Re: [WIRELESS-LAN] Wi-Fi Guest/Visitor Network

2020-01-20 Thread Craig Simons
All,

After figuring out that Survey Monkey is real-time, there is no reason to hold 
back on releasing the dashboard link of the results. I’ve also taken the 
liberty of publishing some of the comments that were received as they 
might be beneficial to all.

A big thanks to all that responded and I fully expect to use the results as 
part of our discussion on designing the service we will be rolling out in the 
next few months.

Survey Dashboard link here: https://www.surveymonkey.com/stories/SM-ZFKWT2Z7/

Regards,
Craig

Craig Simons
Network Operations Manager
Simon Fraser University | Water Tower 224
 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.8036 | M: 604.649.7977 | www.sfu.ca/itservices



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Craig Simons 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Monday, January 20, 2020 at 9:12 AM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Subject: Re: [WIRELESS-LAN] Wi-Fi Guest/Visitor Network

All,

Thanks to all that have responded to our survey request on Guest networking, it 
has been a really good result so far (60+). I’m planning on summarizing the 
results in the next day or so, so if anyone else on the list is interested in 
responding, now is the time.

Thanks!

Regards,
 Craig
Craig Simons
Network Operations Manager

Simon Fraser University | Strand Hall
 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.8036 | M: 604.649.7977


On Jan 8, 2020, at 12:41 PM, Craig Simons  wrote:
Fellow peers,

Simon Fraser University is planning on deploying a guest network to supplement 
our existing eduroam service. We are anticipating this service to be used by 
parents, short term contractors, and the general public. Obviously, we are 
mindful of how opening up our networks to a wider range of users may present 
security and support challenges despite the benefits it brings. To gain a 
better understanding from those who’ve perhaps done this before, I’ve created a 
very short survey. I would greatly appreciate if you would consider taking 3-4 
minutes of your time to have a look (even if your institution doesn’t have a 
guest network!). I am hoping your experiences will help shape how we approach 
the design of the service.

After a week or two I will summarize the results and post to the group, so the 
more the merrier!

https://www.surveymonkey.com/r/8CV82TV

Thanks!

Craig Simons
Network Operations Manager

Simon Fraser University | Strand Hall
 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.8036 | M: 604.649.7977









**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community



Re: [WIRELESS-LAN] Wi-Fi Guest/Visitor Network

2020-01-20 Thread Craig Simons
All,

Thanks to all that have responded to our survey request on Guest networking, it 
has been a really good result so far (60+). I’m planning on summarizing the 
results in the next day or so, so if anyone else on the list is interested in 
responding, now is the time.

Thanks!

Regards,
 Craig

Craig Simons
Network Operations Manager

Simon Fraser University | Strand Hall
 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.8036 | M: 604.649.7977

On Jan 8, 2020, at 12:41 PM, Craig Simons  wrote:

 Fellow peers,

Simon Fraser University is planning on deploying a guest network to supplement 
our existing eduroam service. We are anticipating this service to be used by 
parents, short term contractors, and the general public. Obviously, we are 
mindful of how opening up our networks to a wider range of users may present 
security and support challenges despite the benefits it brings. To gain a 
better understanding from those who’ve perhaps done this before, I’ve created a 
very short survey. I would greatly appreciate if you would consider taking 3-4 
minutes of your time to have a look (even if your institution doesn’t have a 
guest network!). I am hoping your experiences will help shape how we approach 
the design of the service.

After a week or two I will summarize the results and post to the group, so the 
more the merrier!

https://www.surveymonkey.com/r/8CV82TV

Thanks!

Craig Simons
Network Operations Manager

Simon Fraser University | Strand Hall
 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.8036 | M: 604.649.7977




Re: [WIRELESS-LAN] Wi-Fi Guest/Visitor Network

2020-01-09 Thread Craig Simons
Philippe,

I’ve looked at the ANYROAM material, and also the CANARIE run “eVA” initiative 
(https://www.canarie.ca/identity/eduroam/eduroam-visitor-access/) which is 
along the same lines here in Canada. The advantage of using either of these two 
systems is that they are already up and running, have some measure of support 
attached to them, and are free. However, we do have a great deal of capability 
with our Aruba ClearPass platform, which depending on how we design our 
guest/visitor service might be administratively easier from a “single pane of 
glass” perspective.

But I must say, for those without an existing guest management platform, 
ANYROAM (and eVA) should definitely be given consideration.

Thanks for your feedback!
Craig

Craig Simons
Network Operations Manager
Simon Fraser University | Water Tower 224
 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.8036 | M: 604.649.7977 | www.sfu.ca/itservices



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Philippe Hanset 
<005cd62f91b7-dmarc-requ...@listserv.educause.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Wednesday, January 8, 2020 at 1:37 PM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Subject: Re: [WIRELESS-LAN] Wi-Fi Guest/Visitor Network

Hello Craig,

Have you tested the ANYROAM guest service ?
(It’s free and runs on the eduroam SSID … specifically designed for parents 
etc… same functionality as eduroam but relies on phone number for 
authentication)
About 40-50 schools use it.
https://www.anyroam.net/node/6808


You can check the way it works at www.anyroam.net … under ANYROAM :)

Let me know if you have questions,

Philippe


Philippe Hanset, CEO
www.anyroam.net
Operator of eduroam-US
+1 (865) 236-0770
GPG key id: 0xF2636F9C




On Jan 8, 2020, at 3:41 PM, Craig Simons <craigsim...@sfu.ca> wrote:

Fellow peers,

Simon Fraser University is planning on deploying a guest network to supplement 
our existing eduroam service. We are anticipating this service to be used by 
parents, short term contractors, and the general public. Obviously, we are 
mindful of how opening up our networks to a wider range of users may present 
security and support challenges despite the benefits it brings. To gain a 
better understanding from those who’ve perhaps done this before, I’ve created a 
very short survey. I would greatly appreciate if you would consider taking 3-4 
minutes of your time to have a look (even if your institution doesn’t have a 
guest network!). I am hoping your experiences will help shape how we approach 
the design of the service.

After a week or two I will summarize the results and post to the group, so the 
more the merrier!

https://www.surveymonkey.com/r/8CV82TV

Thanks!

Craig Simons
Network Operations Manager

Simon Fraser University | Strand Hall
 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.8036 | M: 604.649.7977







Wi-Fi Guest/Visitor Network

2020-01-08 Thread Craig Simons
Fellow peers,

Simon Fraser University is planning on deploying a guest network to supplement 
our existing eduroam service. We are anticipating this service to be used by 
parents, short term contractors, and the general public. Obviously, we are 
mindful of how opening up our networks to a wider range of users may present 
security and support challenges despite the benefits it brings. To gain a 
better understanding from those who’ve perhaps done this before, I’ve created a 
very short survey. I would greatly appreciate if you would consider taking 3-4 
minutes of your time to have a look (even if your institution doesn’t have a 
guest network!). I am hoping your experiences will help shape how we approach 
the design of the service.

After a week or two I will summarize the results and post to the group, so the 
more the merrier!

https://www.surveymonkey.com/r/8CV82TV

Thanks!

Craig Simons
Network Operations Manager

Simon Fraser University | Strand Hall
 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.8036 | M: 604.649.7977




Re: [WIRELESS-LAN] Radius certificate length vs. onboarding opinions

2017-11-02 Thread Craig Simons
Rich,

Thank you for your detailed response. I should state that our certificate 
challenges were in fact due to the issuer chain changing (SHA-1 to SHA-2). 
Perhaps in the near-term, another certificate in the same chain would not be a 
repeat of last time. Still, with >60% of our mobile devices being Mac OSX/iOS 
based, I’m nervous that Apple will do something we don’t expect. In the end, 
any OnBoarding tool can only manipulate the APIs presented by the OS and each 
flavour of OS may have a different outcome.

I have taken your analysis to heart and it would appear that option 3 is 
probably the best way forward and we just need to ensure our support resources 
are set up to handle potential issues. Option 4 is a good long-term strategy, 
but for different reasons other than simply avoiding short term certificates.

Thanks,
 Craig

> On Oct 31, 2017, at 2:53 PM, Richard Nedwich  wrote:
> 
> Hi Craig,
> 
> I'm not sure if anyone from Cloudpath already advised you, but I did forward 
> your question to Kevin Koster, Cloudpath Founder and Chief Architect, for his 
> opinion of the pros/cons of these options.  I thought I would share them, in 
> case this forum found it useful.
> 
> Best,
> Rich
> -=-=-=-=-=-=-=
> 
> Option 1: Using a self-signed/private PKI and a 10 year cert. Onboard with 
> "verify server certificate" enabled
> Pros:  You control the issuing CA, so you control if/when you change the 
> issuing CA.  Client will validate the RADIUS server certificate, thereby 
> protecting the user’s password and prevent device from connecting to 
> man-in-the-middle.  
> Cons:  Need to generate the private CA (ie need CA tool or openssl skills).  
> Need to install private CA on end-user devices (ie need onboarding tool).  
> 
> Option 2: Removing all traces of “verify server certificate” from OnBoard 
> configuration and use 2-year certs from CAs
> Pros:  “It just works.”
> Cons.  This disables all security built into WPA2-Enterprise.  Device will 
> give the password to any network, real or fake.  Device will join evil twins. 
>  
> Commentary:  With validation disabled, credentials are so at-risk that the 
> network’s attempt to authenticate wifi users becomes moot.  If you use this 
> model, you would do less damage to your end-users by using PSK (or even 
> better, Dynamic PSK) or having everyone use a static password (like 
> “password”).  
> 
> Option 3: Use 2-year CA certificates, enable “verify server certificates” and 
> educate/prepare every two years for connection issues.
> Commentary:  This is essentially “use a public CA and be prepared to deal 
> with issues when issuer chain changes”.  This normally occurs when protocols 
> become obsolete (1024 to 2048, SHA-1 to SHA-2, etc), but can potentially 
> occur anytime.  For 802.1X, these changes are impactful to (properly 
> configured) end-users.  Unfortunately, most revenue for public CAs is from 
> web server certificates (which are not affected by issuing CA changes), so 
> they don’t always see chain changes as something to be avoided.  
> Pros:  Like #1, credentials are protected.
> Cons:  Requires client configuration.  If CA changes its chain, the network 
> will break for the device.  
> Work-Around:  The impact of this can be reduced by buying 2-year certificates 
> every 12 months.  Then, if the chain does change, you have a 12 month window 
> to transition.  This doesn’t change the need to transition, but it does 
> provide a window to make life easier.  
> 
> Option 4 (probably the best long-term answer): Move to private PKI and 
> EAP-TLS.
> Commentary:  While EAP-TLS has benefits beyond this particular issue, EAP-TLS 
> does not change this particular issue.  The following scenarios with EAP-TLS 
> would map to 1-3 above:  
> - Using EAP-TLS with a RADIUS cert from private CA would be similar to #1.  
> - Using EAP-TLS with a RADIUS cert from public CA would be similar to #3.  
> - Using EAP-TLS with server cert validation disabled would be similar to #2 
> (user would be still exposed to connecting to evil twins but the cleartext 
> password wouldn’t be leaked).
> 

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.
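
Options 1 and 3 in the quoted analysis differ in who controls the issuing CA that onboarded clients trust. The script below is an added example (not from the thread, Cloudpath or SFU): it uses openssl to build a private root, issue and renew a RADIUS server certificate, and check what a client pinned to that root accepts. All names (campus-ca, other-ca, radius.example.edu) and lifetimes are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added illustration; every name here (campus-ca, other-ca,
# radius.example.edu) is constructed and not taken from the thread.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA: make_ca <name> <days>
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -days "$2" \
    -subj "/O=Example University/CN=$1" 2>/dev/null
}

# Issue a RADIUS server certificate with a fresh key:
#   issue_server_cert <ca-name> <out-name> <days>
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
    -subj "/O=Example University/CN=radius.example.edu" 2>/dev/null
  printf '%s\n' 'extendedKeyUsage=serverAuth' \
    'subjectAltName=DNS:radius.example.edu' > "$WORK/$2.ext"
  openssl x509 -req -sha256 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/$2.ext" -days "$3" -out "$WORK/$2.crt" 2>/dev/null
}

# Models a supplicant with "verify server certificate" enabled and one CA
# installed at onboarding: the server certificate must chain to that CA.
# A client with validation removed (Option 2) never performs this check,
# so it would proceed in every case below.
#   client_accepts <pinned-ca-name> <server-cert-name>
client_accepts() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>/dev/null \
    | grep -q ': OK$'
}

report() {  # report <label> <pinned-ca-name> <server-cert-name>
  if client_accepts "$2" "$3"; then
    echo "$1: client connects"
  else
    echo "$1: client refuses to send credentials"
  fi
}

# Option 1: a private root you control (10 years is this example's choice).
make_ca campus-ca 3650
# Stand-in for "the issuer chain changed" (Option 3's failure mode); an
# evil twin presenting a certificate from its own CA looks the same to
# the client.
make_ca other-ca 3650

issue_server_cert campus-ca radius-original 730
issue_server_cert campus-ca radius-renewed 730      # new key, same issuer
issue_server_cert other-ca  radius-other-chain 730  # same name, new issuer

report "original certificate"          campus-ca radius-original
report "renewed under the same CA"     campus-ca radius-renewed
report "issued under a different CA"   campus-ca radius-other-chain
```

The renewed certificate is accepted without touching the client because the trust anchor did not change; only the different-issuer certificate is refused, which is both the renewal outage described in the thread and the protection against an evil twin.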


Re: [WIRELESS-LAN] Radius certificate length vs. onboarding opinions

2017-10-30 Thread Craig Simons
These are very helpful and thoughtful points to consider. I think of this issue 
using the angel and devil on the shoulder analogy. On one shoulder, as a 
security conscious engineer (and technophile) I see why shorter certificates (I 
believe the maximum is 39 months now?) with all allowances made for security 
are the necessary evil. On the other, we want the campus WiFi experience to be 
easy, simple and as painless for the user (and Service Desk people) as 
possible. In many ways, a good onboarding tool lets you have your cake and eat 
it too... but our recent experience has shown us that even this has its limits.

I suppose the “correct” answer is the one that is supportable. This requires 
the Service Desk/Desktop Support people to be willing and able to handle the 
hordes when they arrive in the interests of security “tough love”.

However, I still believe there is a large role to play for EAP-TLS in the 
future. In the IoT world, the willingness of users to put their personal 
credentials on low-end devices is a security threat before even getting to the 
certificate conversation.

Thanks to all that replied!

Craig Simons
Network Operations Manager

Simon Fraser University | Strand Hall
 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.8036 | M: 604.649.7977

 

> On Oct 30, 2017, at 1:19 PM, Mike Atkins  wrote:
> 
> We are option 3 with 3 year certs.  We were in the same boat as Craig just 
> over a year ago.  We moved to a different onboarding utility and different 
> CA.  It is a long story so feel free to hit me up offline.  That said, in the 
> future we will likely end up using both options 3 & 4 to be flexible with 
> device/owner/use.
>  
>  
>  
> Mike Atkins 
> Network Engineer
> Office of Information Technology
> University of Notre Dame
> Phone: 574-631-7210
>  
>  
>    .__o
>- _-\_<,
>---  (*)/'(*)
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Craig Simons
> Sent: Monday, October 30, 2017 2:22 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: [WIRELESS-LAN] Radius certificate length vs. onboarding opinions
>  
> All,
>  
> I know the subject has been broached on the list a few times before, but I’m 
> looking for informal opinions/survey about how you are deploying your Radius 
> EAP certificates for PEAP/TTLS users (non-TLS). We use Cloudpath to onboard 
> users, but recently went through a difficult renewal period to replace our 
> expiring certificate. As we had configured all of our clients to “verify the 
> server certificate” (as you should from a security perspective), we found 
> that iOS/MacOS and Android clients did not take kindly to a new certificate 
> being presented. This resulted in quite a few disgruntled users who couldn’t 
> connect to WiFi as well as a shell-shocked Service Desk. To help prevent this 
> in the future (and because we are moving to a new Radius infrastructure), 
> what is the consensus on the following strategies:
>  
> Option 1: Using a self-signed/private PKI and a 10 year cert. Onboard with 
> "verify server certificate" enabled
>  
> Option 2: Removing all traces of “verify server certificate” from OnBoard 
> configuration and use 2-year certs from CAs
>  
> Option 3: Use 2-year CA certificates, enable “verify server certificates” and 
> educate/prepare every two years for connection issues.
>  
> Option 4 (probably the best long-term answer): Move to private PKI and 
> EAP-TLS.
>  
> Opinions?
>  
> Craig Simons
> Network Operations Manager
> 
> Simon Fraser University | Strand Hall
>  University Dr., Burnaby, B.C. V5A 1S6
> T: 778.782.8036 | M: 604.649.7977 | www.sfu.ca/itservices
> 
> 
>  



Radius certificate length vs. onboarding opinions

2017-10-30 Thread Craig Simons
All,

I know the subject has been broached on the list a few times before, but I’m 
looking for informal opinions/survey about how you are deploying your Radius 
EAP certificates for PEAP/TTLS users (non-TLS). We use Cloudpath to onboard 
users, but recently went through a difficult renewal period to replace our 
expiring certificate. As we had configured all of our clients to “verify the 
server certificate” (as you should from a security perspective), we found that 
iOS/MacOS and Android clients did not take kindly to a new certificate being 
presented. This resulted in quite a few disgruntled users who couldn’t connect 
to WiFi as well as a shell-shocked Service Desk. To help prevent this in the 
future (and because we are moving to a new Radius infrastructure), what is the 
consensus on the following strategies:

Option 1: Using a self-signed/private PKI and a 10 year cert. Onboard with 
"verify server certificate" enabled

Option 2: Removing all traces of “verify server certificate” from OnBoard 
configuration and use 2-year certs from CAs

Option 3: Use 2-year CA certificates, enable “verify server certificates” and 
educate/prepare every two years for connection issues.

Option 4 (probably the best long-term answer): Move to private PKI and EAP-TLS.

Opinions?

Craig Simons
Network Operations Manager

Simon Fraser University | Strand Hall
 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.8036 | M: 604.649.7977 | www.sfu.ca/itservices






Re: [WIRELESS-LAN] Canadian colleges and universities Wi-Fi

2017-05-29 Thread Craig Simons
Simon Fraser
~1200 APs, 24k concurrent (Fall semesters) devices, mix of 802.11n, Wave 1 AC. 
35k FTE, 5K staff/faculty. 


SFU SIMON FRASER UNIVERSITY
Network Services
Craig Simons
Network Operations Manager

Phone: 778-782-8036
Cell: 604-649-7977
Email: craigsim...@sfu.ca <mailto:craigsim...@sfu.ca>
Twitter: simonscraig <http://www.twitter.com/simonscraig>


> On May 18, 2017, at 6:15 AM, Edward Ip  wrote:
> 
> Oh forgot to give the AP counts
>  
> Perth Campus – 44 APs (recently upgraded all to Aruba AP325)
> Pembroke Campus – 95 APs (all Aruba AP225)
> Woodroffe Campus – 1320 APs (about 80% are Aruba AP 225, with the rest 
> consisting of Aruba AP 135, AP125 and AP105. The plan is to upgrade all the 
> non 802.11ac APs to AP325 and AP335 in the near future).
>  
> Edward Ip
> Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | 
> K2G 1V8 | Canada
> algonquincollege.com <http://algonquincollege.com/>
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Edward Ip
> Sent: Thursday, May 18, 2017 9:07 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Canadian colleges and universities Wi-Fi
>  
> Yes. Our main campus is the one in Nepean and a small training facility 
> downtown. We also have a campus in Pembroke and in Perth. Here are some 
> wireless stats I recently compiled.
>  
> Perth Campus
> Avg Users: 16 clients
> Max Users: 104 clients
> Unique # of Users: 587 clients
> Max Internet bandwidth Usage: 47.63 Mbps
>  
> Pembroke Campus
> Avg Users: 338 clients
> Max Users: 939 clients
> Unique # of Users: 228 clients
> Max Internet bandwidth Usage: 42.93 Mbps
>  
> Woodroffe Campus
> Avg Users: 6875 clients
> Max Users: 15233 clients
> Unique # of Users: 190019 clients
> Max Internet bandwidth Usage: 1.805 Gbps
>  
> Regards,
> Edward Ip
> Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | 
> K2G 1V8 | Canada
> algonquincollege.com
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Manon Lessard
> Sent: Thursday, May 18, 2017 9:00 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Canadian colleges and universities Wi-Fi
>  
> You guys still have the Nepean and Downtown campus?
>  
> Manon Lessard
> Technicienne en développement de systèmes 
> CCNP, CWNA, CWDP
> Direction des technologies de l'information
> Pavillon Louis-Jacques-Casault
> 1055, avenue du Séminaire
> Bureau 0403
> Université Laval, Québec (Québec)
> G1V 0A6, Canada
> 418 656-2131, poste 12853
> Télécopieur : 418 656-7305
> manon.less...@dti.ulaval.ca <mailto:manon.less...@dti.ulaval.ca>
> www.dti.ulaval.ca <http://www.dti.ulaval.ca/>
> Avis relatif à la confidentialité | Notice of Confidentiality 
> <http://www.rec.ulaval.ca/lce/securite/confidentialite.htm> 
>  
> 
>  
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Edward Ip
> Sent: 18 mai 2017 08:57
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Canadian colleges and universities Wi-Fi
>  
> At Algonquin College on our main campus, we have about 1300 Aruba APs (Mostly 
> AP-225 Wave 1 AC) and our top concurrent user count is a bit over 15K in 19 
> buildings this year. Wireless traffic takes up to 75% (or more on some days) 
> of our internet bandwidth during the year. 
>  
> Our college moved to a hybrid model for program delivery where portions of 
> courses are provided in an e-learning format to complement traditional 
> methods a few years ago. Thus, more and more of our programs are requiring 
> students to use their own laptops for their courses. Each year our college is 
> reducing computer labs in favor of mobile lounges to allow students to work 
> and collaborate anywhere on campus with wireless access.
>  
> Regards,
> Edward Ip
> Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | 
> K2G 1V8 | Canada
> algonquincollege.com
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Manon Lessard
> Sent: Wednesday, May 17, 2017 3:23 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> <mailto:WIRELESS-LAN@L

Re: [WIRELESS-LAN] Beacon Intervals

2016-05-30 Thread Craig Simons
Yes, that’s a large part of the problem… The other is being on top of a 
shopping mall…

I briefly went down the rf coating investigation, but this would also block 
cell signals as well… which would be a deal killer.

- Craig

> On May 27, 2016, at 1:36 PM, Jeffrey D. Sessler  
> wrote:
> 
> Craig,
>  
> Does your downtown campus have a lot of externally-facing windows? If so, 
> consider having a low-e-coating film added to all of them. Yes, there is an 
> expense involved, but it’s an effective way to reduce/cutoff/eliminate the 
> urban WiFi influencers. 
>  
> Jeff  
>  
> From: "wireless-lan@listserv.educause.edu" 
>  on behalf of Craig Simons 
> 
> Reply-To: "wireless-lan@listserv.educause.edu" 
> 
> Date: Friday, May 27, 2016 at 12:44 PM
> To: "wireless-lan@listserv.educause.edu" 
> Subject: Re: [WIRELESS-LAN] Beacon Intervals
>  
> Jason,
>  
> Thanks for the reply. Actually the link you mention is what got me going on 
> this in the first place. Our downtown campus is situated in a very busy urban 
> environment - hotels, coffee shops, apartments, you name it. Several places 
> in the building can see 25+ SSIDs, of which only 3 are ours. I’ve done as 
> much tuning as I can to limit co-channel interference on 2.4, the minimum 
> data rate is 12 (I could boost to 24 I suppose), so I’m just looking for more 
> tricks to try.
>  
> - Craig
>  
>> On May 26, 2016, at 6:38 PM, Jason Cook <jason.c...@adelaide.edu.au> wrote:
>>  
>> My understanding is you really don’t want to be playing with this, perhaps 
>> if all other avenues have been exhausted it can be investigated….
>>  
>> Reduce your SSID’s, disable lower data rates, reduce co-channel AP’s (your 
>> own and neighbours)
>>  
>> If you haven’t seen it play with this tool (Changing the beacon Rate shows 
>> the variations)
>> http://www.revolutionwifi.net/revolutionwifi/p/ssid-overhead-calculator.html
>>  
>>  
>> --
>> Jason Cook
>> Technology Services
>> The University of Adelaide, AUSTRALIA 5005
>> Ph: +61 8 8313 4800
>>  
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Britton Anderson
>> Sent: Friday, 27 May 2016 10:10 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>> <mailto:WIRELESS-LAN@listserv.educause.edu>
>> Subject: Re: [WIRELESS-LAN] Beacon Intervals
>>  
>> Hey Craig,
>>  
>> It really depends on how dense your environment is. Keep in mind, the longer 
>> your beacon interval, the slower the roaming time clients take between APs. 
>> In my mind, the overhead that beacons introduce is far less of an issue than 
>> mobile clients dropping connections when they're roaming through the 
>> network. Especially considering the vast majority of cell carriers using 
>> WiFi calling now. 
>>  
>> --Britton
>> 
>>  
>> 
>> Britton Anderson <mailto:blanders...@alaska.edu> |
>>  Senior Network Communications Specialist |
>>  University of Alaska <http://www.alaska.edu/oit> |
>>  907.450.8250
>>  
>>  
>> On Thu, May 26, 2016 at 4:16 PM, Craig Simons <craigsim...@sfu.ca> wrote:
>>> Hello Group,
>>>  
>>> On most vendor products that I’ve seen, the beacon intervals for SSIDs by 
>>> default are set to ~100ms. Has anyone gone to the lengths of increasing 
>>> this default in an effort to combat overhead?
>>>  
>>> - Craig
>>>  
>>>  
>>> 
>>> SFU
>>> SIMON FRASER UNIVERSITY
>>> Network Services
>>> Craig Simons
>>> Network Operations Manager
>>> 
>>> Phone: 778-782-8036 
>>> Cell: 604-649-7977 
>>> Email: craigsim...@sfu.ca <mailto:craigsim...@sfu.ca>
>>> Twitter: simonscraig <http://www.twitter.com/simonscraig>
>>>  
>>>  
>>> 
>>>  
>>> ** Participation and subscription information for this EDUCAUSE 
>>> Constituent Group discussion list can be found at 
>>> http://www.educause.edu/groups/ <http://www.educause.edu/groups/>.
>> 
>>  
> 
> 
> 





Re: [WIRELESS-LAN] Beacon Intervals

2016-05-30 Thread Craig Simons
Thanks for the suggestion. I don’t have access to these settings unfortunately, 
but I agree it would be a helpful tool in the belt.

- Craig

> On May 27, 2016, at 1:06 PM, GT Hill  wrote:
> 
> Craig,
> 
> Changing the data rate will only affect how YOU interfere with them, but not 
> in reverse. When an AP (well, any Wi-Fi device) hears a Wi-Fi signal of any 
> data rate it will defer (not transmit). 
> 
> I don’t know your Wi-Fi vendor but a trick to try is to reduce your AP 
> receive sensitivity. SOME vendors allow this, sometimes only in CLI. This is 
> a very advanced and rare feature because it can be messed up in a hurry. But, 
> it has some awesome advantages in the right environment. 
> 
> To completely understand this, there is one component that isn’t always 
> understood. A Wi-Fi device CAN hear multiple Wi-Fi signals and still get the 
> data without a failure. Let’s say there are two Wi-Fi APs even of different 
> SSIDs. They both transmit at the same time and a single client device hears 
> both. It’s commonly understood that this would result in a failed transmission 
> because the resulting signals to the client would interfere with each other. 
> BUT, if the signals have enough delta in signal strength, the client will 
> still get the stronger data. As an example, the client receives a signal at 
> –80dBm and another at the same time at –60dBm that’s still a 20dB SNR and the 
> client won’t have a problem at all discerning the two. It will receive and 
> process the stronger signal with no errors. 
> 
> The problem is, your AP isn’t transmitting as often as it could because it 
> hears too much. But, you can configure SOME APs to not defer until a certain 
> signal strength. This allows the AP to transmit more often and could provide 
> more downstream data to your client devices. 
> 
> Sorry that’s such a long explanation but hope it helps. 
> 
> GT
> 
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Craig Simons 
> <mailto:craigsim...@sfu.ca>
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Date: Friday, May 27, 2016 at 2:44 PM
> To: <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> Subject: Re: [WIRELESS-LAN] Beacon Intervals
> 
> Jason,
> 
> Thanks for the reply. Actually the link you mention is what got me going on 
> this in the first place. Our downtown campus is situated in a very busy urban 
> environment - hotels, coffee shops, apartments, you name it. Several places 
> in the building can see 25+ SSIDs, of which only 3 are ours. I’ve done as 
> much tuning as I can to limit co-channel interference on 2.4, the minimum 
> data rate is 12 (I could boost to 24 I suppose), so I’m just looking for more 
> tricks to try.
> 
> - Craig
> 
>> On May 26, 2016, at 6:38 PM, Jason Cook <mailto:jason.c...@adelaide.edu.au> wrote:
>> 
>> My understanding is you really don’t want to be playing with this, perhaps 
>> if all other avenues have been exhausted it can be investigated….
>>  
>> Reduce your SSID’s, disable lower data rates, reduce co-channel AP’s (your 
>> own and neighbours)
>>  
>> If you haven’t seen it play with this tool (Changing the beacon Rate shows 
>> the variations)
>> http://www.revolutionwifi.net/revolutionwifi/p/ssid-overhead-calculator.html 
>> <http://www.revolutionwifi.net/revolutionwifi/p/ssid-overhead-calculator.html>
>>  
>>  
>> --
>> Jason Cook
>> Technology Services
>> The University of Adelaide, AUSTRALIA 5005
>> Ph: +61 8 8313 4800
>>  
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Britton Anderson
>> Sent: Friday, 27 May 2016 10:10 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
>> <mailto:WIRELESS-LAN@listserv.educause.edu>
>> Subject: Re: [WIRELESS-LAN] Beacon Intervals
>>  
>> Hey Craig,
>>  
>> It really depends on how dense your environment is. Keep in mind, the longer 
>> your beacon interval, the slower the roaming time clients take between APs. 
>> In my mind, the overhead that beacons introduce is far less of an issue than 
>> mobile clients dropping connections when they're roaming through the 
>> network. Especially considering the vast majority of cell carriers using 
>> WiFi calling now. 
>>  
>> --Britton
>> 
>>  
>> 
>> Britton Anderson <mailto:blanders...@alaska.edu> |
>>  

Re: [WIRELESS-LAN] Beacon Intervals

2016-05-27 Thread Craig Simons
Jason,

Thanks for the reply. Actually the link you mention is what got me going on 
this in the first place. Our downtown campus is situated in a very busy urban 
environment - hotels, coffee shops, apartments, you name it. Several places in 
the building can see 25+ SSIDs, of which only 3 are ours. I’ve done as much 
tuning as I can to limit co-channel interference on 2.4, the minimum data rate 
is 12 (I could boost to 24 I suppose), so I’m just looking for more tricks to 
try.

- Craig

> On May 26, 2016, at 6:38 PM, Jason Cook  wrote:
> 
> My understanding is you really don’t want to be playing with this, perhaps if 
> all other avenues have been exhausted it can be investigated….
>  
> Reduce your SSID’s, disable lower data rates, reduce co-channel AP’s (your 
> own and neighbours)
>  
> If you haven’t seen it play with this tool (Changing the beacon Rate shows 
> the variations)
> http://www.revolutionwifi.net/revolutionwifi/p/ssid-overhead-calculator.html 
> <http://www.revolutionwifi.net/revolutionwifi/p/ssid-overhead-calculator.html>
>  
>  
> --
> Jason Cook
> Technology Services
> The University of Adelaide, AUSTRALIA 5005
> Ph: +61 8 8313 4800
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Britton Anderson
> Sent: Friday, 27 May 2016 10:10 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Beacon Intervals
>  
> Hey Craig,
>  
> It really depends on how dense your environment is. Keep in mind, the longer 
> your beacon interval, the slower the roaming time clients take between APs. 
> In my mind, the overhead that beacons introduce is far less of an issue than 
> mobile clients dropping connections when they're roaming through the network. 
> Especially considering the vast majority of cell carriers using WiFi calling 
> now. 
>  
> --Britton
> 
>  
> 
> Britton Anderson <mailto:blanders...@alaska.edu> |
>  Senior Network Communications Specialist |
>  University of Alaska <http://www.alaska.edu/oit> |
>  907.450.8250
>  
>  
> On Thu, May 26, 2016 at 4:16 PM, Craig Simons <mailto:craigsim...@sfu.ca> wrote:
> Hello Group,
>  
> On most vendor products that I’ve seen, the beacon intervals for SSIDs by 
> default are set to ~100ms. Has anyone gone to the lengths of increasing this 
> default in an effort to combat overhead?
>  
> - Craig
>  
>  
> 
> SFU
> SIMON FRASER UNIVERSITY
> Network Services
> Craig Simons
> Network Operations Manager
> 
> Phone: 778-782-8036 
> Cell: 604-649-7977 
> Email: craigsim...@sfu.ca <mailto:craigsim...@sfu.ca>
> Twitter: simonscraig <http://www.twitter.com/simonscraig>
>  
>  
> 
>  



Beacon Intervals

2016-05-26 Thread Craig Simons
Hello Group,

On most vendor products that I’ve seen, the beacon intervals for SSIDs by 
default are set to ~100ms. Has anyone gone to the lengths of increasing this 
default in an effort to combat overhead?

- Craig



SFU SIMON FRASER UNIVERSITY
Network Services
Craig Simons
Network Operations Manager

Phone: 778-782-8036
Cell: 604-649-7977
Email: craigsim...@sfu.ca
Twitter: simonscraig <http://www.twitter.com/simonscraig>








Re: [WIRELESS-LAN] Interactive Teaching - Top Hat, Clickers, etc

2016-05-12 Thread Craig Simons
Thanks for the tip Jeff. I have little control over which services get used, so 
at this point I'm interested in how others have dealt with the expectation of at 
least the WiFi portion "always working."

This type of issue is often discussed in various ways on this forum - usually 
in the context of high density theatres. To me the nature of these interactive 
teaching tools puts a unique type of demand on the system - a demand that's 
very difficult to fully address with unlicensed wireless frequency.

- Craig

> On May 12, 2016, at 5:54 PM, Jeffrey D. Sessler  
> wrote:
> 
> Take a look at poll everywhere https://www.polleverywhere.com/
> 
> It works across a lot of services including SMS, and it has very little IT 
> involvement.
> 
> Jeff
> 
> From: "wireless-lan@listserv.educause.edu" 
>  on behalf of Craig Simons 
> 
> Reply-To: "wireless-lan@listserv.educause.edu" 
> 
> Date: Thursday, May 12, 2016 at 3:08 PM
> To: "wireless-lan@listserv.educause.edu" 
> Subject: [WIRELESS-LAN] Interactive Teaching - Top Hat, Clickers, etc
> 
> All,
> 
> Does anyone have any stories to share about supporting emerging interactive 
> teaching technologies, such as Top Hat and iClicker? I’m interested in how 
> you’ve both deployed your classroom or lecture theatres as well as how you’ve 
> been able to manage end-user/departmental/professor expectations. 
> 
> My own personal bias is that bursty “vote now” wireless traffic in a large 
> lecture theatre scenario in a BYOD environment - even with the slickest 
> wireless deployment - will never achieve 100% success. However, I’d like to 
> be either proven wrong or comforted in my well founded suspicions…
> 
> Regards,
>  Craig
> 
> 
> SFU   SIMON FRASER UNIVERSITY
> Network Services
> Craig Simons
> Network Operations Manager
> 
> Phone: 778-782-8036
> Cell: 604-649-7977
> Email: craigsim...@sfu.ca
> Twitter: simonscraig
> 
> 
> 
> 



Interactive Teaching - Top Hat, Clickers, etc

2016-05-12 Thread Craig Simons
All,

Does anyone have any stories to share about supporting emerging interactive 
teaching technologies, such as Top Hat <https://tophat.com/> and iClicker 
<https://www1.iclicker.com/>? I’m interested in how you’ve both deployed your 
classroom or lecture theatres as well as how you’ve been able to manage 
end-user/departmental/professor expectations. 

My own personal bias is that bursty “vote now” wireless traffic in a large 
lecture theatre scenario in a BYOD environment - even with the slickest 
wireless deployment - will never achieve 100% success. However, I’d like to be 
either proven wrong or comforted in my well founded suspicions…

Regards,
 Craig


SFU SIMON FRASER UNIVERSITY
Network Services
Craig Simons
Network Operations Manager

Phone: 778-782-8036
Cell: 604-649-7977
Email: craigsim...@sfu.ca
Twitter: simonscraig <http://www.twitter.com/simonscraig>








Best practices for 802.1x (TTLS/PEAP) certificates

2014-03-24 Thread Craig Simons
We're nearing the expiry of our current 802.1x certificate and we need to 
generate a new signing request. I see a reference on one page 
(https://confluence.terena.org/display/H2eduroam/eduroam+IdP) about configuring 
additional certificate properties. Not being a certificate guru, I'm normally 
just content to find whatever openssl command example to generate a new key and 
csr and have it signed, but it looks as though I might be missing some 
important details.

Does anyone have any best practices or examples of how to properly generate an 
802.1x signing request or are these things that are done through the CA 
interface?

Regards,
 Craig

SFU SIMON FRASER UNIVERSITY
Network Services
Craig Simons
Network and Systems Administrator

Phone: 778-782-8036
Cell: 604-649-7977
Email: craigsim...@sfu.ca
Twitter: simonscraig







Re: [WIRELESS-LAN] Eduroam technical questions

2012-11-14 Thread Craig Simons
Our approach is to block MAC addresses of banned machines directly on the 
switch port using vendor specific features on our switching gear. However, as 
the Radius requests are still created by your own equipment (which would 
presumably have MAC address Calling-Station-Id information), you could still 
reject outer EAP tunnel requests before they are proxied to the user's home 
institution.

- Craig



On 2012-11-14, at 12:45 AM, Arran Cudbard-Bell  
wrote:

> The problem comes in implementing the ban.
> 
> Some institutions allow an anonymous outer identity for the EAP tunnel, 
> which, so long as it contains enough information for routing can contain an 
> arbitrary user id. You ban one and the user can just change it and still get 
> access. You never get to see the inner id unless the homeserver has been 
> configured to send it back in the Access-Accept.
> 
> The best solution is to contact the home institution directly and get their 
> guys to ban the user. This will be easier once more institutions have adopted 
> CUI as then there'll be a definitive linking value between a user and a 
> session. Even without CUI it should still be possible to figure out the inner 
> ID using timestamps and attributes included in the authentication request(s), 
> it's just harder to automate the process.
> 
> If you're using FreeRADIUS you might want to take a look at the example CUI 
> configurations, and implement them at the same time as your eduroam 
> service.
> 
> -Arran
> 
> 
> 
>> Ah. You clever fella. 
>> 
>> Thanks for turning on the light.
>> 
>> Lee H. Badman
>> Network Architect/Wireless TME
>> ITS, Syracuse University
>> 315.443.3003
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hanset, Philippe C 
>> [phan...@utk.edu]
>> Sent: Tuesday, November 13, 2012 10:48 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Eduroam technical questions
>> 
>> Lee,
>> 
>> Your campus only terminates EAP sessions for YOUR users.
>> For visitors, you take the initial TLS negotiation (with the outer tunnel 
>> identity e.g. lhbad...@syr.edu, or anonym...@syr.edu, or @syr.edu ) and you 
>> pass it to the top level.
>> You never deal with the EAP-type for visitors.
>> In your RADIUS server you basically have a switch: pass to top level OR 
>> terminate locally.
>> Take a look at some config examples: 
>> http://www.eduroamus.org/radius_configuration
>> 
>> Philippe
>> 
>> 
>> On Nov 13, 2012, at 10:12 AM, Lee H Badman 
>> wrote:
>> 
>>> Thanks, Philippe-
>>> 
>>> I'm talking more from supplicant config side. So we use Xpressconnect to 
>>> configure our supplicants to only use MS-CHAPv2 /PEAP while disabling the 
>>> other EAP types, and in RADIUS only have this single EAP type enabled. So 
>>> if our Eduroam SSID required this EAP type, and someone showed up and hit 
>>> our EDUROAM with their supplicant configured for EAP-TLS for EDUROAM, a 
>>> reconfiguration would be required, no? Or am I really missing something 
>>> important?
>>> 
>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>>> [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hanset, Philippe C 
>>> [phan...@utk.edu]
>>> Sent: Tuesday, November 13, 2012 10:01 AM
>>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>> Subject: Re: [WIRELESS-LAN] Eduroam technical questions
>>> 
>>> Lee,
>>> 
>>> eduroam is EAP agnostic.
>>> All that the roaming does is pass the initial SSL/TLS tunnel to the home 
>>> institution.
>>> Then in the tunnel, exchanges occur between your device and your home 
>>> institution
>>> So, as long as your institution does a tunneled EAP, you are done. The 
>>> visited institution
>>> has nothing to do with your EAP-method.
>>> 
>>> EAP-TTLS, PEAP, EAP-TLS ... all tunneled will work
>>> 
>>> Philippe
>>> 
>>> On Nov 13, 2012, at 9:52 AM, Lee H Badman 
>>> wrote:
>>> 
>>>> I have read through the most recent docs, not quite grasping:
>>>> 
>>>> - If we use MS-CHAPv2 w PEAP on our campus, and that's all we want to use, 
>>>> does that exclude us from Eduroam?
>>>> 
>>>> - If not, what happens when I roam to another campus that uses TLS, or 
>>>> vice versa? The goal is autoconnection, with no reconfig, but is everyone 
>>>> on Eduroam really and truly using the same EAP with no need to reconfigure 
>>>> as you roam campus to campus?
>>>> 
>>>> Sorry to be thick, I realize a lot of time went in to the documents.
>>>> 
>>>> 
>>>> Lee H. Badman
>>>> Network Architect/Wireless TME
>>>> ITS, Syracuse University
>>>> 315.443.3003

WiFi Direct

2012-11-05 Thread Craig Simons
How does everyone plan on dealing with Wi-Fi Direct from both a policy and a 
technology perspective? From an RF management point of view, I can't imagine a 
situation where it would be possible to individually manage all devices, 
printers, projectors, etc that can create Wi-Fi direct networks. And while an 
official policy might be able to steer frequency usage, it would be pretty 
tough to enforce without an existing sensor/countermeasures infrastructure in 
place (of which I would also assume 802.11w will eventually make useless 
anyway). 


Yet, part of me wants to recommend it as the "official solution" for 
screencasting (i.e. Miracast) rather than fight a losing fight with AirPlay and 
mDNS over wireless. 

My sense is that all TVs, projectors, printers, and BYOD type devices will 
eventually support it and managing its impacts will be inevitable. I'd be 
interested in what each of you are planning and whether or not anyone has done 
any testing in a production environment. 


Regards, 
Craig 




SFU SIMON FRASER UNIVERSITY 
Network Services 
    
Craig Simons 
Network and Systems Administrator 

Phone: 778-782-8036 
Cell: 604-649-7977 
Email: craigsim...@sfu.ca 
Twitter: simonscraig 





Re: [WIRELESS-LAN] Disabling 802.11b speeds

2012-09-27 Thread Craig Simons
We dropped 802.11b this time last year. I haven't received one complaint, and 
the performance increase was dramatic. Your mileage may vary, but I found that 
APs would go into b/g protection mode if they thought an 11b client "might" be 
around. What resulted was a situation where about half of our APs were in 
protection mode at any given time, even though not a single 802.11b client was 
connected. 


- Craig 


SFU SIMON FRASER UNIVERSITY 
Network Services 
    
Craig Simons 
Network and Systems Administrator 

Phone: 778-782-8036 
Cell: 604-649-7977 
Email: craigsim...@sfu.ca 
Twitter: simonscraig 

- Original Message -

From: "Todd M. Hall"  
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Sent: Thursday, 27 September, 2012 05:54:59 
Subject: [WIRELESS-LAN] Disabling 802.11b speeds 

This has been discussed in the past, but it has been a long time. 

We're at the point that we have to turn off the lower connection rates on our 
campus. I'm curious what other schools have done and the positive/negative 
results from the changes. We have disabled 1, 2, 5.5, and 11 Mbps in some of 
our buildings with great success, but some might argue to just eliminate 1 & 2 
Mbps rates. Also, I'd be interested to hear from schools that have not disabled 
these rates and why not. 

-- 
Todd M. Hall 
Sr. Network Analyst 
Information Technology Services 
Mississippi State University 
t...@msstate.edu 




Re: [WIRELESS-LAN] FreeRADIUS performance question

2012-09-05 Thread Craig Simons

Using HiPath/Radiator Radius. Today is the first real day of classes though, so 
I would expect things to go higher. 


34 ns-ryu.its.sfu.ca 
34 ns-ryu.its.sfu.ca 
35 ns-ryu.its.sfu.ca 
36 ns-ryu.its.sfu.ca 
40 ns-ryu.its.sfu.ca 
41 ns-ryu.its.sfu.ca 
42 ns-ryu.its.sfu.ca 
45 ns-ryu.its.sfu.ca 
47 ns-ryu.its.sfu.ca 
50 ns-ryu.its.sfu.ca 



Regards, 
Craig 

SFU SIMON FRASER UNIVERSITY 
Network Services 

Craig Simons 
Network and Systems Administrator 

Phone: 778-782-8036 
Cell: 604-649-7977 
Email: craigsim...@sfu.ca 
Twitter: simonscraig 

- Original Message -

From: "Danny Eaton"  
To: WIRELESS-LAN@listserv.educause.edu 
Sent: Wednesday, 5 September, 2012 09:09:47 
Subject: Re: [WIRELESS-LAN] FreeRADIUS performance question 

Here at Rice 

-bash-3.00$ cat today | tr -s " " | cut -d " " -f 4 | uniq -c | sort -n | 
tail -10 
65 net3 
68 net3 
72 net3 
74 net3 
74 net3 
76 net3 
76 net3 
78 net3 
82 net3 
107 net3 


-Original Message- 
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Rodkey 
Sent: Wednesday, September 05, 2012 10:49 AM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] FreeRADIUS performance question 

16 19:11:44 
18 04:36:17 
18 04:43:12 
18 05:45:12 
18 06:26:13 
18 07:22:07 
18 08:18:46 
20 01:58:49 
20 03:28:29 
23 03:46:02 


On 9/5/12, Walter Reynolds  wrote: 
> Ok, we all have different usage patterns and number of users. So can 
> we do a quick check of what sort of authentications our servers are 
> doing per second. Yes this does not filter out failures and logs 
> and. But at least it is an idea of how we stand compared to 
> others. 
> 
> cat radius.log-[DATE] | tr -s " " | cut -d " " -f 4 | uniq -c | sort 
> -n | tail -10 
> 
> 
> I did this for yesterday (first day of classes) and got the following. 
> 
> 61 13:03:03 
> 62 13:01:03 
> 62 13:05:03 
> 62 14:50:11 
> 64 11:29:29 
> 64 12:50:13 
> 65 12:47:03 
> 65 12:50:08 
> 65 15:59:33 
> 68 13:02:58 
> 
> 
> Wondering what others get. Thanks. 
> 
> 
>  
> Walter Reynolds 
> Principal Systems Security Development Engineer Information and 
> Technology Services University of Michigan 
> (734) 615-9438 
> 
> 
> On Wed, Aug 22, 2012 at 7:31 PM, Gogan, James P  
> wrote: 
> 
>> A question for folks with relatively large 802.1x (greater than 
>> 15,000 unique clients) wi-fi deployment (EAP-TTLS) with a FreeRADIUS 
>> infrastructure using Kerberos as the backend authentication ... 
>> 
>> 
>> - how many FreeRADIUS servers do you deploy?, and 
>> 
>> - have you changed any of the default eap.conf/radius.conf performance 
>> parameters/values? 
>> 
>> 
>> The good news is that we've started the year with a lot more folks 
>> finally using the 802.1x network than the last academic year. 
>> 
>> The bad news is that we're getting long delays in 
>> connecting/authenticating -- not just a wireless issue as we're also 
>> getting lots of "RADIUS server FAILED" traps from our VPN 
>> concentrators throughout the day since the semester started (using 
>> the same RADIUS servers as the 1x wireless deployment) 
>> 
>> 
>> We've also been seeing in the last three days HUGE numbers of: 
>> 
>> Aug 22 19:25:00 calvin radiusd[21691]: Discarding duplicate request 
>> from client Wireless8021XResNET port 32769 - ID: 76 due to unfinished 
>> request 
>> 253745 
>> 
>> Aug 22 19:25:00 calvin radiusd[21691]: Discarding duplicate request 
>> from client Wireless8021XResNET port 32769 - ID: 140 due to 
>> unfinished request 
>> 253705 
>> 
>> Aug 22 19:25:00 calvin radiusd[21691]: Discarding duplicate request 
>> from client Wireless8021XResNET port 32769 - ID: 85 due to unfinished 
>> request 
>> 253758 
>> 
>> and  
>> 
>> Aug 19 03:30:14 calvin radiusd[3507]: Login incorrect: [anonymous] 
>> (from client Wireless8021XResNET port 29 cli 68-a8-6d-ae-fc-5d) 
>> 
>> Aug 19 03:31:15 calvin radiusd[3507]: Login incorrect: [anonymous] 
>> (from client Wireless8021XResNET port 29 cli 28-6a-ba-6a-9d-6e) 
>> 
>> Aug 19 03:31:35 calvin radiusd[3507]: Login incorrect: [anonymous] 
>> (from client Wireless8021XResNET port 29 cli c8-bc-c8-2e-52-13) 
>> 
>> Aug 19 03:32:13 calvin radiusd[3507]: Login incorrect: [anonymous] 
>> (from client Wireless8021XResNET port 29 cli 10-40-f3-29-60-2c) 
>>
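
The per-second pipeline quoted above counts every log line, so accepted logins, rejects and discarded duplicates all land in one number. The following is an added example, not part of the original thread: it splits the per-second count by outcome and lists Calling-Station-Id values that fail repeatedly. It assumes syslog-style radiusd lines like those quoted in this message; the function names, host `radius1`, client `campus-wlc`, user names and MAC addresses are all constructed for illustration.

```shell
#!/bin/sh
# Added example: per-second RADIUS load by outcome, plus repeat-failure clients.
# Assumed line format (as in the syslog excerpts quoted in the thread):
#   Mon DD HH:MM:SS host radiusd[pid]: <message>

# Constructed sample log; every value here is made up for the example.
sample_log() {
cat <<'EOF'
Aug 22 19:25:00 radius1 radiusd[2101]: Login OK: [alice@example.edu] (from client campus-wlc port 29 cli 00-00-5e-00-53-01)
Aug 22 19:25:00 radius1 radiusd[2101]: Login OK: [bob@example.edu] (from client campus-wlc port 29 cli 00-00-5e-00-53-02)
Aug 22 19:25:00 radius1 radiusd[2101]: Discarding duplicate request from client campus-wlc port 32769 - ID: 76 due to unfinished request 1001
Aug 22 19:25:00 radius1 radiusd[2101]: Login incorrect: [anonymous] (from client campus-wlc port 29 cli 00-00-5e-00-53-0a)
Aug 22 19:25:01 radius1 radiusd[2101]: Login incorrect: [anonymous] (from client campus-wlc port 29 cli 00-00-5e-00-53-0a)
Aug 22 19:25:01 radius1 radiusd[2101]: Login OK: [carol@example.edu] (from client campus-wlc port 29 cli 00-00-5e-00-53-03)
Aug 22 19:25:02 radius1 radiusd[2101]: Login incorrect: [anonymous] (from client campus-wlc port 29 cli 00-00-5e-00-53-0a)
Aug 22 19:25:02 radius1 radiusd[2101]: Login incorrect: [anonymous] (from client campus-wlc port 29 cli 00-00-5e-00-53-0b)
EOF
}

# rate_by_outcome FILE [N]
# Prints "Mon DD HH:MM:SS ok=N fail=N dup=N total=N" for the N busiest
# seconds (default 10), busiest last. awk splits on runs of blanks, so a
# single-digit day ("Aug  5") needs no "tr -s" step, and counting in an
# array does not depend on the log being in time order as "uniq -c" does.
rate_by_outcome() {
    awk '
    { ts = $1 " " $2 " " $3 }
    /: Login OK: /                    { ok[ts]++;   seen[ts] = 1 }
    /: Login incorrect: /             { fail[ts]++; seen[ts] = 1 }
    /: Discarding duplicate request / { dup[ts]++;  seen[ts] = 1 }
    END {
        for (t in seen)
            printf "%s ok=%d fail=%d dup=%d total=%d\n",
                   t, ok[t], fail[t], dup[t], ok[t] + fail[t] + dup[t]
    }' "$1" | sort -t= -k5,5n -k1,1 | tail -n "${2:-10}"
}

# failing_clients FILE [MIN]
# Prints "count calling-station-id" for every client MAC with at least MIN
# (default 3) "Login incorrect" lines, highest count first. A device that
# retries with bad credentials inflates the raw per-second figure.
failing_clients() {
    awk -v min="${2:-3}" '
    /: Login incorrect: / {
        for (i = 1; i < NF; i++)
            if ($i == "cli") {
                mac = $(i + 1)
                sub(/\)$/, "", mac)   # drop the closing parenthesis
                n[mac]++
            }
    }
    END { for (m in n) if (n[m] >= min) printf "%d %s\n", n[m], m }' "$1" |
    sort -rn
}

# Demo run on the constructed sample.
demo_log=$(mktemp)
sample_log > "$demo_log"
rate_by_outcome "$demo_log"
failing_clients "$demo_log" 3
rm -f "$demo_log"
```

A second with a high `dup` count points at requests the server had not finished answering, which is a different problem from a second with a high `ok` count.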

Re: [WIRELESS-LAN] Betr.: Re: [WIRELESS-LAN] Wireless Client Subnet sizing

2012-08-02 Thread Craig Simons
This is what we've been doing for years (except we're using /22s). The issue 
that we see now is that with near 100% wireless coverage on our main campus, 
there are no dead spots or bad roaming areas. Users authenticate in one area and 
move to the next area. Take the following scenario: 


100 students attend a lecture in building "A". 25 of these students 
authenticated to wireless on the east side of campus on controller 1 (they 
received an IP in the range assigned that controller). Another 25 of those 
students authenticated on the north side of campus on controller 2, 25 more on 
the south side on controller 3, etc. Now, as they all walk to their lecture, 
their wireless session roams until they sit down in the theatre. At this point 
the APs in the lecture theatre are servicing 4 separate networks (on the same 
SSID). To me, it's really a moot point to discuss the wasted airtime of 
management frames, broadcast, etc. Functionally speaking, all of the users are 
sharing the radio spectrum as if they were on the same IP subnet. Even though 
the students can only "see" the broadcast frames of their own network, they 
still have to wait for the air to be clear. 


This scenario is something we see all across the board in all areas of our 
campus. So, as we don't have any VLAN pooling features and have to balance our 
IPs manually so that none of the controllers "run out of IPs", my thinking is 
why not just make it easier on ourselves and move to /21s and save the hassle 
of balancing? 


Regards, 
Craig 




SFU SIMON FRASER UNIVERSITY 
Network Services 

Craig Simons 
Network and Systems Administrator 

Phone: 778-782-8036 
Cell: 604-649-7977 
Email: craigsim...@sfu.ca 
Twitter: simonscraig 

- Original Message -

From: "Kees Pronk"  
To: WIRELESS-LAN@listserv.educause.edu 
Sent: Wednesday, 1 August, 2012 23:05:49 
Subject: [WIRELESS-LAN] Betr.: Re: [WIRELESS-LAN] Wireless Client Subnet sizing 

Aruba networks advises to keep the subnets /23 (for big campuses) because of 
wasted airtime due to increased management (beacons and mgt frames). 

I agree Cisco has excellent technical content, but imho for WLAN specifically, 
Aruba is better. 

http://www.arubanetworks.com/wp-content/uploads/DG_HighDensity_VRD.pdf 

Regards, Kees Pronk 

Netwerk admin & engineer 

Avans University of Applied Sciences 
Diensteenheid ICT en Facilitaire Dienst (DIF) - ICT-Beheer 

Bezoekadres: 
Hogeschoollaan 1, Kamer HG204 
4818 CR Breda, The Netherlands 

Postadres: 
Postbus 90116 
4800 RA Breda 

E: cl.pr...@avans.nl 
T: @rovinguser 


>>> Tristan Rhodes  8/1/2012 11:12 >>> 
Like it was mentioned by Anders, this excellent material is freely available 
after a registration. Funny though, it seems that you can access the file 
directly: 

Design and Deployment of Enterprise WLANs (BRKEWN-2010) 
http://d2zmdbbm9feqrf.cloudfront.net/2012/usa/pdf/BRKEWN-2010.pdf 

Cisco has the most technical content available, compared to any other network 
vendor that I am aware of. 

Cheers! 

Tristan 

-- 
Tristan Rhodes 
Network Engineer 
Weber State University 
(801) 626-8549 


>>> On 7/31/2012 at 5:01 PM, Mark Duling wrote: 

Luke, it looks like that presentation isn't public. Can you say more about 
Cisco's recommendations on that? Or are they simply saying /21 is the maximum 
recommended size? I'd also be interested in anything they said about mcast as 
it relates to size. 

I've setup vlan select on a test WLAN with the intent of breaking up my /21 
into smaller pieces for the fall, but I've had no problems with it (though 
mcast is off). But I thought I would use smaller subnets since our wireless use 
has gone up quite a bit in recent years and doing it is so simple to do now. 
I've heard conflicting info, and to my surprise one time a TAC engineer 
suggested they should be no larger than /24, which I think is erroneous. 

Mark 


On Tue, Jul 31, 2012 at 2:43 PM, Luke Jenkins  wrote: 


What type of gear are you using? 

Cisco is now recommending using /21s for their unified wireless gear (Sujit 
Ghosh, Cisco Live US 2012 BRKEWN-2010, Slide 75). 


-Luke 

=-=-=-=-=-=-=-=-=-=-=-= 
Luke Jenkins 
Network Engineer 
Weber State University 


On Jul 31, 2012, at 11:59 AM, Craig Simons  wrote: 

> All, 
> 
> We are looking at re-engineering our wireless networking IP space and I'm 
> wondering what type of boundaries others have pushed their networks to. We are 
> currently using /22 networks (14 of them) most of which during a busy period 
> of the day will run around 75-80% utilization (at least as far as DHCP 
> assignments go). When I look at most APs during the day, I see that most APs 
> have users belonging to several networks (roaming), and as we have multicast 
> disabled, it would seem that t

Re: [WIRELESS-LAN] Wireless Client Subnet sizing

2012-07-31 Thread Craig Simons
Good to know. We use Enterasys HiPath. But with the realities of wireless 
networking (APs being more hub than switch) and the replies I've received off 
list, it certainly seems like /21s is by no means out of the ordinary. Perhaps 
I'm still jaded from the good ol' days of bridged wired segments that would 
cause all sorts of spanning tree fun - stuff that doesn't really apply here. 


Regards, 
Craig 





SFU SIMON FRASER UNIVERSITY 
Network Services 
    
Craig Simons 
Network and Systems Administrator 

Phone: 778-782-8036 
Cell: 604-649-7977 
Email: craigsim...@sfu.ca 
Twitter: simonscraig 

- Original Message -

From: "Luke Jenkins"  
To: "Craig Simons"  
Cc: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Sent: Tuesday, 31 July, 2012 14:43:06 
Subject: Re: [WIRELESS-LAN] Wireless Client Subnet sizing 

What type of gear are you using? 

Cisco is now recommending using /21s for their unified wireless gear (Sujit 
Ghosh, Cisco Live US 2012 BRKEWN-2010, Slide 75). 


-Luke 

=-=-=-=-=-=-=-=-=-=-=-= 
Luke Jenkins 
Network Engineer 
Weber State University 


On Jul 31, 2012, at 11:59 AM, Craig Simons  wrote: 

> All, 
> 
> We are looking at re-engineering our wireless networking IP space and I'm 
> wondering what type of boundaries others have pushed their networks to. We are 
> currently using /22 networks (14 of them) most of which during a busy period 
> of the day will run around 75-80% utilization (at least as far as DHCP 
> assignments go). When I look at most APs during the day, I see that most APs 
> have users belonging to several networks (roaming), and as we have multicast 
> disabled, it would seem that the advantages of segregating wireless networks 
> on the basis of limiting broadcast domain are moot. Is anyone running /21 
> networks or larger? 
> 
> We've investigated NAT, but accurately logging internal-external IP address 
> assignments for our users has proven difficult. Our vendor also doesn't 
> currently support any type of "VLAN pooling" feature. 
> 
> Interested in your opinions, 
> Craig 
> 
> 
> 
> -- 
> Craig Simons 
> Network Operations 
> Simon Fraser University 
> Burnaby BC, Canada 
> em. craigsim...@sfu.ca 
> ph. 778-782-8036 
> ce. 604-649-7977 
> tw. twitter.com/simonscraig 
> -- 
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found 
> at http://www.educause.edu/groups/. 






Wireless Client Subnet sizing

2012-07-31 Thread Craig Simons
All, 


We are looking at re-engineering our wireless networking IP space and I'm 
wondering what type of boundaries others have pushed their networks to. We are 
currently using /22 networks (14 of them) most of which during a busy period of 
the day will run around 75-80% utilization (at least as far as DHCP assignments 
go). When I look at most APs during the day, I see that most APs have users 
belonging to several networks (roaming), and as we have multicast disabled, it 
would seem that the advantages of segregating wireless networks on the basis of 
limiting broadcast domain are moot. Is anyone running /21 networks or larger? 


We've investigated NAT, but accurately logging internal-external IP address 
assignments for our users has proven difficult. Our vendor also doesn't 
currently support any type of "VLAN pooling" feature. 


Interested in your opinions, 
Craig 





---------- 
Craig Simons 
Network Operations 
Simon Fraser University 
Burnaby BC, Canada 
em. craigsim...@sfu.ca 
ph. 778-782-8036 
ce. 604-649-7977 
tw. twitter.com/simonscraig 
-- 




Re: [WIRELESS-LAN] Disappointing numbers of 5ghz clients

2011-09-26 Thread Craig Simons
As a comparison, we have dual band radios in all locations. We have disabled 
802.11b and enabled band preferencing on all APs. I manually manage radio 
transmit power settings and as a general rule, the 5G radio is set to operate 
3dbm higher than the 2.4G one. As I type, this is how our network breaks down 
today: 

bgn: 38% 
g: 20% 
a/n: 22% 
a: 2% 
unknown: 18% (clients that are no longer active but haven't timed out of our 
system yet) 

I too am disappointed that dual band is not the standard. However, as we're 
really only trying to get a 50-50 split between 2.4 and 5g, I suppose the 
optimist in me says we're half way there at 24%. My stats also tell me that 60% 
of all our associated users this week had an Apple OUI, which presumably means 
dual band capable (iPhone 3gs and up/iPad are dual band as well as recent 
MacBook Pros). I think there are more gains to be made in rf design (beefing up 
the relative strength of 5g signal strengths), but mostly waiting for the 
market to catch up like everyone else. 

Regards, 
Craig 




SFU SIMON FRASER UNIVERSITY 
Network Services 
    

Craig Simons 
Network and Systems Administrator 

Phone: 778-782-8036 
Cell: 604-649-7977 
Email: craigsim...@sfu.ca 
Twitter: simonscraig 

- Original Message -
From: "Rich Fulton"  
To: WIRELESS-LAN@listserv.educause.edu 
Sent: Monday, 26 September, 2011 08:32:09 
Subject: Re: [WIRELESS-LAN] Disappointing numbers of 5ghz clients 

Is anyone using the various band steering methods to nudge clients over to the 
5ghz band? 





On Mon, Sep 26, 2011 at 10:14 AM, Brian Helman < bhel...@salemstate.edu > 
wrote: 






I think the newer Macs and iOS devices are dual band. The problem is you can’t 
tell them which band to use, so they connect to the strongest signal. 
Unfortunately, that doesn’t always mean the “better” signal. 



-Brian 



From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU ] On Behalf Of Coehoorn, Joel 
Sent: Sunday, September 25, 2011 10:11 AM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Disappointing numbers of 5ghz clients 






There was another thread on this same listserv a month or two back basically 
complaining about the lack of consumer laptops with 5ghz radios. When your 
average student or parent goes to buy a laptop for college, pretty much 
everything they see is still 2.4Ghz. Even if they're looking for 5Ghz (and few 
do), most laptops just advertise for b/g/n and don't otherwise tell you what 
spectrum it will use. The result is exactly what you're seeing: the cleaner 
5Ghz band is barely used, and students complain about throughput on 2.4Ghz. 
Hopefully by next year's buying season we're seeing more 5Ghz laptops in the 
market, but even then it will take a while before your upperclassmen have the 
technology. 





Joel Coehoorn 


IT Director 


402.363.5603 






On Sun, Sep 25, 2011 at 9:05 AM, Jennifer Francis Wilson < 
jfwils...@uclan.ac.uk > wrote: 

Anyone happy with the numbers of 5ghz clients connecting to their networks, 
compared to 2.4ghz clients? 

I'm only seeing around 25% of clients on 5ghz, despite having a decent density 
of dual radio 2.4/5ghz APs with band select switched on. 

A reasonable percentage of the 5ghz clients are from laptops we loan out which 
we know connect to 5ghz most of the time. 

Most clients seem to either not be 5ghz capable or their wireless NICs/drivers 
aren't choosing the 5ghz signal. 

(we have 802.11n on both 2.4 and 5ghz, with 20mhz channels on 5ghz and use the 
same ssids on both bands) 

Jen. 








-- 


/rf 



Re: [WIRELESS-LAN] Wifi Support Staff

2011-07-26 Thread Craig Simons
I would summarize our deployment as follows: 

Network: 750 APs, 4 controllers, 6000 concurrent users during a busy day. 

Staff: 

- 1 wireless expert (me!) that spends about 75% of the time on wireless related 
tasks. I do the systems design, architecture, and evaluate new equipment. I 
also write both the user documentation and support staff training 
documentation. 

- 1-2 "backup" members in the group that have good working knowledge of the 
system to do most tasks required from day to day. They don't do any systems 
design but they're smart people and are probably only a weekend crash course 
away from earning the "expert" badge. They spend very little overall time on 
wireless, let's call it 10-15%. 

- 7-8 technicians/operators that do basic things like install APs, test AP 
runs, etc. They are jack-of-all-trades types that don't specifically work on 
wireless but rather network troubleshooting and installs. However, they 
currently do walkaround site surveys at night to check wireless coverage which 
is a good resource to have. Collectively they probably spend about 5% of their 
time on wireless though. 

- Contractors: Install the APs and run the cable. 

- User support: We have desktop support staff (under the IT Services umbrella 
but a different department from mine) that deal with anything that comes their 
way, much of which is probably basic wireless setup. They don't troubleshoot 
any infrastructure problems with the wireless system but rather fix and 
configure user devices to work with the network. Anything wireless related they 
can't find a solution for usually ends up on my desk. 

Like most others on the list, we could certainly use more resources. I'm 
convinced that with a little more effort, we could really nail down some of the 
rf inefficiencies in our setup. However, I think everyone in IT could say the 
same thing about what they do too... 

Regards, 
Craig 



SFU SIMON FRASER UNIVERSITY 
Network Services 


Craig Simons 
Network and Systems Administrator 

Phone: 778-782-8036 
Cell: 604-649-7977 
Email: craigsim...@sfu.ca 
Twitter: simonscraig 


- Original Message -
From: "Brian Deem Williams"  
To: WIRELESS-LAN@listserv.educause.edu 
Sent: Monday, 25 July, 2011 22:33:17 
Subject: [WIRELESS-LAN] Wifi Support Staff 




Hi guys, 



Just as an inquiry I would like to know what kind of support staff other 
universities have for their Wi-Fi environment. Is there a formula that you use 
(i.e. X number of users = Y number of staff, or X number of access points = Y 
number of staff)? We have grown almost exponentially in the last couple of 
years (From 300 access points to 1000+ access points, 2000+ access points total 
planned within the next 12 months) and I’m curious as to the number of staff 
members dedicated to supporting the wifi (both from an engineering standpoint 
and from a helpdesk point of view) that other educational facilities have 
deemed necessary. Any input would be greatly appreciated! 



Thanks, 



Brian D Williams 

Network Engineering 

IS&T – Georgia State University 

bwilli...@gsu.edu 

404.413.4450 



“The definition of insanity is doing the same thing over and over again and 
expecting different results” - Einstein 







Active Directory authentication for loaned out laptops over wireless

2011-07-20 Thread Craig Simons
All, 

Our library signs out XP laptops for student use. These laptops are set for 
"authenticate as computer when computer information is available" and should 
reauthenticate with the user's credentials once they log into the machine. 
However, we've had frequent complaints that AD is not reachable over wireless, 
rendering the laptop unusable (it's a loaned laptop that has not been used 
previously by the user and thus does not have any cached credentials). If the 
machine is shelved for 10 minutes or so and rebooted, it seems to clear the 
problem. Our library is a very dense and challenging area to cover with 
wireless, and while there is adequate area coverage, there are density issues 
that are no doubt present. 

That being said, I'm not convinced that this is entirely a wireless problem, 
but more a Windows/AD problem with a wireless component to it. 

Does anyone have any experience with this type of situation and could offer 
some advice? 

Regards, 
Craig 

------ 
Craig Simons 
Network Operations 
Simon Fraser University 
Burnaby BC, Canada 
em. craigsim...@sfu.ca 
ph. 778-782-8036 
ce. 604-649-7977 
tw. twitter.com/simonscraig 
-- 






Re: [WIRELESS-LAN] iOS devices on wireless

2011-06-23 Thread Craig Simons
An additional complication, at least in our deployment, is that a user is 
placed on a vlan at the time of authentication (or association if not using 
802.1x). So if the same SSID exists on campus and at residence, the user's vlan 
may be the one they got at the bus stop or hallway on the way back home from 
class. This is a small consideration if your deployment allows the user's session 
to roam across your campus, but potentially a support issue ("I can only see my 
home devices SOME of the time"). 

Regards, 
Craig 

------ 
Craig Simons 
Network Operations 
Simon Fraser University 
Burnaby BC, Canada 
em. craigsim...@sfu.ca 
ph. 778-782-8036 
ce. 604-649-7977 
tw. twitter.com/simonscraig 
-- 


- Original Message -
From: "Jeffrey Sessler"  
To: WIRELESS-LAN@listserv.educause.edu 
Sent: Wednesday, 22 June, 2011 13:30:25 
Subject: Re: [WIRELESS-LAN] iOS devices on wireless 

Bruce, 

You could, by any number of technical solutions, ensure that students within a 
given residential space were all on the same L2 network. That is to say, if a 
given residence hall is made up of 200 students, then it's not technically 
difficult to ensure all the residential wireless devices within that area are 
placed in the same VLAN. Or, at a minimum, to ensure that a user's device(s) 
will always be in the same L2 network so that they can see each other. If one 
can't do that, then I wouldn't consider the wireless solution to be very 
flexible, especially given the trend in devices wanting/needing to talk to each 
other. 

On my campus, students spend four years of their life in what we consider a 
residential setting, and it seems only logical to me that the experience 
should, to the extent possible, mimic home life. That is, it's reasonable to me 
to expect a student's wireless devices to see each other, and that they should 
be able to share/collaborate with the other users within their residential 
hall. 

I know that if I was back in college, I'd expect that level of functionality, 
and if it wasn't there, I'd probably make it happen using my own gear... 
exactly what you don't want happening. 

Jeff 


>>> "Osborne, Bruce W"  6/22/2011 4:55 AM >>> 
We here at Liberty University have about 8000 students in our residences, the 
vast majority using wireless. 

That would be a *huge* L2 network. 

Bruce Osborne 
Wireless Network Engineer 
IT Network Services 

(434) 592-4229 

LIBERTY UNIVERSITY 
40 Years of Training Champions for Christ: 1971-2011 

-Original Message- 
From: Jeffrey Sessler [mailto:j...@scrippscollege.edu] 
Sent: Tuesday, June 21, 2011 3:05 PM 
Subject: Re: iOS devices on wireless 

Mike, 

I take it you are not able to reference housing data and then place all 
students/student devices from the same residential hall into the same VLAN? 

Jeff 

>>> Michael Dickson  6/21/2011 11:18 AM >>> 
On Jun 21, 2011, at 2:04 PM, Jeffrey Sessler wrote: 

> My belief is that a student should be able to have a similar experience when 
> in a residential hall as they would at home. That requires supporting 
> everything under the sun including Bonjour. 

Unfortunately our enterprise network is sufficiently different enough that the 
user cannot have a similar experience as they would at home. 

At home all of their devices are segregated in an L2 network. All their 
neighbors' devices are in their own L2 network, etc. They can browse and 
discover all the devices in their house but not (hopefully) the devices in 
their neighbors'. Here at UMass their L2 domain is huge and includes mostly 
unknown devices. Plus, thanks to vlan pooling, it is likely that all of their 
devices are not in the same L2 subnet. So the "similar to home" experience is 
not a reality for us. 

Personally I think students should not think of an enterprise network as 
similar to their home network. That's a dangerous concept given most students 
turn on every sharing feature and protocol they can find at home - with 
relative (L2) protection from the outside world - in an effort to make all of 
their music and videos work in harmony across all devices. 

My understanding is that Bonjour only discovers devices at L2, not across L3. 
If that is correct and our enterprise wireless network offers no less than a 
dozen L2 networks per SSID in a vlan pool configuration (Aruba), then users 
aren't discovering their devices in most cases anyway. 

-Mike 

Re: [WIRELESS-LAN] Wireless design

2011-06-09 Thread Craig Simons
Bruce, 

For administrative reasons, we find it very helpful to have all our wireless 
users contained to "wireless only" IP ranges. This way, we can configure our 
IPS/IDS sensors, packet inspectors, etc. to keep a more suspicious eye on 
wireless users (i.e. unmanaged, potentially dirty laptops). We also don't have 
to worry about ensuring there are enough free IP addresses in each particular 
location to handle any potential transient surges (like during a large 
conference for example). 

Regards, 
Craig 



SFU SIMON FRASER UNIVERSITY 
Network Services 
    

Craig Simons 
Network and Systems Administrator 

Phone: 778-782-8036 
Cell: 604-649-7977 
Email: craigsim...@sfu.ca 
Twitter: simonscraig 


- Original Message -
From: "Mike King"  
To: WIRELESS-LAN@listserv.educause.edu 
Sent: Wednesday, 8 June, 2011 18:15:06 
Subject: Re: [WIRELESS-LAN] Wireless design 

The real short answer is that it does not matter what the IP address of the AP 
is, as long as it has good stable communications with the controller. 


What I personally try to do is what you are proposing, put the APs for each 
building/floor in its own subnet. 


Good luck 


Mike 


On Wed, Jun 8, 2011 at 6:54 PM, Entwistle, Bruce < bruce_entwis...@redlands.edu 
> wrote: 






We will soon be migrating our wireless network from Cisco autonomous 1231 APs 
to a combination of Cisco 3502i along with some of the existing 1231 APs 
converted to lightweight. As we prepare for this we are looking at how to best 
architect the new network. The new network will cover the entire campus which 
consists of approx 50 buildings, with each building having its own VLAN. 



The initial idea was to install the APs so the IP address of the AP would be a 
part of the local building VLAN. This is the IP the AP would use to talk back 
to the controller. For user connections there would be two VLANs created which 
would be accessed through a single SSID. The users would then be dynamically 
assigned to one of the two VLANs based on their logon credentials. Currently 
all users are placed on the same VLAN after authentication, as our current 
installation is not capable of dynamic VLAN assignment. There is currently only 
a single SSID in place. 



I would be interested to know what others have done and how successful it was. 





Thank you 

Bruce Entwistle 

Network Manager 

University of Redlands 






Re: [WIRELESS-LAN] Dual radio APs, .11n on 2.4ghz radios or not?

2011-05-27 Thread Craig Simons
Well, you learn something new every day. Gaming consoles are already a sore 
point being as they don't support WPA2-Enterprise, just PSK. In our case, 
thankfully, the connectivity for our residences is provided by a 3rd party, so 
it's someone else's problem... However, it's good to know there are more 
repercussions to disabling higher data rates other than smaller cell sizes. 

Taking steps to properly provide guaranteed bandwidth (I use the term 
"guaranteed" loosely of course) to a large lecture theatre full of dignitaries 
will ultimately trump the need to allow gaming devices in my opinion. But 
that's me talking, not my CIO ;) 

------ 
Craig Simons 
Network Operations 
Simon Fraser University 
Burnaby BC, Canada 
em. craigsim...@sfu.ca 
ph. 778-782-8036 
ce. 604-649-7977 
tw. twitter.com/simonscraig 
-- 


- Original Message -
From: "Toivo Voll"  
To: WIRELESS-LAN@listserv.educause.edu 
Sent: Friday, 27 May, 2011 14:05:16 
Subject: Re: [WIRELESS-LAN] Dual radio APs, .11n on 2.4ghz radios or not? 




We’re also running into similar issues with purpose-built PDAs, of the type 
used to scan tickets and inventory etc. Also, I seem to recall that Nintendo DS 
will not associate if it doesn’t see the 1 Mbps rates. How other universities 
are dealing with discontinuing support to existing devices would be interesting 
to hear – or if there’s a technical solution someone has devised for this. 



Toivo Voll 

Network Administrator 

Information Technology Communications 

University of South Florida 









From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeremy Brake 
Sent: Friday, May 27, 2011 16:29 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Dual radio APs, .11n on 2.4ghz radios or not? 



Rick, 



What are you doing for Wii users? The last time I checked they required the 
lowest G speeds in order to associate. Please tell me they fixed it with a new 
code release for the Wii’s…. 



http://www.networkworld.com/community/blog/dropping-legacy-80211-support-your-infrastruc
 







Jeremy 







From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Rick Brown 
Sent: Thursday, May 26, 2011 2:07 PM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Dual radio APs, .11n on 2.4ghz radios or not? 



Craig, 

Enabling N on the 2.4 is not a lost cause and will help improve performance if 
the coverage has been designed properly. As of June 1st we are disabling 11B 
and all 11G rates below 12Mbps. 

In order to help steer people to the 5Ghz band we have created an SSID that is 
only broadcast in that band and publicized it as higher performance. 

Rick 








Dual radio APs, .11n on 2.4ghz radios or not?

2011-05-26 Thread Craig Simons
Design question for you all:

Currently we have b/g enabled on our 2.4ghz radios and a/n on our 5ghz radios 
as a carrot to entice users to buy/use a 5ghz capable wireless adapter. However, 
even with band preferencing enabled (or steering depending on the vendor), we 
still have a 75/25% split of 2.4 to 5 users.

So my question is this, is there any point of enabling .11n on the 2.4 radio 
given that it will be in protection mode most of the time? As I can't really 
enable channel bonding on the 2.4 band to get the real speed increases of .11n, 
will users still get better performance overall? More importantly, would I get 
better performance in a user dense environment (more packets transmitted by 
.11n clients in the same time-slice thereby freeing up the channel for other 
clients, etc)?

I'm of the opinion that guaranteeing great wireless performance is a lost cause 
on the 2.4 band, but I'd like to tweak as many things as possible to get the 
best performance in dense areas.

Regards, 
 Craig

------
Craig Simons
Network Operations
Simon Fraser University
Burnaby BC, Canada
em. craigsim...@sfu.ca
ph. 778-782-8036
ce. 604-649-7977
tw. twitter.com/simonscraig
-- 



Re: [WIRELESS-LAN] How is the surge in Wi-Fi equipped mobile devices impacting the WLAN?

2011-05-19 Thread Craig Simons
John, 

In short, yes it's real. Our student headcount (not FTE) is just over 28,000. 
Just under 26,000 of these students successfully authenticated to our wireless 
network at least once during the Spring 2011 semester (Jan - Apr). In a given 
week we'll have ~20,000 unique users authenticate to wireless at least once. 
I've mined our Radius logs and here is a typical result for a given week: 

Users seen with one MAC address only: 13,948 
Users seen with two MAC addresses: 5,380 
Users seen with three MAC addresses: 1036 
Users seen with four MAC addresses: 235 
Users seen with five or more MAC addresses: 153 

Obviously statistics don't tell the whole story but they illustrate a trend. 
There is some good news, however. I think we've pretty much hit the wall in 
respect to the number of actual warm-bodied people who are connecting to our 
wireless network. I think the growth now is going to be institutional machines 
(projectors, printers, etc) and additional devices per user like phones, 
tablets, etc. 

I actually expect things to get a bit better in the next while, even if we 
don't change a thing in our wireless deployment strategy. At the busy part of 
our day we have about ~9000 concurrent users across ~730 dual radio a/b/g/n 
APs, and it's rare to see more than one or two .11b clients. As laptops and 
phones turn over and .11n chipsets become cheaper and more commonplace, I 
expect the 5Ghz band to become much more utilized. I expect this will help 
solve the increased number of clients for the near future. 

Where I think our plans will shift is in our auditoriums and lecture theatres. 
Our largest is only 500 seats, but most are in the 50-250 seat range. We've 
always been able to get by with brute force coverage without the need for 
directional antennae or "picocell" designs. With increased bandwidth 
expectations and additional devices, we're going to have to revisit some of our 
high density deployments and tune them better. 

Otherwise, in the near future we'll probably be doing easy things like disable 
.11b, block chatty protocols (multicast, broadcast), better tune our AP 
transmit power. This should be enough for students to check their Facebook 
pages and twitter feeds when they should be paying attention in class ;) 

Regards, 
Craig 


-- 
Craig Simons 
Network Operations 
Simon Fraser University 
Burnaby BC, Canada 
em. craigsim...@sfu.ca 
ph. 778-782-8036 
ce. 604-649-7977 
tw. twitter.com/simonscraig 
-- 


- Original Message -
From: j...@nww.com 
To: WIRELESS-LAN@listserv.educause.edu 
Sent: Thursday, 19 May, 2011 13:18:34 
Subject: [WIRELESS-LAN] How is the surge in Wi-Fi equipped mobile devices 
impacting the WLAN? 




Dear folks, 



At Interop, it was striking to repeatedly hear about the surge in Wi-Fi clients 
on WLANs, with one user often having several devices (smartphone, tablet, game 
console, and so on). 



It finally struck me that Higher Ed must be ground zero for this? 



Is this Wi-Fi client surge affecting your WLAN, or possibly other network 
services? And if so, how? (capacity or coverage issues? bandwidth management? 
IP addresses etc?) 



Is this growth causing you to rethink WLAN design/deployment? If so, how? 



Or is this all just hype from vendors flogging their products? 



Regards, 

John Cox 

__ 



J o h n C o x 

Senior Editor 


Main: 508.766.5301 | Direct: 508.766.5422 


Office at home: 978-834-0554 





NETWORK WORLD 


Maximize Your Return on IT 


492 Old Connecticut Path | Framingham, MA 01701-9002 


Mail: P.O. Box 9002, Framingham, MA 01701-9002 

__ 


NetworkWorld.com | 2009 Media Guide | Conferences and Events 





**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
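
The devices-per-user breakdown quoted in the message above can be reproduced from RADIUS authentication records by grouping Calling-Station-Id values under each User-Name. The following is an added example, not code from the original post; the CSV layout, the sample records, the realm-stripping rule and all function names are assumptions.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample records (not real data): time, User-Name,
# Calling-Station-Id, reply type. The column layout is an assumption;
# adapt the reader to whatever your RADIUS server actually logs.
SAMPLE_LOG = """\
2011-04-04T09:01:12,alice,00-1B-63-AA-BB-01,Access-Accept
2011-04-04T09:05:40,ALICE@example.edu,00:1b:63:aa:bb:01,Access-Accept
2011-04-04T12:30:02,alice,0026.08cc.dd02,Access-Accept
2011-04-05T08:15:00,bob,00-21-6A-11-22-33,Access-Accept
2011-04-05T08:15:09,bob,00-21-6A-11-22-44,Access-Reject
2011-04-05T10:00:00,carol,00-1E-C2-00-00-01,Access-Accept
2011-04-05T10:20:00,carol,00-1E-C2-00-00-02,Access-Accept
2011-04-06T11:00:00,carol,00-1E-C2-00-00-03,Access-Accept
2011-04-06T11:30:00,carol,00-1E-C2-00-00-04,Access-Accept
2011-04-06T13:00:00,carol,00-1E-C2-00-00-05,Access-Accept
2011-04-06T13:05:00,carol,00-1E-C2-00-00-06,Access-Accept
2011-04-07T09:00:00,dave,not-a-mac,Access-Accept
"""

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC.

    NAS vendors format Calling-Station-Id differently (dashes, colons,
    dotted triplets), so separators are stripped before comparing.
    """
    digits = re.sub(r"[-:.\s]", "", raw.strip().lower())
    return digits if HEX12.match(digits) else None


def normalize_user(raw):
    """Fold case and drop an @realm suffix so one account counts once.

    Assumption: all realms map to the same local account namespace.
    """
    return raw.strip().lower().split("@", 1)[0]


def macs_per_user(log_text):
    """Map user -> set of MACs seen on successful authentications."""
    seen = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip malformed or blank lines
        _timestamp, user, station, reply = row
        if reply != "Access-Accept":
            continue  # rejected attempts never joined the network
        mac = normalize_mac(station)
        if mac is None:
            continue  # unusable station id, do not count it as a device
        seen[normalize_user(user)].add(mac)
    return seen


def device_histogram(seen, cap=5):
    """Count users by number of distinct MACs; the last bucket is cap+."""
    hist = Counter(min(len(macs), cap) for macs in seen.values())
    return {n: hist.get(n, 0) for n in range(1, cap + 1)}


def users_at_or_above(seen, threshold):
    """Accounts worth a second look, e.g. possible credential sharing."""
    return sorted(u for u, macs in seen.items() if len(macs) >= threshold)


if __name__ == "__main__":
    per_user = macs_per_user(SAMPLE_LOG)
    for bucket, count in device_histogram(per_user).items():
        label = f"{bucket}+" if bucket == 5 else str(bucket)
        print(f"Users seen with {label} MAC address(es): {count}")
    print("Review list:", users_at_or_above(per_user, 5))
```

Clients that randomize their MAC address inflate these counts, so the highest bucket is a list of accounts to review rather than a device inventory.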