Re: WPA2 Key Sharing

2010-11-24 Thread Devin Akin
Hi Jonathan,

With a simple protocol analyzer (Wireshark, OmniPeek, AirMagnet, CommView for 
Wi-Fi, etc), if you have the PSK that others are using, you can see their 
traffic in the clear if you capture their 4-way handshake.  To do this, you 
need only deauthenticate them (spoof a deauthentication frame) from their AP.  
They will reauthenticate and do a 4-way handshake, which will allow them to see 
your traffic, provided your sniffing tool has this functionality (CommView for 
Wi-Fi has it built in).

Devin



Yes, TKIP cannot be relied upon. The PSK isn't widely publicised, 
although it can't be assumed to be private. It's only given out to 
people who have paid for the games console service, authenticated and 
registered their console.

I don't pretend for a second that this is a high-security solution, but 
it's all that the games consoles can do. It's a little better than using 
an open network, though.


On 11/24/2010 07:41 PM, heath.barnhart wrote:
 Wasn't TKIP broken recently? Don't remember for sure, but if it has, and
 your PSK is public, then what security do you have?

 Heath

 On 11/24/2010 10:34 AM, Jonathan Gazeley wrote:
 Hi Bruce,

 We want to discourage use of the PSK network as much as possible. If
 it's too easy to use, people will probably start using their laptops
 with this instead of with the 802.1x network.

 An open network doesn't provide any barrier to entry, nor any
 encryption. Joe Public can wander past a student hall and sniff
 traffic, which may be personal/sensitive since lots of games consoles
 can now be used for Facebook, online purchases of Xbox points, etc.

 Using widely-known PSK is not ideal, but it helps. It keeps outsiders
 off, stops trivial sniffing of packets. Using TKIP, even if two users
 are authenticated with the same key, they won't be able to read each
 other's traffic in the clear.

 I also think it's pretty confusing if we are doing MAC authentication
 for registered console on an otherwise open network - it might look
 broken for users and cause confusion.

 Cheers,
 Jonathan


 On 24/11/10 12:15, Osborne, Bruce W wrote:
 Jonathan,

 We are just starting our migration from open/NAC network to 802.1x
 with NAC.

 For non-802.1X devices, what do you see as the advantages of WPA2-PSK
 with a widely known key instead of open?

 Obviously there is more work involved supporting the PAS, especially
 when the key is changed.

 Thanks,
 Bruce Osborne
 Wireless Design Engineer
 Liberty University

 -Original Message-
 From: Jonathan Gazeley [mailto:jonathan.gaze...@bristol.ac.uk]
 Sent: Tuesday, November 23, 2010 5:40 AM
 Subject: Re: WPA2 Key Sharing

 Hi Mike,

 We use a WPA2-802.1x network wherever possible, but we do provide a
 WPA2-PSK network for use with games consoles in halls of residence.

 We built a home-grown system where a user has to register the MAC
 address of their console in our web interface. The MAC is validated and
 the user is given the WPA2 key on their screen. Only registered MAC
 addresses can connect to the SSID.

 We change the key once per academic year, since the vast majority of
 students live in halls for just one year so it causes minimal
 inconvenience to users.

 Cheers,
 Jonathan

 
 Jonathan Gazeley
 Systems Support Specialist
 ResNet | Wireless VPN Team
 Information Services
 University of Bristol
 



 On 18/11/10 20:46, Hanson, Mike wrote:
 Hello,

 For those of you using WPA2 personal encryption on your wireless
 network, how do you provide the encryption key to your end users? And
 how often do you change the key?

 Thank you for your input.



 Mike Hanson
 Network Security Manager
 The College of St. Scholastica
 Duluth, MN 55811

 mhan...@css.edu


 ** Participation and subscription information for this EDUCAUSE
 Constituent Group discussion list can be found at
 http://www.educause.edu/groups/.
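
The point made at the top of this thread about a shared PSK and a captured 4-way handshake, worked through as an added example (not code from the thread or from any product named in it). It follows the WPA2-Personal key hierarchy to show that every input to the pairwise key other than the PSK travels unencrypted in the handshake, and contrasts that with a per-session 802.1X PMK. The SSID, passphrase, MAC addresses and nonces are constructed values, and the 802.1X PMK is modelled as random bytes.

```python
import hashlib
import hmac
import os

# Constructed sample values, not taken from any real network.
SSID = "console-net"
PASSPHRASE = "constructed shared passphrase"
AP_MAC = bytes.fromhex("020000000001")       # authenticator address (AA)
CONSOLE_MAC = bytes.fromhex("020000000002")  # supplicant address (SPA)


def nonce(tag: str) -> bytes:
    """Deterministic 32-byte stand-in for an ANonce/SNonce (constructed)."""
    return hashlib.sha256(tag.encode()).digest()


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes).

    Every device configured with the same passphrase on the same SSID
    ends up with the same PMK.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """Derive the CCMP pairwise transient key (384 bits) and split it.

    aa, spa, anonce and snonce are all visible in messages 1 and 2 of the
    4-way handshake; the PMK is the only secret input.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def compare_psk_and_dot1x() -> dict:
    """Compare what a second PSK holder can compute under PSK and under 802.1X."""
    first = (AP_MAC, CONSOLE_MAC, nonce("anonce-1"), nonce("snonce-1"))
    second = (AP_MAC, CONSOLE_MAC, nonce("anonce-2"), nonce("snonce-2"))

    # The console's own session key for its first association.
    console_tk = derive_ptk(pmk_from_passphrase(PASSPHRASE, SSID), *first)["tk"]

    # A different device that was also given the passphrase and recorded the
    # public handshake fields computes the same temporal key.
    holder_tk = derive_ptk(pmk_from_passphrase(PASSPHRASE, SSID), *first)["tk"]

    # After a re-association the nonces change, so a key computed from the old
    # handshake no longer matches; the handshake itself has to be observed.
    console_tk_2 = derive_ptk(pmk_from_passphrase(PASSPHRASE, SSID), *second)["tk"]

    # 802.1X: the PMK comes out of the EAP exchange and is unique per session
    # (modelled here as random bytes). Knowing the console-network passphrase
    # and the handshake fields does not yield this session's key.
    dot1x_tk = derive_ptk(os.urandom(32), *first)["tk"]

    return {
        "psk_holder_matches": hmac.compare_digest(console_tk, holder_tk),
        "old_handshake_still_valid": hmac.compare_digest(console_tk_2, holder_tk),
        "dot1x_matches_psk_holder": hmac.compare_digest(dot1x_tk, holder_tk),
    }


if __name__ == "__main__":
    for name, value in compare_psk_and_dot1x().items():
        print(f"{name}: {value}")
```

For a network design review, the result to read is `psk_holder_matches`: on a PSK SSID, confidentiality between registered devices rests only on the handshake not being observed, which is why the thread keeps the PSK network limited to devices that cannot do 802.1X.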


Re: Meraki?

2010-08-11 Thread Devin Akin
Lee,

Good blog.  The problem is that nobody can post.  The captcha doesn't seem to be 
working properly.

thanks!

Devin



I'm a Meraki fan, but then again I like aspects of BlueSocket, Aruba, and 
Cisco as well. Meraki did announce several new features today- the traffic 
shaping in particular is pretty slick: 
http://meraki.com/technology/traffic_shaper/

*Warning-shameless self-promotion ahead

I just blogged about these at: 
http://www.networkcomputing.com/wireless/meraki-boosts-cloud-based-wlan-with-traffic-control-other-new-features.php


Cheers!

-Lee Badman

 
 

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Miles Davis
Sent: Wednesday, August 11, 2010 1:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Meraki?

On Aug 11, 2010, at 09:19, Marcelo Lew wrote:

 I was wondering if somebody on the list is using (or considered) using the 
 Meraki System? 


Yup, we use Meraki for Stanford CS. I'm quite happy with the hosted (I gag a 
little if I say 'cloud') controller and management interface, and even happier 
that they've implemented every feature I've asked for ('real' VLAN tagging, 
RADIUS-based vlan assignment, a few others).

My only complaint (nothing to do with Meraki) is that I have to run this in 
parallel with other networks competing for spectrum, in a building that I 
believe was designed to absorb the 2.4-5GHz range. :)

-- 
// Miles Davis - mi...@cs.stanford.edu - http://www.cs.stanford.edu/~miles
// Computer Science Department - Computer Facilities
// Stanford University



Re: Band Steering?

2010-08-11 Thread Devin Akin
Aruba uses Atheros radios, and they aren't software-limited, but rather 
hardware-limited.  That means that their (and everyone else's) radios will have 
to be upgraded in order to support 3 spatial streams.

The third radio can be used in various ways, e.g. for a 3rd receiver in MRC to 
make reception more robust and using algorithms such as Cyclic Shift Diversity 
(CSD) for transmit gain smoothing.  There are others, but the net effect is 
modest on transmit, but decent on receive.

Devin K. Akin
Chief Wi-Fi Architect
Aerohive Networks
E: de...@aerohive.com




That is my understanding as well. I believe if a vendor’s AP has a third 
antenna, it can provide some diversity in that the two best  of the three can 
be used at any given time for the two available spatial streams on receive. I 
have no idea though, how much of a real benefit that translates to in practice.
Pete Morrissey
 
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Marcus Burton
Sent: Wednesday, August 11, 2010 4:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Band Steering?
 
The Aruba 120 series APs are 3x3 (3 TX x 3 RX radio chains), but they are 
software-limited to 2 spatial streams. The number of radio chains is not always 
proportional to the spatial stream capabilities. 

Marcus Burton
Dir. Of Product Development
CWNP

 
 

For the 120 – you sure?  On their documentation they show 3X3.  We don’t have 
any 120’s or 121’s, just 60’s 61’s 105’s, 124’s and 125’s, so I can’t say from 
a testing perspective.
 
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Ryan Holland
Sent: Wednesday, August 11, 2010 2:14 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Band Steering?
 
Just to add clarification, both the AP-120 series and AP-105s only support two 
(2) spatial streams, despite the additional antenna on the AP-120 series. FYI.

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906   holland@osu.edu
 
On Aug 11, 2010, at 4:01 PM, Greg Williams wrote:


Ethan, sorry to not be of much help, but we've never had a problem with Band
Steering.  We have a pretty dense deployment so maybe that's why.  But one
thing you mentioned is you are using AP 105's.  I can't remember 100% but I
did see a degradation in signal using the 105's on 5ghz vs 2.4ghz vs. AP 125
when in a classroom, walled type environment.  The AP 105's only have a 2X2
spatial stream not a 3X3.  We are using the AP  105's in more open areas for
that reason and 125's in the classroom type environments.

Greg Williams
IT Security Principal
University of Colorado at Colorado Springs

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Ethan Sommer
Sent: Wednesday, August 11, 2010 1:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Band Steering?

We are upgrading part of our network using Aruba AP-105s and a pair of
3600 controllers.

We've found an annoying problem when we have band steering turned on.

We've created two SSIDs. Let's call them BandSteering and NoBandSteering.  
When users are relatively close to an access point, they can connect to
either. My MacBook will usually connect using 2.4 Ghz on NoBandSteering and
will always connect using 5ghz to BandSteering.  When a user is further away
from the access point, however, they can connect fine to NoBandSteering
(obviously it is slower than when they were closer) but can't connect at all
to the BandSteering SSID. It doesn't fail back to 2.4ghz, and the clients
don't recognize that they can't connect and connect to NoBandSteering if
that's lower in their preferred networks list.

The effect is that, understandably, users will select the NoBandSteering
SSID because it is more reliable. (Even though it is slower in most cases.)

Aruba suggested that I try setting the 5ghz ARM profile to always max out
the 5ghz radio, which helps some but does not eliminate the areas where
2.4ghz works and 5ghz doesn't.

So, my questions are:
1. Are people using band steering?
2. Have you found the same problem?
3. Is there a way to fix it? (Other than turning off bandsteering.)


4. I suppose a related question is, is there a way to make client computers
prefer 5ghz more?

I guess we'll probably just not use band steering if we can't find a
solution, but it would be a shame not to better utilize the 5ghz spectrum.

Thanks for any suggestions!

Ethan

--
Ethan Sommer
Associate Director of Core Services
Gustavus Technology Services
somm...@gustavus.edu
507-933-7042


Re: Guest Wireless Questions

2010-07-03 Thread Devin Akin
http://www.zcorum.com/caleafaq.php

http://www.askcalea.com/calea/103.html

Here's a couple of helpful links on CALEA.

Devin

Devin K. Akin
Chief Wi-Fi Architect
Aerohive Networks
E: de...@aerohive.com
C: +1.404.483.2681
O: +1.770.854.8554
W: www.Aerohive.com



Sorry it is the Communications Assistance for Law Enforcement Act.
tn
 
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Peter P Morrissey
Sent: Friday, July 02, 2010 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Guest Wireless Questions
 
The CA in CALEA stands for “Computer Access.” We interpret that to mean 
providing a way for them to tap into our network to access any network traffic. 
Our understanding is that if you do your best to provide that and cooperate, it 
isn’t a big deal. We also track IP to user mappings for lots of reasons, that 
we could certainly make available under the correct legal proceedings.
 
Peter Morrissey
 
 
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Trent Fierro
Sent: Friday, July 02, 2010 9:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Guest Wireless Questions
 
Out of curiosity regarding CALEA, do you need to provide law enforcement with a 
way to view where a user goes on your network while using wireless? Or do you 
just need to provide login details? I know that for telephony that you need to 
provide a way to tap a line, etc. but haven’t paid much attention to CALEA 
requirements recently.
 
Trent
 
 
Trent Fierro
Dir of Marketing
408.748.0902  x116
www.avendasys.com
http://twitter.com/Avenda_Systems
 
Security without Boundaries
 
 
 
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Daniel Eklund
Sent: Friday, July 02, 2010 6:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Guest Wireless Questions
 
We provide free guest access, but not open access.  Guests must be vouched for 
by a faculty or staff member and that person takes responsibility for the 
actions of the guest while they use the network.  We have a simple online 
process that the faculty or staff member uses to create a temporary ID and 
password for their guest.  They can create as many IDs as they need and the ID 
can be requested to have a lifetime up to 1 week.  After that time the ID is 
deleted.

--
Daniel Eklund
Director, Networking
Wayne State University
313-577-5558


- Tom Neiss tne...@uamail.albany.edu wrote: 
 
Are you providing free guest wireless access on your campus?
How are you dealing with CALEA if you are?
Do you use your edu address?
Thanks,
 
Thomas R. Neiss
Director of ITS Telecommunications
University at Albany
1400 Washington Ave
Albany, NY 1
(518) 437-3803
 
 
 


Re: Aruba vs HP vs Meraki

2010-04-04 Thread Devin Akin
Hi Lee,

From what I can tell, and since I haven't touched it I could be wrong, 
Bluesocket's vWLAN solution is a software controller that can run on a server 
of your choosing.  If that's correct, I'm wondering how it's any different than 
a controller-appliance-based implementation (other than just using a x86 server 
instead of a custom appliance to host the software).  Am I misunderstanding 
their solution?

Thanks,

Devin

Devin K. Akin
Chief Wi-Fi Architect
Aerohive Networks
E: de...@aerohive.com
C: +1.404.483.2681
O: +1.770.854.8554
W: www.Aerohive.com



I did look at Meraki early on- you are correct that I saw them before they 
added rogue detection.

I will also add that I am gaining a much better familiarization with 
BlueSocket's vWLAN architecture (outside of my university duties), which I 
would describe in simplest terms as living somewhere between Meraki in the 
cloud and the heavy controller vendors. It is a very interesting system as 
well, with some distinct competitive advantages, and I would say that if you 
are open minded enough to be looking beyond the major players, BlueSocket is 
worth throwing in the mix.

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[wireless-...@listserv.educause.edu] On Behalf Of John Rodkey 
[rod...@westmont.edu]
Sent: Friday, April 02, 2010 11:19 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba vs HP vs Meraki

Reading Lee's review of Meraki, it appears that he demo'ed the system prior to 
their introduction of rogue detection.

On Fri, Apr 2, 2010 at 8:01 PM, John Rodkey 
rod...@westmont.edu wrote:
We moved from Aruba to Meraki within the last year.
We were able to get considerably more saturation of the campus with wireless 
using Meraki than would have been possible for the same cost with Aruba.
Administration of the access points was much more intuitive with Meraki than 
our experience with Aruba, and the functionality provided by the cloud-based 
controller is quite extensive. Deployment is very much plug and play: the WAPs 
auto-configure themselves.  We've also used the mesh capability built into the 
Meraki products to extend coverage where we have power but no network 
connections.
Meraki has been very responsive to us in dealing with the problems we have 
encountered.  In retrospect, most of the problems were either Radius 
configuration or client computer problems.  The few that weren't client/config 
problems were addressed quickly and professionally.

We're happy with the results.

Stats:  we have 270 802.11N APs deployed, 2393 distinct clients.


On Fri, Apr 2, 2010 at 11:21 AM, Ethan Sommer 
somm...@gac.edu wrote:
We are considering replacing our 200+ AP wireless infrastructure with a 
controller based 802.11n system.

I believe we have narrowed it down to Aruba, HP Procurve (we use HP switch 
gear), and Meraki.

I have two questions:

1. Are there any hidden costs we should watch out for with any of these 
(particularly Aruba.) Will we hit major costs other than the up front cost for 
the APs and the controllers?

2. I know a lot of schools are very happily using Aruba, but I haven't heard of 
any schools using HP and very few using Meraki.

Are there any schools who have gone with Aruba and regretted it? If so, why?

Are there any schools out there using HP Procurve (formerly Colubris) or 
Meraki? What do you think of them? Did you have any surprises after you 
deployed?


Ethan

--
Ethan Sommer
Associate Director of Core Services
507-933-7042
somm...@gustavus.edu



Re: Aruba vs HP vs Meraki

2010-04-02 Thread Devin Akin
I would consider making a list of characteristics/features that you're looking 
for, and then see which of the three vendors can deliver most of them, with 
emphasis on the critical features, within your budget.

Devin K. Akin
Chief Wi-Fi Architect
Aerohive Networks
E: de...@aerohive.com
C: +1.404.483.2681
O: +1.770.854.8554
W: www.Aerohive.com



What I personally find interesting is the wide choice not from a manufacturing 
point of view but more from a Wi-Fi technology point of view.

Aruba – Controller based (aka controller based)
All data goes through the controller, centralized architecture.

HP – decentralized (Controller is not directly essential)
Data path is separated from the management path.

Meraki – Cloud computing
Centralized Cloud, not having to own controller hardware inside your own 
network.

All three very different solutions.

I’m looking forward to following this email thread with the comments, thanks for 
sharing.
I would recommend writing down a proof of concept and inviting the vendors of 
your choice.
In this way you’ve tested your requirement (out of your proof of concept) 
and are therefore convinced that the solution you buy is the right one.
Good luck...
 

Mike  Hydra

Cell: +31 6 29 07 18 96
Tel:  +31 252 62 61 20
Fax: +31 252 68 88  37
E-mail:  mhy...@2fast4wireless.com
Skype:  Flying-Wireless-Dutchman
Web:  www.2fast4wireless.com 




From: Peter P Morrissey ppmor...@syr.edu
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: Fri, 2 Apr 2010 22:47:26 +0200
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: Aruba vs HP vs Meraki

OK, so I'll ask. Why did you eliminate Cisco already?
Pete M.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Ethan Sommer
Sent: Friday, April 02, 2010 2:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba vs HP vs Meraki

We are considering replacing our 200+ AP wireless infrastructure with a
controller based 802.11n system.

I believe we have narrowed it down to Aruba, HP Procurve (we use HP
switch gear), and Meraki.

I have two questions:

1. Are there any hidden costs we should watch out for with any of these
(particularly Aruba.) Will we hit major costs other than the up front
cost for the APs and the controllers?

2. I know a lot of schools are very happily using Aruba, but I haven't
heard of any schools using HP and very few using Meraki.

Are there any schools who have gone with Aruba and regretted it? If so, why?

Are there any schools out there using HP Procurve (formerly Colubris)
or Meraki? What do you think of them? Did you have any surprises after
you deployed?


Ethan

--
Ethan Sommer
Associate Director of Core Services
507-933-7042
somm...@gustavus.edu



Re: Aruba vs HP vs Meraki

2010-04-02 Thread Devin Akin
Ethan,

Was the narrowing process done based on specs or perhaps a list of criteria 
that they had to meet?

Obviously there are lots of methods of buying (best of breed, best of brand, 
bake-off/performance-test, etc)...so I was just curious as to how you narrowed 
it down (since someone else was asking about 'why not Cisco')

thanks!

Devin K. Akin
Chief Wi-Fi Architect
Aerohive Networks
E: de...@aerohive.com
C: +1.404.483.2681
O: +1.770.854.8554
W: www.Aerohive.com/isc
(See our Infinitely Scalable Controller!)



We are considering replacing our 200+ AP wireless infrastructure with a 
controller based 802.11n system.

I believe we have narrowed it down to Aruba, HP Procurve (we use HP 
switch gear), and Meraki.

I have two questions:

1. Are there any hidden costs we should watch out for with any of these 
(particularly Aruba.) Will we hit major costs other than the up front 
cost for the APs and the controllers?

2. I know a lot of schools are very happily using Aruba, but I haven't 
heard of any schools using HP and very few using Meraki.

Are there any schools who have gone with Aruba and regretted it? If so, why?

Are there any schools out there using HP Procurve (formerly Colubris) 
or Meraki? What do you think of them? Did you have any surprises after 
you deployed?


Ethan

-- 
Ethan Sommer
Associate Director of Core Services
507-933-7042
somm...@gustavus.edu



Re: Aruba vs HP vs Meraki

2010-04-02 Thread Devin Akin
ABC.  :)  SWEET.  I know lots of folks who leverage their relationship with HP 
because of the Ethernet gear.  Nothing wrong with that really...as long as HP 
gives you a system that can do what you're looking to do with Wi-Fi.  

Cool. 

Devin


Devin K. Akin
Chief Wi-Fi Architect
Aerohive Networks
E: de...@aerohive.com
C: +1.404.483.2681
O: +1.770.854.8554
W: www.Aerohive.com/isc
(See our Infinitely Scalable Controller!)



We are an anti cisco shop. We moved away to hp and didn't look back. Their 
smartnet philosophy just doesn't work in our environment.

We are looking at hp primarily because we use hp switch gear.

Then we chose a sampling of other brands we know other schools are happy with.

We are open to considering other brands with good references, who will let us 
demo 10 aps, that will cost us about 100k for a 200 ap system.



-- Sent from my Palm Pre


On Apr 2, 2010 5:01 PM, Devin Akin de...@aerohive.com wrote: 

Ethan,

Was the narrowing process done based on specs or perhaps a list of criteria 
that they had to meet?

Obviously there are lots of methods of buying (best of breed, best of brand, 
bake-off/performance-test, etc)...so I was just curious as to how you narrowed 
it down (since someone else was asking about 'why not Cisco')

thanks!

Devin K. Akin
Chief Wi-Fi Architect
Aerohive Networks
E: de...@aerohive.com
C: +1.404.483.2681
O: +1.770.854.8554
W: www.Aerohive.com/isc
(See our Infinitely Scalable Controller!)



We are considering replacing our 200+ AP wireless infrastructure with a 
controller based 802.11n system.

I believe we have narrowed it down to Aruba, HP Procurve (we use HP 
switch gear), and Meraki.

I have two questions:

1. Are there any hidden costs we should watch out for with any of these 
(particularly Aruba.) Will we hit major costs other than the up front 
cost for the APs and the controllers?

2. I know a lot of schools are very happily using Aruba, but I haven't 
heard of any schools using HP and very few using Meraki.

Are there any schools who have gone with Aruba and regretted it? If so, why?

Are there any schools out there using HP Procurve (formerly Colubris) 
or Meraki? What do you think of them? Did you have any surprises after 
you deployed?


Ethan

-- 
Ethan Sommer
Associate Director of Core Services
507-933-7042
somm...@gustavus.edu



Re: Meru Redundancy

2010-03-22 Thread Devin Akin
Hi Chris,

There are two ways (currently) to approach full redundancy, one a bit more 
redundant than the other.  The first is to have a controller cluster, such as 
is found with Motorola and Trapeze, where some of the clustered controllers are 
located in a physically different location than the others (but still connected 
via Gigabit).  For a distributed scenario like this (in case a building goes 
down), this scenario is a bit of a pain and costs quite a bit, as you might 
guess, but it should still work.

The second way to do this is via a controller-less architecture (e.g. 
Aerohive), where APs talk to each other using protocols much akin to routing 
protocols such as OSPF.  Without controllers, and with failover/failback and 
best-path forwarding, full redundancy can be achieved at minimum complexity and 
cost.  This is the reason that others (Motorola, Ruckus, and others) are already 
moving toward a controller-less architecture.

Hope this helps,

Devin K. Akin
Chief Wi-Fi Architect
Aerohive Networks
E: de...@aerohive.com
C: +1.404.483.2681
O: +1.770.854.8554
W: www.Aerohive.com



I work for a University that is starting to rely on the wireless more and more. 
I am currently using the meru wireless system with the Nplus1 technology. This 
works great as long as you don’t have more than one controller go down at a 
time, but if you would lose a whole building or more than one controller there 
will be an outage. I was wondering what other universities are doing to get 
true redundancy? Are you buying a nplus1 controller for every production 
controller?

Thanks in advance,
Chris Huels
Network Engineer
Washington University in St. Louis


Re: Migrating from WPA1 to WPA2- any tales of woe?

2010-01-05 Thread Devin Akin
Good info James.

On the Win7/Vista comment, once a client is associated to an AP, it's supposed 
to use that cipher suite until it reassociates to another AP or is disconnected 
and reconnects (for whatever reason) to that same AP.  Cipher suite selection 
is based on a per-association basis, and CCMP should always be preferred when 
the AP is announcing both in beacons and probes for Wi-Fi certified clients.  

Hope this helps,

Devin

Devin K. Akin
Chief Wi-Fi Architect
Aerohive Networks
E: de...@aerohive.com
C: +1.404.483.2681
W: www.Aerohive.com



--On Tuesday, January 05, 2010 09:21:35 AM -0500 Lee H Badman 
lhbad...@syr.edu wrote:

 Has anyone made the move from WPA1/TKIP-only to WPA2/AES-only in the WLAN?

 Did you find a significant (or insignificant) percentage of client
 devices that couldn't make the change? Did you make any attempts to
 otherwise accommodate the user devices that couldn't make the jump? Any
 other details of the transition worth mentioning?

Hi Lee,
  We have nearly completed this (we have a second SSID that is still 
WPA/TKIP, but that will be turned off in July. It has very few users.)

* XP SP2 will need SP3 or hotfix KB917021

* Many laptops ship with very old wireless drivers. Many of these proved to 
be unstable or not support WPA2, so our helpdesk have local copies or 
direct links to all the common drivers.

* We don't sell kit direct to users, but we keep a list of cheap and 
cheerful USB wireless adapters if a laptop's lack of WPA2 cannot be fixed 
with a driver update.

* For the smaller mobile devices, we haven't had problems - All that 
support 802.1x, tended to support WPA2 as well.

* Ubuntu / Mac OS / Blackberry / iPhone can auto detect the change from 
WPA/TKIP to WPA2/AES and just work (with the same SSID name), but Vista and 
Win 7 can't. ...I can see the advantages of being able to enforce WPA2/AES 
client side though.


Regards,
  James


--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk   http://www.jamesjj.net
--



Re: Migrating from WPA1 to WPA2- any tales of woe?

2010-01-05 Thread Devin Akin
Good point!  You're certainly correct.  Nice attention to detail. :)



--On 05 January 2010 10:11 -0500 Devin Akin de...@aerohive.com wrote:

 Good info James.

 On the Win7/Vista comment, once a client is associated to an AP, it's
 supposed to use that cipher suite until it reassociates to another AP or
 is disconnected and reconnects (for whatever reason) to that same AP.
 Cipher suite selection is based on a per-association basis, and CCMP
 should always be preferred when the AP is announcing both in beacons and
 probes for Wi-Fi certified clients.

With Vista and Win 7, you can set up multiple wireless network profiles for 
the same SSID (as long as the profile names are different). So you could 
set up one SSID XYZ profile to be WPA/TKIP and one SSID XYZ profile with 
WPA2/AES. If you do this, then indeed, the client will decide based on what 
it can 'see' and should pick the WPA2/AES if it can see both.

My point was that, unless you have already set up the two profiles, the 
clients will only have a profile for the SSID as it is now. The client will 
not connect if you change the wireless encryption, without manual 
interaction from the user.

-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk   http://www.jamesjj.net
--
