Re: [WIRELESS-LAN] FreeRADIUS 3 and expired passwords

2018-01-17 Thread Danner, Mearl
Probably be best to contact the freeradius folks. Here's the url for the 
mailing lists.


https://wiki.freeradius.org/project/Mailing-list

Mearl Danner



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Mike King 
Sent: Wednesday, January 17, 2018 2:03:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] FreeRADIUS 3 and expired passwords

It's been 10 years since I touched FreeRADIUS.  But maybe this is still true?

http://support.microsoft.com/kb/906305



On Wed, Jan 17, 2018 at 11:16 AM, Trinklein, Jason R wrote:
We have been having issues with various user devices not prompting for new 
passwords after the old one expires in AD. Instead, the user simply gets a 
message that they are “unable to connect to network”. This requires the user to 
remove the network from their device and re-associate. Sometimes in Windows, 
the user must delete and reinstall the wireless adapter.

I’m unsure if there is something wrong with our FreeRADIUS configuration that 
is improperly communicating the nature of the authentication failure to the 
user devices. Does anyone have any suggestions? We are running FreeRADIUS 3 on 
Ubuntu with winbind (not ntlm_auth) connections to our Active Directory server. 
It may have nothing to do with our FR3 servers…is anyone else facing similar 
password expiration challenges?
--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.




RE: [WIRELESS-LAN] Turning off 2.4 on a select SSID?

2016-04-07 Thread Danner, Mearl
That's a good point Phillipe. Had to recently shop for a laptop for a relative 
to use at school. Had to open up Device Manager to find the wireless card 
description.

It appears that at about the $400 price point is the split between single band 
and dual band wireless cards.

Mearl


-Original Message-
From: Philippe Hanset [phan...@anyroam.net]
Received: Thursday, 07 Apr 2016, 9:37AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
Subject: Re: [WIRELESS-LAN] Turning off 2.4 on a select SSID?

My ears have been burning…

I understand Hector's comment about the spirit of eduroam, but like Ryan I have 
also been tempted in the past to only support 5 GHz in certain areas
because 2.4 GHz was becoming too much of a pain (e.g. Dormitories).  The 
eduroam Compliance Statement requires 802.11, no frequency mentioned.

eduroam users with 2.4GHz devices will just not see the available SSID if a 
school decides to only offer it at 5 GHz in certain locations.
In a sense it is no different than schools only offering eduroam in certain 
locations.

Now, if the entire eduroam SSID for all locations at the school is on 5 GHz, it 
might be challenging.

But how many clients REALLY can’t support 5 GHz?
The stats showing 2.4 GHz VS 5 GHz usage can be deceiving. Is it a client with 
both radios and a poor selection of spectrum,
or is it really 2.4 Ghz only capable devices? It seems that the best way to 
know if 5 GHz only is fine for your community is to “just do it”.

I checked cheap laptops at BestBuy and under specifications you find 
“Wireless-AC” or “Wireless-B, G, N". No reference to the type of radio.
Those darn marketing people, they will get you every time.

Philippe

Philippe Hanset
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770

GPG key id: 0xF2636F9C






On Apr 7, 2016, at 10:04 AM, Turner, Ryan H wrote:

I don't think so.  I think anytime a university enforces a uniform policy that 
applies to all folks, it shouldn't be an issue.  Of course, we are a long way 
from actually doing this.  We'll involve Phillipe if we move forward.





On Thu, Apr 7, 2016 at 7:01 AM -0700, "Hector J Rios" wrote:

I would go back to Jason's comment and reference eduroam's policy. I personally 
think that only allowing 5GHz on eduroam goes against the spirit of the global 
availability of eduroam. My 2 cents.

Hector Rios
Louisiana State University

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Matthew Newton
Sent: Thursday, April 07, 2016 8:54 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Turning off 2.4 on a select SSID?

On Thu, Apr 07, 2016 at 01:27:04PM +, Joseph M. Karam wrote:
> We offer 2.4 and 5 GHz service.  When we have conflicts, we work with
> departments to give them a channel in the 2.4 GHz space, then we take
> that channel out of our central infrastructure.
> So, for example we gave engineering channel 6 for all of their labs,
> and we took that out of our central infrastructure.  So far it has
> worked well and we can play together nicely

What do you do after you've given the last remaining free 2.4Ghz channel to the 
third department that requests one and you've got none left for yourselves?

And presumably Engineering have lots of CCI because all of their APs are on the 
same frequency?

Not criticising, just trying to understand! :)

Matthew


--
Matthew Newton, Ph.D.

Systems Specialist, Infrastructure Services, I.T. Services, University of 
Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253,

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.




RE: [WIRELESS-LAN] Wireless and health issues

2013-01-07 Thread Danner, Mearl
If you run into a wall while checking email...

Sorry. Just couldn't resist.

Considering all the RF in any environment - cell, tv, radio, etc. - I'd think 
wifi would be of minimal impact. Not sure if there are any studies, though.

Mearl

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Craig Eyre
Sent: Monday, January 07, 2013 11:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless and health issues


Hi All,

I recently had a staff member ask for a report or document stating how 
dangerous wireless is to their health. Has anyone else been asked this before 
and can you direct me or send me the info that you provided to that person or 
department?

Thanks for any help or info on this subject.


Craig Eyre
Network Analyst
IT Services Department
Mount Royal University
4825 Mount Royal Gate SW
Calgary AB T2P 3T5

P. 403.440.5199
E. ce...@mtroyal.ca

The difference between a successful person and others is not a lack of 
strength, not a lack of knowledge, but rather in a lack of will.  Vincent T. 
Lombardi




This communication is intended for the use of the recipient to which it is 
addressed, and may
contain confidential, personal, and or privileged information. Please contact 
the sender
immediately if you are not the intended recipient of this communication, and do 
not copy,
distribute, or take action relying on it. Any communication received in error, 
or subsequent
reply, should be deleted or destroyed.



RE: PEAP cert signed by 3rd party CA

2012-12-11 Thread Danner, Mearl
Are you using IAS? On W2K3 servers we had to export the cert with key after 
using the Verisign signup, then delete the cert and import it using the 
exported pfx file.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hurt,Trenton W.
Sent: Tuesday, December 11, 2012 3:59 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] PEAP cert signed by 3rd party CA

What 3rd party CA's are people using for their PEAP server side certificate?  I 
have previously used verisign because they have a specialized wlan radius cert 
that included the correct EKU's for server authentication, 1.3.6.1.5.5.7.3.1.  
I cannot get the cert from verisign to work and I'm now looking at possibly 
changing CA's.  My server requires the CSR be generated from the actual server 
itself, and it requires a .pem file and a private key file along with the 
private key passphrase when importing.

  Any suggestions, tips, tricks on this process is immensely appreciated.

Thanks
Trent





RE: Domain Logon Over Wireless

2012-07-30 Thread Danner, Mearl
If you've got Windows IAS (or NPS) it's easy to create a policy that allows 
access to members of the Domain Computers group (or any group of computers you 
want to allow). Put it at the top so that it reads the computer login policy 
before it gets to the ones for the user based wireless users.

You can contact me off list if you need details.


Mearl Danner
Systems Programmer
Samford University Technology Services
jmdanner at samford.edu
http://www.samford.edu



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Case, Brandon J
Sent: Monday, July 30, 2012 2:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Domain Logon Over Wireless

Has anyone out there tried doing domain logons over a 1x-enabled network? We 
have a request in from one department (and potentially others) to offer such a 
service. Their goal is to create learning lab environments where students can 
use laptops that are dedicated just for the room the lab is in. However, they 
also want to be able to join these laptops to their departmental domain in 
order to do patching etc. so the machines have to be able to log on to the 
network while no user is logged on to the machine. 

Google searches until my eyes are bloodshot all say it can only be done with 
EAP-TLS and machine certificates, which always leads to using Microsoft 
Certificate Services. I'm no Windows Server buff so all the magic that happens 
between laptop and domain controllers is smoke and mirrors to me. Even if that 
can be side-stepped somehow, the thought of private PKI management isn't one I 
relish. Any hints anyone can offer would be wonderful.

Thanks,
--
Brandon Case
Network Engineer, ITaP
Purdue University
ca...@purdue.edu
Office: (765) 49-67096
Mobile: (765) 421-6259
Fax:(765) 49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251



RE: Apple Petition- Some Starting Media Coverage

2012-07-13 Thread Danner, Mearl
Well said Lee.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Friday, July 13, 2012 8:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Apple Petition- Some Starting Media Coverage

http://www.networkcomputing.com/wireless/240003500?token=a19039bbc22ec2cf1b6068849d80a189

FYI






RE: Apple Petition- Mid-Week Sanity Check

2012-07-12 Thread Danner, Mearl
Since we're a networking group I think we need to keep the focus on networking 
issues. More specifically service advertisement (Bonjour) and wireless 
authentication (lack of support for WPA2-Enterprise).

What Apple hasn't understood is that while creating great devices for homes our 
students' homes away from home are on an enterprise network. If they're able 
to come to an understanding of that maybe their R&D will be more likely to take 
that into account.

I don't know if Apple knows, or even cares, how many of their devices touch 
enterprise networks. They normally only hear complaints on a single device (or 
from a single institution) at a time. We could possibly give them a count that 
might get their attention.

Mearl Danner
Systems Programmer
Samford University Technology Services
http://www.samford.edu



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Peter P Morrissey
Sent: Thursday, July 12, 2012 10:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition- Mid-Week Sanity Check

I understand why there is a benefit to keeping the scope focused, but I agree 
that there is some merit in at least making some more general statements about 
the difficulties of running Apple products in the enterprise.

Pete Morrissey

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kellogg, Brian D.
Sent: Thursday, July 12, 2012 10:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition- Mid-Week Sanity Check

I don't use facebook so I think this would be a good move.

After discussing this with a colleague at another university I believe a 
broader approach than just addressing Bonjour is justified.  Apple does have 
many deficiencies to address in the enterprise.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Garry Peirce
Sent: Thursday, July 12, 2012 1:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: Apple Petition- Mid-Week Sanity Check

Hearing that some do not use FB that wish to sign, perhaps moving it to a site 
like http://www.change.org/ is a possibility, or perhaps 
a page could be hosted on the Educause website itself?

The petition's main statement reads:

We the undersigned academic and research institutions request that Apple 
provide support for Bonjour/Airplay technology in enterprise networks.
Might I suggest a possible refinement to:

We the undersigned academic and research institutions request that Apple 
collaborate with us to improve Bonjour/Airplay technologies in enterprise 
networks.

For me, if DNS-SD worked for Airplay (as it does for printing) , my current 
hurdle would largely be solved.
That would also require the AppleTV concession made to content-providers 
relaxed or removed.
Perhaps they could make an alternative AppleTV image that allows DNS-SD to 
work, but removes the content-provider features (?).

If one needs both the content services and Airplay across subnets, that seems 
the immediate problem we'd like Apple to help solve in lieu of other 
proprietary solutions.





From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jesse Rink
Sent: Wednesday, July 11, 2012 7:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition- Mid-Week Sanity Check

So for those of us without Facebook, no way of signing it?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Wednesday, July 11, 2012 8:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Apple Petition- Mid-Week Sanity Check

Folks,

Those interested seem to agree that we'd discuss specific pain points regarding 
those other Apple devices like AppleTv and any AirPlay/Bonjour-dependent 
gadgets until Friday, at which point we'd firm up the petition and find a place 
to host it. Then would come signatures, and ultimately presenting it to Apple, 
possibly via each of our Apple reps.

Neil Johnson has started the companion Facebook group, and has drafted the 
early version of what everyone appears to want from Apple development in 
petition form at https://www.facebook.com/groups/enterpriseairplay with 72 
members joining thus far. (Thanks, Neil)

We have at least one CIO interested, and interested in sharing it with other 
CIOs via Educause if petition is done in a constructive, fact-based way.

We also have a bit 

RE: Apple Petition

2012-07-11 Thread Danner, Mearl
But it's still link-local and requires management of an enterprise-wide flat 
VLAN architecture. No IP addresses I can see. Just the hardware address.

Don't we want something IP based similar to dynamic DNS? Microsoft provided 
WINS and then Active Directory to allow their OSes to move from local subnet 
broadcast based discovery. Novell used SLP when they moved from IPX to IP.

Don't we want Apple to provide us with something similar?

Mearl

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kellogg, Brian D.
Sent: Tuesday, July 10, 2012 8:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

I might be misunderstanding something; if so please correct me.  When I set up a 
Linux MDNS server the bonjour devices all auto registered with the DNS server 
so there were no entries I had to manually create.  I used a subdomain to keep 
them from cluttering up our root domain for all bonjour devices, but I only 
tested with a handful of devices and found that some devices would not query 
MDNS for the resource records.

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M 
[neil-john...@uiowa.edu]
Sent: Tuesday, July 10, 2012 8:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: Apple Petition

My concern is that certain fields appear to contain dynamic information like 
the software version (see srcvers=120.2) and other information (what does 
35CF2488F02660B1 mean ?).

The only way it seems to collect this information is to connect the device to 
local net, run Bonjour Browser or run dns-sd -Z command on a MAC and copy and 
paste results into your DNS configs.

If certain data is dynamic then, you are out of luck.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu


From: Joel Coehoorn jcoeho...@york.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Tuesday, July 10, 2012 7:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

If those entries work, and are all that is needed, then we're not far from full 
support. It seems like we could get a tool or set of scripts to automate 
creating/modifying the needed records.


On Jul 10, 2012, at 7:11 PM, Johnson, Neil M neil-john...@uiowa.edu wrote:

We looked into DNS-SD, but with entries like this (example taken from an 
earlier e-mail from Oscar Silva at the Univ. of Texas, and confirmed by our 
own testing):


_airplay._tcp PTR utnet-appletv._airplay._tcp

utnet-appletv._airplay._tcp SRV 0 0 7000 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

utnet-appletv._airplay._tcp TXT deviceid=28:E7:CF:DB:6E:E0 features=0x39f7 model=AppleTV2,1 pw=1 srcvers=120.2

_raop._tcp PTR 28E7CFDB6EE0@utnet-appletv._raop._tcp

28E7CFDB6EE0@utnet-appletv._raop._tcp SRV 0 0 49152 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

28E7CFDB6EE0@utnet-appletv._raop._tcp TXT txtvers=1 ch=2 cn=0,1,2,3 da=true et=0,3 md=0,1,2 pw=true sv=false sr=44100 ss=16 tp=UDP vn=65537 vs=120.2 am=AppleTV2,1 sf=0x4

_appletv-v2._tcp PTR 35CF2488F02660B1._appletv-v2._tcp

35CF2488F02660B1._appletv-v2._tcp SRV 0 0 3689 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

35CF2488F02660B1._appletv-v2._tcp TXT txtvers=1 hG=-06f6-4f5d-0171-0bcc51d34d14 MniT=167845888 fs=2 Name=utnet-appletv PrVs=65538 DFID=2 EiTS=1 MiTPV=196611

_sleep-proxy._udp PTR 70-35-60-63\032utnet-appletv._sleep-proxy._udp

70-35-60-63\032utnet-appletv._sleep-proxy._udp SRV 0 0 55597 utnet-appletv.bonjour.utexas.edu. ; Replace with unicast FQDN of target host

70-35-60-63\032utnet-appletv._sleep-proxy._udp TXT



required for every Apple TV (and no direction from Apple on what 
entries/fields are actually required) our DNS admins were ready with pitch 
forks and torches if we attempted to saddle them with the responsibility of 
trying to maintain records for 100's of such devices (not to mention printers, 
etc.).

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa

RE: [WIRELESS-LAN] Android wifi continually receiving data bursts

2012-07-09 Thread Danner, Mearl
Ditto that. I've seen that on both my current Android and the Palm I had 
previously.

One other thing concerning wireless. We use WPA2 Enterprise. My Droid (HTC 
Incredible) had a credentials storage password. Every reboot required that I 
enter that password before the 802.1X credentials were provided for wireless. 
Continually trying to associate and failing before I entered that password 
would drain my battery quickly. That behavior seems to have changed on one of 
the recent updates.

Mearl

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ethan Sommer
Sent: Monday, July 09, 2012 7:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android wifi continually receiving data bursts

My experience would also point to low cellular signals rather than wifi. Ask 
him to turn off wifi for a day and see if battery life improves, my guess is 
that it won't be much better.


On 07/08/2012 10:26 PM, Scott Smith wrote:
I have not seen such an issue, yet.  I have seen that our campus buildings 
suck the battery life as the cellular signal levels are very low and in-turn 
the Android device is searching their primary signal carrier all day.  I'm not 
at all dismissing your question or the possibility of this happening, I'm just 
putting out there what I've seen so far in our buildings.  If I get other 
reports I'll let you know.
On Sun, Jul 8, 2012 at 6:12 PM, Wright, Don donald_wri...@brown.edu wrote:
  I've heard this same complaint from a user on our campus.  He claims his 
droid lasts all weekend on his home wireless, but runs down in a day on our 
campus.  I'm not sure why this would be, assuming he runs the same apps all the 
time.  My only thought was that his wi-fi driver was actively scanning 
(aggressive roaming) the other access points he would see here looking for 
better signal.  Anyone have any other ideas ?
-
Don Wright
Brown University



On Tue, Jul 3, 2012 at 5:07 PM, Hurt,Trenton W. trent.h...@louisville.edu wrote:
I have started getting complaints from users regarding battery life on android 
devices when connected to our campus wifi.  The issue is being seen when you 
install a type of bandwidth meter app on the device.  The one I use is  android 
status and I look at the network section to see the Rx and Tx statistics.  Once 
connected to wireless the device still receives bursts of traffic, at least 
according to the app on the device.  We are cisco wifi shop and I'm running 
7.2mr1 code on the wlc's.  Has anyone else heard or seen this issue?


I found this post  http://forum.xda-developers.com/showthread.php?t=1738171   
which states...

This is simply because your wifi antenna still hears the data going through 
the wireless network on which you are connected. Even if your phone doesn't 
ask for any data at the moment the traffic there is on the network will still 
be counted by the wifi chip on your phone.

It will be the same on any public network or if you have another phone or a 
computer connected on the same wireless router and generating traffic.


I have tried to increase the DTIM setting on one of the wlans and it didn't 
help.  Any suggestions?

Thanks
Trent



Trenton Hurt, CWNA, CCNP(W), CCNA(W), CCNA(V), CCNA(R/S)
Wireless Network Administrator
University of Louisville
Phone (502) 852-1513
FAX (502) 852-1424





--

Ethan Sommer

Associate Director of Core Services

Gustavus Technology Services

507-933-7042

RE: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

2012-07-05 Thread Danner, Mearl
Most Mac users have partaken of the Kool-Aid. They believe Apple – not us!!

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of jkaf...@utica.edu
Sent: Thursday, July 05, 2012 8:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support 
for instructors.

Has anyone tried not supporting Bonjour and directing users who complain to 
Apple?  Perhaps if we all did that it would get Apple's attention.

John Kaftan
Infrastructure Manager
Utica College

- Reply message -
From: Andy Voelker avoel...@email.wcu.edu
Date: Thu, Jul 5, 2012 8:23 am
Subject: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for 
instructors.
To: WIRELESS-LAN@listserv.educause.edu

Ours completely denied the existence of a possible issue.  Of course, you could 
see in his eyes that his answer was somewhat forced...

-- Andy Voelker
Manager of Student Computing in the Technology Commons
WCU Staff Senator
Western Carolina University
Check the status of your IT requests at any time at http://help.wcu.edu/ !


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kellogg, Brian D.
Sent: Tuesday, July 03, 2012 5:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support 
for instructors.

I did and it was less productive than spitting into the wind.  They really 
don't care and have the attitude that the consumer demand will dictate others 
find solutions to their protocol deficiencies.  At least that was my 
impression.  It still befuddles me you just can't plug in a FQDN or IP address 
for Airplay to connect to.

Brian


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman 
[lhbad...@syr.edu]
Sent: Tuesday, July 03, 2012 10:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: You knew it was coming...Airplay/Apple TV support for instructors.

Has anyone else attempted to voice concern to their Apple reps about their 
non-business-class features and reliance on Bonjour on these gadgets? I know 
they seem to listen to no one, and given their market share likely feel like 
they don't have to. But is anyone making the attempt to get feedback to Apple?

The thought of architecting around non-standards-based toys just feels 
unpleasant.

-Curious in Syracuse



Lee H. Badman

Wireless/Network Engineer

Information Technology and Services

Adjunct Instructor, iSchool

Syracuse University

315 443-3003




-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Tuesday, July 03, 2012 10:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support 
for instructors.

Mike,

For a one off and minimal investment, I would bring up an Open-WRT or DDRT AP 
(or any affordable AP that is capable of doing WPA2-enterprise) independent 
from your regular infrastructure and make people join a dedicated subnet for 
that room (use NAT, and WPA2-enterprise).
Connect the Apple TV to the wired port of the AP and broadcast a dedicated SSID.
With WPA2-enterprise joining your RADIUS server you can make it secure.

It is a dirty solution, electromagnetically speaking, but quick.

If the conference room has too many users for one AP, create a dedicated SSID 
just for that conference room on your existing infrastructure and terminate the 
VLAN of that SSID on the same VLAN as the AppleTV

Philippe Hanset
Univ. of TN
www.eduroamus.org

On Jul 3, 2012, at 9:06 AM, Mike King wrote:

 So I have Cisco Wireless, and I've just been asked to make Airplay work in a 
 conference room.  We do not have multicast enabled (anywhere).

 Asking for details, I've been told it's only this one conference room.
 (I somewhat believe this, as it's the only one that has a projector that
 gets any use)

 Suggestions for this as a one off?  I have ideas on what to do for a 
 campus wide deployment, but that will take me significantly longer to deploy, 
 and my boss is asking me to have this done this week.

 Right now, we have a single WPA2/enterprise SSID, and the apple TV
 will most likely be wired (not required)

 Mike

RE: [WIRELESS-LAN] ATT WiFi

2011-07-21 Thread Danner, Mearl
Verizon's new contracts have no unlimited plans - as of July 17 IIRC. 2 gig is 
the base smartphone plan. Found that out when daughter graduated to smartphone 
;o)

Sprint still advertises unlimited plans.

Mearl


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Thursday, July 21, 2011 1:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ATT WiFi

Shouldn't Universities foot the Wi-Fi bill and make ATT pay to carry the SSID?
(ATT needs that capacity anyway if they want to service those thousands of 
people
with smartphones)
That will give Universities the freedom to carry additional services when the 
time comes.

Another thing to remember: ATT has limits on their 3G data plan of 2 Gigs (or 
4 Gigs if you have the hotspot plan)
(with the exception of grandfathered customers that have unlimited plans)

Verizon and Sprint provide unlimited data over 3G on smartphones.

So, it is in the interest of ATT customers to join Wi-Fi if they don't want to 
exhaust their quotas and pay $10/extra Gig.
Looking at these 2 cost models (Sprint/Verizon VS ATT),  it looks like ATT 
needs the Wi-Fi capacity to sustain the demand.
Or is it that they just want to provide a better experience on 3G and offload 
data as much as possible to Wi-Fi
by providing incentives?

I experienced a few days ago an interesting problem: I was trying to download 
an iTunes album
and received a message warning me that files larger than 20 Mbytes have to be 
downloaded over Wi-Fi.
This was with an iPhone on ATT.
Not being in proximity of a free Wi-Fi hotspot, I had to turn on the hotspot 
feature of my iPhone, and use iTunes
on my laptop, over the same 3G network. No limit this time ;-)

Why is ATT so afraid of data usage?

Philippe




On Jul 21, 2011, at 1:30 PM, Dewitt Latimer wrote:


The stadium DAS projects with WiFi where the lead integrator is covering the 
cost of the WiFi are usually locked down in one form or another.  The lead 
integrator would have no way to recover their investment if it was left wide 
open. Most schools have not built out WiFi in stadiums except in limited ways 
(eg ticket scanners, POS, other locked-down infrastructure needs). You get the 
occasional club boxes that have WiFi that is locked with a common key (usually 
give us more money). So unless the school is going to foot the WiFi cost for 
7 days a year (which they're not), I don't see what the big deal is for stadium 
WiFi being parceled out to the carriers.

I also don't fault ATT for being out in the lead for having a pretty well 
branded WiFi hotspot service. I wish the others would catch up!

-d

On Thu, Jul 21, 2011 at 1:20 PM, Holland, Ryan C. holland@osu.edu wrote:
To answer Lee's question, yes, there has been value. The transient users that 
use the attwifi service are the responsibility of ATT and not the university. 
This is a value-add for us.


==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906   holland@osu.edu

Submit a Kudos to an OCIO employee! 
http://www.surveygizmo.com/s/514095/giveociokudos

On Jul 21, 2011, at 1:08 PM, Lee H Badman wrote:


This is where I gotta plug our Bluesocket box for guest access. They worked 
with us to develop a simple SMS you your password mechanism, and I can't 
imagine a simpler guest portal for people to use. The ATT model does seem 
interesting, but to Philippe's point, I'm not digging the single carrier thing.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Thursday, July 21, 2011 1:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ATT WiFi

Overlaying ATT Wi-Fi over the wireless network to me seems like the same 
problem as
a vendor specific DAS.
Only ATT customers can really use the infrastructure unless you are willing to 
pay a la carte for the service.
What's next? Verizon Wi-Fi, Sprint Wi-Fi... or a web page where you have to 
pick the vendor of your choice
in a long list (highly sensitive to MITM).
With models like eduroam, at least all R&E people can join the network while 
traveling around.

What we really need is eduroam for other users as well! (I'm working on it ;-)

Philippe

Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org



On Jul 21, 2011, at 12:28 PM, Dewitt Latimer wrote:

As a person who travels to many campuses, I can tell you that having my iPhone 
auto-associate with a campus WiFi is a whole lot nicer than having to bug my 
hosts to sponsor me for a guest wireless account.

So I think the real way to look at this is (1) how many guests do you have to 
your campus, (2) do you care 

RE: [WIRELESS-LAN] Active Directory authentication for loaned out laptops over wireless

2011-07-20 Thread Danner, Mearl
Is “Always wait for the network at computer startup and logon” set as shown in 
the link below?

http://support.microsoft.com/kb/305293


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Craig Simons
Sent: Wednesday, July 20, 2011 1:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Active Directory authentication for loaned out laptops 
over wireless

All,

Our library signs out XP laptops for student use. These laptops are set for 
authenticate as computer when computer information is available and should 
reauthenticate with the user's credentials once they log into the machine. 
However, we've had frequent complaints that AD is not reachable over wireless, 
rendering the laptop unusable (it's a loaned laptop that has not been used 
previously by the user and thus does not have any cached credentials). If the 
machine is shelved for 10 minutes or so and rebooted, it seems to clear the 
problem. Our library is a very dense and challenging area to cover with 
wireless, and while there is adequate area coverage, there are density issues 
that are no doubt present.

That being said, I'm not convinced that this is entirely a wireless problem, 
but more a Windows/AD problem with a wireless component to it.

Does anyone have any experience with this type of situation and could offer 
some advice?

Regards,
 Craig

--
Craig Simons
Network Operations
Simon Fraser University
Burnaby BC, Canada
em. craigsim...@sfu.ca
ph. 778-782-8036
ce. 604-649-7977
tw. twitter.com/simonscraig
--

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.


RE: [WIRELESS-LAN] iOS devices on wireless

2011-06-24 Thread Danner, Mearl
Amen to that!!

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Friday, June 24, 2011 11:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iOS devices on wireless

Would be nice if Apple updated Bonjour or ditched it and got with the fact that 
enterprise networks are not built on Airports and single subnets...




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey Sessler 
[j...@scrippscollege.edu]
Sent: Thursday, June 23, 2011 2:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iOS devices on wireless

Bruce,

I'm not sure I'm advocating large wireless networks at all... At the minimum, 
ensuring a given user's devices are all in the same L2 network doesn't change 
your desire to use smaller /23 subnets, it only requires additional back-end 
support to ensure those devices are placed together. Probably more work for IT 
staff, and potentially less efficient IP pool use, but I'd argue it will 
provide a better customer experience.

Even the desire to group devices within a given residential hall together 
doesn't mandate a change in the size of your subnets, although I suspect that 
would depend more on the size of your housing units. Our residential halls are 
80-100 beds, so an easy fit within smaller subnets.

Jeff

 Osborne, Bruce W bosbo...@liberty.edu 6/23/2011 5:32 AM 
Jeff,

Large wireless subnets increase airtime consumed by broadcast traffic. That is 
why we use a VLan pool of /23 subnets.

The clients are distributed automatically based on a hash of the MAC address & 
the number of subnets in the pool, so we cannot easily control which subnet a 
user gets.

Changing the number of subnets in the pool recalculates everybody's subnet too, 
so we make sure we have plenty of capacity.


Bruce Osborne
Wireless Network Engineer
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011


-Original Message-
From: Jeffrey Sessler [mailto:j...@scrippscollege.edu]
Sent: Wednesday, June 22, 2011 4:30 PM
Subject: Re: iOS devices on wireless

Bruce,

You could, by any number of technical solutions, ensure that students within a 
given residential space were all on the same L2 network. That is to say, if a 
given residence hall is made up of 200 students, then it's not technically 
difficult to ensure all the residential wireless devices within that area are 
placed in the same VLAN. Or, at a minimum, to ensure that a user's device(s) 
will always be in the same L2 network so that they can see each other. If one 
can't do that, then I wouldn't consider the wireless solution to be very 
flexible, especially given the trend in devices wanting/needing to talk to each 
other.

On my campus, students spend four years of their life in what we consider a 
residential setting, and it seems only logical to me that the experience 
should, to the extent possible, mimic home life. That is, it's reasonable to me 
to expect a student's wireless devices to see each other, and that they should 
be able to share/collaborate with the other users within their residential hall.

I know that if I was back in college, I'd expect that level of functionality, 
and if it wasn't there, I'd probably make it happen using my own gear... 
exactly what you don't want happening.

Jeff


 Osborne, Bruce W bosbo...@liberty.edu 6/22/2011 4:55 AM 
We here at Liberty University have about 8000 students in our residences, the 
vast majority using wireless.

That would be a *huge* L2 network.

Bruce Osborne
Wireless Network Engineer
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

-Original Message-
From: Jeffrey Sessler [mailto:j...@scrippscollege.edu]
Sent: Tuesday, June 21, 2011 3:05 PM
Subject: Re: iOS devices on wireless

Mike,

I take it you are not able to reference housing data and then place all 
students/student devices from the same residential hall into the same VLAN?

Jeff

 Michael Dickson mdick...@nic.umass.edu 6/21/2011 11:18 AM 
On Jun 21, 2011, at 2:04 PM, Jeffrey Sessler wrote:

 My belief is that a student should be able to have a similar experience when 
 in a residential hall as they would at home. That requires supporting 
 everything under the sun including Bonjour.

Unfortunately our enterprise network is sufficiently different enough that the 
user cannot have a similar experience as they would at home.

At home all of their devices are segregated in an L2 network. All their 
neighbors' devices are in their own L2 network, etc. They can browse and 
discover all the devices in their house but not (hopefully) the devices in 
their neighbors'. Here at UMass their L2 domain is huge and includes mostly 
unknown devices. Plus, thanks to 

RE: Wireless design

2011-06-10 Thread Danner, Mearl
We have a separate address space (Class B private) for wireless. We also use 
IAS policies on 802.1x to place students in a separate subclass within it. The 
student wlan has an ACL that protects our AD domain resources from unprotected 
machines.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Entwistle, Bruce
Sent: Wednesday, June 08, 2011 5:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless design

We will soon be migrating our wireless network from Cisco autonomous 1231 APs 
to a combination of Cisco 3502i along with some of the existing 1231 APs 
converted to lightweight. As we prepare for this we are looking at how to 
best architect the new network. The new network will cover the entire campus 
which consists of approx 50 buildings, with each building having its own VLAN.

The initial idea was to install the APs so the IP address of the AP would be a 
part of the local building VLAN.  This is the IP the AP would use to talk back 
to the controller.  For user connections there would be two VLANs created which 
would be accessed through a single SSID.  The users would then be dynamically 
assigned to one of the two VLANs based on their logon credentials.  Currently 
all users are placed on the same VLAN after authentication, as our current 
installation is not capable of dynamic VLAN assignment.  There is currently 
only a single SSID in place.

I would be interested to know what others have done and how successful it was.


Thank you
Bruce Entwistle
Network Manager
University of Redlands


** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.




RE: [WIRELESS-LAN] option 43 for finding master controller

2011-06-02 Thread Danner, Mearl
We use it globally for our Cisco LWAPPs, but not per scope. The ISC server is a 
bit ticky about using class declarations. I worried with it (not pertaining to 
LWAPPS) several years ago. The manner of declaring and using them is not 
intuitive. 

Could you show us relevant areas of your dhcpd.conf (obfuscated if necessary)? 
Might bring back an unfond memory of the struggle.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ken Connell
Sent: Thursday, June 02, 2011 7:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] option 43 for finding master controller

Is anyone using this on a per-scope basis with an ISC DHCP server ?

We're an Aruba shop and currently find our masters via dns, but are also 
exploring giving the master controller address via DHCP option 43. 

We currently have this working on a limited basis and have it defined in a 
particular scope, but have found that it seems to be working as a global 
option. 

So, an AP that gets DHCP from this server via a different subnet and therefore 
a different scope that does not have the subclass details for the master 
controller defined, in the end still gets the IP address as defined in a 
different scope.

I'm wondering if this is just how it works ? or can I define different master 
controllers on a per-scope basis ?

   
Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



RE: [WIRELESS-LAN] option 43 for finding master controller

2011-06-02 Thread Danner, Mearl
Here's ours - at the top of dhcpd.conf. We got it from:

 
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808714fe.shtml

# Vendor option space for the APs; sub-option 241 carries the controller list
option space Cisco_LWAPP_AP;
option Cisco_LWAPP_AP.server-address code 241 = string;

# Matches APs by the vendor class identifier they send (DHCP option 60)
class "Cisco AP c1130" {
   match if option vendor-class-identifier = "Cisco AP c1130";
   option vendor-class-identifier "Cisco AP c1130";
   vendor-option-space Cisco_LWAPP_AP;
   option Cisco_LWAPP_AP.server-address ac:1e:00:0d:ac:1e:00:96:ac:1e:00:97:ac:1e:00:98:ac:1e:00:99;
}

My assumption would be to declare the class definitions at the top and move the 
option line to the scope.

Can't remember why we hex encoded the controller addresses.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ken Connell
Sent: Thursday, June 02, 2011 10:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] option 43 for finding master controller

The following is at the top of my dhcpd.conf:
option serverip code 43 = ip-address;
class "vendor-class" {
    match option vendor-class-identifier;
}
.
.
.
Scope is as follows:
subnet 10.16.0.0 netmask 255.255.254.0
{
    option broadcast-address 10.16.1.255;
    option domain-name "rbb.ryerson.ca";
    option domain-name-servers 141.117.100.1, 141.117.100.4;
    option routers 10.16.0.1;
    range 10.16.0.5 10.16.0.9;
    default-lease-time infinite;
    max-lease-time infinite;
    subclass "vendor-class" "ArubaAP" {
        option vendor-class-identifier "ArubaAP";
        #
        # option serverip loopback-IP-address-of-master-controller
        #
        option serverip 10.10.10.1;
    }
}



Ken Connell
Intermediate Network Engineer
Computer & Communication Services
Ryerson University
350 Victoria St
RM AB50
Toronto, Ont
M5B 2K3
416-979-5000 x6709

- Original Message -
From: Danner, Mearl jmdan...@samford.edu
Date: Thursday, June 2, 2011 9:48 am
Subject: Re: [WIRELESS-LAN] option 43 for finding master controller
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU


 We use it globally for our Cisco LWAPPs, but not per scope. The ISC 
 server is a bit ticky about using class declarations. I worried with 
 it (not pertaining to LWAPPS) several years ago. The manner of 
 declaring and using them is not intuitive. 
  
  Could you show us relevant areas of your dhcpd.conf (obfuscated if 
 necessary)? Might bring back an unfond memory of the struggle.
  
  -Original Message-
  From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ken Connell
  Sent: Thursday, June 02, 2011 7:42 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: [WIRELESS-LAN] option 43 for finding master controller
  
  Is anyone using this on a per-scope basis with an ISC DHCP server ?
  
  We're an Aruba shop and currently find our masters via dns, but are 
 also exploring giving the master controller address via DHCP option 
 43. 
  
  We currently have this working on a limited basis and have it defined 
 in a particular scope, but have found that it seems to be working as 
 a global option. 
  
  So, an AP that gets DHCP from this server via a different subnet and 
 therefore a different scope that does not have the subclass details 
 for the master controller defined, in the end still gets the IP 
 address as defined in a different scope.
  
  I'm wondering if this is just how it works ? or can I define different 
 master controllers on a per-scope basis ?
  
 
  Ken Connell
  Intermediate Network Engineer
  Computer & Communication Services
  Ryerson University
  350 Victoria St
  RM AB50
  Toronto, Ont
  M5B 2K3
  416-979-5000 x6709
  
  

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
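
The server-address value in the Cisco dhcpd.conf posted in this thread is a 20-byte string. As an added example (not code from the thread, Cisco or ISC), the Python below decodes it into controller addresses, builds the code/length/value form that sub-option 241 takes inside DHCP option 43, and checks the advertised controllers against an approved list. The approved network 172.30.0.0/24 and the function names are assumptions made for the illustration.

```python
import ipaddress
import string

# Sub-option code 241 (0xf1), as declared in the dhcpd.conf posted in the thread.
LWAPP_SUBOPTION = 0xF1

# The server-address value exactly as it appears in the posted dhcpd.conf.
POSTED_VALUE = "ac:1e:00:0d:ac:1e:00:96:ac:1e:00:97:ac:1e:00:98:ac:1e:00:99"


def parse_colon_hex(text):
    """Turn a dhcpd.conf colon-separated hex string into raw bytes."""
    octets = []
    for part in text.strip().rstrip(";").split(":"):
        if not 1 <= len(part) <= 2 or any(c not in string.hexdigits for c in part):
            raise ValueError(f"bad hex octet: {part!r}")
        octets.append(int(part, 16))
    return bytes(octets)


def decode_controllers(value):
    """Split a sub-option value into IPv4 controller addresses (4 bytes each)."""
    if not value or len(value) % 4:
        raise ValueError("controller list must be a non-empty multiple of 4 bytes")
    return [ipaddress.IPv4Address(value[i:i + 4]) for i in range(0, len(value), 4)]


def encode_option43(controllers):
    """Build the option 43 payload: code 0xf1, length, then the packed addresses."""
    value = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not value or len(value) > 255:
        raise ValueError("need between 1 and 63 controller addresses")
    return bytes([LWAPP_SUBOPTION, len(value)]) + value


def parse_option43(payload):
    """Walk the code/length/value sub-options and reject truncated data."""
    subopts = {}
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        code, length = payload[pos], payload[pos + 1]
        end = pos + 2 + length
        if end > len(payload):
            raise ValueError("sub-option length overruns the payload")
        subopts[code] = payload[pos + 2:end]
        pos = end
    return subopts


def unexpected_controllers(payload, approved_networks):
    """Return advertised controllers that fall outside the approved networks."""
    nets = [ipaddress.ip_network(n) for n in approved_networks]
    value = parse_option43(payload).get(LWAPP_SUBOPTION)
    if value is None:
        raise ValueError("payload carries no sub-option 241")
    return [ip for ip in decode_controllers(value)
            if not any(ip in net for net in nets)]


if __name__ == "__main__":
    controllers = decode_controllers(parse_colon_hex(POSTED_VALUE))
    print("controllers in posted config:", [str(ip) for ip in controllers])

    payload = encode_option43(controllers)
    print("option 43 payload:", payload.hex(":"))

    # Assumed approved management network for the controllers (not from the thread).
    approved = ["172.30.0.0/24"]
    print("unexpected:", unexpected_controllers(payload, approved))

    # Constructed payload that also advertises an address outside that network.
    odd = encode_option43(["172.30.0.13", "10.10.10.1"])
    print("unexpected:", [str(ip) for ip in unexpected_controllers(odd, approved)])
```

Run against the option 43 bytes from a captured DHCP offer, the same check shows which controllers an AP on a given subnet is actually being handed.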



RE: Experiences with Cypress Envirosystems wireless product?

2011-05-24 Thread Danner, Mearl
From 
http://www.cypressenvirosystems.com/wp-content/uploads/2010/07/Wireless-Pneumatic-Thermostat-Wireless-and-Server-FAQ.pdf

Q. What is the RF transmit output power of the WPT?
A. The peak output power is +20dBm (100mW).

Q. Does the WPT radio cause interference with other existing wireless devices?
A. Extensive testing has shown that our wireless solution has no discernable 
impact on
other wireless technologies, such as Bluetooth and Wi-Fi. One of the key 
reasons is the
low duty cycle of 1/6. The WPT only transmits for 1ms out of every 60 
seconds
maximum. Most applications transmit only 1ms every 15 minutes. Another reason is
that the WPT radios detect the presence of RF energy from other sources, and
automatically change channels to find a part of the spectrum that is unused

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeff Paynter
Sent: Tuesday, May 24, 2011 9:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Experiences with Cypress Envirosystems wireless 
product?

It would be interesting to know what the maximum power level is for these 
radios, 1mW, 10mW, 100mW?  Also are these radios using the entire spectrum from 
2.407GHz to 2.467GHz or are they using some type of frequency hopping?  Either 
way it will be noise for the Wi-Fi 802.11b/g/n 2.4GHz, just how much?  
Unfortunately the only way to verify the amount of noise would be to setup a 
lab test environment with a spectrum analyzer.  Wonder if there are any other 
vendors using a frequency outside of the 2.4GHz range?

Thanks,

Jeff Paynter
Senior IT Analyst
Duke University Health System


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dave Barr
Sent: Tuesday, May 24, 2011 9:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Experiences with Cypress Envirosystems wireless 
product?

I second this request, our facilities folks at Cornell are considering doing 
the same; one is an installation of Cypress in a large building with 100% Wi-Fi 
coverage where the primary means of network access is Wi-Fi.   The 
building will require installing 110 thermostats and 8 repeaters.   Does 
anyone have an installation Cypress of this size on their campus?   Other 
wireless thermostat vendor that is working out well with your Wi-Fi system?  
Maybe on the 900MHz ISM band?  

Thanks,

Dave Barr

***
Cornell Information Technologies   http://www.cit.cornell.edu

David Barr - Information Technology Specialist  
Email: d...@cornell.edu
Phone:  607 255-4703

***



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Gogan, James P
Sent: Monday, May 23, 2011 2:59 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Experiences with Cypress Envirosystems wireless product?

Our Utilities folks are looking at deploying the Cypress Envirosystems Wireless 
Pneumatic Thermostat system on campus for remote temperature monitoring and 
control. As is so often (too often?) the case with systems like these, (a) 
they use the 2.4GHz DSSS band (frequencies from 2.407 to 2.467 Ghz) and (b) 
they're not 802.11/Wi-Fi technologies, but rather their own wireless technology.

Their literature maintains that Extensive testing has shown that our wireless 
solution has no discernable impact on other wireless technologies, such as 
Bluetooth and Wi-Fi, but for some reason, I tend to discount vendor testing 
that doesn't include all of their test methodologies or results.

So, have any of you all had any experience with these devices and, if so, seen 
any impacts either from these devices on wi-fi or from wi-fi systems on these 
devices?   (We get the blame no matter which way the impact.)  According to the 
vendor, these systems are deployed at UCal-Berkeley, Clemson, Stanford and 
UCLA, so if there are any folks from those institutions out there, please let 
me know your experiences (or if you were even aware that these were out there).

As always, thanks in advance!

-- Jim Gogan
Director, Networking / ITS
University of North Carolina at Chapel Hill

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Spectrum Analyzer

2011-04-21 Thread Danner, Mearl
Has anyone used MetaGeek's Wi-Spy DBx tool?

If not, other suggestions would be appreciated.

Thanks

Mearl Danner
Systems Programmer
Samford University Technology Services
http://www.samford.edu

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


RE: Unknown Interfering Device

2011-04-19 Thread Danner, Mearl
Radio control cars and airplanes use FHSS on 2.4 GHz also. Exactly how the 
frequencies are chosen depends on manufacturers. Airplane transmitters are for 
up to 1.5 miles and usually around 100 mW.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Barber, Matt
Sent: Tuesday, April 19, 2011 11:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Unknown Interfering Device

Hi all,

I am currently troubleshooting an issue in one of our residence halls that 
appears to be related to some kind of non-802.11 wireless device. Cognio (now 
Cisco of course :) ) Spectrum Expert shows an unknown 2.4 GHz device, sometimes 
taking up to 90% of the duty cycle on seemingly random channels in 2.4 GHz. It 
has affected every channel between 1 and 13, and is always very strong and busy.

I have seen cordless phones, video cameras, and microwaves interfere in the 
past, but this doesn't quite look like those. Cognio doesn't match it to a 
signature either. Anybody seen anything like this, especially recently? This 
problem apparently started a few weeks ago, so I am wondering if someone 
brought something new and shiny back after spring break.

Thanks!

Matt Barber
Network and Systems Manager
Morrisville State College
315-684-6053

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.




RE: [WIRELESS-LAN] Active Directory and LDAP at the same time. Or... just LDAP with 802.1x.

2010-10-12 Thread Danner, Mearl
What kind of AAA server are you using? If IAS, a possibility would be to set up 
a freeradius server to proxy the AD requests to IAS and handle the LDAP 
requests locally. I'm not sure if the configuration options in freeradius allow 
that configuration, but perhaps some of the Wireless Lan members that use 
freeradius can chime in.

Disclaimer - We've been wholly IAS since we moved all of our users from 
eDirectory to AD and haven't used freeradius since.

Mearl

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Tuesday, October 12, 2010 2:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Active Directory and LDAP at the same time. Or... just 
LDAP with 802.1x.

Here's the backdrop for my questions:

For 802.1x authentication on the WLAN, we use PEAP w/ MS-CHAPv2, against our AD 
environment. This works wonderfully and always has.

The rub- we have a set of users not in AD- they are in our ED (LDAP). I'll 
thank you not to ask why.

These LDAP credential folk cannot use the 802.1x setup as it is, as they are 
not in AD. LDAP lookups aren't possible because PEAP w/ MS-CHAPv2 doesn't work 
with LDAP.

Potential options:

-  add support for TTLS/PAP against LDAP on a new SSID (yuck)
-  add support for TTLS/PAP on current SSID to make it support two EAP 
types (never done it here)
-  insist that everyone be AD (politics)
-  insist that everyone be in LDAP and go to TTLS/PAP globally

This is not a terribly important issue right now, but looking down the road it 
will come up and so I'd like to get my thoughts lined up.

Does anyone else use a single SSID with two EAP types? Or have AD and LDAP both 
at play in any other way? Anyone using TTLS/PAP that can comment on its 
suitability and reliability versus PEAP w/ MS-CHAPv2?


Thanks-

Lee Badman

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.




RE: Palm Pre Plus Wireless 802.1x connection

2010-09-13 Thread Danner, Mearl
I get an association failed on the Palm. I’ve imported the full certificate 
chain from our IAS/Radius server.

I wonder if it’s because we’re still using 802.1x WEP rather than WPA. There 
don’t seem to be many configuration options that I can find on the Palm.

Mearl


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Chad Burnham
Sent: Monday, September 13, 2010 9:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Palm Pre Plus Wireless 802.1x connection

HI Mearl,

We have it working - I use a Palm Pre myself – WPA2-ENT
I am on 1.4.5 it worked fine on 1.4.X

Also, we had to fingerprint the device/WebOS with Impulse (use that for our 
NAC).

Chad

Chad D Burnham
Network Planner
University of Denver
University Technology Services
2100 South High Street
Denver CO 80208
303-871-4441 = Desk
303-520-5657 = PCS/Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Danner, Mearl
Sent: Monday, September 13, 2010 7:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Palm Pre Plus Wireless 802.1x connection

Anyone out there have any experience connecting a Palm Pre Plus using 802.1x to 
your wireless networks?

It’ll connect to WPA personal, but not to our 802.1x using WEP.

WebOS version is 1.4.1.1


Mearl Danner
Systems Programmer
Samford University Technology Services
http://www.samford.edu






RE: [WIRELESS-LAN] Cutting way back on Cisco APs- turns out they have a lot more potential output than we thought

2010-08-30 Thread Danner, Mearl
Good! We can get rid of all of ours and use yours!!!

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Chuck Enfield
Sent: Monday, August 30, 2010 10:19 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cutting way back on Cisco APs- turns out they have 
a lot more potential output than we thought

Evaporating all nearby clients should also help reduce the number of trouble 
calls.  RF design made easy!

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Monday, August 30, 2010 11:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cutting way back on Cisco APs- turns out they have a 
lot more potential output than we thought

Hopefully the graphic makes it... turns out we have the capability of getting a 
little better than 3.9 Million kilowatts out of our Cisco APs, so we may just 
install one in the middle of campus and pretty much cover the entire western 
hemisphere and parts of numerous galaxies:

[cid:image001.jpg@01CB482D.AC2F2490]


-Lee Badman



RE: [WIRELESS-LAN] Aruba vs HP vs Meraki

2010-04-12 Thread Danner, Mearl
 
 I just don't like the "this one feels hefty so it must be more
 reliable" line of reasoning. I would rather see test numbers and

I recall, in a past lifetime, disassembling a TI calculator that felt more 
substantial and finding a non-functional (except for the weight) steel plate 
under the keyboard.

Mearl


RE: AD over wireless

2010-04-07 Thread Danner, Mearl
Lee,

We have started using computer authentication as the preferred method with 
domain joined laptops. We set up a policy in our IAS servers to allow computer 
logons to connect to our 802.1x networks. It appears to work pretty well. We do 
change one setting in the local computer policy to make drive mappings more 
consistent.

Set Local Computer Policy\Computer Configuration\Administrative Templates\System\Logon\

"Always wait for the network at computer startup and logon" to enabled

That should take care of the software install issues. GPOs seem to work also. 
The computer will logon to wireless, pickup the computer policies and the user 
policies will run after the user logs on.

Seems to be a bit less bother to join them using a wired connection. You can 
also push the wireless configuration  with a GPO but we aren't doing so yet.

Vista versus XP has some differences so dependent on OS (especially with UAC on 
Vista) there might be a few headaches to line out.

Here's a thread that talks about some of it.

http://forums.techarena.in/vista-administration/705222.htm

Mearl





From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Wednesday, April 07, 2010 7:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] AD over wireless

We have been doing big, secure wireless for a number of years, but have yet to 
really explore AD over the WLAN. We are using PEAP w/ MS-CHAPv2 for EAP, and 
are starting a conversational collaboration between our AD and security folks 
and us on the network side.
Early questions that have come up (we've done no testing yet):


1.   Does the network stack come up in time to allow for domain laptops to 
get GPO policies and software installs that occur right away on startup?

2.   Can computer authentication instead of user authentication be done in 
our environment?

I know that some of you have gone ahead of the rest of us on AD over wireless, 
and so I appeal to your experience for some perspective.

As always- thanks.

-Lee Badman



Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003






RE: wireless labs

2010-01-20 Thread Danner, Mearl
Have you tried in gpedit.msc (can be done with GPO also) to set:

Computer Configuration\Administrative Templates\System\Logon

"Always wait for the network at computer startup and logon" enabled

It's supposed to be an XP setting, but is shown in gpedit in Vista. It's worked 
on our XP machines, but I personally haven't tried it on Vista.

Mearl


 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:wireless-...@listserv.educause.edu] On Behalf Of John York
 Sent: Wednesday, January 20, 2010 4:01 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] wireless labs
 
 Hi
 We are moving some of our labs from wired to wireless, but running into
 problems with the windows client.  (We run Vista in our labs now,
 hopefully will change to 7 before long.)  At present the machines
 autologin with cached credentials, then they authenticate to the
 wireless network.  This causes problems in drive mapping and running
 group policies.  We're trying to find a way to authenticate to the
 wireless at the machine level before any of the user level stuff runs.
 Years ago we did this with the Funk Odyssey client.  Is there a way to
 do that through windows, or does it still require a third-party client?
 Thanks
 John
 


RE: [WIRELESS-LAN] NAT Advice

2009-12-01 Thread Danner, Mearl
We use very few public addresses. Mostly for our core servers. All workstations 
are translated from private address spaces (10.x.x.x, 172.x.x.x) to several 
public addresses based on their IP subnet range. Public IP addresses are only 
available to VLANs in the datacenter.

We like the added security of our workstations not using publicly routed 
addresses. If we have one that needs a public address we can establish a static 
mapping public-to-private with our ASA.

We translate at the edge using our ASA firewall. Translations are logged to a 
syslog server. We retain logs for 90 days.

We also scripted saving a history of leases from our ISC dhcp server to help us 
match inside addresses to translated addresses.

So far we haven't found a need to get more sophisticated.

Mearl

 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:wireless-...@listserv.educause.edu] On Behalf Of William John
 Bigelow
 Sent: Tuesday, December 01, 2009 7:41 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] NAT Advice
 
 Heath,
 
 The clients are currently using public IP's.  As for the logging, we
 wish to be able to track all translations and perhaps hone it as
 necessary.
 
 Thanks,
 
 Bill
 
 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:wireless-...@listserv.educause.edu] On Behalf Of heath.barnhart
 Sent: Monday, November 30, 2009 2:33 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] NAT Advice
 
 Bill,
 
 So I'm understanding correctly, you are going to be NATing within your
 own network? Are your clients currently getting private or public IPs?
 What level of logging are you wanting to store (informational, all
 translations, etc)? Not sure I can offer much as we are just NATing at
 the perimeter, but these might be questions others might ask to help
 you.
 
 --
 Heath Barnhart
 Asst. Systems and Networking Admin
 Information Systems and Services
 Washburn University
 Topeka, KS 66621
 
 
 
 William John Bigelow wrote:
 
  Good morning,
 
  We are considering implementing NAT in our wireless network in order
  to conserve address space. We run a Cisco controller based WLAN and
  need to support approximately 6000+ users. I was hoping some of you
  could share your experiences.
 
  1. Thoughts regarding the best way to store logs (space allocation
  particularly comes to mind).
 
  2. Best practices for NAT implementation (we will probably use
 Juniper
  FW's).
 
  3. Pros/Cons of natting at the controller/subnet level vs. border
  firewall.
 
  4. Issues with NAT only on the residential WLAN.
 
  I look forward to your replies.
 
  - Bill
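
The correlation described in the reply at the top of this thread (ASA translation logs plus a saved DHCP lease history) can be sketched as below. This is an added example, not the poster's script: the ISO timestamp prefix, the host name asa1, the lease-history CSV layout, the function names and every address are constructed assumptions; only the 305011/305012 "Built/Teardown dynamic ... translation" message shape is the ASA's own.

```python
import re
from datetime import datetime

# Constructed sample: syslog lines as a collector might store them (ISO timestamps assumed).
ASA_LOG = """\
2009-12-01T09:14:02 asa1 %ASA-6-305011: Built dynamic TCP translation from inside:10.20.4.31/51544 to outside:198.51.100.10/40211
2009-12-01T09:14:40 asa1 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.4.31/51544 to outside:198.51.100.10/40211 duration 0:00:38
2009-12-01T13:02:10 asa1 %ASA-6-305011: Built dynamic TCP translation from inside:10.20.7.90/49877 to outside:198.51.100.10/40211
2009-12-01T13:03:10 asa1 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.20.7.90/49877 to outside:198.51.100.10/40211 duration 0:01:00
2009-12-01T13:10:00 asa1 %ASA-6-305011: Built dynamic TCP translation from inside:10.20.4.31/50001 to outside:198.51.100.10/40300
"""

# Constructed sample: lease history as start,end,ip,mac (layout is an assumption).
LEASE_HISTORY = """\
2009-12-01T08:00:00,2009-12-01T12:00:00,10.20.4.31,00:1B:63:AA:BB:01
2009-12-01T12:30:00,2009-12-01T16:30:00,10.20.4.31,00:21:5C:CC:DD:02
2009-12-01T11:00:00,2009-12-01T15:00:00,10.20.7.90,00:16:CB:EE:FF:03
"""

XLATE = re.compile(
    r"^(?P<ts>\S+) \S+ %ASA-6-(?:305011|305012): "
    r"(?P<verb>Built|Teardown) dynamic (?P<proto>TCP|UDP|ICMP) translation "
    r"from [^:\s]+:(?P<in_ip>[\d.]+)/(?P<in_port>\d+) "
    r"to [^:\s]+:(?P<out_ip>[\d.]+)/(?P<out_port>\d+)"
)


def parse_translations(log_text):
    """Pair each Built line with its Teardown so every record has a time window."""
    still_open, records = {}, []
    for line in log_text.splitlines():
        m = XLATE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        key = (m["proto"], m["in_ip"], m["in_port"], m["out_ip"], m["out_port"])
        if m["verb"] == "Built":
            rec = {"proto": m["proto"], "inside_ip": m["in_ip"],
                   "outside": (m["out_ip"], int(m["out_port"])),
                   "start": ts, "end": None}  # end stays None until torn down
            still_open[key] = rec
            records.append(rec)
        elif key in still_open:
            still_open.pop(key)["end"] = ts
    return records


def parse_leases(text):
    """Read the lease history into dicts with parsed times and lower-cased MACs."""
    leases = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, end, ip, mac = line.strip().split(",")
        leases.append({"start": datetime.fromisoformat(start),
                       "end": datetime.fromisoformat(end),
                       "ip": ip, "mac": mac.lower()})
    return leases


def attribute(out_ip, out_port, when, translations, leases, proto="TCP"):
    """Map (public ip, port, time) to (inside ip, mac); None when absent or ambiguous."""
    when = datetime.fromisoformat(when)
    hits = [t for t in translations
            if t["proto"] == proto and t["outside"] == (out_ip, out_port)
            and t["start"] <= when and (t["end"] is None or when <= t["end"])]
    if len(hits) != 1:
        return None  # the same public port is reused over time, so never guess
    inside_ip = hits[0]["inside_ip"]
    macs = {l["mac"] for l in leases
            if l["ip"] == inside_ip and l["start"] <= when < l["end"]}
    return inside_ip, (macs.pop() if len(macs) == 1 else None)


XLATES = parse_translations(ASA_LOG)
LEASES = parse_leases(LEASE_HISTORY)

if __name__ == "__main__":
    for port, when in [(40211, "2009-12-01T09:14:20"), (40211, "2009-12-01T13:02:30"),
                       (40300, "2009-12-01T13:15:00"), (40211, "2009-12-01T10:00:00")]:
        print(port, when, attribute("198.51.100.10", port, when, XLATES, LEASES))
```

The sample reuses public port 40211 for two inside hosts and reassigns 10.20.4.31 to a second MAC, which is why both lookups are bounded by the event time rather than keyed on address alone.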
 


RE: [WIRELESS-LAN] radius reporting

2009-02-24 Thread Danner, Mearl
Because using SQL for IAS accounting was so convoluted - not to mention
badly documented - we experimented with sending auth to IAS and
accounting info to freeradius - using daloradius to view stats.

 

It worked, but didn't get enough interest in having the accounting info
to complete the project.

 

Mearl

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Tupker, Mike
Sent: Tuesday, February 24, 2009 1:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] radius reporting

 

I did see that one but I am still holding out hope of finding something
a little more robust or at least open source. :) If I can't find an OSS
solution or something better I will probably go with IASviewer.

 

By the way, when I ran the trial version of iasviewer I tried it on
2008 and it seemed to work just fine.

 

Mike Tupker

Systems Administrator

Mount Mercy College

Office: (319) 363-1323 x1401

Mobile: (319) 538-1644

If you need assistance with a computer issue please contact the
helpdesk at x4357 or http://help.mtmercy.edu.

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Scholz, Greg
Sent: Tuesday, February 24, 2009 1:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] radius reporting

 

I've been using IASViewer for our IAS server. I am not sure if it works
for 2008 version. I also don't know if it can send notices but it does
allow for many report options.

http://www.deepsoftware.com/iasviewer/

 

 

_

Thank you,

Gregory R. Scholz

Director of Telecommunications

Information Technology Group

Keene State College

(603)358-2070

 

--If you don't have time to do it right, when will you have time to do
it over?

--Do not let what you cannot do interfere with what you can do.

- John Wooden

 

 

 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Tupker, Mike
Sent: Tuesday, February 24, 2009 1:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] radius reporting

 

We are using server 2008 network policy server for 802.1x
authentication. I was wondering if anyone knows of any good reporting
tools that can look at the MS radius logs and generate usage reports
and/or send notices when specific users sign on to the network? Currently
I've just been opening up the log files in notepad but that is getting a
little annoying, especially with large log files.

 

Mike Tupker

Systems Administrator

Mount Mercy College

Office: (319) 363-1323 x1401

Mobile: (319) 538-1644

If you need assistance with a computer issue please contact the
helpdesk at x4357 or http://help.mtmercy.edu.

 

 

 




RE: [WIRELESS-LAN] no db handles message on FreeRADIUS

2008-11-05 Thread Danner, Mearl
Seems I've seen topics about that on the freeradius list. Search the
archives or join and ask. There's a lot more experience available there.

 

http://www.mail-archive.com/[EMAIL PROTECTED]/

 

Mearl

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Hector J Rios
Sent: Wednesday, November 05, 2008 12:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] no db handles message on FreeRADIUS

 

Those of you running FreeRADIUS, have you ever run across this message
in your radius.log file? If so, were you able to solve the issues
associated with that message?

 

Info: rlm_sql (sql): There are no DB handles to use! skipped 0, tried to
connect 0

 

Thanks, 

 

Hector Rios

Louisiana State University

 

 




RE: [WIRELESS-LAN] Cisco lightweight APs and non-IOS DHCP for controller discovery

2008-10-31 Thread Danner, Mearl
And if you speak hex:

option space Cisco_LWAPP_AP;
option Cisco_LWAPP_AP.server-address code 241 = string;

class "Cisco AP c1130" {
   match if option vendor-class-identifier = "Cisco AP c1130";
   option vendor-class-identifier "Cisco AP c1130";
   vendor-option-space Cisco_LWAPP_AP;
   option Cisco_LWAPP_AP.server-address
      ac:1e:00:0d:ac:1e:00:96:ac:1e:00:97:ac:1e:00:98:ac:1e:00:99;
}

You don't need to prepend the f1 and length to the string. The ISC
server takes care of that.

Mearl

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Randall C
Grimshaw
Sent: Friday, October 31, 2008 10:38 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco lightweight APs and non-IOS DHCP for
controller discovery

This is the ISC DHCP configuration that we use to supply Cisco LWAPP
AP's with their controller address.

option space LWAPP;
option LWAPP.controller code 241 = ip-address;
class "LWAPP" {
  match option vendor-class-identifier;
}
subclass "LWAPP" "Cisco AP c1130"
{
  vendor-option-space LWAPP;
  option LWAPP.controller 10.1.0.9;
}
subclass "LWAPP" "Cisco AP c1200"
{
  vendor-option-space LWAPP;
  option LWAPP.controller 10.1.0.9;
}
subclass "LWAPP" "Cisco AP c1240"
{
  vendor-option-space LWAPP;
  option LWAPP.controller 10.1.0.9;
}
subclass "LWAPP" "Cisco AP c1241"
{
  vendor-option-space LWAPP;
  option LWAPP.controller 10.1.0.9;
}

Randall Grimshaw, Syracuse University, [EMAIL PROTECTED]

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Sylvain
Robitaille
Sent: Friday, October 31, 2008 11:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco lightweight APs and non-IOS DHCP for
controller discovery


posted to comp.dcom.sys.cisco and alt.internet.wireless, and mailed
to The EDUCAUSE Wireless Issues mailing list, with apologies to any
who see multiple copies as a result ...

This message is long (262 lines), and I apologize in advance for that.
However, I hope that it will provide missing information for anyone
having trouble getting Cisco lightweight wireless access points to
locate their controllers, using the DHCP vendor-specific option
(option 43) from third-party DHCP servers (such as ISC's dhcpd).

I am posting this on my last day in my current position as a wireless
network administrator (I'm moving on to a new systems-oriented job),
so I will be able to participate in any followups that will not include
further experimentation with configuration of the access points, or DHCP
attributes specific to them.

In the interest of (attempted) brevity (which I realize I failed to
accomplish!), I assume that the reader understands the sequence used
by the access points for LWAPP Discovery Protocol, and understands DHCP
and DNS.  I don't claim to be an expert on any of the above (please
don't email me directly with specific questions; there are mailing lists
and netnews groups for that, populated by folks who know a lot more than
I do), but I have successfully (and finally!) gotten this to work as it
should, using ISC's dhcpd running on Linux.

I struggled with this for more than a year, continually running into
a roadblock, and falling back to using a DNS resource-record for
CISCO_LWAPP_CONTROLLER.${domain}, which is fine for a relatively small
installation (our installation isn't very small, though).  Our
consultants (not from Cisco, but they would themselves consult with
Cisco) were at a loss for a proper solution to this problem, and
frequently resorted to pre-configuring access-points (allegedly on
Cisco's recommendation) with controller addresses.  Again, this approach
is not unreasonable for a small installation, but it simply does not
scale to larger installations with lots of wireless access points.

We started working with lightweight access-points late summer 2007,
when we started deploying a mesh network to surround our campuses,
and recently started upgrading our (approximately 360) stand-alone IOS
access-points (a mix of 350s, 1130s, 1230s, 1240s, and recently 1250s)
to lightweight AP1250s.  For controllers we have a mix of 4400-series
controllers and Wism blades.

We intended to configure our setup such that each campus would have
its own set of primary and secondary controllers, with a fail-over
to a controller normally serving another campus, and the outdoor
mesh network (AP1500 series access points) would have its own set
of controllers.  For this reason, using the DNS resource-record
(CISCO_LWAPP_CONTROLLER.${domain}) was deemed to be an unsuitable
approach to having our APs find their controllers (the DNS domain is
the same across our campuses).

The APs are not all on the same network segments that the controllers
are on, so the layer 3 broadcast approach to controller discovery
isn't suitable for us.  There are more access-points than is reasonable
for manual pre-configuration of each, and we are 
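
The hex string in the first reply of this thread is the controller addresses packed four bytes each; the post notes that ISC dhcpd adds the type (f1) and length itself. The following added example (not code from any poster) builds both forms, parses them back with length checks, and compares the advertised controllers against an allow-list; the function names and the allow-list are hypothetical, and only the hex value is taken from the post.

```python
import ipaddress

LWAPP_SUBOPTION = 0xF1  # sub-option code 241, as declared in the dhcpd.conf above

# Hex value copied from the post; everything else in this block is constructed.
POSTED_HEX = "ac:1e:00:0d:ac:1e:00:96:ac:1e:00:97:ac:1e:00:98:ac:1e:00:99"


def pack_controllers(addresses):
    """Pack IPv4 controller addresses, in order, as 4 bytes each."""
    value = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    if not value:
        raise ValueError("at least one controller address is required")
    if len(value) > 255:
        raise ValueError("value does not fit a one-byte length field")
    return value


def isc_hex_string(addresses):
    """Colon-separated hex for an ISC dhcpd 'string' option (no type/length)."""
    return ":".join(f"{b:02x}" for b in pack_controllers(addresses))


def full_tlv(addresses):
    """Type + length + value, for a server that needs the raw sub-option bytes."""
    value = pack_controllers(addresses)
    return bytes([LWAPP_SUBOPTION, len(value)]) + value


def parse_isc_hex(text):
    """Turn 'ac:1e:00:0d:...' into raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def parse_value(value):
    """Decode packed addresses; reject empty or non-multiple-of-4 input."""
    if not value or len(value) % 4:
        raise ValueError("value must be a non-empty multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(value[i:i + 4]))
            for i in range(0, len(value), 4)]


def parse_tlv(payload):
    """Decode type/length/value, checking the header against the real length."""
    if len(payload) < 2:
        raise ValueError("payload too short for type and length")
    if payload[0] != LWAPP_SUBOPTION:
        raise ValueError(f"unexpected sub-option type 0x{payload[0]:02x}")
    if payload[1] != len(payload) - 2:
        raise ValueError("length byte does not match value size")
    return parse_value(payload[2:])


def unexpected_controllers(value, allowed):
    """Return advertised controllers that are not on the allow-list."""
    allowed_set = {ipaddress.IPv4Address(a) for a in allowed}
    return [ip for ip in parse_value(value)
            if ipaddress.IPv4Address(ip) not in allowed_set]


if __name__ == "__main__":
    controllers = parse_value(parse_isc_hex(POSTED_HEX))
    print("controllers in the posted value:", controllers)
    print("full TLV:", full_tlv(controllers).hex(":"))
    # Hypothetical allow-list that omits the last address, to show a finding.
    print("not on allow-list:",
          unexpected_controllers(parse_isc_hex(POSTED_HEX), controllers[:4]))
```

Running the audit function over the value a DHCP server actually hands out (for example from a packet capture) shows whether access points are being pointed at a controller nobody configured.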

RE: [WIRELESS-LAN] User Tracking with IAS

2008-06-24 Thread Danner, Mearl
We're experimenting with using IAS for authorization/authentication and
sending the accounting packets to a freeradius server. Dialupadmin or
daloradius can give reports. Since the accounting info is stored in a
MySQL database it'd be relatively easy to get some web reports.

 

The IAS SQL is pretty complicated if you are running multiple IAS
servers. They only log to a local SQL server and you'd need another SQL
server to consolidate the local databases.

 

Mearl

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Urrea, Nick
Sent: Tuesday, June 24, 2008 1:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] User Tracking with IAS

 

I am looking for a solution to perform user tracking using an IAS
server.

We will be rolling out WPA2/802.1x this summer and I would like to do
user tracking.

I would like to poll all the user logins/logoffs into a
database/application.

Any ideas of software/solutions?  

 



Nicholas Urrea

Information Technology 

UC Hastings College of the Law

[EMAIL PROTECTED]

x4718

 



RE: [WIRELESS-LAN] RADIUS server software options

2008-05-22 Thread Danner, Mearl
We used freeradius against eDirectory, but moved to IAS when we became a
Microsoft shop. Freeradius was quite stable and worked well for us. If
you don't have the Microsoft cals it's an inexpensive and effective
solution.
 
Since we have IAS available we thought it made an easier integration
since the majority of our clients are Microsoft. It seemed that the
freeradius/samba method would require more maintenance. Especially if a
Microsoft update broke the Samba authentication.
 
We're testing freeradius as a radius accounting server though. It
appears a lot easier than the IAS/SQL method. If it works out we'll have
the NAS's sending auth requests to our IAS servers and accounting to
freeradius/MySQL.

Mearl

 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:[EMAIL PROTECTED] On Behalf Of Michael
 Kaegler
 Sent: Wednesday, May 21, 2008 12:48 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] RADIUS server software options
 
 Presently our wireless network is wide open with a VPN overlay. Users
 authenticate to the VPN which uses RADIUS which checks LDAP (our
 primary source).
 
 We're now looking to move in a more WPA/PEAP/MSCHAPv2 direction, and
 now's the time to consider our RADIUS server software (presently
 freeradius).
 
 Has anyone used freeradius successfully in a WPA/PEAP/MSCHAPv2
 scenario?
 Is there a better [more stable, more user-friendly] option?
 
 TIA!
 -porkchop
 
 --
 Michael Porkchop Kaegler, Sr. Network Analyst
 (845) 575-3061 Marist College, Poughkeepsie, NY
 


RE: [WIRELESS-LAN] Strange Vista Wireless problems

2007-10-03 Thread Danner, Mearl
Have you tried upgrading/downgrading the card drivers/firmware?

We've seen similar issues that changing either would fix. Including the
Atheros card in my old T41 Thinkpad.

Mearl
 
 




From: Nathan Hay [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 03, 2007 3:40 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Strange Vista Wireless problems


This one has me stuck, so I thought I'd see if anyone else has
run into it.
 
I have two Vista laptops with different models of wireless cards
that will not work on any SSID on our Meru wireless network.  However,
they will work on a Linksys WRT54G I have in my office for testing.
I've updated drivers, removed all wireless profiles, disabled firewall,
etc with no success.  We have a couple hundred other Vista machines on
our Meru wireless network that work fine.
 
One is a Dell Inspiron 1420 with a Dell 1390 WLAN Mini-Card, the
other is an Everex with an Atheros AR5005G.
 
The laptops will associate to the AP, get an IP address, and
then do nothing.  According to the Network and Sharing Center, the
laptop is connected to an Unidentified Network with Local Only
access.  I can't ping anything or do any DNS lookups, but ipconfig shows
all the correct information.
 
A packet capture shows the laptop sending out large amounts of
ARP broadcasts, trying to find the default gateway MAC of the VLAN, but
it never gets any responses.
 
Another strange thing... If I do a Status on the network
connection, it shows 0 packets sent and a varying number received.
 
Anyone have any thoughts?
 
Nathan
 
 
Nathan P. Hay
Network Engineer
Computer Services
Cedarville University
www.cedarville.edu


RE: [WIRELESS-LAN] Integrating Freeradius and Novell eDirectory

2007-07-24 Thread Danner, Mearl
Best take this up with the freeradius listserve.

A complete debug trace to them will probably be all it takes.

Mearl



From: Nathan Hay [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 24, 2007 1:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Integrating Freeradius and Novell eDirectory

We've been trying to integrate Freeradius with Novell eDirectory to 
authenticate our users on our Meru wireless network.
 
We have eDirectory 8.7.3.7 and Freeradius 1.1.0
 
I've spent much time poring over all the Novell and Freeradius docs on how to 
do this, but we still get the following error from Freeradius:
 
rlm_ldap: Error reading Universal Password.Return Code = -1635
 
I've verified that the Universal Password setup is correct on my test user with 
the Universal Password utility.
 
Any ideas?
 
Thanks in advance,
 
Nathan

Nathan P. Hay
Network Engineer
Computer Services
Cedarville University
www.cedarville.edu



RE: [WIRELESS-LAN] 802.1x Troubles with Vista...

2007-03-09 Thread Danner, Mearl
If you're using Freeradius it requires 1.1.4.

We get successful authentication by Vista and XP boxes using eDirectory
as a backend.

We do have one issue. After it's been running several hours
authentication fails until it's restarted. The ldap console on the
Novell box shows -669 errors.  I haven't been able to debug it because
we wouldn't be able to trap all the debug info for 14 or so hours before
it fails.

Running RedHat on an IBM P615 BTW. 

We just restart it every morning at 5AM.

Mearl


-Original Message-
From: Christopher Davis [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 09, 2007 2:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.1x Troubles with Vista...

We're having no success getting Vista's WiFi client to play with our 
WPA/802.1x environment. It is able to associate with the AP but cannot 
authenticate.  XP with the same hardware has no problems.  Has anyone 
else had similar problems and (hopefully) found a solution? 

We are using Cisco 1200 APs connecting back to FreeRADIUS for 
authentication.  Security settings are WPA/TKIP and PEAP/MS-CHAPv2.  
Vista provides better logging of errors than XP, but I haven't been able
to track down a reference that says what the specific error codes mean.

One particular item in the log that seems odd is the entry for 
Authentication Mode  in the connection info.  I'd expect it to say 
something like MS-CHAPv2, not the cryptic Invalid (4).

Any insight you can offer would be helpful.  Thanks.

Chris

Information for Connection ID 14
Connection started at: 2007-02-15 12:59:10-473
 Auto Configuration ID: 10
 Profile: XXX
 SSID: XXX
 SSID length: 7
 Connection mode: Infra
 Security: Yes
 Pre-Association and Association
  Connectivity settings provided by hardware manufacturer (IHV): No
  Security settings provided by hardware manufacturer (IHV): No
  Profile matches network requirements: Success
  Pre-association status: Success
  Association status: Success
   Last AP:  00-16-46-XX-XX-XX
 Security and Authentication
  Configured security type: WPA-802.1X
  Configured encryption type: TKIP
  802.1X protocol: Yes
   Authentication mode: Invalid (4)
   Number of 802.1X restarts: 1
   Number of 802.1X failures: 2
   802.1X status: Fail 0x80420105
   802.1X reason code: 0x00050005
  Key exchange initiated: No
  Number of security packets received: 5
  Number of security packets sent: 4
  Security attempt status: Fail 0x00050005



RE: [WIRELESS-LAN] 802.1x authentication using LDAP

2006-07-12 Thread Danner, Mearl
Might be best to ask the freeradius folks.

List archives at http://lists.freeradius.org/pipermail/freeradius-users/

Join up at:

http://lists.freeradius.org/mailman/listinfo/freeradius-users

I'd help but we're using freeradius against eDirectory and the passwords
aren't in cleartext.

Mearl Danner
Systems Programmer
Samford University
http://www.samford.edu


 

-Original Message-
From: Matt Ashfield [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, July 12, 2006 11:41 AM
To: Danner, Mearl; WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x authentication using LDAP

Hi All,

First off, thanks. I've gotten many responses from my original posting
and that's been great. I am still finding it quite difficult to get this
setup, so I was hoping that someone with the same/similar environment as
myself might shed some light on how to configure things.

I'd like to allow for windows clients to authenticate via 802.1x using
Freeradius and with their user credentials stored in cleartext on an
LDAP directory. Is anyone doing this setup? If so, I'm hoping to learn
how you've set it up.

Thanks

Matt
[EMAIL PROTECTED] 


-Original Message-
From: Emerson Parker [mailto:[EMAIL PROTECTED]
Sent: July 11, 2006 6:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x authentication using LDAP

I've actually gotten an 802.1x eap client to auth against LDAP. It's not
fun. 

 You CAN'T use normal PEAP on the MSFT client because the credentials are
passed via MSCHAPv2 in the PEAP tunnel.  LDAP can't read MSCHAPv2.  The
Funk/juniper odyssey client has a way of doing PEAP-GTC (generic Token
Card).  Basically, the credentials are not encrypted inside the tunnel.
This is for using secureID tokens and such.  You can take advantage of
GTC's unencrypted user/password to then proxy the credentials over to an
LDAP server.  Of course, EAP requires some sort of RADIUS server to
terminate the 802.1x EAP-PEAP outer tunnel and then it must be able to
query an LDAP server with the clear text stuff.  Some wireless vendors
integrate this RADIUS offload or terminate the PEAP tunnel and then
directly query LDAP. This eliminates the need for an external RADIUS server.

-Emerson




-Original Message-
From: Mark Linton [mailto:[EMAIL PROTECTED]
Sent: Tue 7/11/2006 8:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x authentication using LDAP
 
 From what I can tell, the only way to deal with plaintext passwords
 stored in LDAP and still have username/password authentication is to go
 with EAP-TTLS and use the secure2 client.
 
 But I just saw the post by Tom Zeller and he's saying the hashed 
 password does NOT go over the network with MS-CHAP. So I'm starting to
 get a bit confused.

Some background might help clarify here.

The phrase EAP-TTLS, while being the correct name for the EAP type,
does not fully qualify the implementation.

TTLS is Tunneled TLS. TLS being Transport Layer Security, which by
itself creates a tunnel. So we have two tunnels here. The one created by
TLS -- sometimes called the outer tunnel -- and the unspecified inner
tunnel.

In the case of Tom Zeller's message, earlier, the inner tunnel was
formed by MS-CHAPv2. Some people write this as EAP-TTLS-MSCHAPv2.

The clear-text password version of EAP-TTLS uses the Password
Authentication Protocol (PAP) to form the inner tunnel. Some people
write this as EAP-TTLS-PAP.

So, Tom was correct in the context of Tom's discussion, and the people
talking about username/password authentication were also correct. They
were simply assuming different implementations of EAP-TTLS. Both are
perfectly valid and each has their pros and cons.

Sincerely,

Mark Linton
[EMAIL PROTECTED]
www.personal.psu.edu/mhl100
814-865-4698 
 -Original Message-
 From: Matt Ashfield [mailto:[EMAIL PROTECTED]
 Sent: Monday, July 10, 2006 1:53 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] 802.1x authentication using LDAP
 
 Hi All,
 
 Thanks for all the responses. It's great to be part of a useful 
 mailing list like this!
 
 Just to clarify a few things:
 our passwords are stored in cleartext on the ldap server.
 We are using SunOne for LDAP and FreeRadius for radius.
 We have no desire to have individual client certificates and would 
 prefer to do username/password against the LDAP server.
 
 From what I can tell, the only way to deal with plaintext passwords
 stored in LDAP and still have username/password authentication is to
 go with EAP-TTLS and use the secure2 client.
 
 But I just saw the post by Tom Zeller and he's saying the hashed 
 password does NOT go over the network with MS-CHAP. So I'm starting to
 get a bit confused.
 
 Any thoughts? Does anyone here have this same situation and have it 
 working?
 
 Thanks
 
 Matt Ashfield
 [EMAIL PROTECTED]
 
 
 -Original Message-
 From: Michael Griego [mailto:[EMAIL PROTECTED]
 Sent: July 7, 2006 4:24 PM
 To: [EMAIL PROTECTED