Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-09 Thread David Morton
Ryan, we have been experiencing some of the very same issues. Since installing 
515s and resulting 8.5.x code in our offices (always our first step to any 
migration) we too have experienced unexplained periods of no connectivity. In 
most or all the cases I’ve personally experienced, I believe that I remain 
connected at an 802.11 standpoint but will have that 30 seconds to a couple of 
minutes of no IP connectivity. We have now deployed 515s and 8.5.x in one of 
our residence halls so I am concerned about their experience as well. Just 
before the holiday break we had a series of very high-profile outages that 
impacted our students leading up to and during finals week. The issue got so 
bad that our CIO had to issue a letter to students explaining the problem and 
what we are doing about it. This is the first time that this level of 
communication was needed in my 15 years at the UW using Aruba.

We too are a heavy Juniper shop and have recently received a MIST demo kit. We 
haven’t done anything with it yet due to lack of resources, but if things 
continue on the current path we may give it a more serious look.

David


David Morton
Director, Network & Telecom Design/Architecture
University of Washington
dmorton@uw.edu
tel 206.221.7814

PS I am currently on medical leave so if you wish to reply off-list, please 
direct it to Amel Caldwell, amelc@uw.edu

On Jan 9, 2020, at 8:15 AM, Turner, Ryan H <rhtur...@email.unc.edu> wrote:

All:

We’ve been an Aruba shop for a very long time and have around 10,000 access 
points.  While every relationship with vendors has its ups and downs, my 
frustration with Aruba is finally peaking to the point that I am 
considering making the enormous move to choose a different vendor.  The biggest 
reason is with the 8.X code train, and bugs that we just don’t consider 
appropriate to use in production.  It has been one thing after the other, and 
my extremely talented and qualified Network Architect (Keith Miller) might as 
well be on the Aruba payroll as much work as he has been doing for them to 
solve bugs.  Just when we think we have one fixed, another one crops up.

The big one as of late is with 515s running 8.5 code train.  We have them 
deployed in one of our IT buildings.  Periodically, people that are connected 
to these APs in the 5G band will stop working.  To the user, they are browsing 
a site, then it becomes unresponsive.  If they are on their phone, they will 
disconnect from wifi and everything works fine on cell.  Nothing makes an 
802.11 network look worse than switching to cell and seeing a problem resolve.  
Normally, if the users disconnect then reconnect, their problems will go away 
(but I think they end up connecting in the 2.4G band).   We’ve been working on 
this problem with them for months.  It always seems as though we have to prove 
there is a real issue.  I’m fed up with it.  We are a sophisticated shop.  If 
we have a problem, 9 times out of 10 when we bring it to the vendor, it is a 
real problem.  I’m extra frustrated that due to issues we’ve seen in ResNet on 
the 8.3X train that we don’t want to abandon our 6 train on main campus.  To 
Aruba’s credit, we purchased around 1,000 515s last year (I think around 
February).  When they could not get good code to support them on, Aruba bought 
back half of them.  I asked for them to buy back half because I thought for 
sure with the 315s that we would have instead, the issues would be fixed by the 
time the 315s ran out.  Not looking to be the case.

So, with that rant over, we are seriously considering looking to move away from 
Aruba (unless they get their act together really soon).  There are other bugs 
I’m not even mentioning here.  For those of you that made the switch to another 
vendor, I would be curious how long the honeymoon lasted, what were your 
motivators, and were you happy with the overall results?  Of course, this is a 
great opportunity to plug your vendor.  As I see it, we have 3 choices….  
Something from Cisco (we had Cisco long ago and dumped them for bugs), 
something from Extreme (we are a huge Extreme shop so this makes sense), 
something from Juniper (Mist).

Thanks,
Ryan Turner
Head of Networking
The University of North Carolina at Chapel Hill
+1 919 445 0113 Office
+1 919 274 7926 Mobile
r...@unc.edu


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community



Re: [WIRELESS-LAN] Offline/Spare Gear Inventory Size

2018-02-26 Thread David Morton
We are on Aruba and keep very little in planned, offline inventory. Most APs 
have a lifetime warranty and we don’t see many storm related failures. Much 
like Chuck, our normal deployment stocks can provide spares when needed. We 
will then send any defective units back to Aruba for warranty replacement.

David




On Feb 26, 2018, at 10:20 AM, Trinklein, Jason R <trinkle...@cofc.edu> wrote:

Hi All,

I’m curious to know the size of your spare gear inventories. Do you keep a 
percentage of each model of AP in inventory, and what is your reasoning? 
Storms? Last minute/emergency wireless coverage needs?

What percentage of your live gear do you keep as offline inventory? (100 live 
APs with 1 inventory AP = 1% offline inventory).

With Xirrus, we had an offline inventory of more than 10% of live inventory. We 
kept that inventory to cover the high failure rate of the equipment, the 
incidence of hurricanes and lightning strikes in our area, the broad range of 
AP models on campus, and last minute large events in low coverage areas.

We are evaluating the minimum offline inventory for our new Aruba gear as we 
finish up the vendor switch. I have been thinking 1-2%, but I want to see what 
you guys do first, and why.

Thank you,
--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009

DID YOU KNOW? The Princeton Review selected the College of Charleston as one of 
50 schools focused on providing students with practical experiences that take 
their academics to the next level.

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.





Re: [WIRELESS-LAN] PEAP vs TLS

2018-02-26 Thread David Morton
Thanks Bruce.

David



On Feb 26, 2018, at 8:31 AM, Curtis, Bruce <bruce.cur...@ndsu.edu> wrote:



On Feb 23, 2018, at 10:58 AM, David Morton <dmor...@uw.edu> wrote:

We currently use EAP-PEAP for our eduroam/802.1x, but are now considering 
adding EAP-TLS to the mix. We have several potential PKIs that we could use, 
but all of them will take some work to get them ready for a production launch. 
Given that resources are limited, I’m looking for some data points about others 
who have moved, are thinking of moving or have decided not to adopt EAP-TLS.

To help gather some data can you please answer this short survey?

Do you:

- Support 802.1x? -

Yes.


If yes, do you:

- use EAP-PEAP on campus? -

Yes.


- use EAP-TLS on campus? -

Yes.

- What PKI/CA do you use: -

- If both, why and is one preferred? -

We were mainly using EAP-TLS with some devices using EAP-TTLS.

We will be turning off EAP-TTLS soon.

We enabled EAP-PEAP recently because our help desk reported a significant 
percentage of Android devices had issues with EAP-TLS.

Also a smaller percentage of Windows machines had problems with EAP-TLS but it 
was decided to use EAP-PEAP for Windows devices.

We continue to use EAP-TLS for Apple devices, both iOS and Mac OS.

EAP-TLS has the advantage that a man in the middle attack can not steal a 
password, even if a user turns off the “check server certificate” verification.
Also with EAP-TLS devices do not have to be reconfigured if a password is 
changed.

So EAP-PEAP is installed on Android and Windows devices by default with 
CloudPath and EAP-TLS is installed by default on Apple devices with CloudPath.
People still have the option of configuring EAP-TLS for Android and Windows 
devices and EAP-PEAP for Apple devices but that requires that they configure 
that manually rather than with the installer.

- If only PEAP, are you planning EAP-TLS? -

Brief description of why you’re doing what you’re doing and anything else that 
might be helpful:



Thank you in advance


David




David Morton
Director, Networks & Telecommunications
Services: Wi-Fi, Wired, Telephony, Mobile & HuskyTV
University of Washington
dmor...@uw.edu
tel 206.221.7814



---
Bruce Curtis 
bruce.cur...@ndsu.edu
Certified NetAnalyst II    701-231-8527
North Dakota State University





PEAP vs TLS

2018-02-23 Thread David Morton
We currently use EAP-PEAP for our eduroam/802.1x, but are now considering 
adding EAP-TLS to the mix. We have several potential PKIs that we could use, 
but all of them will take some work to get them ready for a production launch. 
Given that resources are limited, I’m looking for some data points about others 
who have moved, are thinking of moving or have decided not to adopt EAP-TLS.

To help gather some data can you please answer this short survey?

Do you:

- Support 802.1x? -

If yes, do you:

- use EAP-PEAP on campus? -

- use EAP-TLS on campus? -
- What PKI/CA do you use: -

- If both, why and is one preferred? -

- If only PEAP, are you planning EAP-TLS? -

Brief description of why you’re doing what you’re doing and anything else that 
might be helpful:



Thank you in advance


David




David Morton
Director, Networks & Telecommunications
Services: Wi-Fi, Wired, Telephony, Mobile & HuskyTV
University of Washington
dmor...@uw.edu
tel 206.221.7814





Re: [WIRELESS-LAN] Nyansa vs 7Signal vs ?

2017-07-25 Thread David Morton
I'm a fan of Netinsight (aka Rasa) from Aruba. We get some very useful and 
actionable data that we haven't seen before. I think they are very close to 
official launch.

Recommend looking at them.

David Morton
Director, Networks & Telecommunications
Services: wired, mobile, telecom, HuskyTV, Wi-Fi
University of Washington, UWIT
dmor...@uw.edu

On Jul 25, 2017, at 9:33 AM, James Andrewartha <jandrewar...@ccgs.wa.edu.au> wrote:

Hi Jason,

No comments, but Nyansa and Cape (another hardware-based wifi monitoring 
company, but perhaps US-only since they use T-Mobile uplinks?) are at Mobility 
Field Day 2 this week. You’ve reminded me to take another look at 7Signal 
though; per Caston’s post, we already have a solution that overlaps with Nyansa 
so I won’t be investigating that. Also because my budget is capital-focused 
currently which means I need physical items to stick asset tags on, and 11ac 
Wave 2 APs don’t excite me at all (the only MU-MIMO capable device on campus is 
my personal phone).

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jason Cook 
<jason.c...@adelaide.edu.au>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Tuesday, 25 July 2017 at 3:02 pm
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Nyansa vs 7Signal vs ?

Hi All,

There’s been plenty of positives mentioned about Nyansa in recent discussions. 
I’m wondering if anyone out there has experience at both 7signal and Nyansa or 
any other systems that do wireless monitoring/alerting in a more detailed way 
than vendor provided gear. The approach for these 2 are obviously quite 
different with I guess varying advantages. Don’t need much detail, just general 
thoughts is good.

Regards

Jason

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800
e-mail: jason.c...@adelaide.edu.au

CRICOS Provider Number 00123M



Re: [WIRELESS-LAN] Nyansa

2017-02-10 Thread David Morton
I’d like to join as well.

David




David Morton
Director, Network & Telecom Design/Architecture
Service Owner: Wi-Fi, Wired, Telephony, Mobile & HuskyTV
University of Washington
dmor...@uw.edu
tel 206.221.7814

On Feb 10, 2017, at 12:10 PM, Chuck Enfield <chu...@psu.edu> wrote:

Please reply if you’d like to join the call.  Doug and Lee are the guests of 
honor, but I’ll do my best to accommodate as many other schedules as possible.

From: Sullivan, Don [mailto:dsulli...@samford.edu]
Sent: Friday, February 10, 2017 3:08 PM
To: Chuck Enfield <chu...@psu.edu>; WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: RE: [WIRELESS-LAN] Nyansa

I’m game.

Don Sullivan
Network Administrator
205-726-2111
dsulli...@samford.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
Sent: Friday, February 10, 2017 2:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Nyansa

Any chance we could make it a conference call?  I’ll set up a bridge.

Chuck Enfield
Manager, Wireless Engineering
Enterprise Networking & Communication Services
The Pennsylvania State University
110H, USB2, UP, PA 16802
ph: 814.863.8715
fx: 814.865.3988

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Sullivan, Don
Sent: Friday, February 10, 2017 3:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Nyansa

Lee,

I would be happy to have a chat with you about it. Probably better off list for 
me.

Don Sullivan
Network Administrator
205-726-2111
dsulli...@samford.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Friday, February 10, 2017 1:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Nyansa

Looking to talk with other schools that have objectively evaluated Nyansa with 
an installed appliance. Curious what criteria you used to decide whether it 
was bringing you value, and if you bit on it, did it continue to bring value 
after the purchase.

I have it in test and am aware of the feature set and what it promises to do, 
but am looking for testimonials on what it has really exposed that you could 
take action on, how it fits with other tools that you have, and whether you 
have found it to be worth the cost.

On or off list is fine.

Thanks!

Lee Badman

Lee Badman | Network Architect

Adjunct Instructor | CWNE #200
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu






Re: [WIRELESS-LAN] FreeRADIUS server scaling for 802.1x

2016-07-20 Thread David Morton
Thank you Eriks and Curtis, this information is very helpful.

We aren’t using Packetfence, but rather a mix of ClearPass and a customized 
FreeRADIUS. As we move from a relatively small number of eduroam users on 
campus to actively promoting it for on-campus use we have been running various 
models to predict load and we don’t have a good way to determine the load 
capacity of the FreeRADIUS portion of the architecture.

Anyone else who has thoughts or suggestions, please feel free to chime in.

David


David Morton
Director, Mobile Communications
Service Owner: Wi-Fi, Mobile & HuskyTV
University of Washington
dmor...@u.washington.edu


On Jul 19, 2016, at 8:42 AM, Eriks Rugelis <er...@yorku.ca> wrote:

Curtis K. Larsen wrote:
Nice slides.  This is pretty similar to what we do.  We're also using 
PacketFence/FreeRADIUS.  The
graphing of the authentications is key to understanding/scaling things in my 
opinion.

Actually, with respect to our current deployment architecture, we are standing 
on your shoulders.   I want to thank you for that and also for driving Inverse 
to implement the activity and performance graphs in Packetfence.

I cannot overstate how valuable we find the ability to track and correlate 
authentication workload, authentication server performance and back-end (Active 
Directory) server performance!
---
Eriks Rugelis
Manager, Network Development, University Information Technology
York University, Toronto

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.





FreeRADIUS server scaling for 802.1x

2016-07-18 Thread David Morton
I am curious how folks are calculating peak load and number of RADIUS servers 
needed to support your eduroam & other 802.1x usage. We currently have a peak 
of around 65k of concurrent users across our network. Most of those users are 
using a MAC based auth captive portal.

As we begin steering users to eduroam for on campus use, we are trying to 
model load and the number of FreeRADIUS needed to support that load. I know 
that there are a lot of variables in answering this question, but I’d really 
like to get input and better understand what others are doing.

Feel free to reply either on or off list depending on what you are willing to 
share publicly.

Thank you

David



David Morton
Director, Mobile Communications
Service Owner: Wi-Fi, Mobile & HuskyTV
University of Washington
dmor...@u.washington.edu






Re: [WIRELESS-LAN] Wireless Printers/Wi-Fi Direct, couple of other devices

2011-02-16 Thread David Morton
FYI, we have roughly:

12,977 iPhones
8,783 iPod touches
3,880 Androids
1,852 iPads
338 Win Mobile
804 Blackberry
330 Symbian
19 Palm OS

You can see more stats at www.freshlymobile.com

We gather these stats from our wifi registration system. It looks at the 
browser user agent when they register.

David





David Morton
Director, Mobile Communications
University of Washington
dmor...@u.washington.edu
tel 206.221.7814


--
www.freshlymobile.com
 a fresh look at mobility
--
On Feb 16, 2011, at 1:39 PM, Marcelo Lew wrote:

> "At the moment, I have two Nintendos, 44 XBoxen, 373 iPods, 787 iPhones,
> 144 iPads, 14 Palms, 183 Androids, 37 Playstations, 9 Windows Mobile devices, 
> 11 Nokias, and 34 Blackberries on my network, that I know of..."
> 
> How are you getting these specific stats?
> 
> Marcelo Lew
> Wireless Enterprise Administrator
> University Technology Services
> University of Denver
> Desk: (303) 871-6523
> Cell: (303) 669-4217
> Fax:  (303) 871-5900
> Email: m...@du.edu
> 
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cal Frye
> Sent: Wednesday, February 16, 2011 8:13 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Wireless Printers/Wi-Fi Direct, couple of other 
> devices
> 
> On 2/16/11 7:45 AM, Brian Helman wrote:
>> We are trying to avoid adding non-workstation systems to the wireless
>> network.  My philosophy is, if the system isn't mobile, it should be
>> wired.  That's why my XBox and Wii have ethernet cables at home too!
> 
> Of course, that's a large exception ;-)
> 
> At the moment, I have two Nintendos, 44 XBoxen, 373 iPods, 787 iPhones,
> 144 iPads, 14 Palms, 183 Androids, 37 Playstations, 9 Windows Mobile
> devices, 11 Nokias, and 34 Blackberries on my network, that I know of...
> 
> -- 
> Best regards
> -- Cal Frye, Network Administrator, Oberlin College
>   Mudd Library, x.56930 -- CIT will NEVER ask you for your password!
> 
>   www.calfrye.com,  www.oberlin.edu/cit/
> 
> "Life is a long lesson in humility." -- James M. Barrie.
> 


Re: [WIRELESS-LAN] Wireless Bakeoff

2010-10-04 Thread David Morton

Did they solve a high density problem that the others couldn't? My impression 
with Xirrus is that might be a solution to consider in a larger open space 
with higher density, but that a solution with multiple APs with decent auto 
radio management capabilities would solve the issue as well (and perhaps 
better).

David




_
David Morton
Director, Mobile Communications
University of Washington
dmor...@u.washington.edu
tel 206.221.7814

 
> 
> On Oct 4, 2010, at 11:00 AM, heath.barnhart wrote:
> 
>> Same here.
>> 
>> Heath
>> 
>> On 10/4/2010 12:50 PM, Ammar Abdulahad wrote:
>>> 
>>> We are using Xirrus in our entire campus including residential halls. 
>>> Xirrus really solved the issues we were having in high density areas.
>>>  
>>>  
>>> Ammar Abdulahad
>>> IT Service Delivery
>>> Lawrence Technological University
>>> 
>>> 
>>>  
>>> On Mon, Oct 4, 2010 at 12:35 PM, Huels, Chris  wrote:
>>> All,
>>> 
>>> Currently Washington University uses Meru for wireless. In order to migrate 
>>> to 802.11n, we will have to replace all of the access points and look at 
>>> replacing the controllers to accommodate the throughput. This has given us 
>>> the opportunity to go back and assess other vendors that offer enterprise 
>>> wireless solutions. The vendors that we are looking into are Meru, Aruba, 
>>> and Cisco. I would like to get input from this group on some pros and cons 
>>> of each, or are there other vendors that have been working well? Any input 
>>> would be helpful.
>>> 
>>> Thanks
>>> Chris
>>> 
>> 
>> 
>> -- 
>> Heath Barnhart, CCNA
>> Network Administrator
>> Information Systems and Services
>> Washburn University
>> Topeka, KS 66621
>> 
> 





Sr. Network Engineer - Wifi focused

2010-09-24 Thread David Morton
We are looking for a Sr. Network Engineer in our Technology Management group at the University of Washington. The UW is a dynamic environment with the opportunity to work on many interesting projects. I've posted the text of the job description below or you can view it and apply via the following link:

https://uwhires.admin.washington.edu/eng/candidates/default.cfm?szCategory=JobProfile&szOrderID=67444&szlocationID=88

If you have any questions, please let me know.

David

David Morton
Director, Mobile Communications
University of Washington
dmor...@u.washington.edu
tel 206.221.7814

www.freshlymobile.com
a fresh look at mobility

NETWORK ENGINEER-Wireless

Req #: 67444
Department: UW INFORMATION TECHNOLOGY
Appointing Department Web Address: https://www.washington.edu/uwit/index.html
Job Location: Seattle Campus
Posting Date: 08/26/2010
Closing Info: Open Until Filled
Salary: Salary is commensurate with experience and education.

The University of Washington (UW) is proud to be one of the nation’s premier educational and research institutions. Our people are the most important asset in our pursuit of achieving excellence in education, research, and community service. Our staff not only enjoys outstanding benefits and professional growth opportunities, but also an environment noted for diversity, community involvement, intellectual excitement, artistic pursuits, and natural beauty.

UW Information Technology has an outstanding opportunity for a Network Engineer.

Responsibilities: A Network Engineer is expected to be a network professional with experience in complex data and telecommunications systems design, development, management, and evaluation. Domain expertise ranges from Radio Frequency, WLAN, Layer 2/3, WLAN controller design, implementation, protocols and architecture.

Position Complexities: Must have in depth knowledge to architect, design, implement and maintain 802.11a/b/g/n wireless networks and supporting hardware, security mechanisms, wireless data technologies, RF analysis equipment, network sniffers, and protocols. Experience with wireless site surveys, RF design and behaviors, access points, networking setup and troubleshooting skills are essential. Experience working with RF analysis equipment, power meters, spectrum analyzers, and/or signal generators is required. In addition to wireless technologies, the applicant must have complete understanding of layer 2/3 networking, from network design and implementation to troubleshooting complex wired ethernet networks, as support of campus wired networks is required. A Network Engineer is expected to have expertise in contemporary network technologies and protocols including TCP/IP, OSPF, IPv4, QoS, and VoIP.

Duties: Network Engineers are responsible for data communication system planning, design, development, installation and operations, as well as escalated technical support for the Network Operations Center staff. They provide consultation to the University on data and telecommunications network services and systems, participate in requirements definition process, design and implement appropriate solutions, and identify and solve operational problems relating to networks and distributed communication systems and servers. Other characteristic responsibilities include: identify existing and emerging technologies and evaluate their applicability to UW's needs, and participate in projects to deploy state-of-the-art networks.

As a UW employee, you will enjoy generous benefits and work/life programs. For detailed information on Benefits for this position, click here.

Requirements: Bachelor's degree, or equivalent experience, in communication engineering, computer science or related field.

Required Minimum Work Experience: Four years experience in network engineering, implementation, or operations.

Additional Minimums: A highly disciplined troubleshooting methodology, paying close attention to detail, maintaining detailed configuration and testing documentation, with good verbal and written communication skills. Experience must include design, deployment, and support of a large WLAN infrastructure, testing wireless products including access points and client devices for evaluation, documentation, integration, customer support documentation, and product development. Experience with AAA, IP mobility (Mobile IP), SNMP, IP network security, VLAN, and IP utilization management. Excellent understanding of interconnection and troubleshooting techniques for WAN/LAN hardware to include routers, LAN switches, wireless access points.

Equivalent education/experience will substitute for all minimum qualifications except when there are legal requirements, such as a license/certification/registration.

Desired: Experience with ArubaOS software and associated Aruba WLAN infrastructure. Working within a hospital or healthcare environment.

Condition of Employment: Must be able to respond to network outag

Re: [WIRELESS-LAN] 802.1X accounting, PEAP outer identity

2006-06-01 Thread David Morton
You and Julian are, of course, right about both Radiator and SBR. I
was thinking about the problem from a different angle, where the
PEAP/TTLS session was terminating on a foreign system (as is the case
with roaming, commercial service providers or a distributed education
environment).

Thanks for setting the record straight. This topic also reminds me of
Bernard Aboba's excellent site on related subjects at
http://www.drizzle.com/~aboba/IEEE?


David


On Jun 1, 2006, at 4:18 PM, Michael Griego wrote:

If, in the RADIUS Access-Accept, a User-Name attribute is included,  
then, according to the spec, the NAS *must* use that value in any  
accounting records.  So, if you can get your RADIUS server to  
return the User-Name used in the inner exchange as the User-Name in  
the final Access-Accept, then the NAS should use that in the  
accounting records.


FreeRADIUS does this by way of a "use-tunneled-reply" option in the  
PEAP module setup.


--Mike


On Jun 1, 2006, at 5:27 PM, Julian Y. Koh wrote:


How are people handling accounting records for your 802.1X wireless
networks? We're in the process of rolling out EAP-PEAP, and everything
is fine in terms of our RADIUS accounting records from the APs as long
as the users leave the "Outer Identity" field blank - we end up with
their real usernames in the accounting records. However, as soon as
they fill in anything for "Outer Identity" (Mac OS X) or "Roaming
Identity" (Intel Wireless utility), that text is what ends up in our
accounting records. Obviously this is suboptimal in terms of relying
on our accounting records for true accounting of who was where on our
network. Is there any way around this?

FWIW, we're using Cisco 1200 APs with a WLSM/WLSE combo, Steel Belted
RADIUS talking to an Active Directory back end.

Thanks in advance!



--
Julian Y. Koh
Network Engineer   847-467-5780
Telecommunications and Network Services   Northwestern University
PGP Public Key:


**
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.





Re: [WIRELESS-LAN] 802.1X accounting, PEAP outer identity

2006-06-01 Thread David Morton

Unfortunately it is the design of PEAP (and TTLS) to offer separate  
inner and outer identities. There has been a lot of discussion in the  
IEEE about how to better support service provider billing in these  
instances, but I don't know what came of those discussions. Perhaps  
someone else on the list knows.


David


David Morton
Director, Security Solutions
Technology Engineering, C&C
University of Washington
[EMAIL PROTECTED]
http://staff.washington.edu/dmorton/blog
tel 206.221.7814



On Jun 1, 2006, at 3:27 PM, Julian Y. Koh wrote:


How are people handling accounting records for your 802.1X wireless
networks? We're in the process of rolling out EAP-PEAP, and everything
is fine in terms of our RADIUS accounting records from the APs as long
as the users leave the "Outer Identity" field blank - we end up with
their real usernames in the accounting records. However, as soon as
they fill in anything for "Outer Identity" (Mac OS X) or "Roaming
Identity" (Intel Wireless utility), that text is what ends up in our
accounting records. Obviously this is suboptimal in terms of relying
on our accounting records for true accounting of who was where on our
network. Is there any way around this?

FWIW, we're using Cisco 1200 APs with a WLSM/WLSE combo, Steel Belted
RADIUS talking to an Active Directory back end.

Thanks in advance!



--
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   847-467-5780
Telecommunications and Network Services   Northwestern University
PGP Public Key: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>




Re: [WIRELESS-LAN] Spectrum Analyzer for interference detection

2006-04-04 Thread David Morton
I agree with the Cognio and also recommend the Yellowjacket from Berkeley Varitronics (http://www.bvsystems.com/Products/WLAN/Yellowjacket/yellowjacket.htm).

However you may be able to find the problem with less expensive means. As Dwight pointed out often the cause of such interference is something like a microwave or maybe a cordless phone or camera. The latter two tend to be frequency hopping and often result in decreased throughput rather than killing connections. Is there a pattern to the drops? After the drops are the users able to get right back on?

Another possibility is that someone is actively disassociating the users from the AP. There are a number of tools that can do this. A packet sniffer and debugs on the AP may help you understand what is happening.

David

David Morton
Director, ITI Security Solutions
University of Washington
[EMAIL PROTECTED]
tel 206.221.7814

On Apr 4, 2006, at 1:24 PM, Emerson Parker wrote:

Cognio is the way to go.

http://www.cognio.com/

I've used this several times and large installations at it will save your butt. Cameras and wireless phones will sweep across the entire b/g spectrum and kill everything. The software costs about 3k and very intuitive to use. That's a lot better than paying someone to come out.

-Emerson

From: Robinson, Ronald [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2006 3:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Spectrum Analyzer for interference detection

Greetings listers,

We have a suspected interference problem in a particular classroom that causes all the wireless connections to drop at the same time. There are two APs in the classroom, and only one other AP in the building (that can be seen with NetStumbler), all are on non-overlapping channels. It only appears to affect one particular class, but that class has 23 students all trying to use the wireless simultaneously.

I have replaced the single Cisco 350 access point with two 1200 series and have the same reported symptom. I am beginning to suspect a wireless card in one of these students' laptops as a possible source of the problem, hence my request...

Any advice on the best tools or procedures for determining if there is actually an interference problem in an 802.11B/G environment?

Would a Spectrum Analyzer be of any use in tracking this down?

Anyone have experience with any software based Spectrum Analyzers?

Thanks

--
Ron Robinson, Network Architect, Bradley University
1501 West Bradley Ave.  |   E-Mail: [EMAIL PROTECTED]
Morgan Hall Room 205F   |   Phone:  (309) 677-3350
Peoria, Illinois 61625  |   FAX:    (309) 677-3460


Re: [WIRELESS-LAN] Paint that attenuates Radio Signals

2006-02-09 Thread David Morton
While I haven't tried that particular product, I have used other types
of paint to attenuate RF (don't recall the commercial names). They
worked fairly well, but since they blocked a pretty wide range of
frequencies you might have unintended consequences. For example, cell
phone signals were also attenuated.


David




On Feb 9, 2006, at 1:17 PM, Stephen Holland wrote:


Has anybody heard of a product from Force Field Wireless that can be
painted on walls to attenuate Radio Signals like WiFi?

I happened to find a link to it by accident and I'm curious as to how
effective it is.

Thanks

Steve Holland
Network Engineer
Northeastern University



Re: [WIRELESS-LAN] Vivato

2005-12-19 Thread David Morton
At a previous employer, we looked to products from Ottawa-based BelAir Networks (http://www.belairnetworks.com/) among others. They don't currently make use of smart antenna technology, but build a good, solid product that provided a fairly large coverage area.

David

David Morton
Director, ITI Security Solutions
University of Washington
[EMAIL PROTECTED]
tel 206.221.7814

On Dec 19, 2005, at 7:47 AM, Ryan Lininger wrote:

I'm surprised by this news. I thought that Vivato had a pretty good product. We are looking for a solution to implement wireless campus wide and Vivato looked pretty good until this news hit the stands Friday. Are there any other companies out there that can compete with Vivato's product? We have been looking at another company called 5G wireless (http://www.5gwireless.com) but I've read mixed reviews and my interactions with the company have been mixed.

What other companies do people recommend for indoor and outdoor wireless deployments?

Ryan Lininger
Network Systems Engineer
Denison University
[EMAIL PROTECTED]

King, Michael wrote:

I just got an email from a contact at Vivato. He forwarded this to me, with the note that his doors close tomorrow

Last Call for Vivato?
12.15.05

Everyone is talking about rumors of the imminent demise of Vivato Inc., one of the startups that originally kick-started the wireless LAN switch movement.

Multiple sources [ed. note: It's even on the message-board!] have told Unstrung that the company is expected to close down by the end of the year, with December 20 looking like the most likely date.

We spoke to Vivato last week when these rumors first got too loud to ignore, and a spokesman denied them then. No one has yet replied to calls today.

The firm is said to be looking for a buyer, but it is not clear what prospects are out there.

Of course, Vivato has been pronounced dead in the water before and come back. But the wireless whisperers we've spoken to insist that the investor community is now saying that Vivato will close its doors soon.

Vivato's closure could be seen as something of an end of an era for the WLAN market. The firm was one of the first to promote the idea of a centrally-managed "wireless LAN switch" network for enterprise users. (See Vivato Plans Ambitious WLAN.)

But unlike successful startups, such as Airespace and Aruba Wireless Networks that followed in its wake, Vivato proposed to "light up" offices with one powerful box that used "beam-steering" technology to provide radio coverage over hundreds of square feet. (See WLAN Switches: The Brains Behind 802.11?.) The other players in this space preferred to use a central switch to manage a network of "dumb" access points. (See Vivato's Switch Bitch and Switch Tiff Heats Up.)

But in practice, providing coverage in an office-space filled with cubes and other radio-dampening obstacles proved to be a tricky task for the Vivato. So the firm repositioned itself as a company that could provide coverage for stadiums, conference centers, and outdoor areas. (See Vivato's New Broom and Vivato Goes Wide.)

But despite winning some contracts, the company has remained troubled. In April, the firm hired a new "crisis CEO" to restructure the company. (See Vivato Hires Crisis CEO.)

Since its foundation in December 2000, Vivato has scored around $67 million in funding from investors like Intel Capital and U.S. Venture Partners.

- Dan Jones, Site Editor, Unstrung

Copyright (c) 2000-2005 Light Reading, Inc. - All rights reserved.
www.unstrung.com


Re: [WIRELESS-LAN] [SCFN] VoIP eavesdropping (fwd)

2005-12-18 Thread David Morton
I want to echo Jonn's comments about the need for better VoIP
security and 802.11r is still at least 18 months away. It is worth
noting that there are some proprietary solutions from Cisco and
others if you need something in the meantime. The standard
disclaimers about proprietary solutions apply, but they are available
if they fit your environment.


David


David Morton
Director, ITI Security Solutions
University of Washington

On Nov 29, 2005, at 2:02 PM, Jonn Martell wrote:


Agreed. There are a couple of important components.
The first is 802.1x but as important is fast roaming (secure  
handoffs between APs).  IEEE 802.11r is still a work in progress.  
PMK-caching  is the way to facilitate secure fast roaming in  
current generation products but it's likely not going to appear for  
WPA devices (not sure exactly why?)


It appears the handset vendors will have to support WPA2. We're  
seeing a number of interesting handsets which are starting to just  
now support WPA but not WPA2. In many cases WPA2 will require brand  
new handsets which have yet to see the light of day.  Needless to  
say, we aren't buying a lot of expensive VOIP wireless handsets  
right now but we are testing several... :-)


Our VOIP over Wireless pilot uses WPA-PSK and we won't release
devices that expose the PSK. I think that's the best way to deploy
secure VOIP over wireless in the short term. Not ideal, as Frank
says, vendors aren't very far along.


My prediction is that secure VOIP (at the application layer) will  
open the floodgates on all VOIP (including VOIP over wireless)...   
We're already starting to see this with Skype... The days for  
insecure VOIP are numbered IMHO.


... Jonn Martell, Manager UBC Wireless (Wireless and VOIP Project  
Manager)


on 11/29/2005 1:41 PM Frank Bulk said the following:

Hear-hear, but the Wi-Fi handset vendors are by far and large not
that far along in the thought process

Frank

-Original Message-
From: Michael Griego [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 2:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [SCFN]  VoIP eavesdropping (fwd)

This highlights the exact reasons that VoFi systems *should* use
802.1x authentication with per-station keys. That way, each handset
has its own key to encrypt its traffic over the air with, stopping
the easy sniffing of traffic passing through the air. This, of course,
does nothing for beyond-the-AP sniffing, but it is presumed that is
handled by other security measures in the environment.

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



Lee Barken wrote:


Any comments?  (Originally sent to socalfreenet.org)

-- Forwarded message --
Date: Tue, 29 Nov 2005 09:20:11 -0800 (PST)
From: Lee Barken <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [SCFN]  VoIP eavesdropping

This is somewhat offtopic for a wireless list-- but kinda relevant
considering our plans to implement VoIP in our wireless clouds

VoIP, in essence, uses CLEARTEXT protocols... making passive capture
trivial in a wireless environment. (?) What is the risk that
somebody will capture unauthorized recordings of voice communication?
Is there a legal precedent for prohibiting wiretapping in a digital
environment?


http://oreka.sourceforge.net/

"The open source, cross-platform audio stream recording and  
retrieval system Oreka is a modular and cross-platform system for  
recording and retrieval of audio streams. The project currently  
supports VoIP and sound device based capture. Recordings metadata  
can be stored in any mainstream database.  Retrieval of captured  
sessions is web based."


"Record VoIP RTP sessions by passively listening to network  
packets. Both sides of a conversation are mixed together and each  
call is logged as a separate audio file. When SIP or Cisco Skinny  
(SCCP) signalling is detected, the associated metadata is also  
extracted."


Take it easy,
  -Lee


___
SoCalFreeNet.org General Discussion List
To unsubscribe, please visit: http://socalfreenet.org/mailman/listinfo/discuss_socalfreenet.org



Re: [WIRELESS-LAN] 802.1x authentication on wired network

2005-12-01 Thread David Morton
If you're not using ACS, there are three Radius attributes that can  
be used to put a user in a particular VLAN. I don't recall the  
attribute numbers off the top of my head, but I am sure you can find  
them on Cisco's web site.  I know that they are also in the Microsoft  
Wireless Provisioning Server documentation (which you can find on  
Microsoft's web site.)


David


David Morton
Director, Security Solution
University of Washington


On Nov 28, 2005, at 5:14 AM, David Warner wrote:


Matt,

Inside the Cisco ACS server (and other radius servers I assume) you
can specify which vlan a group should be associated with. The
dot1x configuration on the switch will then use that information to
set the vlan when a user successfully authenticates.


dave warner


At 09:50 AM 11/25/2005, Matt Ashfield wrote:
Just out of curiosity, what is the mechanism that places the user in
the specified vlan? Namely, which component sets the switch port to be
part of a specified vlan?

Thanks

Matt
[EMAIL PROTECTED]

-Original Message-
From: David Warner [mailto:[EMAIL PROTECTED]
Sent: November 21, 2005 4:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.1x authentication on wired network

I've been testing the 802.1x authentication on Cisco catalyst switches
with the ACS radius server with an Active Directory authentication
database and a Microsoft windows XP client machine. I would like to
authenticate users based on AD info and place the computer in the
authorized vlan.

I have found that I am unable to use the windows credentials for dot1x
authentication when a new user is using a machine. The process of
logging into the machine and changing the user's vlan often causes the
machine to be unable to obtain an IP address through DHCP. Cisco has
recommended to not use the Windows credentials and use the separate
dot1x authentication but we were hoping to avoid multiple logins.

Another issue is that the current windows xp implementation stores the
dot1x credentials in the registry. The username, password and domain
are all cached in current_user\software\microsoft\eapol\UserEapInfo.
Unless this entry is deleted it is always used to determine the user
credentials. This is also a problem when a different person tries to
use the same machine in a lab or classroom shared machine.

Has anyone encountered these problems on the wired side of the network
and found a workaround.

TIA
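
Added illustration (not code from any poster in these threads): a Python sketch of what a NAS reads out of a RADIUS Access-Accept. It covers both the returned User-Name that Michael Griego describes in the 802.1X accounting thread earlier on this page and the three VLAN attributes mentioned in the reply above, which RFC 3580 specifies as Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81). The packet builder, identities and VLAN ID are constructed for the example, and Response Authenticator validation is not modelled.

```python
import struct

# Attribute numbers: RFC 2865 / RFC 2868. VLAN values: RFC 3580.
ACCESS_ACCEPT = 2
USER_NAME = 1
TUNNEL_TYPE = 64              # 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN ID as a string


def avp(attr_type, value):
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value


def tagged_int(value, tag=0):
    """RFC 2868 integer value: one tag octet, then three value octets."""
    return bytes([tag]) + value.to_bytes(3, "big")


def build_access_accept(attrs, identifier=1):
    """Constructed sample packet; the Response Authenticator is left zeroed."""
    body = b"".join(avp(t, v) for t, v in attrs)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, identifier,
                       20 + len(body), bytes(16)) + body


def parse_attributes(packet):
    """Return (code, {type: [values]}); reject truncated or malformed input."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(packet[pos], []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs


def int_value(values):
    """Tunnel-Type / Tunnel-Medium-Type: skip the tag octet, read three octets."""
    if not values or len(values[0]) != 4:
        return None
    return int.from_bytes(values[0][1:], "big")


def session_from_accept(packet, outer_identity):
    """What the NAS takes from an Access-Accept: accounting name and VLAN."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    # A User-Name returned by the server replaces the outer identity that the
    # NAS saw in the EAP-Response/Identity when it writes accounting records.
    names = attrs.get(USER_NAME)
    acct_user = names[0].decode("utf-8") if names else outer_identity
    vlan = None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if (int_value(attrs.get(TUNNEL_TYPE)) == 13
            and int_value(attrs.get(TUNNEL_MEDIUM_TYPE)) == 6 and group):
        raw = group[0]
        # A first octet of 0x1F or below is an RFC 2868 tag, not VLAN text.
        if raw and raw[0] <= 0x1F:
            raw = raw[1:]
        vlan = raw.decode("ascii")
    return {"accounting_user": acct_user, "vlan": vlan}


# Constructed sample values: the identities and VLAN ID are invented.
OUTER = "anonymous@example.edu"
WITH_INNER = build_access_accept([
    (USER_NAME, b"alice"), (TUNNEL_TYPE, tagged_int(13)),
    (TUNNEL_MEDIUM_TYPE, tagged_int(6)), (TUNNEL_PRIVATE_GROUP_ID, b"120"),
])
WITHOUT_INNER = build_access_accept([(TUNNEL_TYPE, tagged_int(13))])

if __name__ == "__main__":
    print(session_from_accept(WITH_INNER, OUTER))     # inner name, VLAN 120
    print(session_from_accept(WITHOUT_INNER, OUTER))  # outer name, no VLAN
```

When the server omits User-Name, the accounting record can only carry whatever the client typed as its outer identity, which is the gap the accounting thread describes.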



Re: [WIRELESS-LAN] Radius Authentication

2005-11-30 Thread David Morton
Depending upon the network and other variables I have seen it take anywhere from under one to several seconds.

David

On Nov 30, 2005, at 7:41 AM, Tom Klimek wrote:

Trying to determine an acceptable length of time it takes to authenticate a user from an AP to a Radius server. Length of time from radius Access-Request to Access-Accept ? Our experience is 1 - 2.5 seconds. Is this typical ?

--
Tom Klimek
University of Notre Dame


Re: [WIRELESS-LAN] 802.1x authentication on wired network

2005-11-21 Thread David Morton
As I recall, there was an issue with XP SP2  where after getting  
switched to a new VLAN, it doesn't release the old IP address and  
will try to renew the old address. Depending upon your setup the ACS  
may be rejecting that request as it is coming over the wrong VLAN. If  
this is the case, the user would not get a proper address until the  
old lease expires. So if you have a long lease time


I think that this behavior was improved (changed) with SP2 or maybe  
one of the security updates.


David

David Morton
Director, ITI Security Solutions
University of Washington
[EMAIL PROTECTED]


On Nov 21, 2005, at 1:13 PM, Phil Trivilino wrote:

The caching of user credentials is a problem - I have not used the  
802.1x for wired connections yet, but assumed the situation would  
be the same as in the wireless.
I wonder, if you used  Microsoft IAS to authenticate against your  
AD database, if you would have the same issues with new users and  
DHCP?
I am very pleased with our implementation of 802.1x on our wireless  
network.


Phil Trivilino
Manager of Network Infrastructure
St. Lawrence University

David Warner wrote:

I've been testing the 802.1x authentication on Cisco catalyst  
switches with the ACS radius server with an Active Directory  
authentication database and a Microsoft windows XP client  
machine.  I would like to authenticate users based on AD info and  
place the computer in the authorized vlan.


I have found that I am unable to use the windows credentials for  
dot1x authentication when a new user is using a machine.  The  
process of logging into the machine and changing the user's vlan  
often causes the machine to be unable to obtain an IP address  
through DHCP.  Cisco has recommended to not use the Windows  
credentials and use the separate dot1x authentication but we were  
hoping to avoid multiple logins.


Another issue is that the current windows xp implementation stores
the dot1x credentials in the registry. The username, password and
domain are all cached in
current_user\software\microsoft\eapol\UserEapInfo. Unless this entry
is deleted it is always used to determine the user credentials. This
is also a problem when a different person tries to use the same
machine in a lab or classroom shared machine.


Has anyone encountered these problems on the wired side of the  
network and found a workaround.


TIA
