Re: PEAP vs TLS

2018-02-27 Thread Eriks Rugelis
>Do you:
>- Support 802.1x? - 
Yes.

>If yes, do you:
>- use EAP-PEAP on campus? - 
Yes.

>- use EAP-TLS on campus? - 
No.

>- What PKI/CA do you use: - 
GlobalSign.

>- If only PEAP, are you planning EAP-TLS? - 
No.

When 802.1x was launched here, PEAP was the lowest common denominator for 
machine-based authentication across the fleet of BYOD clients.  PEAP continues 
to be deemed 'good enough' for our needs.  A project proposal to deploy EAP-TLS 
continues to be difficult to justify resource allocations to proceed vs. other 
service improvements and operational fires.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.


Re: WLC Mobility Groups

2017-11-15 Thread Eriks Rugelis
FWIW, our Keele campus has twelve WLC5508's which together support approx. 4900 
APs.  We have a single Mobility Group configured for all APs located at this 
campus.  The campus has daily peaks of approx. 25K concurrent devices 
associated.   We are not aware of any operationally 'bad' system behaviour 
related to mobility group configuration which is impacting the ability of our 
end-users to successfully use the service.   Perhaps we aren't paying enough 
attention to the relevant metrics?

We are presently running v8.0.152.0 and are pre-production testing v8.5 due to 
imminent deployment of AP1815w's in residence buildings.

Eriks Rugelis,
Manager, Network Development
York University, Toronto



Re: Wireless services in your Stadiums and Arenas

2017-10-11 Thread Eriks Rugelis
For the Toronto 2015 Pan American Games, AmpThink was retained by the TO2015 
organizing committee to create the (several) designs for games venue Wi-Fi 
coverage.   One of those venues is on-campus next to the building I am in now.  
At the time, AmpThink's billing rate for engagement seemed to be much more 
reasonable than the number we were given by Cisco Advanced Services.

I have since retained AmpThink for Wi-Fi design of another building (presently 
under construction.)   I have no relationship to AmpThink other than as a 
paying customer.

You can find them at:
http://www.ampthink.com/

Eriks



Guest WLAN capabilities/policies

2017-01-05 Thread Eriks Rugelis
Happy New Year to all!

York University needs to create a guest WLAN service suitable for use by:
 a) individuals enrolled in on-campus 1-day to 5-day professional 
development courses but they bring their own locked-down corporate laptops 
for which the end-user has no administrative rights (making it difficult 
for them to configure their 802.1x supplicant)
 b) VIP guests (potential donors to the University) visiting the campus 
for the day
 c) suppliers visiting for the day to make presentations or to provide 
support for products and services used by the University
 d) prospective students (and parents) visiting the campus for the day
 e) guests of on-campus conferences (using residences and meeting spaces 
rented by our hotel operation)

We intend to have the guest user self-register for time-limit (12 hours at 
a stretch) access via email address or mobile phone number (which may be 
reached via SMS.)

We have an existing temporary/sponsored account mechanism which is 
suitable for use by individuals who require 'full WLAN service' and whose 
arrival is pre-arranged.   However, this does not support 
self-registration and is perceived by our clientele as too cumbersome for 
use by this group of users.

We have eduroam deployed but most of the users in the target market do not 
have high-education userids elsewhere and thus are not able to leverage 
that service.

Our corporate IT policies are such that we prefer to have all users with a 
long-term relationship to the University (enrolled students, faculty, 
staff, researchers) use our standard 802.1x authenticated service which is 
tied to our corporate ID management systems.   This permits us to link any 
abuse or data breach back to a particular individual and apply one of a 
number of standard response procedures to mitigate the malware found in 
the client device or in the head of the end-user as appropriate.

How does your institution define guest WLAN service vs. corporate WLAN 
services?
How does your institution encourage use of the corporate WLAN service vs. 
Guest WLAN service by those individuals who are known to corporate ID 
management?
How do the capabilities of your Guest WLAN service differ from those of 
the corporate WLAN service?   (e.g. throughput limits? restricted TCP/UDP 
ports? application restrictions? other?)

Thanks in advance for any and all input.

Eriks

"In God we trust; all others must bring data." - attributed to W. Edwards 
Deming
---
Eriks Rugelis | Manager, Network Development | University Information 
Technology 
010 Steacie Science and Engineering Library | York University | 4700 Keele 
St. , Toronto ON Canada M3J 1P3
T: +1.416.736.5756 | F: +1.416.736.5830 | er...@yorku.ca | www.yorku.ca 

York UIT will NEVER send unsolicited requests for passwords or other 
personal information via email. Messages requesting such information are 
fraudulent and should be deleted.



Re: Per room wireless

2016-11-04 Thread Eriks Rugelis
Since August 2013 we have deployed about 1680 AP702W's into undergrad residence 
rooms.   Since we enable and support the wired access ports on these APs, we 
also relocated all outlet boxes to just above desk height.

Eriks Rugelis
---
Manager, Network Development
York University



Re: point to point wireless bridge

2016-07-25 Thread Eriks Rugelis
Bruce Entwistle wrote:
> We have been running a pair of Bridgewave GE60 units for several years to 
> link to some remote buildings.  We recently learned
> that these units are reaching/reached EOL, so it is time to begin looking at 
> replacing this hardware.   I was looking to see what 
> others have used for this type of link.  The distance between the two units is 
> about 200 feet and the bridge units are connecting to
> 1Gb ports on the switches at each end.

We too are using GE60's.  In our case for two different links, one is approx. 
520m and the other approx. 640m.   We have been very happy with them but they 
came at a premium price point.

For a distance of <100m I would consider low-cost options such as MikroTik and 
others.   About 3 years ago I deployed 6 pairs of MikroTik SXT 5 units (these 
date from before 11ac was released) at the self-help yacht club where I keep my 
sailboat.  The shot distances are: 1x 45m, 1x 75m, 4x 95m.  The SXT's have 
survived two of the nastiest winters in recent memory and they continue to work 
today.   Except as a customer, I have no other interest in MikroTik.

More info here:
http://i.mt.lv/routerboard/files/antenas-160404123306.pdf

Good hunting!
---
Eriks Rugelis
Manager, Network Development, University Information Technology
York University, Toronto



Re: FreeRADIUS server scaling for 802.1x

2016-07-25 Thread Eriks Rugelis
Victoria Poncini wrote:
> Question: are you using radius proxies to front end controller auth requests 
> to a Load balancer that sits in front of the Radius
> backend servers? Is the problem the bottleneck at the wlan controllers or the 
> Radius servers regarding concurrent loading?

We do not have a separate RADIUS proxy between the WLC's and the RADIUS service 
clusters.   The Active-Active LB cluster diagram (slide 18) shows all the 
active components in the system now operating here.

On slide 18 we call out the behaviour of Cisco WLC's w.r.t. selecting which 
RADIUS server to use.  That is to say, the WLC sends all requests to only the 
first RADIUS server in the authentication server list configured on the WLC.   
If the WLC determines that first RADIUS server is unresponsive, it will then 
send all requests to the next RADIUS server in its list.   It is THIS 
behaviour of the WLC which caused us to employ a RADIUS load-balancer to 
reliably and seamlessly distribute RADIUS workload across multiple RADIUS 
servers.   Wi-Fi infrastructure by suppliers other than Cisco may distribute 
RADIUS workload differently.  They may be better served by a different 
deployment architecture for RADIUS services.

Does this help?

Eriks
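
An added illustration (not part of the original post, and not York's configuration): a small Python model contrasting the ordered-failover server selection described above with a load balancer in front of the same servers. The server names, the client MAC addresses and the balancer policy (rendezvous hashing on the client MAC) are assumptions made for the example.

```python
import hashlib
from collections import Counter

# Constructed names; the post does not name its RADIUS servers.
SERVERS = ["radius-a", "radius-b", "radius-c"]


def wlc_select(server_list, down=frozenset()):
    """Ordered failover as described in the post: every request goes to the
    first server in the configured list that is still responsive."""
    for server in server_list:
        if server not in down:
            return server
    return None


def lb_select(client_mac, server_list, down=frozenset()):
    """Assumed load-balancer policy (rendezvous hashing on the client MAC).
    One client always maps to one live backend, so the several round trips
    of a single EAP conversation are not split across servers."""
    live = [s for s in server_list if s not in down]
    if not live:
        return None
    return max(live, key=lambda s: hashlib.sha256(f"{s}|{client_mac}".encode()).digest())


def constructed_clients(count):
    """Locally administered MAC addresses generated for the example."""
    return [f"02:00:00:{(i >> 16) & 0xFF:02x}:{(i >> 8) & 0xFF:02x}:{i & 0xFF:02x}"
            for i in range(count)]


def load_by_server(clients, mode, down=frozenset()):
    """Count one authentication per client and return the per-server totals."""
    load = Counter({s: 0 for s in SERVERS})
    for mac in clients:
        if mode == "wlc":
            target = wlc_select(SERVERS, down)
        else:
            target = lb_select(mac, SERVERS, down)
        if target is not None:
            load[target] += 1
    return dict(load)


def moved_clients(clients, down):
    """Clients whose backend changes when the servers in `down` fail."""
    return [m for m in clients
            if lb_select(m, SERVERS) != lb_select(m, SERVERS, down)]


if __name__ == "__main__":
    clients = constructed_clients(3000)
    print("WLC list, all up:     ", load_by_server(clients, "wlc"))
    print("WLC list, first down: ", load_by_server(clients, "wlc", {"radius-a"}))
    print("Balancer, all up:     ", load_by_server(clients, "lb"))
    print("Balancer, first down: ", load_by_server(clients, "lb", {"radius-a"}))
```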



Re: FreeRADIUS server scaling for 802.1x

2016-07-19 Thread Eriks Rugelis
Curtis K. Larsen wrote:
> Nice slides.  This is pretty similar to what we do.  We're also using 
> PacketFence/FreeRADIUS.  The
> graphing of the authentications is key to understanding/scaling things in my 
> opinion.

Actually, with respect to our current deployment architecture, we are standing 
on your shoulders.   I want to thank you for that and also for driving Inverse 
to implementing the activity and performance graphs in Packetfence.

I cannot overstate how valuable we find the ability to track and correlate 
authentication workload, authentication server performance and back-end (Active 
Directory) server performance!
---
Eriks Rugelis
Manager, Network Development, University Information Technology
York University, Toronto



Re: FreeRADIUS server scaling for 802.1x

2016-07-19 Thread Eriks Rugelis
David,
For what it is worth, here is a presentation on scaling of Wi-Fi authentication 
which we created for this year's CANHEIT conference.

https://canheit-hpcs2016.exordo.com/files/papers/145/presentation_files/1/CANHEIT2016_AuthBigWiFi.pptx

We use Packetfence, which uses FreeRADIUS under the covers but adds a layer of 
context switching which you wouldn't otherwise have if using only FreeRADIUS by 
itself.

Feel free to ask questions, either on the list or directly via email.
---
Eriks Rugelis
Manager, Network Development, University Information Technology
York University, Toronto



WLAN planning strategy for new buildings?

2016-04-13 Thread Eriks Rugelis
I would like to hear opinions from this community about how to approach 
WLAN planning for new construction projects.   We are in the midst of 
constructing a series of new buildings and I am not pleased with the early 
results. 

1. Do you take a stab at a best-guess predictive survey from construction 
drawings (AutoCAD) and then do post-build survey and adjustments?   (Can 
result in sub-optimal initial deployment requiring re-work.   How do you 
estimate the re-work cost?)

2. Do you wait until the new building is standing to create a post-build 
survey and deployment?  (Can be costly in terms of implementation budget 
as well as elapsed time to running service.)

FWIW, we have several years of internal experience with Ekahau Site Survey 
for predictive surveys.   However, our ESS-literate staff resources are 
spread very thin.   So far, we have had trouble identifying competent 
contractors to hire for creation of predictive surveys on our behalf.   It 
seems most of them do not understand high-density client workloads such as 
are found in typical university buildings.   Worse, some do not really 
understand Wi-Fi at all.

3. If you use ESS:
a) Can you describe your experience with making use of its 
auto-import feature for reading AutoCAD files? 
b) Can you describe your experience/success with obtaining AutoCAD 
models (from your facilities dept.) which classify building materials into 
unique layers to ease auto-import by ESS?

The latest Big Think in the construction industry is BIM (Building 
Information Modeling.)   Our Facilities Development department has adopted 
AutoDesk's Revit tool for creating/managing BIM for new buildings.   While 
Revit has an export function to create AutoCAD .dwg files, there is a 
terrifying degree of flexibility in how this export can be done.

4. Do you have any experience in creating AutoCAD exports from Revit BIM 
which are suitable for import by Ekahau Site Survey?

Thanks in advance for your input.

Eriks

"In God we trust; all others must bring data." - attributed to W. Edwards 
Deming
---
Eriks Rugelis | Manager, Network Development | University Information 
Technology 
010 Steacie Science and Engineering Library | York University | 4700 Keele 
St. , Toronto ON Canada M3J 1P3
T: +1.416.736.5756 | F: +1.416.736.5830 | er...@yorku.ca | www.yorku.ca 



Re: backhaul wifi comparison/suggestions

2016-04-08 Thread Eriks Rugelis
FWIW,
Three years ago I designed and implemented Wi-Fi coverage for the yacht 
club where we keep our sailboat. 

The design required the creation of 6 mounting poles linked by a total of 
5 pairs of point-to-point radios shooting distances of 100m to 200m. 
Virtually all equipment is mounted outdoors and is fully exposed to the 
weather.

I selected MikroTik equipment.   To-date, the system has survived 3 
Toronto winters without failures.   The total solution cost was very 
affordable.   RouterOS software is arcane and a bit twisted but ultimately 
usable.  The PoE implementation is non-standard.

For point-to-point links we use the SXT5HP
http://routerboard.com/RBSXT5HPnDr2

This product has evolved since we purchased it.  There are a wider variety 
of options available today.

I have no interest in MikroTik other than being a satisfied customer.

Eriks

"In God we trust; all others must bring data." - attributed to W. Edwards 
Deming
---
Eriks Rugelis | Manager, Network Development | University Information 
Technology 
010 Steacie Science and Engineering Library | York University | 4700 Keele 
St. , Toronto ON Canada M3J 1P3
T: +1.416.736.5756 | F: +1.416.736.5830 | er...@yorku.ca | www.yorku.ca 



Re: Wireless-LAN session - EDUCAUSE Annual Conference 2015 (Indianapolis)

2015-11-13 Thread Eriks Rugelis
Brian,
I was unable to attend the EDUCAUSE conference in Indianapolis.  For that 
reason I am grateful for being able to read the proceedings of the 
Wireless-LAN session on this mailing list.

Thank you for posting this summary.

Eriks

"In God we trust; all others must bring data." - attributed to W. Edwards 
Deming
---
Eriks Rugelis | Manager, Network Development | University Information 
Technology 
010 Steacie Science and Engineering Library | York University | 4700 Keele 
St. , Toronto ON Canada M3J 1P3
T: +1.416.736.5756 | F: +1.416.736.5830 | er...@yorku.ca | www.yorku.ca 



Web archive of this list ceased as of 2014 Jan 16?

2014-02-18 Thread Eriks Rugelis
When I visit the EDUCAUSE website to view archives of this discussion 
group, there are no messages visible after Jan. 16.  I've been looking 
here:

http://www.educause.edu/discuss/networking-and-emerging-technologies/wireless-local-area-networking-constituent-group

There's a 'Guidelines and Contact' box on the front-page of the archive 
that asks for problems with the listserv to be reported to 
c...@educause.edu.   I did so a couple of weeks ago but still there are 
no additions to the archive.

Is it just me?

Is there a better place to report such an issue and get attention on it?

Thanks,
Eriks

In God we trust; all others must bring data. - attributed to W. Edwards 
Deming
---
Eriks Rugelis | Manager, Network Development | University Information 
Technology 
010 Steacie Science and Engineering Library | York University | 4700 Keele 
St. , Toronto ON Canada M3J 1P3
T: +1.416.736.5756 | F: +1.416.736.5830 | er...@yorku.ca | www.yorku.ca 



Are Apple iPhones and other mobile devices misbehaving on Wi-Fi?

2012-05-29 Thread Eriks Rugelis
I just came across this article:

http://revolutionwifi.blogspot.ca/2012/05/are-apple-iphones-misbehaving-on-wi-fi.html

It reports that Wi-Fi interfaces on some mobile devices may be behaving in 
a manner which is not conducive to fair and efficient sharing of the RF 
channel in a high-density setting.

Has anyone else heard of this issue?

Thanks,
Eriks

In God we trust; all others must bring data. - attributed to W. Edwards 
Deming
---
Eriks Rugelis | Manager, Network Development | University Information 
Technology 
010 Steacie Science and Engineering Library | York University | 4700 Keele 
St. , Toronto ON Canada M3J 1P3
T: +1.416.736.5756 | F: +1.416.736.5830 | er...@yorku.ca | www.yorku.ca 



Practical support of high-density WiFi client environments for business-critical services?

2011-12-05 Thread Eriks Rugelis
In our environment, we are seeing:
- faculty beginning to rely upon WiFi network access for the 
purpose of delivering course content and getting feedback in real-time to 
lecture halls filled with WiFi clients (100's at a time)
- we have some faculty who are now depending upon WiFi for 
delivery and collection of exams
- increasingly bandwidth-hungry applications delivered via WiFi 
network access
- an increasing number of client-radios-per-person-on-campus 
resulting in drive-by associations and flash-crowd effects (libraries and 
study areas, buildings filled with lecture halls, student centre, 
cafeteria/mall areas)

We have concerns about how to plan our deployment of 802.11abgn to ensure 
effective management of congestion among RF channels and among AP radios, 
in settings where there is a high-density of WiFi clients.

We have heard anecdotal evidence on this list and elsewhere that 
load-balancing of clients across multiple RF channels in the same 
high-density area is a technical challenge which has not been adequately 
addressed by the suppliers of WiFi infrastructure equipment.  Our own 
experience is that certain technical approaches seem to offer 
load-balancing solutions which perform quite well in themselves but at the 
cost of poor interoperability with some client-side chipsets and driver 
software versions.

How are you approaching the problem of high-density WiFi service for 
business-critical applications at your institution?
Do you rely upon band-steering to 5GHz?
Do you rely upon load-balancing among RF channels/AP radios to manage RF 
congestion and association count-per-AP?
How satisfied are you with your infrastructure vendor's implementations of 
bandsteering and load-balancing techniques?
Does your institution express technical requirements of the WiFi clients? 
(e.g. must support 802.11n operation in both 2.4GHz AND 5.0GHz bands; 
other?)
What other means (not mentioned here) do you employ to plan for and manage 
high-density WiFi service environments?

Thanks,
Eriks

In God we trust; all others must bring data. - attributed to W. Edwards 
Deming
---
Eriks Rugelis | Manager, Network Operations | University Information 
Technology 
010 Steacie Science and Engineering Library | York University | 4700 Keele 
St. , Toronto ON Canada M3J 1P3
T: +1.416.736.5756 | F: +1.416.736.5830 | er...@yorku.ca | www.yorku.ca 
