds like it could be an Aruba 
validuser ACL issue.  If you've modified that ACL from the default of "allow 
all IP addresses", it would block all but the specific allowed addresses.  The 
symptoms are: user gets a valid IP address from DHCP, then all their traffic is 
blocked because their IP is not in the validuser ACL.  I get bit by that 
problem every time I add a subnet and forget to add it to the list of valid 
networks in our validuser ACL.  Just a thought...

- Stan Brooks - CWNA/CWSP
  Emory University
  University Technology Services
  404.727.0226
AIM/Y!/Twitter: WLANstan
   MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jeff Kell [jeff-k...@utc.edu]
Sent: Wednesday, December 07, 2011 2:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Odd issue with Aruba wireless...

Having a strange issue with our wireless today... wondered if it rings any 
bells...
seems to just be affecting Win7...

Clients associate with access points fine, but show "limited internet 
connectivity".

Mouse-over wireless icon and it shows "unidentified network" (same in network 
and sharing center); although list of SSIDs shows the same expected SSID as 
"Connected".

Client RADIUS works fine (verified controller and radius server), dropped on 
production role.

DHCP transaction is normal, request received and ACKed.

Wireless router shows MAC address in expected vlan, and ARP entry shows 
expected IP address with the MAC.

ipconfig /all shows correct IP, mask, gateway, DNS, and DHCP servers.  No 
stray IPv6 or tunnel adapters.

route print shows all expected correct entries for wireless.  No stray IPv6 
(other than loopback and link-local).  Default points to default gateway IP.

arp -a does *NOT* show an entry for the default gateway, and client is unable 
to ping the default gateway.

I'm baffled :)

Jeff



RE: Apple Support

2011-04-12 Thread Colleen Szymanik
We are trying to establish the same thing here.  The latest venue that we are 
exploring is asking for internal Apple contacts from our current wireless 
vendor, Aruba, in hopes that we can gain a better support channel as well.  I'd 
be very interested to hear about others' experiences as well.

Colleen Szymanik
Network Engineer
University of Pennsylvania

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Tuesday, April 12, 2011 1:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Apple Support

Beyond being in for-fee development programs (must suppress salty language at 
this juncture) has anyone established a support channel with Apple for things 
like complex wireless/authentication problems that even remotely comes close to 
being acceptable and reasonable to an enterprise customer? If so, can you share 
how you got there?

Currently, we're on some bizarre $700 a call sham plan that thus far is 
yielding nothing of value, and the double bonus is that only one person out of 
our entire network and computing environment is supposedly allowed to talk with 
Apple's *ahem* tech support.

Love your show,

Bewildered in Upstate

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003





Re: [WIRELESS-LAN] Frequent reassociations/reauthentications in 802.1x WLAN

2006-09-28 Thread Colleen Szymanik

Jorge,
Thanks for the response.  We are using Cisco AP 1131 and AP 1242 - we 
don't use a controller, only WLSE to manage.  We have the basic default 
radio settings enabled.  We tried turning off the non-aironet extensions 
and the problem still persists.  The intervals seem to be regular - for 
some it's about every 30 sec and for others it's about every few 
minutes.  We have dynamic channels set so the AP will search for the 
least congested channel.  And the strange thing is that this problem 
occurs on some APs and not on others with some clients and not with all 
of them.  We have been trying the driver update and that seems to only 
fix the problem for a little while and then it comes back. 
Colleen Szymanik


University of Pennsylvania
Network Engineer

Jorge Bodden wrote:


Shumon,

We used to have the same problem when we had the Aironet solution a 
couple of years back.  It was actually due to the APs sending a 
re-association packet/frame to the device, even if that device was 
directly underneath the AP.  What type of platform are you currently 
running your infrastructure on?  How dense is your environment?  Do 
you have dynamic channel/power assignment or are you doing it 
statically?  Then we had a similar problem, when we deployed to the 
Airespace solution, which was due to 2 bugs; one on the controller and 
another on the router.  Those are things you might want to look at a 
little bit.


Although the authentication mechanism is what is being impacted, it 
does not seem to be the source of your problem, for the simple fact 
that people are authenticating.  Have you sniffed the air?  You could 
try running some tests by leaving a device connected and monitoring it 
and what type of traffic it is receiving.  Look to see what is 
happening with the device when it is disconnecting.  Check to see if 
it is happening at random intervals, or the intervals are more 
periodic.  Whatever you do, do not ignore it because there are no 
complaints.  I am sure there are many of us here in the group who, in 
ignoring small problems, have gotten burnt.


Let us know how it works out.

Thanks.

Jorge

Shumon Huque wrote:


We rolled out a WPA/802.1x authenticated WLAN to our student
residences this semester. We're using EAP-TTLS with PAP as the inner 
authentication protocol. The EAP servers are a set of centralized 
RADIUS servers that perform Kerberos5 password verification to our 
KDCs in the backend.


We've noticed several problems that we didn't observe when we had it 
running on a much smaller scale in our own offices.

A large number of users seem to be repeatedly authenticating,
some of them as frequently as every 30 seconds or every few
minutes. Some debugging revealed that these users are frequently
oscillating their associations between a number of different
access points. A smaller number of users keep reassociating with
the same access point. This is causing a very large load on the
authentication server infrastructure, which we've temporarily
worked around by load balancing the APs across additional RADIUS 
servers.
However, we're also assuming that this is causing lots of user 
visible performance problems due to roaming latency (scan,
reassociate, authenticate, 802.11i handshake, DHCP address 
acquisition etc). Surprisingly, not many users have complained. 
Perhaps they are only browsing the web or using other non-
interactive apps which can tolerate delay. Or they might 
simultaneously have a wired ethernet connection.


Is frequent reassociation the normal behavior in a dense
deployment of APs? I can understand that it might be for
highly mobile stations like wireless VoIP phones. But our environment 
is composed of mostly stationary wireless laptops in student rooms. 
My assumption was that roaming typically happened when a user moves 
towards a stronger signal AP and at some configured signal quality 
threshold, the station started scanning for a better AP. Am I wrong?

Or is this more likely something in our radio environment or
insufficient coverage etc? Our wireless LAN engineers are
currently investigating this, but I'd be interested to hear
the experience of others.

Do we need a fast roaming solution to deal with this? Having
access points and stations able to cache the PMK (Pairwise
Master Key) would probably help the best, as that would allow
them to often establish a secure association without conducting a 
heavyweight authentication dialog with the RADIUS server. But
I'm not sure if access points or typical endstations support this. 
TLS session resumption will probably help a bit also (if supported).

We use cisco aironet 1200/1100 access points. The clients are
mostly PCs running SecureW2, Macs running with the built-in
EAP-TTLS/802.1x support in Mac OS X, and a smaller number of
Linux machines.

Thanks for any advice!
---
Shumon Huque
Network Engineering
3401 Walnut Street, Suite 221A, Philadelphia, PA 19104-6228
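
The PMK caching Shumon asks about, as an added example that is not part of the thread: a station flapping between two APs pays the RADIUS/EAP round trip once per AP and then reassociates from cache. The PMKID construction is the one 802.11i defines (HMAC-SHA1-128 over "PMK Name", the AP MAC and the station MAC, truncated to 16 bytes); the RADIUS server, the way it derives a PMK from a password, and all MAC addresses and credentials are stand-ins made up for the example.

```python
"""PMKSA caching in plain Python.  Added example; FakeRadius and its PMK
derivation are stand-ins, the PMKID formula is the 802.11i one."""
import hashlib
import hmac


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    # 802.11i: PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA)
    # AA = authenticator (AP) MAC address, SPA = supplicant (station) MAC address.
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class FakeRadius:
    """Stand-in for the EAP/RADIUS back end; counts every full authentication."""

    def __init__(self, users):
        self.users = users          # identity -> password (constructed)
        self.full_auths = 0

    def authenticate(self, identity, password):
        self.full_auths += 1
        if self.users.get(identity) != password:
            return None
        # A real EAP method exports the PMK from the TLS key material; a hash
        # of the credentials is enough to give each user a distinct PMK here.
        return hashlib.sha256(b"pmk|" + identity.encode() + b"|" + password.encode()).digest()


class AccessPoint:
    def __init__(self, bssid: bytes, radius: FakeRadius):
        self.bssid = bssid
        self.radius = radius
        self.pmksa = {}             # PMKID -> PMK, one per (this AP, station)

    def associate(self, sta_mac, identity, password, offered_pmkids=()):
        # The station lists the PMKIDs it holds for this BSSID in its RSN IE.
        for pid in offered_pmkids:
            if pid in self.pmksa:
                return "cached", self.pmksa[pid]     # skip EAP, go to 4-way handshake
        pmk = self.radius.authenticate(identity, password)
        if pmk is None:
            return "rejected", None
        self.pmksa[pmkid(pmk, self.bssid, sta_mac)] = pmk
        return "full", pmk


class Station:
    def __init__(self, mac: bytes, identity: str, password: str):
        self.mac, self.identity, self.password = mac, identity, password
        self.pmksa = {}             # bssid -> (PMKID, PMK)

    def connect(self, ap: AccessPoint) -> str:
        offered = [self.pmksa[ap.bssid][0]] if ap.bssid in self.pmksa else []
        outcome, pmk = ap.associate(self.mac, self.identity, self.password, offered)
        if pmk is not None:
            self.pmksa[ap.bssid] = (pmkid(pmk, ap.bssid, self.mac), pmk)
        return outcome


def flap(station: Station, aps, rounds: int) -> list:
    """Alternate the station across `aps` for `rounds` associations."""
    return [station.connect(aps[i % len(aps)]) for i in range(rounds)]


if __name__ == "__main__":
    radius = FakeRadius({"alice": "pw"})
    ap_a = AccessPoint(bytes.fromhex("001a1e000001"), radius)
    ap_b = AccessPoint(bytes.fromhex("001a1e000002"), radius)
    sta = Station(bytes.fromhex("001cb3aabbcc"), "alice", "pw")
    print(flap(sta, [ap_a, ap_b], 6), "full auths:", radius.full_auths)
```

Two caveats the model makes visible: the cache is keyed per AP, so a station that wanders across many APs still authenticates once at each of them unless the infrastructure shares PMKs between APs; and a cache hit only skips the EAP dialogue, the 4-way handshake still runs on every reassociation.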

Re: [WIRELESS-LAN] Midspan PoE?

2006-08-08 Thread Colleen Szymanik

Steve,
 We are also using the PowerDSine MidSpans and are happy with them so far.
Colleen Szymanik
Network Engineer
University of Pennsylvania

Greene, Chip wrote:


Steve,

We are using a combination of the Cisco POE Switches (WS-C3750-48P),
Cisco POE Blades (WS-X4548-GB-RJ45V), and the PowerDSine MidSpans (6006,
6012)
(http://www.powerdsine.com/Products/Midspan/)  The 3750 is used where we
need 12 or more powered ports and were currently using the 3750 stack,
the 4548 was used when we had a 4506 installed and needed power, and the
PowerDSine was used when we needed less than 12 powered ports.  We have
had no issues with any of these units and would recommend them all,
based on the individual usages.

Chip Greene
Network Specialist
University of Richmond



-Original Message-
From: Steve Fletty [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 08, 2006 10:45 AM

To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Midspan PoE?

What are people doing for PoE?

Any midspan switch recommendations?

--
Steve Fletty
Network Engineer
Networking and Telecommunications
University of Minnesota
[EMAIL PROTECTED]



Re: [WIRELESS-LAN] Bluesocket....

2004-11-11 Thread Colleen Szymanik
Zack,
We are using centrally managed Bluesocket WG 2100s at the University of
Pennsylvania currently.  Right now, we have 4 WG 2100s deployed with
managed vlans on each box.  We are using a central RADIUS server for
authN and we are using a central DHCP server as well (not local on the
2100) and we are running the 4.0 software with BluePatch version 1.4
with no encryption.  We have anywhere from 10-20 vlans on each 2100 with
average usage to be around 200 concurrent users.  We have had around 400
users at a time and it seems a little slow, but still held up.
Colleen Szymanik

University of Pennsylvania
Network Engineer
Zackary O'Donnell wrote:
We are working on implementing a centrally managed Bluesocket 2100 to
replace our home-grown authentication/firewall for our small but growing
wireless network.  Our long term goal is to move to 802.1x deployment from a
smart AP, but also to have the Bluesocket portal as a backup and as guest
access.
When we talked to vendors, over a year ago, we had 200 per day on the
network.  Now we are seeing 200 simultaneous users during the busy hour.
I have read on this listserv that many of you use the 2100 and can support
over 1000 users.  Bluesocket recommends the 2100 for 400 simultaneous users
tops, but admits many campuses are doing much more.  What is your take on
simultaneous users?  Are you using bandwidth restriction to up the numbers?
We are trying to determine if we need to buy a bigger box or if we are
seeing a little too much marketing from Bluesocket.
Thanks
Zack
Zackary O'Donnell
Communications Resources
University of California
One Shields Ave PH: 530.752.5947
Davis, CA  95616   FX: 530.754.9747
Telecommunications: Be careful how you use it.
-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] Behalf Of Christopher R.
Hertel
Sent: Friday, October 10, 2003 9:43 AM
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Bluesocket
On Fri, Oct 10, 2003 at 11:10:54AM -0400, Sean Che wrote:
:

802.1x traffic should NOT pass through AP.  What I said is that 802.1x
can pass through Bluesocket.   In this case, the link between
authenticator(AP) and authentication server ( Radius Server) is
transparent, even though the Bluesocket box sits between them.
FYI,  here's the authentication process of 802.1x:
  * The client may send an EAP-start message.
  * The access point sends an EAP-request identity message.
  * The client's EAP-response packet with the client's identity is
proxied to the authentication server by the authenticator.
  * The authentication server challenges the client to prove
themselves and may send its credentials to prove itself to the
client (if using mutual authentication).
  * The client checks the server's credentials (if using mutual
authentication) and then sends its credentials to the server to
prove itself.
  * The authentication server accepts or rejects the client's request
for connection.
  * If the end user was accepted, the authenticator changes the
virtual port with the end user to an authorized state allowing
full network access to that end user.
  * At log-off, the client virtual port is changed back to the
unauthorized state.

Think about that.
In order for that to work all of the APs must support the system
completely.  Consider:
* The APs that do support 802.1x are more expensive, which makes a
 difference when you multiply by 1000 APs.  (...and that's just for
 starters.  We have a big campus.)
* There are hundreds if not thousands of APs on my campus already that
 don't support 802.1x.  Folks just pop out on their lunch hour and buy a
 new AP at the discount store for $70 or less.  They get back and plug it
 in.  It's hard enough convincing them to use the standard SSID and hook
 up the auth server.  Many of these APs won't be upgradable to run
 802.1x.
* The more APs I have the more APs I have to manage.  The more features
 the AP has the more of a pain it is to manage it.  I want my APs dumb
 and simple.  If I could get APs that were little more than a transceiver
 that would be very, very nifty.
* On the client side, all of the clients would have to support 802.1x in
 order to make it a viable solution.  We have a diverse client
 population that includes MacOS, *BSD, Linux, PalmOS, Symbian, even
 MS-Windows...  I'm sure there are more.  Until all of these (and those
 I've missed) support 802.1x I cannot deploy it.  I would be blocking
 access based on the user's client platform choice and that just wouldn't
 fly.  (We tried recently to block all Windows filesharing ports to
 prevent virus/worm spread, but there was this small, vocal minority...)
In short, 802.1x is currently impractical on my campus.
Instead, we have tried to move complexity in the wireless network toward
the center.  Our goal is to make it easier to manage the network, easier
to accommodate a wider variety of clients and APs, easier to make changes
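
The 802.1X exchange listed in the quoted message, modelled as three objects in plain Python. This is an added example, not code from anyone on the thread or from Bluesocket: there is no real EAP method or TLS in it, the server's "credential" is a certificate fingerprint string, and the users and fingerprints are made up. The point it shows is that the authenticator (the AP, and anything transparent between it and RADIUS) only relays EAP and flips its controlled port on the server's verdict; the mutual-authentication step is what stops a client handing its password to an untrusted server.

```python
"""Toy three-party 802.1X/EAP exchange.  Added example; no real EAP method,
credentials and fingerprints are constructed."""


class AuthenticationServer:
    """RADIUS side.  Holds the user database and the server certificate."""

    def __init__(self, users: dict, cert_fingerprint: str):
        self.users = users                      # identity -> password (constructed)
        self.cert_fingerprint = cert_fingerprint

    def credential(self) -> str:
        return self.cert_fingerprint            # what a TLS-based method shows the client

    def verify(self, identity: str, password: str) -> bool:
        return self.users.get(identity) == password


class Supplicant:
    """Client side.  Trusts only specific server certificate fingerprints."""

    def __init__(self, identity: str, password: str, trusted_fingerprints):
        self.identity = identity
        self.password = password
        self.trusted = set(trusted_fingerprints)

    def accepts_server(self, fingerprint: str) -> bool:
        return fingerprint in self.trusted      # the mutual-authentication check


class Authenticator:
    """The AP.  Relays EAP between EAPOL (air side) and RADIUS (wired side);
    it never reads or checks the password, only the server's accept/reject."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.authorized = False                 # state of the controlled port
        self.log = []

    def run(self, sup: Supplicant) -> bool:
        self.log.append("STA -> AP      EAPOL-Start")
        self.log.append("AP  -> STA     EAP-Request/Identity")
        self.log.append(f"STA -> AP      EAP-Response/Identity ({sup.identity})")
        self.log.append("AP  -> AS      RADIUS Access-Request, EAP-Message relayed")
        fingerprint = self.server.credential()
        self.log.append("AS  -> AP -> STA  Access-Challenge carrying the server credential")
        if not sup.accepts_server(fingerprint):
            self.log.append("STA aborts: server credential not trusted")
            self.authorized = False
            return False
        self.log.append("STA -> AP -> AS   EAP-Response with client credential, relayed unread")
        ok = self.server.verify(sup.identity, sup.password)
        self.log.append("AS  -> AP      " + ("Access-Accept" if ok else "Access-Reject"))
        self.authorized = ok                    # port authorized only on Accept
        return ok

    def logoff(self):
        self.log.append("STA -> AP      EAPOL-Logoff")
        self.authorized = False


def run_exchange(server: AuthenticationServer, sup: Supplicant):
    """Run one exchange and return (port authorized, message log)."""
    ap = Authenticator(server)
    ok = ap.run(sup)
    return ok, ap.log


if __name__ == "__main__":
    srv = AuthenticationServer({"bob": "pw"}, "AA:BB:CC")
    for line in run_exchange(srv, Supplicant("bob", "pw", {"AA:BB:CC"}))[1]:
        print(line)
```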

[WIRELESS-LAN] Authentication Gateways and Pre-Authenticated Devices

2004-08-31 Thread Colleen Szymanik
We are currently using Bluesocket WG 2100 gateways for our wireless
network at Penn.  The setup is relatively simple with a few WG2100s
around campus using school/department vlans on a central DHCP server and
RADIUS authentication.  We have had requests recently to
pre-authenticate devices (most of these devices do not have web browsers
to authenticate to the Bluesocket) via hardware address and/or IP
address.  I was wondering if anyone else is doing this? With the
security consideration of allowing a MAC address into the protected
network without login aside, capacity planning is high on my list.  My
main concerns are if there are any limitations via performance and/or
resources after a certain number of devices are added and if it makes
much of a difference to configure these devices globally on each WG or
else with a MAC and IP on each vlan.  Any thoughts or comments are
appreciated.
Colleen Szymanik
--
University of Pennsylvania
Network Engineer
215-573-2628
**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/cg/.


Re: [WIRELESS-LAN] Comparison of Bluesocket and Reefedge

2004-02-17 Thread Colleen Szymanik
We used Reefedge for about a year with many continuous problems.

Scott Weeks wrote:

Good Morning Everyone,

This does help.  We would be using it in a very similar configuration
(transparent mode to our LDAP server, etc).  How long did you use the
Reefedge and how long have you used Bluesocket?  I imagine they're in a
nearly exact setup and load condition?
Thanks!
scott
On Mon, 16 Feb 2004, Colleen Szymanik wrote:

:  We have experience with both the Bluesocket and Reefedge systems.  While
:  both of them are similar in functionality, the performance thus far has
:  been extremely disappointing for the Reefedge system.  I'm not sure how
:  you are planning on using these systems, but we are only using the
:  wireless gateway to authenticate against our existing RADIUS/Kerberos
:  authentication services. The wireless gateway acts as a DHCP passthrough
:  only, and no VPN or DHCP services are terminated on either an edge
:  device or a wireless gateway. All users are put into the same role.
:  While using the Reefedge system, we have had repeated failures in the
:  field, mostly all seem to be a result of load related issues.  We did
:  work very closely with the vendor to address these issues, but they
:  still were not able to fix their system.  I have heard that the system
:  is much better if being used in a NAT mode (we have been using
:  transparent).  So, we have now moved on to using primarily Bluesocket
:  only and have not had the load issues so far.  Hope this helps.
:
:  Colleen Szymanik
:  
:  University of Pennsylvania
:  Network Engineer
:
:
:  Scott Weeks wrote:
:
:  Hello Everyone,
:  
:  It appears that Bluesocket and Reefedge do the same thing.  Has anyone
:  done a comparison/contrast of the two systems?
:  
:  Thanks,
:  scott
:  