Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Aruba Wi-Gi 6 APs

2019-10-15 Thread Frans Panken
And wouldn’t it be great if companies would actually certify their products 
with such an organization..??? (e.g., the last iPhone certified by the Wi-Fi 
Alliance was the iPhone 4S, in 2011)

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Reply to: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Thursday, 10 October 2019 at 19:11
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Aruba Wi-Gi 6 APs

Wouldn’t it be awesome if there was a group… some kind of ORGANIZATION maybe, 
like an ALLIANCE that did interoperability testing to keep stuff like this at 
bay? Maybe a group made up of wireless product manufacturers…

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of John Rodkey
Sent: Thursday, October 10, 2019 12:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Aruba Wi-Gi 6 APs

Not only does the Intel wireless card problem on Windows computers prevent them 
from attaching, our experience is that none of the SSIDs are even visible to 
Windows computers when ax is turned on, even though ac and n are also turned 
on.  So from their point of view, the WAPs are broken, and we hear about it 
when the parents of students call people on the executive team wondering why IT 
is so incompetent they can't provide a wireless network similar to the one they 
rolled out in their home in a matter of minutes.  Now it's public relations and 
a political problem.

The only solution that we've found apart from going to each computer and hand 
installing the new drivers is turning off 802.11ax on our new, expensive WAPs, 
and waiting for, what? 2 years?, until either Microsoft makes these wireless 
upgrades mandatory security patches (unlikely), or the population of old 
Windows computers diminishes to only a handful.

John Rodkey
Director of Servers and Networks
Westmont College

On Wed, Oct 9, 2019 at 5:48 PM Sweetser, Frank E <f...@wpi.edu> wrote:
In theory, yes - I doubt that anyone is going to deploy 11ax with earlier 
standards disabled (except for base 11b data rates, anyway).  The problem is 
there's a bug in commonly deployed Intel driver versions which prevents the 
client from attaching to the network if 11ax rates are enabled at all:

https://www.intel.com/content/www/us/en/support/articles/54799/network-and-i-o/wireless-networking.html

Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - 
HL Mencken

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Jennifer Minella <j...@cadinc.com>
Sent: Wednesday, October 9, 2019 6:23 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXT] Re: [WIRELESS-LAN] Aruba Wi-Gi 6 APs


I don’t believe ClearPass Device Insight shows driver details – I just skimmed 
through endpoint details page and attributes and don’t see it.

At the risk of asking a dumb question, is there a reason not to simply deploy 
the 500-series with backwards compatibility enabled? That would allow you to 
offer a seamless experience for clients in a mixed-PHY-standard environment and 
support current clients on n/ac and even a/b/g etc.



Cheers!

-jj

___

Jennifer Minella, CISSP, HP MASE

VP of Engineering & Security

Carolina Advanced Digital, Inc.

www.cadinc.com

j...@cadinc.com

919.460.1313 Main Office

919.539.2726 Mobile/text



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 
on behalf of Michael Davis 
Sent: Wednesday, October 9, 2019 7:57 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 

Subject: [EXT] Re: [WIRELESS-LAN] Aruba Wi-Gi 6 APs



We currently have the Wi-Fi 6 extensions disabled because of the Intel
Driver issues
(https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.intel.com%2Fcontent%2Fwww%2Fus%2Fen%2Fsupport%2Farticles%2F54799%2Fnetwork-and-i-o%2Fwireless-networking.html&data=02%7C01%7

Re: [WIRELESS-LAN] Li-Fi Projects?

2018-03-21 Thread Frans Panken
We have a Li-Fi setup running (bought from purelifi). Do not expect larger 
speeds than 30 Mb/s in the up- and downstream directions while one or two 
clients are connected (we only have equipment for two clients). Nice thought 
for demo purposes. No line-of-sight, no network connection. I think upstream 
works with IR. We are in the process of installing two lamps in a small 
meeting room.
-Frans

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Jason Cook 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Wednesday, 21 March 2018 at 01:54
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] Li-Fi Projects?

Howdy,

Has anyone been involved in any Li-Fi installs? We’ve been asked to investigate 
it under a green projects idea.

It seems these are the main vendors.
https://purelifi.com/
http://vlncomm.com

That’s about all I have at the moment, just interested to see how things have 
gone if you have or if any obvious things to note.

Regards

Jason

--
Jason Cook
Information Technology and Digital Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800
e-mail: jason.c...@adelaide.edu.au

CRICOS Provider Number 00123M

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.




Re: [WIRELESS-LAN] Offline/Spare Gear Inventory Size

2018-02-28 Thread Frans Panken

I have a background in mathematics and addressed this question scientifically. 
The number of spares depends on the mean-time-between-failures of an AP 
(provided by vendors; e.g., Cisco’s 3702 APs have an MTBF of 325000 hours), the 
number of days it takes to order a new AP (k) and the risk you are willing to 
accept that you have no spare AP available. If n is the spare factor (1 spare AP 
for every n active APs) and  is the risk you accept that you have no spare AP 
available, this number can be computed as follows:

[cid:image004.png@01D3B074.6EE80270]

Here “ln” is the natural log, ln(2,71828…) = 1. So, in the case of the Cisco 
AP3700, if you accept an availability of 0.95 (5% of the time you have no spare 
AP) and it takes 6 days to order a new AP, you need one spare for every 116 APs.
-Frans

P.S. I was reluctant to spam you with the derivation; please send me an e-mail 
if you are interested in how I derived this formula.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Greg Briggs 
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Wednesday, 28 February 2018 at 00:06
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Offline/Spare Gear Inventory Size

I solve replacement items (of many kinds) with a formula that works for small 
and large deployments.  It works for everything from switches to toilet paper 
so I have used it for more than my day job.  It can be expressed in a 
spreadsheet like this "=CEILING(N1*M1,1)" where N is a column with the 
calculated need and M is a rate at which you need spares, or it is consumed 
before your next purchase.  The formula is sometimes calculated on a 
spreadsheet and sometimes it is just a rough estimate in my head.  Here are 
some example starting values for the M column.  Optionally you can add a field 
for the ceiling value to reflect things that are only available in quantities 
greater than one.  For example 10 for hotdogs and 8 for hotdog buns.  The 
formalization of this formula is adapted from one my manager used, so credit is 
due to David Allen.


  *   1.1 for something like a new line of APs you don't already have a 
deployment of.  This allows for 10 spares in a deployment of 100 in case some 
arrive DOA or I find a flaw in my plan after the order/ post install.  I would 
be more conservative if I didn't think I was ever going to need that model of 
APs elsewhere, and just take the heat if I end up short.
  *   1.01 for the subsequent deployment of APs if spares are already on hand.
  *   1.1 for something that is mission critical but we only have a few of.
  *   1 for expensive things that have a high availability feature and are 
under a reasonably quick turnaround service/replacement contract.
  *   1.2 for items that we ran out of quickly last time we made an annual 
purchase.
  *   1.05 for inexpensive things that would save some time to have spares of, 
but are only a minor inconvenience if you run out.
Modify the value for subsequent orders based on current inventory or if you 
find that the failure (or consumption) rate is higher than expected.  Another 
reason to modify the value is if replacements can be found locally, or if you 
can count a similar model of item that you have spare of as a replacement.  
MTBF is another variable to consider.

Using this formula also helps determine the support level because you can 
calculate what you need to make the cheaper support levels a better value with 
an acceptable and/or similar risk.

Greg Briggs
Network Manager
Pacific Lutheran University


On Tue, Feb 27, 2018 at 8:23 AM, Jeffrey D. Sessler 
<j...@scrippscollege.edu> wrote:

  *   Look at the turn-around time for warranty replacement. The free 
limited-lifetime may take longer than if the AP is under an extended contract.
  *   Evaluate your deployment plan. If your deployment is coverage-based, 
where the loss of a single AP could be devastating to clients, then keep more 
spares. If you have a dense deployment where the loss of one or more APs is of 
little consequence, keep less.
  *   Spares are technology collecting dust with the same life-cycle as those 
in production. If you have 5000 APs and spare 2%, that’s 100 APs that would 
likely cover a moderately sized building, and provide a lot of in-fill.
  *   If you keep spares, make sure to cycle them into production i.e. always 
install them into a new project, and put new APs back on the spare shelf.
  *   When you upgrade controller code, pull those spares out and let them 
upgrade too, then test that they still work.

Jeff

From: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "Trinklein, Jason R" <trinkle...@cofc.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, February 26, 2018 at 10:21 AM
To: 
"wir

Re: [WIRELESS-LAN] Bandwidth/Throughput/Latency Tester

2018-02-20 Thread Frans Panken
Hi Fishel,

I always use iperf3 for that purpose (see: https://iperf.fr/iperf-doc.php). 
Note the various iperf3 servers in the tab on the site that you can try first 
before setting up a VM within your domain. There are many apps on phones that 
implement iperf3. My personal favourite (on Android): “Aruba Utilities” (even 
when you have no Aruba environment, like me).
-Frans

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Fishel Erps 
<0030ecf871d2-dmarc-requ...@listserv.educause.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Tuesday, 20 February 2018 at 18:56
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] Bandwidth/Throughput/Latency Tester

Hello everyone.

I’m curious to find out what other universities are doing to test throughput, 
internally, to proof their networks.  I’m looking for something that functions 
like Ookla’s Speedtest.net (browser-based, no required 
clients) , but that runs internally (I have already contacted them directly, 
and been told that they only provide products that are alive on the public net).

As we all know, % of utilization and available throughput are not 
one-in-the-same, and I need a way to address and diagnose legitimate 
performance complaints, live.

__
__


Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts

136 W 21st St., 8th Floor

New York, NY, 10011

LL: 212-592-2416
F:  646-845-6150
E:  fe...@sva.edu
___

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
___





Re: [WIRELESS-LAN] Printing to a wired printer from wireless

2018-02-01 Thread Frans Panken
Seems like that requires follow-me printing. 
Something to consider in realizing this, is looking at the bigger picture: yet 
another applet on the institution's smart card that can be hosted in the 
SIM-slot. With a little shame, I point you to a blog I recently wrote about 
this: https://blog.surf.nl/en/e-sim-one-card-for-printing-access-and-calling/
-Frans

On 01/02/2018, 19:03, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Christina Klam"  wrote:

All,

I knew this day would come...  People want to print to our network printers 
from their mobile devices.  We have enabled mDNS on our wireless network so that 
anyone on the wireless SSIDs can print to any printer on the wireless network.  
For us, this means people can register their printer on one of the SSIDs and 
print to it.  This works fine in our ResNET environment.  Now, people want to 
print to the enterprise wired network printers while on campus. 

What is everyone using to allow mobile devices printing capabilities to the 
enterprise printers or print servers?  One of the schools is looking at 
PrinterLogic.  Another Presto.  I will be guiding everyone towards agreeing to 
a single idea, whatever that may be.

Thank you for your help,
Christina Klam
Network Engineer




Re: [WIRELESS-LAN] AW: [WIRELESS-LAN] Eduroam and Govroam

2018-01-08 Thread Frans Panken

This is an initiative in the UK; SURFnet is based in NL. In contrast to 
eduroam, govroam rules may differ per country. Please follow the link provided 
on the site if you want to participate or if more information is needed: 
https://www.london.gov.uk/what-we-do/business-and-economy/science-and-technology/connectivity/information-digital-connectivity

-Frans
SURFnet

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of "Jerkan, Kristijan" 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Thursday, 4 January 2018 at 22:57
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] AW: [WIRELESS-LAN] Eduroam and Govroam

@SURFnet, did your legal department take a look at this and could we quote them?
I remember an order to strictly separate EDU and not-EDU usage, when some 
students asked for permission to extend the wireless to a refugee housing 
project. The reason that was given to us at the time (about a year ago) was the 
EU aid law, prohibiting cross-subsidization between funds for EDU and funds for 
local government.
At least in Germany EDU institutions are also instructed to keep a closed user 
circle (in order not to become a Telco).


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Fredrik L. Andersen
Sent: Thursday, 4 January 2018 15:44
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Eduroam and Govroam

Hi,

Govroam is built on same principle as Eduroam, but it’s to be used in public 
sector.

https://govroam.nl/english/
Brgs



Fredrik L. Andersen
+ 47 930 888 15



Sent from my iPhone

On 4 Jan 2018 at 14:48, Lee H Badman <lhbad...@syr.edu> wrote:
First I've heard of the Govroam program. We have a campus in London, but not 
sure why anyone would just add Govroam to their Eduroam spaces. The writer says 
both are "free" which discounts capacity and bandwidth needed to provide the 
services. We already see huge amounts of Eduroam "squatters", not in a hurry to 
donate network to the government as well.

-Original Message-
From: Mike Atkins [matk...@nd.edu]
Received: Thursday, 04 Jan 2018, 8:34
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Eduroam and Govroam
Does anyone have more detail on this?

More public Wi-Fi across London with Eduroam & Govroam
https://wifinowevents.com/news-and-blog/public-wi-fi-across-london-eduroam-govroam/




Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame
Phone: 574-631-7210


   .__o
   - _-\_<,
   ---  (*)/'(*)




Re: [WIRELESS-LAN] IPv6 drains battery of mobile devices?

2017-10-08 Thread Frans Panken
Thanks Bruce for the nice overview and +1 for the last remark.

A search for battery drain and IPv6 gives you tons of hits. I tested the RA 
myth one year ago by two SSIDs with different RAs (1 SSID with 500 RA/h and the 
other 30/h). Outcome: hardly any effect. (In spite of the RFC on this topic 
where Cisco and Google blame IPv6: https://www.rfc-editor.org/rfc/rfc7772.txt)

My experience is that mainly Samsung devices (up to but not including the S7) 
suffer from battery drain with IPv6. I saw no significant effects on iPhones, 
HTC devices and Windows phones. I found an article that confirms this, blaming 
Samsung for choosing their own firmware and doing a bad job (sorry, cannot find 
the article any more). 

See also: https://issuetracker.google.com/issues/36949115
-Frans 




On 06/10/2017, 18:34, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Curtis, Bruce"  wrote:

>
>This is an issue with the configuration on that particular WiFi network and 
>not an architectural issue with IPv6.
>
>http://www.ibtimes.co.uk/why-your-smartphone-battery-being-drained-google-cisco-blame-ipv6-network-misconfiguration-1544393
>
>
>IPv4 with NAT does have some architectural issues.
>
>https://www.computerworld.com/article/2494064/internet/ipv6-can-boost-mobile-performance--battery-life--proponents-say.html
>
>
>  Measurements on properly configured networks show little difference in 
> power.  But these measurements were during active use.
>
>https://tools.ietf.org/html/draft-petrescu-v6ops-ipv6-power-ipv4-00
>
>
>Cloudflare’s view:
>
>"That means that a v6-only mobile phone (looking at you, T-Mobile users) can 
>establish a clean path to any site or mobile app behind Cloudflare instead of 
>doing an expensive 464XLAT protocol translation as part of the connection 
>(shaving milliseconds and conserving very precious battery life)."
>
>https://blog.cloudflare.com/always-on-ipv6/
>
>
>
>https://blog.wirelessmoves.com/2008/03/why-ipv6-will-b.html
>
>Check out the slide titled “IPv6 brings savings in battery life” about 8 
>minutes into the video.
>
>https://www.youtube.com/watch?v=o5RbyK0m5OY
>
>
>Another RFC for network administrators.
>
>https://tools.ietf.org/html/rfc7772
>
>
>So if you find that a specific WiFi network accelerates battery drain send 
>some of the info mentioned in this thread to your local WiFi network 
>administrators but don’t tell the world to turn off IPv6.
>
>
>> On Oct 6, 2017, at 7:32 AM, Mike King  wrote:
>> 
>> So I saw this on Reddit this morning. What do you guys think of this?
>> 
>> 
>> https://www.reddit.com/r/LifeProTips/comments/74jt7s/lpt_if_youre_in_student_halls_campus_or_hotel/
>> 
>
>---
>Bruce Curtis bruce.cur...@ndsu.edu
>Certified NetAnalyst II    701-231-8527
>North Dakota State University
>
>



Re: [WIRELESS-LAN] eduroam AUP question

2017-07-14 Thread Frans Panken
Well, it is a matter of “who do you trust?” Using a VPN is only good advice 
if you trust the VPN server. There are plenty of free VPN service providers. 
However, you pay them with your privacy instead of your money. After all, ALL 
traffic passes their servers. So simply advising users to “use any VPN because 
then you are safe” is something I recommend reconsidering.
I trust the EDU community, so I use eduroam without a VPN as it always encrypts 
the radio path.
-Frans


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Hunter Fuller 
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Friday, 14 July 2017 at 20:09
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] eduroam AUP question

But, when you say to advise them, "when you need access to trusted resources 
when off campus, please use the VPN" - that's the same advice we give them. 
There's no difference in that advice just because their home network is eduroam.

We emphasize the difference just as you did - "when you are not at UAH, use 
VPN." The difference in network names doesn't really come up, in my experience.

On Fri, Jul 14, 2017 at 1:07 PM Oliver, Jeff <jeff.oli...@uleth.ca> wrote:
While that may be true, it does not address the social aspect of the 
implementation.

Even if we were to configure the SSID in the back so that my users connect 
internally when they use eduroam on my campus and external users get connected 
to whatever network and services I configure for the externals, it leads to a 
support issue. Trying to support my users when they go off campus and suddenly 
do not have access to some service that they need without a VPN poses a 
problem. The very fact that not all institutions have different implementations 
of what they allow creates this dichotomy of how eduroam works from a layer 7/8 
perspective. If I required my own users to VPN when on campus, well let’s say 
that it would not go well for me.

Much simpler to have an on-campus (preferred network) for when they are at home 
and eduroam configured on their client for when they are not. And then say when 
you need access to trusted resources when off campus, please use the VPN. 
Regardless of what the network is – eduroam, starbucks, home.


Cheers,
Jeff

---

Jeffrey L. Oliver
Manager, Network and Telecommunications
Information Technology Services
The University of Lethbridge
4401 University Drive, Lethbridge, Alberta, T1K 3M4

Tel: 403.329.5162
Mob: 403.315.4461

URI: jeff.oli...@uleth.ca
Web: http://www.uleth.ca/information-technology/

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Frans Panken
Sent: Friday, July 14, 2017 11:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam AUP question


eduroam uses WPA2-enterprise (= RADIUS). A fundamental component of RADIUS is a 
client's validation of the RADIUS server's identity. As a consent to the 
supplicant, the user must check that identity. The authentication ALWAYS occurs 
end-to-end, at every institution you visit. Your OS stores the server’s 
certificate. Your supplicant will ask you to validate another RADIUS server 
when the certificate does not match. That is when all bells and whistles should 
go off. Part of a user’s lessons of ICT, next to checking the certificate in a 
browser.
The exception for user’s/client’s validation is Android but the eduroam 
community fixed that with the CAT tool.
-Frans


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "Oliver, Jeff" <jeff.oli...@uleth.ca>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, 14 July 2017 at 19:47
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam AUP question

Seconded.


Cheers,
Jeff


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Friday, July 14, 2017 11:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam AUP question

I fundamentally disagree with this.

I’d argue that by using eduroam as your default, users are put at risk because 
they no longer have a key determiner for trusting/not trusting the SSID they’ve 
connected to. There is no guarantee that eduroam operates the same at each 
campus, nor is there any guarantee that the user’s connection/data is safe whe

Re: [WIRELESS-LAN] eduroam AUP question

2017-07-14 Thread Frans Panken

eduroam uses WPA2-enterprise (= RADIUS). A fundamental component of RADIUS is a 
client's validation of the RADIUS server's identity. As a consent to the 
supplicant, the user must check that identity. The authentication ALWAYS occurs 
end-to-end, at every institution you visit. Your OS stores the server’s 
certificate. Your supplicant will ask you to validate another RADIUS server 
when the certificate does not match. That is when all bells and whistles should 
go off. Part of a user’s lessons of ICT, next to checking the certificate in a 
browser.
The exception for user’s/client’s validation is Android but the eduroam 
community fixed that with the CAT tool.
-Frans
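
The server-identity check described in this post, as an added example that is not part of the original message: a Python audit of 802.1X profiles that flags those which would join eduroam without validating the RADIUS server's certificate. The wpa_supplicant.conf format is an assumption (the post names no supplicant), and the sample profiles, realm and file paths are constructed placeholders.

```python
"""Audit wpa_supplicant network blocks for RADIUS server validation.

Added example. The sample configuration is constructed; identities, realm
and certificate paths are placeholders, not values from the thread.
"""

SAMPLE_CONF = '''
# (0) no CA configured: the server certificate is not verified at all
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="placeholder"
    phase2="auth=MSCHAPV2"
}
# (1) CA pinned and server name constrained: the intended setup
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.edu"
    anonymous_identity="anonymous@example.edu"
    password="placeholder"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=PAP"
}
# (2) CA bundle trusted but no name check: any server holding a
#     certificate from one of those CAs is accepted
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"
    password="placeholder"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}
# (3) pre-shared-key network: not 802.1X, out of scope for this audit
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="placeholder-passphrase"
}
'''

# wpa_supplicant options that constrain the name in the server certificate.
NAME_CHECKS = ("domain_suffix_match", "domain_match",
               "altsubject_match", "subject_match")


def parse_networks(text):
    """Return one dict of key/value pairs per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            if line.replace(" ", "") == "network={":
                current = {}
            continue
        if line == "}":
            networks.append(current)
            current = None
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip().strip('"')
    return networks


def is_enterprise(fields):
    """True for 802.1X/EAP profiles, the only ones that talk to RADIUS."""
    return "eap" in fields or "WPA-EAP" in fields.get("key_mgmt", "")


def audit_network(fields):
    """Return finding codes for one 802.1X profile (empty list = OK)."""
    has_ca = bool(fields.get("ca_cert") or fields.get("ca_path"))
    has_name = any(fields.get(key) for key in NAME_CHECKS)
    if not has_ca:
        # Without a trust anchor a name check would be meaningless too.
        return ["NO_CA"]
    if not has_name:
        return ["NO_NAME_CHECK"]
    return []


def audit_config(text):
    """Return (block index, ssid, findings) for every 802.1X profile."""
    return [(index, fields.get("ssid", ""), audit_network(fields))
            for index, fields in enumerate(parse_networks(text))
            if is_enterprise(fields)]


if __name__ == "__main__":
    for index, ssid, findings in audit_config(SAMPLE_CONF):
        print(index, ssid, ", ".join(findings) or "server validation configured")
```

A profile reported as `NO_CA` or `NO_NAME_CHECK` will hand its credentials exchange to any access point advertising the same SSID, which is the situation the supplicant's certificate prompt is meant to catch.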


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of "Oliver, Jeff" 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Friday, 14 July 2017 at 19:47
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] eduroam AUP question

Seconded.


Cheers,
Jeff


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Friday, July 14, 2017 11:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam AUP question

I fundamentally disagree with this.

I’d argue that by using eduroam as your default, users are put at risk because 
they no longer have a key determiner for trusting/not trusting the SSID they’ve 
connected to. There is no guarantee that eduroam operates the same at each 
campus, nor is there any guarantee that the user’s connection/data is safe when 
away from your home campus i.e. it’s no different than Starbucks.

While you can set up eduroam at your home campus to be the same as your 
“MyCollege” SSID, can you attest to that when they are at another participating 
EDU? You simply can’t, and from the user’s perspective, they’ve now been lured 
into trusting eduroam no matter where they go – to me that’s a bad design. You 
now have to tell your users two stories i.e. When on campus trust eduroam, when 
off campus, best use a VPN or else. That’s simply poor user implementation 
since the user will likely forget the “or else” part.

In keeping eduroam as a “guest” network, you tell users one story. When on 
campus, use the “MyCollege” SSID, and when traveling, use eduroam and a VPN 
client. The user now has a clear understanding of how to trust eduroam.

Jeff

From: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "Davis, Kevin" <keda...@davidson.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, July 14, 2017 at 10:15 AM
To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam AUP question

With modern network architecture, it’s fairly easy and I would argue a 
preferred design to use “eduroam” as the SSID for everything, while on the back 
end segmenting your students/faculty/staff to access levels and experience 
identical to whatever “MyCollege” SSID you had before.

No impact to them functionally; easy to implement; reduces SSIDs for you; helps 
users recognize and trust eduroam when they travel; and their devices roam 
automatically in the future.

Kevin



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Elizabeth Shannon <esh...@ksu.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, July 14, 2017 at 12:54 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] eduroam AUP question

Not that I am disagreeing with Jeff, but is the intent of the eduroam network 
simply as a guest network? I see many benefits of eduroam, but I would like to 
understand the intent of eduroam, so that our constituents have a more 
consistent experience as they utilize eduroam. We have guests on our campus, 
but we have no way of easily finding a guest and having a conversation with them 
if necessary. With eduroam, I can contact the host institution and they can 
decide if they are going to allow their user to continue the use of eduroam. 
If we truly need to speak with the user, they can facilitate our interaction 
with the user. Perhaps, I am in the minority. Thanks.

--
Elizabeth Shannon, CIPT
Kansas State University
Information Security and Compliance
785.532.2540


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "Jeffrey D. Sessler" <j...@scrippscollege.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
mailto:WIRELE

Re: [WIRELESS-LAN] eduroam AUP question

2017-07-14 Thread Frans Panken
I think Jeff’s statement is a rather outdated opinion. The era in which people 
thought that separate SSIDs are needed to distinguish user groups is fortunately 
gone. There is no merit in having multiple SSIDs.
If you want your users to successfully use eduroam when they visit another 
institution, I encourage you to configure it and let them use it while they are at 
home. After all, that is the best time you can help them if there are problems.

The institution’s core asset is knowledge. And knowledge can be multiplied by 
dividing it. That motivates people to visit other institutions, and eduroam 
makes it easier to gain access to the Wi-Fi when they do. With all respect, that is 
substantially different from paying a visit to Starbucks or McDonalds.
-Frans

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of "Jeffrey D. Sessler" 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Friday, 14 July 2017 at 18:29
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] eduroam AUP question

As eduroam is really a guest network, I would never make it the primary network 
for my users. Best to treat/deploy it as a slightly better version of the 
WiFi you can get at Starbucks or McDonalds.

Jeff

From: "wireless-lan@listserv.educause.edu"  
on behalf of Michael Davis 
Reply-To: "wireless-lan@listserv.educause.edu" 

Date: Friday, July 14, 2017 at 8:14 AM
To: "wireless-lan@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] eduroam AUP question

Seems to me that it's much easier now to just forget eduroam, remove it from 
campus, and go back to our
branded Wifi.
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.




Re: [WIRELESS-LAN] Here come the LTE-U devices...

2017-02-27 Thread Frans Panken
Mmm, that module you refer to is only carrier agnostic on paper. It means that 
Cisco configures the frequencies for the carrier that wants to use it. I tried 
to use the module for unlicensed spectrum in the 1800 MHz band but Cisco did 
not support that ;-(
FYI: many regulators in the EU allow the DECT guard bands to be used as unlicensed 
indoor spectrum. Practically all phones support it; it is often used for 
private-GSM/private LTE solutions.
-Frans

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Mike King 
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Friday, 24 February 2017 at 17:32
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Here come the LTE-U devices...



On Wed, Feb 22, 2017 at 3:21 PM, Coehoorn, Joel <jcoeho...@york.edu> wrote:
Even that won't make sense until handset support is in more than just a few 
devices, though the current Apple/Samsung hegemony means the right device could 
tip that scale faster than we expect. I'm also curious if this is something 
that Cisco/Aruba/etc will build into Access Points and controllers in a 
carrier-agnostic way, so we don't need additional devices, wiring, or 
management and can spread it over a good-sized area when we know we need it.


Cisco and Apple announced a partnership last July at Cisco Live.
http://www.cisco.com/c/m/en_us/solutions/strategic-partners/apple.html

Cisco did have a MicroCellular module in the 3600 AP that was carrier agnostic 
before.
http://www.cisco.com/c/en/us/products/wireless/universal-small-cell-5310/index.html





Re: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Frans Panken
Hi Brian,
Wild card certificates should indeed be avoided as Windows clients cannot cope 
with them. This will occur on every RADIUS server and has nothing to do with 
NPS (or with eduroam).
-Frans

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Brian Helman 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Friday, 3 February 2017 at 21:32
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: [WIRELESS-LAN] wild card certs and PEAP

I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
beg digicert for one, since I don’t think they have an option), but we tried to 
use a wildcard cert that we usually use for testing of services.  It 
generates/imports correctly and Android doesn’t appear to have an issue with 
it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
wireless network.  It looks like Android may be ignoring the validation or 
generally fine with the wildcard.

The easier question is – will a wildcard cert work here?
The tougher question is – if yes, um .. any good references to configure it 
with S2012R2?

-Brian





Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

2016-11-23 Thread Frans Panken
Guess what’s under the hood of many commercial RADIUS platforms (e.g., 
Clearpass)… indeed: FreeRadius 1.0 …
-Frans


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Lee H Badman 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Thursday, 17 November 2016 at 01:37
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?


Yeah- thanks, Philippe. I knew I wasn't phrasing that quite right, typed it as 
I was flying out the door earlier.

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Philippe Hanset 

Sent: Wednesday, November 16, 2016 5:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Lee,

Radiator is not open source (you can buy support) but it works more smoothly on 
Unix (you can operate it on Windows).

Philippe


On Nov 16, 2016, at 4:34 PM, Lee H Badman <lhbad...@syr.edu> wrote:
Thanks, Philippe. For a number of reasons we’re trying to steer away from open 
source on this.

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Philippe Hanset
Sent: Wednesday, November 16, 2016 12:58 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft NPS as RADIUS for 802.1X Wi-Fi?

Lee,

Not speaking from using NPS but from having to help Institutions using NPS:

It is a very “stiff” environment, and Microsoft does not want to listen to the 
eduroam community’s requests (not just US, but worldwide)

No REALM stripping
No Server Status (that one is killing us. We have to implement all kinds of 
timers to make sure that servers are responding…when the standard has a built 
in mechanism)
No support for RadSec ever mentioned.

If I were a large University with in house expertise I would do FreeRADIUS 3.0 
or Radiator (or more NAC oriented solutions if you need that)

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
GPG key id: 0xF2636F9C




On Nov 16, 2016, at 9:40 AM, Lee H Badman <lhbad...@syr.edu> wrote:

Hello to the awesome group.

We’ve used Cisco ACS with general satisfaction for many years as the RADIUS 
solution for our very, very large WLAN’s 802.1X authentication. We also have 
Aruba Clearpass in-house for guest wireless, and have poked around at ISE a 
bit. We’re weighing replacing our aging ACS environment, but as many of you 
know times are changing. When you shop for RADIUS, you have to wade through the 
fog of NAC systems because everything is getting ever more “feature rich”. For 
major vendors, RADIUS is just a slice of NAC now, and since everybody “is a 
software company!” licensing can be ugly. I’m not slamming those who find value 
in the many interesting features that the likes of ISE and Clearpass offer, but 
I also can’t help but be drawn to Microsoft NPS when I think about going 
forward with simple RADIUS.

Way back when, we avoided Microsoft in this role as the reporting wasn’t 
particularly strong when it came time to troubleshoot clients. We *may* have 
found relief to this through Splunk, and also enjoy a robust Windows server 
environment staffed by absolutely brilliant MS-minded veteran admins.

All that being said- is anyone using NPS as their RADIUS solution for a large 
secure WLAN environment? Can you share likes, dislikes, regrets, endorsements, 
horror stories, tales of success, etc?


(Any vendor reps lurking- no, I’m not open to hearing about other RADIUS 
solutions. Please, no calls or emails)


Kind regards-

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.


Re: [WIRELESS-LAN] Odd behavior on Aruba wireless network

2016-11-14 Thread Frans Panken
Hi Mark,
Is it possible that you have multiple VLANs that do not remain consistent if the 
client roams to another AP? It is mapped to another VLAN and hence requests an 
IP address for this new VLAN?
-Frans


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of "Mark McNeil [Staff]" 

Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 

Date: Monday, 14 November 2016 at 15:08
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
Subject: Re: [WIRELESS-LAN] Odd behavior on Aruba wireless network

Atanas,
  The IP addresses are on different subnets. We have the controller cycling 
through vlans. We did a test with the one lease per client and it seems to have 
reduced the distribution of multiple IP's per client. We will enable this week 
and see what happens. Unfortunately we do not have reporting on the Infoblox to 
show us the long term distribution.

Thanks for your input.

Regards

Mark

On Fri, Nov 11, 2016 at 12:32 PM, Atanas P Atanasov <apata...@syr.edu> wrote:
Your best bet would be to talk to Infoblox’ support.
Are the IPs your clients are getting on the same subnet?

Atanas

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
 On Behalf Of Mark McNeil [Staff]
Sent: Friday, November 11, 2016 12:22 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Odd behavior on Aruba wireless network

Atanas,
  Actually it is not enabled. If I'm reading the description correctly this 
would "expire" the old lease and issue a new one to the user. This would seem 
to fix my issue. Infoblox manual says this is off by default. It would seem 
preferable to have this enabled by default. Any idea why it's off by default?

Thanks

Mark

On Fri, Nov 11, 2016 at 11:02 AM, Atanas P Atanasov <apata...@syr.edu> wrote:
Mark,

Do you have “one lease per client” enabled?

Atanas Atanasov
Network Analyst
Syracuse University


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
 On Behalf Of Mark McNeil [Staff]
Sent: Friday, November 11, 2016 10:50 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Odd behavior on Aruba wireless network

I have an implementation of Alcatel/Aruba wireless. We've been trying to manage 
our DHCP pool as it hits 90 percent quite often. We are seeing this strange 
behavior in that a single user within a short period of time is associating and 
disassociating and as such gets a new IP address. The DHCP server is retaining 
the old IP as being active so does not redistribute for 30 minutes. The 
examples I list below show two to three IP addresses being given out from the 
same AP in a few minute period. We've seen IP address changes in less than 30 
seconds on a regular basis.

This issue seems to occur in areas of good coverage as well as in marginal areas.

LAN IP Address                                Association time    Duration   Avg. Speed
172.21.34.49, 172.21.52.16                    11/10/16, 4:25 PM   2 minutes  122Mps
172.21.59.221, 172.21.45.117, 172.21.52.217   11/9/16, 11:57 AM   5 minutes

DHCP server is from Infoblox

Any thoughts.

Regards
Mark


--

Mark McNeil
Director, Network Engineering and Operations
Fordham University | Fordham IT
Tel: 718-817-3763
Business Office: 718-817-3750
Fax: 718-817-5775
email: mcn...@fordham.edu 
http://www.fordham.edu



--

Mark McNeil
Director, Network Engineering and Operations
Fordham University | Fordham IT
Tel: 718-817-3763
Business Office: 718-817-3750
Fax: 718-817-5775
email: mcn.
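
The lease pile-up discussed in the thread above (a client re-associates, lands on another VLAN, and gets a new address while the DHCP server holds the old one for 30 minutes), replayed as an added example that is not part of any list member's post. The MAC addresses, grant times and the address 172.21.34.80 are constructed; identifying a client by MAC and modelling "one lease per client" as releasing the client's other leases on a new grant are assumptions, not Infoblox's documented behaviour.

```python
"""Replay DHCP lease grants to see how many addresses each client ties up.

Added illustration. Assumptions: a client is identified by its MAC address,
every lease lasts 30 minutes (the hold time quoted in the thread), and
"one lease per client" is modelled as releasing a client's other leases
at the moment it is granted a new one.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LEASE_TIME = timedelta(minutes=30)


def _at(clock):
    """Build a timestamp on a single constructed day."""
    return datetime.strptime("2016-11-10 " + clock, "%Y-%m-%d %H:%M:%S")


# Constructed sample grants: (time, client MAC, address). The first five
# addresses are the ones quoted in the thread; MACs and times are made up.
GRANTS = [
    (_at("16:25:00"), "02:00:00:00:00:01", "172.21.34.49"),
    (_at("16:26:30"), "02:00:00:00:00:01", "172.21.52.16"),
    (_at("16:27:00"), "02:00:00:00:00:02", "172.21.59.221"),
    (_at("16:29:00"), "02:00:00:00:00:02", "172.21.45.117"),
    (_at("16:31:30"), "02:00:00:00:00:02", "172.21.52.217"),
    (_at("16:40:00"), "02:00:00:00:00:03", "172.21.34.80"),
    (_at("17:05:00"), "02:00:00:00:00:01", "172.21.34.49"),
]


def replay(grants, one_lease_per_client=False, lease_time=LEASE_TIME):
    """Walk the grants in time order and track the server's lease table.

    Returns the peak number of simultaneously active leases, the peak number
    of stale leases (active leases beyond one per client), and the largest
    number of leases each client held at once.
    """
    active = {}  # address -> (mac, expiry)
    peak_active = 0
    peak_stale = 0
    worst = defaultdict(int)
    for when, mac, ip in sorted(grants):
        # Leases whose timer has run out go back to the pool.
        active = {a: (m, exp) for a, (m, exp) in active.items() if exp > when}
        if one_lease_per_client:
            # Modelled behaviour: the client's older leases are released now.
            active = {a: (m, exp) for a, (m, exp) in active.items() if m != mac}
        active[ip] = (mac, when + lease_time)

        held = sum(1 for m, _ in active.values() if m == mac)
        worst[mac] = max(worst[mac], held)
        peak_active = max(peak_active, len(active))
        clients = {m for m, _ in active.values()}
        peak_stale = max(peak_stale, len(active) - len(clients))
    return {
        "peak_active_leases": peak_active,
        "peak_stale_leases": peak_stale,
        "max_leases_per_client": dict(worst),
    }


def flag_multi_lease_clients(grants, threshold=2):
    """Clients that held `threshold` or more leases at once (option off)."""
    worst = replay(grants)["max_leases_per_client"]
    return sorted(mac for mac, held in worst.items() if held >= threshold)


if __name__ == "__main__":
    for setting in (False, True):
        result = replay(GRANTS, one_lease_per_client=setting)
        print("one lease per client =", setting)
        print("  peak active leases:", result["peak_active_leases"])
        print("  peak stale leases: ", result["peak_stale_leases"])
    print("clients to investigate:", flag_multi_lease_clients(GRANTS))
```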

Re: [WIRELESS-LAN] edroam as main 802.1x ssid

2016-11-11 Thread Frans Panken
Using eduroam as a single SSID is a common approach in the Netherlands (and 
other countries in Europe). Using eduroam at your own institution significantly 
reduces the questions at the helpdesk when users are at a location where they 
offer eduroam. Various user groups (student/staff/extern) can easily be mapped 
to different VLANs as a result of RADIUS attributes. All enterprise Wi-Fi 
solutions support that. A VLAN between two controllers of nearby sites is 
another way to resolve the situation Jerry refers to. 
In the NL, we have a site that gives people insight into whether there are problems with 
eduroam at other locations: 
https://www.eduroam.nl/netwerk-status/geen-storingen 

-Frans

On 11/11/2016, 14:03, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Manon Lessard"  wrote:

Hi

Jerry's comment reminds me: we have sites that are close to another 
university's and it has created weird things a few times where the STAs  will 
associate with the other U's Wi-Fi instead of ours and thus cannot access 
everything that's available on campus. We mitigated it by working with the 
other U to tweak coverage.


Manon Lessard
Systems Development Technician
CCNP, CWNA
Direction des technologies de l'information 
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Bureau 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada
418 656-2131, ext. 12853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca
Notice of Confidentiality
 




Re: [WIRELESS-LAN] FreeRADIUS server scaling for 802.1x

2016-07-22 Thread Frans Panken
Hi Curtis, Eriks,

A bit off-topic but I plucked up the courage to ask you anyway: do you
also use this solution to place clients who misbehave (or likely have
viruses, malware) in quarantine?

-Frans


On 19/07/16 at 17:09, Curtis K. Larsen wrote:
> Nice slides.  This is pretty similar to what we do.  We're also using 
> PacketFence/FreeRADIUS.  The
> graphing of the authentications is key to understanding/scaling things in my 
> opinion.
>
>
> Thanks,
>
> Curtis
>
>
> On Tue, July 19, 2016 8:46 am, Eriks Rugelis wrote:
>> David,
>> For what it is worth, here is a presentation on scaling of Wi-Fi 
>> authentication which we created
>> for this year's CANHEIT conference.
>>
>> https://canheit-hpcs2016.exordo.com/files/papers/145/presentation_files/1/CANHEIT2016_AuthBigWiFi.pptx
>>
>> We use Packetfence, which uses FreeRADIUS under the covers but adds a layer 
>> of context switching
>> which you wouldn't otherwise have if using only FreeRADIUS by itself.
>>
>> Feel free to ask questions, either on the list or directly via email.
>> ---
>> Eriks Rugelis
>> Manager, Network Development, University Information Technology
>> York University, Toronto


Re: [WIRELESS-LAN] high density wireless improvement features

2016-01-13 Thread Frans Panken
In addition to what Sam shared (thanks!), I think Aruba did a very good
job with their very detailed description of very high density design
that is well applicable for other vendors:
http://community.arubanetworks.com/t5/Validated-Reference-Design/Very-High-Density-802-11ac-Networks-Validated-Reference-Design/ta-p/230891
-Frans

On 13/01/16 at 17:14, Samuel Clements wrote:
> Hi all! I'm new to the list (well, I've been lurking for a while), but
> this seems to be a good time to say hi! High Density being near and
> dear to my heart - I'd give the following guidance:
>
> 1) Don't underestimate your gear if you have good equipment. It's not
> a stretch for a Cisco 2700/3700 to support 100+ active associations
> (shameless self-plug: http://nsashow.com/AP2700/).
> 2) There is such a thing as too much RF. If you're not disabling all
> but 3 2.4GHz radios in a single room, you're not disabling enough of
> them. If you see two APs on the same channel (as a general rule) and
> they're both above -80dBm, you're not adding any capacity to your RF.
> In fact, you're hurting yourself.
> 3) Use narrow channels in 5GHz (20MHz), always. There is an
> overwhelming need for density of users (aggregate throughput), not
> individual throughput. This is one of the best ways to leverage the
> finite amount of air we have to use.
> 4) Use all channels in 5GHz including 2e/DFS channels. The more
> channels the better. If you're using a sane RRM product (Cisco does
> this for sure), RRM will try to avoid stacking 2e channels next to
> each other. In the event you have a client that doesn't support a
> channel you're using, this improves the likelihood that they can
> still function on a further AP.
> 5) Once you hit a number of APs that matches the number of 5GHz
> channels you have deployed, be very cautious about channel overlap
> (this is the same as rule 2, just in 5GHz and further away).
> 6) Design for RRM and enable RRM (sorry Lee!). If you know how RRM
> works (there are many and numerous white papers and Cisco Live
> sessions on the specifics of how AP layout impacts RRM), you can
> safely run it without shooting yourself in the foot. I can't speak to
> ARM since there doesn't seem to be a good guide on how it actually
> works. 99% of the time, RRM works every time. The great thing about
> Cisco RRM is that you can watch the CLI of the process and it will
> tell you exactly what it's doing and why it's doing it. Use min and
> max thresholds if you can't get it to do what you'd like.
> 7) Use RF Groups to segregate your high density areas from other areas
> of your campus. This allows you to tweak and tune your HD area without
> impacting other users.
> 8) Use RX-SOP only when you've violated rules 2 and 5 and use it
> sparingly. RX-SOP is like a brick wall. Once you hit it, your clients
> fall off into never never land.
>
> I hope that helps! There is a ton of guidance that can be given for
> designing cells (using directional antennas, stadium antennas with
> narrow beams from far away, APs under seats, in walls, etc) but those
> are covered in great detail elsewhere and all of the above advice can
> be taken regardless of antenna or location of installation.
>   -Sam
>
>
> On Tue, Jan 12, 2016 at 11:00 PM, Tariq Adnan wrote:
>
> Hello everyone,
>
>
> I am working on improving wireless performance in high density
> areas (lecture theaters, auditoriums etc) and doing research on
> some features. I would like to know if you people have made below
> changes and how was your experience with it ? We're using cisco
> gear (3702i/e APs, WiSM2 controllers, Prime 3.0).
>
>
> 1-set channel and power manually (not use RRM) : reduce power to
> limit coverage and disable 2.4GHz radios on every 3rd/4th AP.
>
> 2-load-balancing
>
> 3-band-select
>
> 4-RX-SOP (already deployed and happy with it, channel utilization
> is dropped)
>
> 5-optimized roaming
>
> 6-please suggest if i am missing something
>
>
> In our setup, same controller is handling APs from HD and non-HD
> (high density) environments. My concern is if i make change which
> is controller wide, for instance optimized roaming, it could
> improve performance in HD areas but what could it do to non-HD
> areas (APs far away from each other).
>
>
> I am using airmagnet PRO and Prime planning tool for survey and
> planning purposes.
>
>
> Thanks everyone for your precious time 😊
>
>
> Cheers,
>
> --
>
>
> Tariq Adnan
>
> Network Engineer
>
> NSW, Australia
>

Re: [WIRELESS-LAN] It's that time of year...

2015-12-02 Thread Frans Panken
Just as all electrical devices, Christmas lights can have a negative
effect on the 2,4Ghz radio quality. I doubt that this is in the top 10
of reasons that cause bad Wi-Fi.
I do associate access points with Christmas trees but in that case the
AP is not active yet and still wrapped in paper ;-)

I think gizmodo blows up a minor part of Ofcom's article, without
realizing that it is mainly a marketing teaser for promoting Ofcom's
WiFi checker app and their main message, namely their claim that the
last few feet is the weakest link in UK's broadband connection:
http://consumers.ofcom.org.uk/news/ofcom-launches-wifi-checker/
(just as the Guardian does:
http://www.theguardian.com/technology/2015/dec/01/warning-that-christmas-fairy-lights-can-slow-your-wi-fi).


Lies, damned lies and marketing ;-)
-Frans

On 02/12/15 at 20:03, Ian McDonald wrote:
> Hi Brandon,
>
> I'm pretty sure wideband noise from cheap and nasty electronics can
> cause havoc with most telecommunications.
>
> Whether fairy lights are any better or worse than anything else, I
> doubt it, though they are very cheaply produced, and unlikely to be
> very well designed.
>
> My Cisco 837 power supply (while still powering the router quite
> effectively) developed a S9+40 noise from 1.8MHz to 30MHz, which
> turned out to be down to the infamous bulgy caps, so it's not down to
> purchase price either ;)
>
> Best Regards,
>
> -- 
> ian
>
> Sent from my phone, please excuse brevity and/or misspelling.
> 
> From: Case, Brandon J 
> Sent: 02/12/2015 17:52
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> 
> Subject: [WIRELESS-LAN] It's that time of year...
>
> The holidays are officially upon us!
>
> http://gizmodo.com/can-christmas-lights-really-play-havoc-with-your-wi-fi-1745648879
>
> Has anyone else gotten wind of this yet? Seems to be making the rounds
> here.
>
> Thanks,
> --
> Brandon Case
> Senior Network Engineer
> IT Infrastructure Services
> Purdue University
> ca...@purdue.edu
> Office: (765) 49-67096
> Mobile: (765) 421-6259
> Fax:(765) 49-46620
>
> PGP Fingerprint:
> 99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251
>



Re: [WIRELESS-LAN] Cisco Small Cell Solution

2015-11-17 Thread Frans Panken
I agree with Jeremy. For an operator, small cell may mean WiFi or usage
of high frequencies (e.g., LTE on the 2,6 GHz band) in dense city areas.
WiFi calling is not restricted to the iphone6 that has it built in (does
not require an app but only 5% of the people own one); it is also
offered by apps (e.g. SpectrumMax) that allow users to be reached by
their phone number while they are connected to WiFi. They probably
target prepaid users. The challenge is battery. If these apps demand
WiFi to be active all the time to be reachable, the day may end earlier
than the battery of your phone lasts.
-Frans

On 17/11/15 at 17:49, Jeremy Gibbs wrote:
> I believe WiFi calling will be the future and these "small cell"
> systems will be phased out.  I know a network engineer at AT&T and
> they are really pushing the WiFi calling for these situations.  
>
>
>
>
> On Tue, Nov 17, 2015 at 11:28 AM, Smith, Todd wrote:
>
> Hello,
>
> I know that there are many Cisco wireless networks on this list
> and I wanted to see if anyone is using the Small Cell Solution
> with their existing Cisco wireless network.  Here at the
> Charleston Area Medical Center, we are an Extreme shop and have
> been happy with it for years, but increasing cellular issues and
> outright refusal of wireless carriers to participate in a DAS has
> left us few choices.
>
> One partial solution was discussed on the list, a couple of weeks
> ago under the topic of Wi-Fi Calling.  This is another approach
> which is to possibly replace our existing wireless network with a
> combined Wi-Fi/Cellular system.  I am asking the list if anyone is
> currently running such a solution and how it works for them, both
> the good and the bad.
>
> I will summarize for the list if respondents want to remain
> anonymous, but I am looking to try to get some honest feedback on
> what will probably be a difficult install.  Even if it works
> perfectly, none of my network management solutions and
> purchase/service agreements will work and it would all be brand
> new.  Brand new is not a show-stopper but it is also not trivial
> either.
>
> Todd
>
>
>



Fwd: Opinions Needed on Mobility

2015-10-21 Thread Frans Panken
This international survey on mobility is also relevant for this group.
The deadline will be extended to November 1. Please consider filling it in.
-Frans

> *From:* Ben Fineman
> *Date:* 14 October 2015 21:08:20 CEST
> *To:*
> *Subject:* *[Megacon] Opinions Needed on Mobility*
>
> Hi all, this is a little off topic, but I think video collaboration is
> highly affected by this. Mobility, or the ability for students,
> faculty, and staff to access university technology services and
> resources seamlessly from any location, is becoming an integral part
> of the higher education experience. Internet2 is conducting a survey
> to understand our community’s needs in the mobility space, including
> cellular, wifi, and related topics. Please consider taking a few
> minutes to fill out the survey - responses from all research and
> education institutions are needed and welcome! Please fill out the
> survey no later than 10/21/15: https://goo.gl/bWL5SH
>
> Thanks,
> Ben
>
> /*---
> Benjamin J. Fineman
> Program Manager, NET+ Video, Voice, and Collaboration Services
> Internet2
>
> Request a meeting with me: https://calendly.com/benfineman
> 
>
> bfine...@internet2.edu  (email/video/chat)
> http://www.internet2.edu
>
> 734.352.4975 (desk)
> 734.417.0811 (mobile)
> ---*/
>






Re: [WIRELESS-LAN] How to handle Wi-Fi Calling?

2015-10-16 Thread Frans Panken
You need at least -62db RF-plan to roam between APs without losing a
call. Some devices are more picky than others (iphone 5c and higher give
fewer problems). I observed that the scanning time of Android is often
too high which makes roaming a bad user experience (but I have not
tested the latest versions).

If you have no QoS and you are surrounded by many clients, you will
experience problems in your call (either on the listening side or on the
speaking side or on both sides). Not because of the bandwidth
requirements for a call but mainly because of the high sampling rate of
VoIP and the jitter caused by retransmissions and the exponential
back-off of the Wi-Fi protocol. This may result in dropping the call.
The bandwidth requirements per call depend on the codec used. The
traditional G711 codec results in a 64kbit/s connection whereas G729 is
only 8 kbit/s. Skype uses a SILK codec, using between 6 and 40 kbit/s.
Note, this is at the application layer. As a result of the overhead and
inefficiency of the Wi-Fi protocol, the data rate on the Wi-Fi layer is
much higher!
5 GHz is (much) better suited for VoIP than 2,4 GHz. Especially with
a high number of active clients per AP.

The downside I experience from Wi-Fi calling on a smartphone is that all
phones give priority to incoming 2G/3G/4G calls. No matter what device
or app you use, your Wi-Fi call drops if a person tries to reach you
via the cellular network. But that won't bother you if your indoor reach
is poor.

I am surprised that mobile carriers in the US allow end-user networks in
their VoIP communication path. That is unusual in the Netherlands (where
we have less need for Wi-Fi calling as we have sound coverage and
carriers are not offering Wi-Fi calling and will gladly install DAS
instead in the case of bad indoor coverage which happens often as a
result of e.g., foil on windows or because carriers move 2G/3G voice to
high frequencies which penetrate badly through walls and windows).

-Frans


On 16/10/15 at 21:34, Howard, Christopher wrote:
> I'm honestly not surprised to hear that they are going to push wifi
> calling and nothing else.  They want to drop all cellular service
> other than data, long term, in my opinion.
>
> I have AT&T myself, and ran the iOS 9 beta from the beginning, which
> got me early access to AT&T wifi calling.  Needless to say, it has not
> been a pleasant experience.  Calls drop all the time.
>
> For our wireless we have not had to do anything.  Calls just work
> without opening inbound ports (we don't limit much going outbound).
>  My calls run about 65kbps.
>
> The pain point is something you've already mentioned - roaming.  If at
> any time you roam from wifi to cell and there is no VoLTE service in
> your area, the call dies.  We apparently don't have VoLTE in
> Chattanooga, TN.  If I stay in my office I can usually hold a call,
> and roaming from AP to AP is sometimes ok.  Sometimes the roam between
> APs is enough to drop the call.  I've also noticed that if I get more
> than 2 cell bars, the phone will want to go off of wifi calling on its
> own.  Even at home where I only have 1 AP and can be sitting 15 feet
> from it, I'll drop calls because my phone decided to roam back to cell
> during a live call.
>
> To directly answer your questions:
> 1. I don't plan on doing anything special.  We have enough free
> bandwidth to handle a large number of 65kbps calls.
> 2. Mine have been 65kbps or there about.
> 3. We run both frequencies, but my phone tends to stay 5ghz.  I don't
> think we would change anything to support wifi calling.
> 4. I'm not sure how we will get this across other than to let our
> helpdesk know what to tell people when they call in about it.  We'll
> be looking into this more I'm sure.
> 5. I'm a little surprised that carriers are being allowed to run calls
> over end user networks.  911 is a big deal, and if our wifi is up
> enough that the phone can do wifi calling, but there are issues going
> on to prevent calls, who gets blamed here?  In an emergency, it's too
> much to troubleshoot what's going on and figure out that you have to
> cut off your wireless to get a call through.  As far as I know,
> there's nothing we have to do in terms of uptime or anything.
>
> -Christopher
>
>> On Oct 16, 2015, at 2:14 PM, Smith, Todd wrote:
>>
>> Hello,
>>
>> Yesterday, a regional VP for AT&T Wireless told my Enterprise
>> Architect and CIO that AT&T was not interested in pursuing a
>> distributed antenna system with us and made it clear that they would
>> not be moving forward with any DAS in the future.  It seems that
>> Wi-Fi calling is the moving forward strategy for AT&T for poor
>> cellular signal and presumably other carriers.  I wasn’t in the
>> meeting but I am confident that it has been reported accurately.
>>
>> Does this sound like anything that anyone else has heard?  If so, how
>> are other institutions handling this?  It seems silly that our
>> organization 

Re: [WIRELESS-LAN] Aruba Instant IAP-215 Wireless Access Points

2015-09-14 Thread Frans Panken
We experienced that LLDP does not work properly in the case of non-Cisco
switches.
We have 3700 APs and Juniper switches. The APs require PoE+ to function
with all MIMO capabilities (4 spatial streams). The WLC tells us that
there is no PoE+. With Cisco switches, the WLC does mention that there
is PoE+. Even with a PoE+ injector of Cisco, the WLC still mentions PoE.
This was when we used 8.0 MR1. Clients could still use 4 spatial
streams. We were told this was a Cisco bug and the problem would be
solved in MR2 (which we are not intending to use).
According to the Juniper switch, the APs use less power than you would
expect:

Interface    Admin     Oper    Max     Priority  Power        Class
             status    status  power             consumption
ge-6/0/15    Enabled   ON      30.0W   Low       4.3W         4
ge-6/0/18    Enabled   ON      30.0W   Low       6.7W         4
ge-6/0/19    Enabled   ON      30.0W   Low       6.1W         4
ge-6/0/20    Enabled   ON      30.0W   Low       6.3W         4
ge-6/0/21    Enabled   ON      30.0W   Low       6.1W         4





Jake Snyder wrote on 15/09/15 at 03:20:
> The other thing you might check is to see if you have LLDP running on the 
> switches.  This can help with Poe negotiation.
>
> Thanks
> Jake Snyder
>
>
> Sent from my iPhone
>
>> On Sep 14, 2015, at 6:53 PM, James Michael Keller  
>> wrote:
>>
>>> On 09/14/2015 11:37 AM, Ronald Loneker wrote:
>>> Good Morning -
>>>
>>> (forgive cross-postings - a member of the NETMAN list suggested this
>>> might be the place to post this question)
>>>
>>> We just had close to 90 new Aruba Instant IAP-215 wireless access points
>>> installed in our residence halls to upgrade our wireless network. 
>>> Another building is soon to be underway, and I'm managing this project.
>>>
>>> Over the last couple of weeks, it seems like random access points are
>>> shutting down wireless access.  They are not all connected to the same
>>> Cisco switch (various Cisco POE switches in two residence halls).  The
>>> access point is not ping-able, the MAC address is not found in the
>>> virtual controller's table, the switch port is up and power is being
>>> supplied to the access point.  The only way we seem to get an access
>>> point back up is to do a shut/no shut on the switch port to which it is
>>> connected. 
>>>
>>> The vendor who configured the access points hasn't been able to
>>> determine why this is happening and before we initiate an Aruba support
>>> call, I was wondering if anyone had any similar experiences like this
>>> and what you determined was the cause of the issue.  We are running into
>>> walls here.
>>>
>>> Thanks in advance for any thoughts or ideas.
>>>
>>> Ron Loneker, Jr.
>>> Director of Media Services
>>> College of Saint Elizabeth
>>> Mahoney Library
>>> 2 Convent Road
>>> Morristown, NJ  07960
>>>
>>> Phone:  973-290-4229 
>>>
>>> e-mail:  rlone...@cse.edu 
>>>
>> I have seen similar with the campus APs when the PoE power is either
>> dropping below min spec either due to switch power or cable run
>> resistance.   The APs will have enough power to initialize which brings
>> up the link, but they fail to boot into ArubaOS and hang until they are
>> power cycled.  Typically the ones with cable run issues continue to fail
>> on the next cycle.  Brown out triggered ones come up fine usually, and
>> typically we see more than one on the same switch do it for PoE power
>> issues.
>>
>> -- 
>>
>> -James
>>
>>


Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-04 Thread Frans Panken
Instead of following Starbucks' bad example, I would rather choose to
inform Starbucks and others to choose 802.1x instead...
(I observe a growing popularity of using Facebook accounts to log in to
Wi-Fi facilities offered by city Wi-Fi and in malls)

We are part of the education community. I think it is our duty to
educate students: informing them to check certificates, checking SSL,
being aware of the dangers of connecting to an open network, etc. The
teachers cannot teach this in class if the IT department neglects these
rules on the network they offer at the institute (regardless of whether
that is a dorm or a classroom).
Frankly speaking, people are familiar with connecting to Wi-Fi securely.
Five years ago this was still a hassle. Regardless of the OS, it is now
a matter of filling in your username and password and you are connected.

-Frans



Jeffrey D. Sessler wrote on 04/09/15 at 23:05:
> Is the student’s “residence” in this case any different than a VP who
> travels and uses hotel WiFi, the hotel being their residence most of
> the time? Are we asking the student to do something we wouldn’t
> require of the VP in the hotel?
>
> This is why something like Aerohive’s PPSK (private pre-shared key) is
> interesting to me, in that it provides something that is “good enough”
> without all the hassles around WPA-ent. We get the user off of an open
> network, but provide easy on-boarding for the user and their devices.
>
> I agree that students may not know they should care, but I’m not sure
> it’s the university’s job to educate them i.e. they are adults, and we
> don’t go round them up to make sure they attend class. Our students
> only care about connecting to the WiFi, and even if we try to explain
> why it’s better, there is only a small percentage that care… the same
> can be said for staff/faculty.
>
> I also shy away from saying, “…provide the secure option.” since it
> implies everything they do is now secure, which it is not.
>
> I do agree that providing both options is a good idea, but my own
> evidence shows that if the user’s chrome-cast is in the device-net,
> they will put their laptop there too so that they have access to it.
>
> Jeff
>
> From: "wireless-lan@listserv.educause.edu" on behalf of "Coehoorn, Joel"
> Reply-To: "wireless-lan@listserv.educause.edu"
> Date: Friday, September 4, 2015 at 1:31 PM
> To: "wireless-lan@listserv.educause.edu"
> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in
> the dorms- quick Survey
>
> The difference between us and a McDonalds or Starbucks is that we are
> the student's residence. They can't as easily just wait or go
> elsewhere in order to do things that really should not be done on an
> open wifi connection. 
>
> Additionally, this is the first encounter with the issue for many
> students. They haven't yet had a chance to know that they should care.
> Therefore, I do believe it is our responsibility to provide the secure
> option and educate our students on the importance of using it. 
>
> At the same time, college students are supposedly adults now, and
> capable of making their own decisions, and so I try to provide both
> options (we really do have a completely open SSID), along with some
> education and a nudge via SSID naming that the secure SSID may be
> "better" in some ephemeral way.
>
>
>
>
>   
>
> Joel Coehoorn
> Director of Information Technology
> 402.363.5603
> *jcoeho...@york.edu <mailto:jcoeho...@york.edu>*
>
>
>   
>
> The mission of York College is to transform lives through
> Christ-centered education and to equip students for lifelong service
> to God, family, and society
>
> On Fri, Sep 4, 2015 at 2:09 PM, Frans Panken <frans.pan...@surfnet.nl> wrote:
>
> Jeff,
>
> Jeffrey D. Sessler wrote on 04/09/15 at 20:55:
> > Just to turn this on its ear a bit...
> >
> > Why not go back to an open network for student devices, with the
> same EULA as they’d get be it at a Starbucks, McDonalds, hotel, or
> convention center? Why are we (my self included) so hell bent on
> student devices connecting via WPA-Ent and all the challenges
> associated with accommodating devices that can’t?
> Basically, because you do not know who is behind the device if
> this user
> does something that conflicts with any of the policies (e.g., security
> to name one).
> >
> >
> > Does data exist that shows all of this 

Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the dorms- quick Survey

2015-09-04 Thread Frans Panken
Jeff,

Jeffrey D. Sessler wrote on 04/09/15 at 20:55:
> Just to turn this on its ear a bit...
>
> Why not go back to an open network for student devices, with the same EULA as 
> they’d get be it at a Starbucks, McDonalds, hotel, or convention center? Why 
> are we (myself included) so hell bent on student devices connecting via 
> WPA-Ent and all the challenges associated with accommodating devices that 
> can’t?
Basically, because you do not know who is behind the device if this user
does something that conflicts with any of the policies (e.g., security
to name one).
>
>
> Does data exist that shows all of this overhead we’ve created has had any 
> measurable benefit (for the cost), especially when the same users aren’t 
> concerned about over-the-air security when at the above mentioned places?
Regardless of the numbers, I will tell you it was worth it.

Imagine the blame your institute copes with if someone decides to put
a rogue access point in between that catches all kinds of privacy data?
The end-user will blame the institute because it happened there!

Note that there are easy out-of-the-box tools that are dedicated for
these kinds of attacks and easy to set up, even for a 12 year old. For
example, have a look at pineapple: https://www.wifipineapple.com/
(very useful to play with!)

Or Nethunter, that uses Linux Kali and is installed on a simple phone or
tablet (http://www.nethunter.com/).

>
> Why do we care so much? Is there some middle-ground that is “good enough” but 
> provides almost the same experience as at home?
Seriously, you have an open network at home?? You log in with your bank?
Ever hear of SSL strip (if not, I recommend to Google it and watch that
little lock in your browser continuously)

>
> Would our efforts be better spent implementing other beneficial technologies 
> such as location-aware WiFi, where after the student connects all their AppleTV, 
> TimeMachine, and Chromecast devices, the network is smart enough to provide 
> them visibility of only those devices when in/near the same location e.g. 
> Location-aware bonjour?
I hope the arguments above convinced you. If not, I think I can think of
some more...

-Frans
>
>
>
> Jeff
>
>
> On 9/4/15, 7:51 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
> on behalf of Lee H Badman"  lhbad...@syr.edu> wrote:
>
>> Where it gets interesting- broadcast and single class C required. But- this 
>> is a great summary of requirements. 
>>
>> Lee Badman | Network Architect
>> Information Technology Services
>> 206 Machinery Hall
>> 120 Smith Drive
>> Syracuse, New York 13244
>> t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
>> SYRACUSE UNIVERSITY
>> syr.edu
>>
>> -Original Message-
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Neil M
>> Sent: Friday, September 04, 2015 10:46 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Supporting "those other Wi-Fi devices" in the 
>> dorms- quick Survey
>>
>> Here is my first pass at requirements:
>>
>> 1. The service must prevent or discourage devices that ARE capable of 
>> using 802.1x authentication from using the service.
>>
>> 2. The service should provide some sort of traceability of devices back 
>> to their owners.
>>
>> 3. The service must provide some method to deny access to an individual 
>> device.
>>
>> 4. The service must be easy enough to use that the average student can 
>> connect a device to the network in 10-15 minutes without requiring 
>> assistance from ITS.
>>
>> 5. The service must restrict access to only authorized University 
>> customers.
>>
>> 6. In the residence Halls, the service must support most of the most common 
>> consumer devices that students might bring to campus
>>
>>
>> We are also looking at a “Device Net” for campus for other devices that may 
>> not do 802.1X (freezer monitors, digital signage, instrumentation, etc.).
>>
>> For the residence hall device net we are thinking about blocking all access 
>> to campus resources and just allowing internet access.
>>
>> For the campus device net we are thinking about RFC 1918 space restricting the 
>> devices to on campus resources only.
>>
>> -- 
>> Neil Johnson
>> Network Engineer
>> The University of Iowa
>> Phone: 319 384-0938
>> Fax: 319 335-2951
>> E-Mail: neil-john...@uiowa.edu
>>
>>
>>
>>> On Sep 4, 2015, at 6:46 AM, Osborne, Bruce W (Network Services) 
>>>  wrote:
>>>
>>> What are you calling a Device Net?
>>>
>>> We have an open SSID with a custom captive portal using the ClearPass eTIPS 
>>> API. 
>>>
>>> We use this SSID for onboarding to 802.1X with Cloudpath XpressConnect 
>>> Wizard, registering a non-802.1X device Endpoint in ClearPass (with 
>>> AirGroup device registration for Apple-TV) and for permitting non-802.1X 
>>> network access, blocking out internal web server & blackboard servers. If 
>>> devices try to go to thes

Re: [WIRELESS-LAN] iPhone hotspots that are on when off.

2015-08-28 Thread Frans Panken
It may be related to the similar issues we see with AWDL & AirDrop. Try
switching off BT.
-Frans


Lee H Badman wrote on 28/08/15 at 15:48:
> Damn my eyes.
>  
> Just saw this first hand this morning. A young lady has an iPhone, and
> it had the hotspot feature enabled. We were picking it up as a strong
> rogue in our NMS. I asked her if she could kindly disable it, which
> she did.
>  
> But then things got weird.
>  
> She went to another building, where we happen to have high-density,
> world-class 802.11ac wireless using very small cells. And her hotspot
> was picked up again, with a connected client. As I monitored the
> situation, I couldn’t help but think that it got turned back on-
> either accidentally or deliberately.
>  
> So I reached out again, and she assured me that it’s turned off. So I
> took my curiosity to The Google. It turns out a lot of people have
> already noticed that “No” doesn’t mean “No” when it comes to Apple’s
> iPhone hotspots. It actually means “we’ll show you that it’s off, but
> other devices can turn it on”.
>  
> You can’t make this stuff up.
> https://discussions.apple.com/thread/6616026?start=30&tstart=0
>  
> Couple of select screenshots from the thread attached. Confirmed by an
> Apple SE to be a feature, and asked why this would ever be a problem
> (yeah, really).
>  
> So… settle in for the ride - those Apple iPhone hotspots evidently
> have a mind of their own.
>  
>  
>  
>  
>  
>  
> *Lee Badman*| Network Architect
> Information Technology Services
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
> *t* 315.443.3003  *f* 315.443.4325   *e* _lhbadman@syr.edu_
>  *w* its.syr.edu
> *SYRACUSE UNIVERSITY
> *syr.edu
>  
>  
>  



Re: [WIRELESS-LAN] LTE over Wi-Fi spectrum sets up industry-wide fight over interference

2015-08-28 Thread Frans Panken
My observations: the current pre-standard product suites that use the
LTE protocol on the 5Ghz band are targeting indoor, not outdoor.

All marketing and communications on LTE and 5Ghz band is around mobile
operators and their need for spectrum. From a technical perspective, I
must admit that LTE is a more efficient protocol than Wi-Fi is. So, in
addition to preventing operators from ruining the spectrum at our Wi-Fi
facilities we should also knock on the doors of our Wi-Fi vendors and
ask them how they integrate LTE-U (or another flavour) in their Wi-Fi
product offering for our benefit. Frankly speaking, I do not care
whether the radio communication uses Wi-Fi, LTE or whatever protocol as
long as it does its job well and efficiently.

-Frans



Brian Helman wrote on 28/08/15 at 03:42:
> Mike,
>
> I was just about to post the same quote, and I looked down and saw it
> in your post.  
>
> How viable is 5GHz in this situation?  I mean, we've now rolled out
> two AC buildings.  The signals go through 1 wall fine, but 2 walls or
> a single outside wall and the signal is non-existent.  If they won't
> be allowed to crank it up to 11, is it useful?  What am I missing?
>
> -Brian
>
> 
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv
> [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Mike King
> [m...@mpking.com]
> *Sent:* Thursday, August 27, 2015 8:08 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] LTE over Wi-Fi spectrum sets up
> industry-wide fight over interference
>
>
> Quote from the article:
> T-Mobile wrote. Qualcomm said its testing shows that
> Wi-Fi access points often have better throughput when sharing a
> channel with LTE-U than when sharing a channel with another Wi-Fi
> access point.
>
> Here's my comment: 
> Well, duh.   Two APs on the same channel is something we try to
> avoid, because "It's Bad®".  How about comparing throughput of an AP
> with no interference (Cause that's what we call two APs on the same
> channel), and an AP with LTE-U on the same channel.
>
> Mike
>
>
> On Thu, Aug 27, 2015 at 5:49 PM, Coehoorn, Joel wrote:
>
> The good news is that LTE-U still has the same power limitations
> as other unlicensed uses. Telecom companies won't be able to
> easily provision an LTE-U "tower" every 30 meters within our
> campus, limiting their ability to cause interference. 
>
> Instead, I see them mostly using this to fill coverage gaps by
> selling wifi routers with an LTE-U service built-in for rural and
> other underserved areas. Additionally, I see them using this to
> try to push their backhaul costs onto other providers. A Verizon
> could get a Cox to help foot their transit bill by selling their
> special routers to customers at just below their cost. Consumers
> would buy these routers because they are cheaper, and suddenly
> Verizon gets some "free" spectrum in that area and can manage
> things so the call terminates at the Verizon location nearest the
> other end of the conversation.
>
> The biggest risk on our end is probably having students bringing
> routers with this ability into their residences, but we can deal
> with that the same way we've always done... well, almost,
> depending on how the whole Marriott thing turns out.
>
>
>
>   
>
> Joel Coehoorn
> Director of Information Technology
> 402.363.5603 
> *jcoeho...@york.edu *
>
>
>   
>
> The mission of York College is to transform lives through
> Christ-centered education and to equip students for lifelong
> service to God, family, and society
>
> On Thu, Aug 27, 2015 at 4:12 PM, Thomas Carter
> <tcar...@austincollege.edu> wrote:
>
> Don’t forget the WiFi SLA discussion – another source of
> interference outside of our control.
>
>  
>
> Thomas Carter
>
> Network and Operations Manager
>
> Austin College
>
>  
>
> *From:*The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> ] *On Behalf Of
> *Philippe Hanset
> *Sent:* Thursday, August 27, 2015 2:17 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> 
> *Subject:* Re: [WIRELESS-LAN] LTE over Wi-Fi spectrum sets up
> industry-wide fight over interference
>
>  
>
> We can now combine three threads that we have had over the
> summer on this list
>
> 5 GHz, Containment, and the LTE-U controversy (this thread
> just started)
>
>  
>
> LTE-U and Jamming…will my Wi-Fi equipment provider enable
> LTE-U “containm

Re: [WIRELESS-LAN] Exclusive 2.4 Ghz and 5 Ghz SSIDs

2015-08-11 Thread Frans Panken
Paul,
I am not a supporter of this. Mainly because I think Wi-Fi knowledge for
the end-user should be minimised. Users should just see the SSID and
connect; options to choose from should be minimized. The most important
thing users must learn is checking the correctness of the Radius server
to which they give their credentials. For the rest, the device and the
Wi-Fi infrastructure should do their very best in serving Wi-Fi users
optimally.

Devices in general do a rather good job in selecting the best band.
Besides, users have insufficient knowledge to make the right choice
between the 2,4Ghz and 5Ghz bands. Note that choosing 5Ghz is simply not
always the best choice.  If you're too far away from the AP (or because
of weather channels or interference on the 5Ghz band), the 2,4Ghz band
may be the better choice. Good devices switch between the frequencies,
to serve users best. You disable that function by introducing separate
SSIDs for both bands.
-Frans

Paul Sedy wrote on 11/08/15 at 22:22:
>
> Hello everyone,
>
>  
>
> We are a Cisco shop and have, up until now, employed a single SSID for
> students, supporting both 2.4 Ghz and 5Ghz connections.  During this
> summer, we have been working to develop sufficient AP density to
> ensure good 5Ghz cells throughout our dorms.  In the past, we have
> seen numerous instances of poorer performance on the 2.4 Ghz spectrum,
> but up to this point, have relied on the client to make the decision
> between these two options. 
>
>  
>
> We are thinking of deploying two separate SSIDs, a 5Ghz network and a
> 2.4 Ghz network, that are exclusive in order to promote a better
> experience for the students with devices capable of 5Ghz
> connectivity.  We would probably use the original SSID name with an
> appended (5 Ghz) or (2.4 Ghz).
>
>  
>
> Are any of you currently employing this type of configuration and how
> well has it worked for you?
>
>  
>
> We would appreciate any insights that anyone might have.
>
>  
>
> Paul Sedy
>
> The Master’s College
>
> Director of IT Operations
>
> 21726 Placerita Canyon Rd, Santa Clarita, CA 91321
>
> 661.362.2340 | rps...@masters.edu
>
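Added example, not part of the thread and not any poster's code: the point in the reply above about checking the RADIUS server can also be enforced in the client's 802.1X profile rather than left to the user. The sketch audits network blocks in wpa_supplicant.conf syntax (an assumed client; the thread names no supplicant) for profiles that would hand credentials to any server. The sample profiles, SSIDs, paths and domain are constructed.

```python
# Audit 802.1X client profiles for missing RADIUS server validation.
# Assumption: profiles use wpa_supplicant.conf "network={ ... }" syntax.

# Constructed sample input: four profiles, from weakest to strongest.
SAMPLE_CONF = '''
# 1: EAP profile with no CA configured
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    phase2="auth=MSCHAPV2"
}
# 2: CA pinned, but no constraint on the server name
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    ca_cert="/etc/ssl/certs/example-root.pem"
    phase2="auth=MSCHAPV2"
}
# 3: CA pinned and server name constrained
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    ca_cert="/etc/ssl/certs/example-root.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
# 4: open network
network={
    ssid="campus-open"
    key_mgmt=NONE
}
'''

# Options that tie the server certificate to an expected name.
NAME_CHECKS = ("domain_suffix_match", "domain_match",
               "altsubject_match", "subject_match")

EXPLANATION = {
    "OPEN": "no 802.1X: nothing authenticates the network to the client",
    "NO_CA": "no ca_cert/ca_path: the server certificate is not verified, "
             "so any access point can pose as the RADIUS server",
    "NO_NAME_CHECK": "CA is set but no server name is required: any "
                     "certificate issued by that CA is accepted",
}


def parse_networks(text):
    """Return one dict of key/value settings per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # values may contain '='
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net):
    """Return finding codes for one parsed profile (empty list = OK)."""
    findings = []
    key_mgmt = net.get("key_mgmt", "").split()
    uses_eap = "eap" in net or any(
        k.startswith("WPA-EAP") or k == "IEEE8021X" for k in key_mgmt)
    if key_mgmt == ["NONE"]:
        findings.append("OPEN")
    if uses_eap:
        if not (net.get("ca_cert") or net.get("ca_path")):
            findings.append("NO_CA")
        elif not any(net.get(k) for k in NAME_CHECKS):
            findings.append("NO_NAME_CHECK")
    return findings


def audit(text):
    """Return (ssid, findings) for every profile in the configuration."""
    return [(net.get("ssid", "?"), audit_network(net))
            for net in parse_networks(text)]


if __name__ == "__main__":
    for number, (ssid, findings) in enumerate(audit(SAMPLE_CONF), 1):
        if not findings:
            print(f"profile {number} ({ssid}): server validation configured")
        for code in findings:
            print(f"profile {number} ({ssid}): {code}: {EXPLANATION[code]}")
```

Profile 2 is the case that is easy to miss: with a public CA as trust anchor and no name constraint, a certificate for any other host under that CA passes validation.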



Re: [WIRELESS-LAN] Cisco Aironet Series

2015-08-07 Thread Frans Panken

I have doubts when planning to use the modular slot for 802.11ac
wave 2 upgrade (mainly as 11ac W2 requires a radio re-design). However,
if you plan to do bluetooth low energy for determining fine-grained user
location, this slot may become your not too expensive friend.
-Frans


Jeffrey D. Sessler wrote on 06/08/15 at 16:48:
> In theory, the 3702i should perform better at longer distances than
> the 2702i, especially in demanding spaces such as residential. Unless
> you setup a test bed that replicates a demanding space, you’ll never
> see the benefit i.e. Single client test against AP in open space, 15
> feet away, with minimal clients attached. Put the two AP’s in higher
> density residence hall of mixed material, a typical client load, with
> associated clients 30 feet or more away, and the 3702i will outperform
> the 2702i.
>
> We’re using the 3702i, and with discounts and promotions, I’m paying
> nearly the same price as the 2702i. For the slight cost difference, it
> wasn’t worth debating.
>
> Jeff  
>
> From: "wireless-lan@listserv.educause.edu" on behalf of "Deshong, Kenneth"
> Reply-To: "wireless-lan@listserv.educause.edu"
> Date: Wednesday, August 5, 2015 at 1:35 PM
> To: "wireless-lan@listserv.educause.edu"
> Subject: [WIRELESS-LAN] Cisco Aironet Series
>
> I have a question that I hope someone can help me with. 
>
>  
>
> In the hope of saving money, my boss wants me to look at a cheaper
> alternative to the 3702i in areas that might not need a top of the
> line Access Point. In my comparison, I find the Aironet 2702i to have
> similar specs minus the 4x4 radio. Both support 802.11ac, Client Link
> 3.0, CleanAir 2.0.  I don’t plan on using the Modular slot.
>
>  
>
> I’ve read from limited sources that say the electrons are the same,
> and performance is neck and neck.  Can anyone debunk that?   
>



Re: [WIRELESS-LAN] AW: [WIRELESS-LAN] To provide (wireless) service, or not to provide (wireless) service...

2015-05-15 Thread Frans Panken
Wi-Fi is very much equivalent to toilet facilities; students expect it
is there.

You may want to add to the list the potential problem after the deal
with the LTE-provider ends: if you select another LTE-provider, the
nightmare of swapping all SIMs and re-registering the new ones starts.

-Frans

Lee H Badman wrote on 14/05/15 at 14:49:
>
> Chuck- you might want to add the question “Do you assume that we have
> excellent Wi-Fi connectivity?” at the top of the list. For students
> that grew up wireless, my own experience shows that this very much is
> the assumption.  They are so used to it at home they don’t give it
> much thought- until it sucks.
>
>  
>
> -Lee
>
>  
>
> Lee Badman
>
> Wireless/Network Architect
>
> ITS, Syracuse University
>
> 315.443.3003
>
> (Blog: http://wirednot.wordpress.com)
>
>  
>
> *From:*The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Chuck Enfield
> *Sent:* Wednesday, May 13, 2015 10:48 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] AW: [WIRELESS-LAN] To provide (wireless)
> service, or not to provide (wireless) service...
>
>  
>
> Thanks John.  FWIW, your characterization matches my experience in re
> the opinions of people in a position to know.  But every time I've
> been able to ask the basis for that opinion the evidence is either
> anecdotal or it's based on a survey of their peers.  This reeks of
> groupthink.
>
> I have my own anecdotal evidence, no more reliable than others of
> course, that suggest connectivity isn't high on the priority list of
> prospective students.  When presented with the opportunity, I've asked
> some of our Lion Ambassadors, who give campus tours to prospective
> students, what kind of questions they get about wireless and
> networking.  All four that I've asked said they don't get general
> questions about availability or performance.   They reported being
> asked about how to access the network during the tour, but that
> question was more likely to come from a parent than an applicant.
>
> I think this is a very important question, but I don't have the
> resources to pursue the answer myself.  I eagerly await credible
> evidence one way or the other.
>
> Chuck
>
> On May 13, 2015 9:06 PM, Jon Young wrote:
>
>  
>
> Chuck,
>
> That's a very fair question and I don't believe there is solid data to
> support (or oppose) my contention.  I can only support my claim by
> consistent anecdotal opinions of those in the institutional position
> to know - our stakeholder interviews with personnel in Admissions, Res
> Life, Student Affairs strongly favor this opinion at most residential
> institutions.  Interestingly, in my experience this is less so for
> those institutions that have a larger demographic from economically
> disadvantaged backgrounds.  I'll leave the guessing as to why that is
> so to another forum.
>
>  
>
> As you are likely aware, the ACUTA survey supports my contention but I
> am unaware of any solid data surveying student recruitment in this
> area so it is accurate to say that my opinion is based strictly on
> anecdotal (but consistent) evidence from key stakeholders at a broad
> swath of institutions. Even the ACUTA survey is based on the opinions
> of those institutional personnel, not direct student surveys.
>
>  
>
> That said, for internal political purposes, those internal stakeholder
> opinions tend to be crucial in gaining the backing needed for
> effective wireless initiatives.  As we all also know, higher-ed has a
> strong tendency to base decisions on what peers and aspirational peers
> are doing and the ACUTA survey can be an excellent tool for this.
>
>  
>
> Thanks,
>
> Jon
>
> Vantage Technology Consulting Group
>
>  
>
> On Wed, May 13, 2015 at 5:03 PM, Chuck Enfield wrote:
>
> John, I’ve often heard it said that wireless is important to
> recruiting and retention, but I’ve yet to find any solid
> foundation for the claim.  This may be because those search terms
> in Google return so much unrelated information that the good data
> is hard to find, or it could be that the claim is tenuous.  Can
> you point us to any sources to substantiate it?  I’m skeptical,
> but open to evidence.  It would definitely change the way I think
> about our wireless services in relation to business needs.
>
>  
>
> Thanks,
>
>  
>
> Chuck Enfield
>
> Manager, Wireless Systems & Engineering
>
> Telecommunications & Networking Services
>
> The Pennsylvania State University
>
> 110H, USB2, UP, PA 16802
>
> ph: 814.863.8715 
>
> fx: 814.865.3988 
>
>  
>
> *From:*The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> ] *On Behalf Of *Jon Young
> *Sent:* Wednesday, May 13, 2015 4:43 PM
> 

Re: [WIRELESS-LAN] FlexConnect

2015-04-24 Thread Frans Panken
Jeff,
We are using Flexconnect in our pilot for wifi-as-a-service to
institutions. We have two sites operational and use an 8500 for a
centrally located controller. All APs on the sites connect to this
controller. The flexconnect configuration is not more difficult than
local mode.
Do bear in mind the side conditions (primarily: size of flexconnect
group and the corresponding maximum number of APs in one building that
support clients to roam normally between APs). This number depends on
the controller you use. For the 5500 series this is 25 APs in one
flexconnect group and for 8500 series a maximum of 100 APs. The virtual
WLC has more limitations in combination with Flexconnect. So take a
close look at the features not supported before you start (limited
support for multicast, no support for multi-cast to unicast, VLAN
pooling, no support of old APs that use bridge mode, no traffic limitation
when using GMP or MLD snooping). Use v8, to prevent the limitation
of RF-profiles that differ per building. Put extra effort in DHCP if you
use the internal DHCP server of the WLC.
We experience relatively more complaints when batches of students want
to associate simultaneously.
-Frans


Legge, Jeffry schreef op 24/04/15 om 00:04:
>
> I am not currently using any Aps in FlexConnect mode in any buildings
> on campus.
>
> We are building a new building and I have been asked to use
> FlexConnect mode for the Aps in this building.
>
> Is anyone using FlexConnect in campus buildings? If so why are you
> using it rather than Local mode and is it more or less difficult to
> configure.
>
>  
>
> Jeff Legge
>
> Radford University
>
> ** Participation and subscription information for this
> EDUCAUSE Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
>





Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

2015-03-18 Thread Frans Panken
Breaking IPv6 is indeed undesirable ;-) Fortunately, other vendors do
not share your opinion.
Good news for the majority on this list: the bug is limited to Cisco's
FlexConnect.
-Frans



Jake Snyder schreef op 18/03/15 om 20:19:
> It is expected from an 802.11 perspective.  May not be desirable, but
> that is how the wireless standard works.  Unicasting RAs over the air
> fixes this.
>
> Sent from my iPhone
>
> On Mar 18, 2015, at 12:42 PM, Frans Panken  <mailto:frans.pan...@surfnet.nl>> wrote:
>
>> No, it is not. The result is that it breaks IPv6 on local VLANs:
>> clients receive multiple prefixes on local VLANs.
>>
>> Jake Snyder schreef op 18/03/15 om 17:51:
>>> Leaking of RAs between VLANS is expected behavior as RA are
>>> multicast.  Because the 802.11 protocol sends multicast traffic as
>>> broadcast over the air and every device on a BSSID shares the same
>>> group key for encryption, any client can decode any multicast
>>> packet, including RAs not on the same VLAN.  Again, this is expected
>>> behavior.  The solution to this is to use multicast to unicast
>>> conversion for the RA, however i've never done this in a flexconnect
>>> deployment.
>>>
>>> This is also important in IPv4 deployments where you need to secure
>>> who can gain access to a multicast stream.
>>>
>>> On Wed, Mar 18, 2015 at 10:32 AM, Frans Panken
>>> mailto:frans.pan...@surfnet.nl>> wrote:
>>>
>>> We use FlexConnect in both central and local switched mode (v
>>> 8.110.6).
>>> We use a single SSID and distinguish various user groups,
>>> differentiated
>>> by Radius and mapped on different VLANs.
>>> We observe that VLANs leak traffic to other VLANs. This is in
>>> particular
>>> very undesired with IPv6, where router advertisements from one
>>> VLAN is
>>> broadcast to other VLANs (this also happens on IPv4, e.g., with
>>> ARP and
>>> other broadcast traffic). Even VLANs that are only centrally
>>> accessible
>>> leak traffic to local VLANs.
>>>
>>> This is a security issue that in my opinion does not receive the
>>> desired attention.
>>>
>>> Frans
>>>
>>>
>>>
>>> Watters, John schreef op 18/03/15 om 07:29:
>>> > Please post any results you have if/when try expand
>>> FlexConnect to your entire campus. It looks like you are close
>>> to our size (we now have about 125 buildings & about 38K
>>> students plus about 4K faculty/staff).
>>> >
>>> > Thanks.
>>> >
>>> > Sent from my iPhone
>>> >
>>> >> On Mar 17, 2015, at 4:12 PM, Hector J Rios >> <mailto:hr...@lsu.edu>> wrote:
>>> >>
>>> >> I've not performed tests to that scale yet. Plus we are only
>>> considering this for our ResHalls, of which we have 21 buildings
>>> only.
>>> >>
>>> >> -Hector
>>> >>
>>> >>
>>> >> -Original Message-
>>> >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of
>>> Watters, John
>>> >> Sent: Tuesday, March 17, 2015 11:55 AM
>>> >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>>> >> Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect
>>> >>
>>> >> We played with FlexConnect for a number of months but still
>>> could not get what we needed it to do on a consistent basis.
>>> Essentially we wanted FlexConnect to drop users into their
>>> building VLAN so they would be able to easily interact with the
>>> same devices that the wired connections in the buildings could
>>> see. As I'm sure you know, this also resolves many of the Apple,
>>> Chromecast, etc., problems.
>>> >>
>>> >> We did have one caveat though that we just couldn't get past
>>> -- we wanted to drop faculty/staff into one VLAN and students
>>> into another (we can easily return the proper VLAN for a
>>> particular client in a particular building fro

Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

2015-03-18 Thread Frans Panken
No, it is not. The result is that it breaks IPv6 on local VLANs: clients
receive multiple prefixes on local VLANs.

Jake Snyder schreef op 18/03/15 om 17:51:
> Leaking of RAs between VLANS is expected behavior as RA are
> multicast.  Because the 802.11 protocol sends multicast traffic as
> broadcast over the air and every device on a BSSID shares the same
> group key for encryption, any client can decode any multicast packet,
> including RAs not on the same VLAN.  Again, this is expected
> behavior.  The solution to this is to use multicast to unicast
> conversion for the RA, however i've never done this in a flexconnect
> deployment.
>
> This is also important in IPv4 deployments where you need to secure
> who can gain access to a multicast stream.
>
> On Wed, Mar 18, 2015 at 10:32 AM, Frans Panken
> mailto:frans.pan...@surfnet.nl>> wrote:
>
> We use FlexConnect in both central and local switched mode (v
> 8.110.6).
> We use a single SSID and distinguish various user groups,
> differentiated
> by Radius and mapped on different VLANs.
> We observe that VLANs leak traffic to other VLANs. This is in
> particular
> very undesired with IPv6, where router advertisements from one
> VLAN is
> broadcast to other VLANs (this also happens on IPv4, e.g., with
> ARP and
> other broadcast traffic). Even VLANs that are only centrally
> accessible
> leak traffic to local VLANs.
>
> This is a security issue that in my opinion does not receive the
> desired attention.
>
> Frans
>
>
>
> Watters, John schreef op 18/03/15 om 07:29:
> > Please post any results you have if/when try expand FlexConnect
> to your entire campus. It looks like you are close to our size (we
> now have about 125 buildings & about 38K students plus about 4K
> faculty/staff).
> >
> > Thanks.
> >
> > Sent from my iPhone
> >
> >> On Mar 17, 2015, at 4:12 PM, Hector J Rios  <mailto:hr...@lsu.edu>> wrote:
> >>
> >> I've not performed tests to that scale yet. Plus we are only
> considering this for our ResHalls, of which we have 21 buildings only.
> >>
> >> -Hector
> >>
> >>
> >> -Original Message-
> >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Watters,
> John
> >> Sent: Tuesday, March 17, 2015 11:55 AM
> >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> <mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> >> Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect
> >>
> >> We played with FlexConnect for a number of months but still
> could not get what we needed it to do on a consistent basis.
> Essentially we wanted FlexConnect to drop users into their
> building VLAN so they would be able to easily interact with the
> same devices that the wired connections in the buildings could
> see. As I'm sure you know, this also resolves many of the Apple,
> Chromecast, etc., problems.
> >>
> >> We did have one caveat though that we just couldn't get past --
> we wanted to drop faculty/staff into one VLAN and students into
> another (we can easily return the proper VLAN for a particular
> client in a particular building from Radius server - FreeRadius
> with a call to our LDAP server for info) but  we also need to send
> everything else back to the controller for central switching
> (e.g., police connections, special bar-code scanners that roam and
> serve to identify a user, but not being used for client traffic,
> for example, to give out free flu shots to eligible folks or let
> folks into a sporting event). We just couldn't get past having
> 95+% locally switched and the remainder centrally switched for
> over 200 buildings many with now over 100 APs each without using
> FlexConnect groups which are limited to numbers way too small for
> our campus.
> >>
> >> We can even live comfortably without roaming between buildings.
> Most folks are not used to being able to roam between buildings
> downtown or many cannot roam between apartments off campus.
> >>
> >> How did you get around the FlexConnect group problem?
> >>
> >>
> >>
> >>
> >> ==
> >> -jcw
> >> _

Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

2015-03-18 Thread Frans Panken
We use FlexConnect in both central and local switched mode (v 8.110.6).
We use a single SSID and distinguish various user groups, differentiated
by Radius and mapped on different VLANs.
We observe that VLANs leak traffic to other VLANs. This is in particular
very undesired with IPv6, where router advertisements from one VLAN is
broadcast to other VLANs (this also happens on IPv4, e.g., with ARP and
other broadcast traffic). Even VLANs that are only centrally accessible
leak traffic to local VLANs.

This is a security issue that in my opinion does not receive the
desired attention.

Frans



Watters, John schreef op 18/03/15 om 07:29:
> Please post any results you have if/when try expand FlexConnect to your 
> entire campus. It looks like you are close to our size (we now have about 125 
> buildings & about 38K students plus about 4K faculty/staff). 
>
> Thanks. 
>
> Sent from my iPhone
>
>> On Mar 17, 2015, at 4:12 PM, Hector J Rios  wrote:
>>
>> I've not performed tests to that scale yet. Plus we are only considering 
>> this for our ResHalls, of which we have 21 buildings only. 
>>
>> -Hector
>>
>>
>> -Original Message-
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
>> Sent: Tuesday, March 17, 2015 11:55 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect
>>
>> We played with FlexConnect for a number of months but still could not get 
>> what we needed it to do on a consistent basis. Essentially we wanted 
>> FlexConnect to drop users into their building VLAN so they would be able to 
>> easily interact with the same devices that the wired connections in the 
>> buildings could see. As I'm sure you know, this also resolves many of the 
>> Apple, Chromecast, etc., problems.
>>
>> We did have one caveat though that we just couldn't get past -- we wanted to 
>> drop faculty/staff into one VLAN and students into another (we can easily 
>> return the proper VLAN for a particular client in a particular building from 
>> Radius server - FreeRadius with a call to our LDAP server for info) but  we 
>> also need to send everything else back to the controller for central 
>> switching (e.g., police connections, special bar-code scanners that roam and 
>> serve to identify a user, but not being used for client traffic, for 
>> example, to give out free flu shots to eligible folks or let folks into a 
>> sporting event). We just couldn't get past having 95+% locally switched and 
>> the remainder centrally switched for over 200 buildings many with now over 
>> 100 APs each without using FlexConnect groups which are limited to numbers 
>> way too small for our campus.
>>
>> We can even live comfortably without roaming between buildings. Most folks 
>> are not used to being able to roam between buildings downtown or many cannot 
>> roam between apartments off campus.
>>
>> How did you get around the FlexConnect group problem?
>>
>>
>>
>>
>> ==
>> -jcw
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hector J Rios 
>> [hr...@lsu.edu]
>> Sent: Tuesday, March 17, 2015 9:27 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] ResHall Wireless
>>
>> I tested FlexConnect on 8.0.110.0. Here are my observations:
>>
>> * Great alternative to switch data locally (obviously)
>> * No AVC Support
>> * When controller is down, AP goes into standalone mode. Must make sure that
>>   AP is not able to reach any other controller you don't want. This was
>>   fixed with an ACL.
>> * Client details page does not show client IPv6 address. Client still gets
>>   IPv6 address. (PRIME does show it if you run a report).
>> * Client details page does not show VLAN ID.
>> * Putting AP in FlexConnect mode does not require reboot (Cool!)
>> * No IPv6 ACL support
>>
>> More testing to do, but so far so good.
>>
>> -Hector
>>
>>
>>
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
>> Sent: Thursday, March 12, 2015 11:13 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] ResHall Wireless
>>
>> We use Cisco's wireless solution with WiSM2s and a variety of WAPs. We 
>> actually implemented the guest anchor controller solution last year with 
>> dual controllers (WLC2504) and we've been happy.
>>
>> I like Britton's idea of using FlexConnect at the dorms to switch the 
>> student data locally. However, I believe there are some limitations that 
>> would keep us from using it such as no support for AVC, and some limitations 
>> on IPv6.
>>
>> -Hector
>>
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
>> (Network Services)
>> Sent: Thursday, March 12, 20
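
The symptom reported in this thread (router advertisements from one VLAN reaching clients on another, so that clients pick up multiple prefixes) can be checked for from a monitoring client on each VLAN. The following is an added example, not part of the original posts: it parses the Prefix Information options of captured RAs and flags prefixes that do not belong to the VLAN they were seen on. The VLAN IDs, prefixes (2001:db8::/32 documentation space), router addresses and the `build_ra` helper are constructed for the illustration.

```python
"""Flag Router Advertisements that show up on a VLAN they do not belong to."""
import ipaddress
import struct

RA_TYPE = 134          # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3    # Prefix Information option
RA_HEADER_LEN = 16     # fixed RA fields that precede the options


def build_ra(prefix):
    """Build a minimal RA with one Prefix Information option (sample data only)."""
    net = ipaddress.IPv6Network(prefix)
    # type, code, checksum, hop limit, flags, router lifetime, reachable, retrans
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    # type, length (in 8-byte units), prefix length, L+A flags, lifetimes, reserved
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                         0xC0, 2592000, 604800, 0)
    return header + option + net.network_address.packed


def parse_ra_prefixes(icmp):
    """Return the prefixes announced in an ICMPv6 RA message body."""
    if len(icmp) < RA_HEADER_LEN or icmp[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    offset = RA_HEADER_LEN
    while offset < len(icmp):
        if offset + 2 > len(icmp):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp[offset], icmp[offset + 1]
        size = opt_len * 8
        # A zero-length or overrunning option makes the whole RA invalid.
        if opt_len == 0 or offset + size > len(icmp):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            prefix_len = icmp[offset + 2]
            raw = icmp[offset + 16:offset + 32]
            prefixes.append(ipaddress.IPv6Network((raw, prefix_len), strict=False))
        offset += size
    return prefixes


def find_leaked_ras(observations, expected):
    """List RAs whose prefix is not assigned to the VLAN they were observed on."""
    owner = {net: vlan for vlan, nets in expected.items() for net in nets}
    findings = []
    for vlan, router, icmp in observations:
        for net in parse_ra_prefixes(icmp):
            if net not in expected.get(vlan, set()):
                findings.append({
                    "seen_on_vlan": vlan,
                    "router": router,
                    "prefix": str(net),
                    "belongs_to_vlan": owner.get(net),  # None: unknown prefix
                })
    return findings


def prefixes_per_vlan(observations):
    """Collect every prefix a client on each VLAN would have been offered."""
    seen = {}
    for vlan, _router, icmp in observations:
        seen.setdefault(vlan, set()).update(parse_ra_prefixes(icmp))
    return seen


# Constructed address plan: one /64 per VLAN.
EXPECTED = {
    10: {ipaddress.IPv6Network("2001:db8:10::/64")},   # locally switched
    20: {ipaddress.IPv6Network("2001:db8:20::/64")},   # locally switched
    30: {ipaddress.IPv6Network("2001:db8:30::/64")},   # centrally switched
}

# Constructed captures: (VLAN of the monitoring client, RA source, RA bytes).
OBSERVATIONS = [
    (10, "fe80::10:1", build_ra("2001:db8:10::/64")),
    (10, "fe80::30:1", build_ra("2001:db8:30::/64")),  # leaked from VLAN 30
    (20, "fe80::20:1", build_ra("2001:db8:20::/64")),
    (20, "fe80::99:1", build_ra("2001:db8:99::/64")),  # prefix not in the plan
]

if __name__ == "__main__":
    for finding in find_leaked_ras(OBSERVATIONS, EXPECTED):
        print(finding)
    for vlan, nets in sorted(prefixes_per_vlan(OBSERVATIONS).items()):
        print(vlan, sorted(str(n) for n in nets))
```
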

Re: [WIRELESS-LAN] MAC OS X Yosemite 10.10.2 Wi-Fi issues

2015-03-03 Thread Frans Panken
Hi Walter,
Good suggestions. What is the reason you suggest to turn off IPv6 on Wi-Fi?
Do you have Cisco (we have a TAC case where IPv6 does not work well)? I
wonder which Wi-Fi degradations you prevent by turning off IPv6. Can you
explain (link to a page)?
-Frans

Walter Reynolds schreef op 03/03/15 om 13:49:
> We also have seen a huge rise in issues.  10.10.3 which is being
> tested right now seems better, but not a solution.  Here is some of
> what we tell folks who have issues.  The first set removes all network
> settings, but seems to help the most.
>
>
> *REMOVE MACHINE NETWORKING PREFERENCES*
>
>  1. Click on the WiFi icon in the top menu bar and select: /*Turn
> Wi-Fi Off*/.
>  2. Click anywhere on the desktop.
>  3. Click on /*Go*/ on the top of your screen.
>  4. Choose /*Computer*/
>  5. Choose your hard drive (it may be named "Macintosh HD")
>  6. Choose /*Library*/
>  7. Choose /*Preferences*/
>  8. Choose /*SystemConfiguration*/
>  9. If the following items exist in the SystemConfiguration folder,
> drag them to the trash. (Note: They may not all exist.)
>   com.apple.airport.preferences.plist
>   com.apple.eapolclient.plist
>   com.apple.network.eapolclient.configuration.plist
>   com.apple.network.identification.plist
>   com.apple.wifi.message-tracer.plist
>   NetworkInterfaces.plist
>   preferences.plist
> 10. Restart your computer.
>
> **NOTE:** After doing this step, you will need to rejoin any WiFi
> networks you have at home, etc.
>
> *ADJUST WIFI NETWORK WAKE SETTINGS*
>
>  1. Open the /*Energy Saver*/ system preferences (It can be found
> at /*Apple Menu > System Preferences... > Energy Saver*/)
>  2. If using a Macintosh laptop, click on the /*Power Adapter*/ button.
>  3. Uncheck /*Wake for Wi-Fi network access*/.
>
>  
>
> *ADJUST AIRDROP SETTINGS* (NOTE: This step is only for newer Macs
> having the awdl0 interface)
>
>  1. In the bottom dock, click on the /*Finder*/ icon.
>  2. In the Finder window that appears, on the left side click
> on /*AirDrop*/.
>  3. Look at the bottom of the right side of the AirDrop window.
>  4. Look for the pulldown labeled: /*Allow me to be discovered by*/
>  5. If the pulldown is there, select /*No One*/.
>
> *NOTE*: If the pulldown is not at the bottom of the AirDrop window,
> your machine does not have the awdl0 interface. You can skip this step.
>
>
> *TURN OFF IPv6 NETWORKING*
>
>  1. Open the /*Terminal*/ application. (It can be found
> at /*Applications > Utilities > Terminal*/)
>  2. Type the following command: networksetup -setv6off Wi-Fi
>  3. Hit return on the keyboard. (You won't see any visible change, but
> the command has been executed.)
>  4. Close the Terminal window.
>
>
>
> 
> Walter Reynolds
> Principal Systems Security Development Engineer
> Information and Technology Services
> University of Michigan
> (734) 615-9438
>
> On Mon, Mar 2, 2015 at 8:52 AM, Kees Pronk wrote:
>
> Just wondering if anyone can share opinions / experience on this
> one. There is a big discussion at :
> https://discussions.apple.com/thread/6601963?tstart=0
> Our University has seen a steep rise on connectivity issues since
> 10.10.2 was released, both on our open SSID as on eduroam.
>
> Sincerely, Kees Pronk
>
> Disclaimer ( http://www.avans.nl/over-avans/e-mail-disclaimer )
>



Re: [WIRELESS-LAN] LTE-LAA...anyone?

2015-02-24 Thread Frans Panken

This sounds as the same thing as UMA, using GSM/UMTS. Remember,
operators to offer "home free" or "hotspot calling"? This effectively
was realized with UMA, using Wi-Fi signals to carry GSM/UMTS traffic.

An alternative for upgrading your Wi-Fi AP with a GSM/UMTS/LTE module to
offer 2G/3G/4G services (for Cisco, see
http://www.cisco.com/c/en/us/products/collateral/wireless/universal-small-cell-5000-series/datasheet-c78-730979.html).

I see it as an opportunity to solve the bad indoor coverage. As an
alternative to DAS that requires a separate coax infrastructure.
Probably the upper band of the 5Ghz spectrum is interesting for LTE-LAA,
because it allows transmitting more power.
-Frans

Philippe Hanset schreef op 24/02/15 om 14:54:
> We could have dreamed that 5 GHz was this “clean” spectrum that all our users
> were going to move to and simplify our life a bit!
>
> but wait...
>
> the carriers have decided that they could use it too (ever heard of
> LTE-LAA?)
>
> Why would carriers stay in their contained and expensive Licensed
> Spectrum when they could use the Unlicensed one…
>
> https://gigaom.com/2015/01/05/ericsson-unleashes-lte-over-the-wi-fi-airwaves/
>
> The theory is that LTE-LAA will play nice with Wi-Fi …. in theory!
>
> Can you hear the pitch already?
> Hello Mr CIO, we can take care of all your Wi-Fi needs for campus with
> a very reliable technology.
> No upfront cost to you, no Help Desk to deal with. Just a minimal
> monthly fee for all your users that
> are already our customers anyway. And we deal with DMCA...
>
> LTE-LAA sounds like that very polite good looking neighbor that moves
> next door and that eventually steals your spouse!
>
> Philippe
>
> Philippe Hanset
> www.anyroam.net
>
>
>






Re: [WIRELESS-LAN] Cisco APs flooding RTS messages

2015-02-03 Thread Frans Panken
We use 3702 APs (and run v8MR1 on the controller) and experience these
RTS-storms. The workaround proposed by Cisco reduces the duration of the
storms but does not prevent them from taking place.
-Frans

Trent Hurt schreef op 02/02/15 om 23:03:
> It says 2700 for the affected product but in title at top it
> says AP3702.  Is this just typo or is this both 2700/3700?
>
>
>
>
> On Feb 2, 2015, at 3:38 AM, Frans Panken  <mailto:frans.pan...@surfnet.nl>> wrote:
>
>> All those who installed the new 2700 series Cisco access points
>> experience the problem that APs execute a Denial of Service attack by
>> flooding RTS messages, see:
>> https://tools.cisco.com/quickview/bug/CSCus49126
>> <https://tools.cisco.com/quickview/bug/CSCus49126>
>>
>> The effect is that active clients who are associated to this AP (or a
>> one nearby) lose their Wi-Fi connection. Surprisingly, I have been told
>> that only a single case has been initiated. This also means that the
>> priority to fix this remains low.
>>
>> -Frans
>>



Cisco APs flooding RTS messages

2015-02-02 Thread Frans Panken
All those who installed the new 2700 series Cisco access points
experience the problem that APs execute a Denial of Service attack by
flooding RTS messages, see: https://tools.cisco.com/quickview/bug/CSCus49126

The effect is that active clients who are associated to this AP (or a
one nearby) lose their Wi-Fi connection. Surprisingly, I have been told
that only a single case has been initiated. This also means that the
priority to fix this remains low.

-Frans



Re: [WIRELESS-LAN] Sporadic slow page loads/stalling pages on Apple machines

2015-01-26 Thread Frans Panken
In case you use 802.1x, you may have hit the CRL/OCSP-bug. It not only
forces MACs to wait 10s in the case of a handover, it also impacts the
way it deals with DHCP.
Here is a work around: http://support.apple.com/en-us/HT203841
-Frans

Fredrik Pettai schreef op 26/01/15 om 23:59:
> Hi,
>
> I’ve also noted complaints with regards to mostly Yosemite users and sites 
> using CDNs (LinkedIn’s static.licdn.com is one of the problem hosts I’ve 
> seen). However, it doesn’t seem to be just on the wireless. Did you (or 
> anybody else) reach any conclusions regarding this issue?
>
> Re,
> /P
>
> On 17 Jan 2015, at 04:34 , Lee H Badman  wrote:
>
>> 5508, latest 8 MR1 code. We may have found our issue, will know more in few 
>> days.
>>
>> Lee H. Badman
>> Network Architect/Wireless TME
>> ITS, Syracuse University
>> 315.443.3003
>>
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Kevin McCormick 
>> [ke-mccorm...@wiu.edu]
>> Sent: Friday, January 16, 2015 5:55 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Sporadic slow page loads/stalling pages on Apple 
>> machines
>>
>> If this is only from wireless what controller and software version are
>> you using?
>>
>> Kevin McCormick
>> uTech Network Services
>> Western Illinois University
>>
>> On 1/16/2015 11:56 AM, Lee H Badman wrote:
>>> Just throwing this out to the group. Over this week, where we've had almost 
>>> 20K peak client devices on the WLAN, we're getting a couple of complaints a 
>>> day of (seemingly) Apple devices, primarily Macs, getting either slow page 
>>> loads or hung pages even though DNS resolutions are fine on those machines. 
>>> We haven't done detailed analysis yet, but it's starting to feel a bit like a 
>>> trend. Seems to only happen on content-rich pages like CNN, ESPN, etc that 
>>> are Akamaized (we have local servers). Again, very circumstantial, so far.
>>>
>>> For what it's worth, we also recently put all of these users 
>>> behind a NAT topology using A10 technology, but thus far there's not much 
>>> to point at in the NAT itself that gives away any sense of issue.
>>>
>>> Anyone else seeing what I describe here?
>>>
>>> Thanks-
>>>
>>> Lee
>>>
>>> Lee Badman
>>> Wireless/Network Architect
>>> ITS, Syracuse University
>>> 315.443.3003
>>> (Blog: http://wirednot.wordpress.com)
>>>
>>>
>>>
>>>


Re: [WIRELESS-LAN] SV: [WIRELESS-LAN] Attendance

2014-11-24 Thread Frans Panken
My €0.02: the coverage of your Wi-Fi APs must be suitable to serve
as a base for attendance: ideally a client must be seen by at least three
APs to obtain a reliable location measurement. I think too many
responses assume that using Wi-Fi for attendance is completely
automated. Investigate how the location measurements can serve as a base
for easing the life of a teacher.
-Frans


John Rodkey schreef op 24/11/14 om 19:40:
> I'd say it's a ways off, if the facial recognition on my Nexus 7 is any
> indication...  About half the time I need to enter the passcode by hand
> because it doesn't recognize or even find my face. 
> 
> John
> 
> On Mon, Nov 24, 2014 at 10:24 AM, Nilsson, Robert
> mailto:rnils...@extremenetworks.com>> wrote:
> 
> Short of the student-embedded RF-chips or NFC, apparently some
> schools have been trying to move to facial recognition to track
> attendance.
> 
> This is a Kyoto University paper on the topic
> .
> 
> This is from a University in India: FACE RECOGNITION BASED
> ATTENDANCE MARKING SYSTEM
> .
> 
> This article is from a few years back: Face-recognition technology
> to monitor school attendance
> .
> 
>  
> 
> But is still a ways off….
> 
>  
> 
> -Bob
> 
>  
> 
> Bob Nilsson | Director of Solutions Marketing
> Extreme Networks
> Mobile: 978.269.4819  | Office: 603-952-5120
>  | www.extremenetworks.com
>  
> Twitter: @RHNilsson
> 
>  
> 
> *From:*The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> ] *On Behalf Of *Jim
> Glassford
> *Sent:* Monday, November 24, 2014 11:33 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> 
> *Subject:* Re: [WIRELESS-LAN] SV: [WIRELESS-LAN] Attendance
> 
>  
> 
> 
> Some faculty here use the TurningPoint clickers to check attendance.
> Students walk past the classrooms during class and click in, on
> their way to the gym or the coffee house.
> 
> On 11/24/2014 11:18 AM, Anders Nilsson wrote:
> 
> Aren’t we all operating small RF-chips into our students nowadays?
> 
> Makes tracking people so much easier.  ;)
> 
> On a more serious note I totally agree with Mr. Badman here.
> 
> Getting rough stats is one thing, getting Attendance lists is a
> very different and more difficult thing.
> 
>  
> 
> Cheers
> 
> Anders Nilsson
> 
> Univ of Umeå
> 
>  
> 
> *Från:*The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *För *Lee H Badman
> *Skickat:* den 24 november 2014 17:01
> *Till:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> 
> *Ämne:* Re: [WIRELESS-LAN] Attendance
> 
>  
> 
> I can think of a few concerns.
> 
>  
> 
> I give you my tablet to take to class, and I’m there without
> being there.
> 
>  
> 
> I give you my credentials to put on your device- you get “seen”
> as you, then me. We’re both there without me being there.
> 
>  
> 
> Client devices may not connect to the AP in the room. There may
> be no AP in the room… how close to the room is close enough if I
> connect to the floor above/below or adjacent room/hallway? And
> who sorts it all out?
> 
>  
> 
> To me as an instructor, nothing is easier than good old paper
> sign-in. And if you didn’t sign in, you weren’t there. Period.
> 
>  
> 
> Not everything needs to have a tech edge on it, and I’m as tech
> geeky as it gets…
> 
>  
> 
>  
> 
> -Lee
> 
>  
> 
> Lee Badman
> 
> Wireless/Network Architect
> 
> ITS, Syracuse University
> 
> 315.443.3003 
> 
> (Blog: http://wirednot.wordpress.com)
> 
>  
> 
> *From:*The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of
> *Patrick Mauretti
> *Sent:* Monday, November 24, 2014 10:11 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> 
> *Subject:* Re: [WIRELESS-LAN] Attendance
> 
>  
> 
> Funny you should ask, as we are looking into doing the same
> thing here.  I’d love to see someone have it in place to know
> what the pitfalls might be. 
> 
>  
> 
>  
> 
> Patrick Mauretti
> 
> Sr. Network Admin
> 
>  

Re: [WIRELESS-LAN] Sample RFP / RFQ ?

2014-07-22 Thread Frans Panken
About two years ago, Gartner published an RFP template for enterprise 
WLANs, named "Toolkit: RFP Template for Wireless LAN".
-Frans

On Thu Jul 17 05:34:28 2014, John Kaftan wrote:
> Try doing a search for Wireless RFP and you will get tons of hits.
> Public entities have to post their RFPs.  After you read through 4 or
> 5 you'll get the idea.
>
> As for vendors I am pretty happy with Extreme.  They have solid
> clustering, easy upgrades and lots of topology and policy options.
> When we did our upgrade in 2010 it was between Aruba and Enterasys,
> now Extreme, and Aruba didn't have anything on Enterasys at that
> time.  Enterasys had a much better price point so they won.
>
> John
>
> On Jul 16, 2014 12:25 PM, "Thomas Carter" wrote:
>
> Our current wireless vendor, Juniper, is essentially getting out
> of the wireless game. They’ve made a deal with Aruba, but I don’t
> want the agreement to dictate the best vendor for my campus. So I
> find myself in the unenviable position of choosing a new vendor.
>  Is there anyone who has been through this recently who wouldn’t
> mind sharing the RFP or RFQ they used for the process? I have not
> been through this with wireless for many years and wanted to make
> sure I didn’t miss anything.
>
> Thomas Carter
>
> Network and Operations Manager
>
> Austin College 
>
> 903-813-2564 
>
> ** Participation and subscription information for this
> EDUCAUSE Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
>



Re: [WIRELESS-LAN] Guest Network Access Policy

2014-01-17 Thread Frans Panken
I work for an NREN that connects educations to one another and to the
internet. We received questions from institutions who want to offer
non-educational guests access to their network. They use eduroam. We are
in favor of minimizing the number of SSIDs. We recently started
experimenting with a service that allows guests to make use of the eduroam
SSID. Institutions can request guest accounts with us. These guest
accounts use our Radius server to authenticate. We only grant user
accounts to the R&E community. Alternatively, users can SMS a secret
code to a dedicated number and they receive the username and password on
their smartphone, via SMS. (The advantage is that we have their phone
number and hence can find out who they are if something happens on the
network. The contact person is informed of the request via e-mail. A
confirmation before the username and password are granted is optional.)
The institutions remain liable for the behavior of their guests on the
network. All guest accounts have a limited duration.

Bottom-line: a very similar policy as David described, but no extra
SSIDs or other Wi-Fi resources or maintenance is needed to support
guests. We have limited experience with the execution of the service,
though.
-Frans

On 1/16/14 10:55 PM, Alexander, David wrote:
> We have had a policy in place for several years requiring guests to be
> sponsored by an employee in order to use our wireless network.  There
> are two types of sponsorship – short term (5 days) and long term (30
> days).  In addition, sponsored guests must register their network
> devices via MAC address registration to gain access to the network.
> 
>  
> 
> Our guest wireless implementation has caused some issues with public
> areas like our student center and event spaces which host groups of
> people who require network access, and the identity of the guests isn’t
> always known in advance.
> 
>  
> 
> I wanted to know about guest network access policy at other schools, and
> I’d appreciate your feedback on the following questions:
> 
>  
> 
> 1)  Do you allow guests on your wireless network?
> 
> a.   If you allow guests, what steps do they need to take to gain
> access to the network (eg. sponsorship, MAC registration, open network)?
> 
> b.  If you require sponsorship or device registration, can you
> explain the process or give me a pointer to your policy?
> 
> 2)  Is your wireless network completely open in any part of your
> campus (eg. Library, student center, event spaces, athletic fields, etc.)?
> 
>  
> 
>  
> 
> Thanks,
> 
> Dave
> 
>  
> 



Re: [WIRELESS-LAN] And so it begins... 11ac- are you using 80 MHz channels yet?

2014-01-07 Thread Frans Panken
Hi Lee,
Bold indeed. Is performance your main rationale for choosing 80 MHz 
channels? Are the channels set statically or do the APs fall back to 40 
MHz or 20 MHz channels if interference is detected? Otherwise, choosing 
80 MHz channels compromises the support of 802.11a and 802.11n clients 
on the 802.11ac APs. By choosing 80 MHz, the number of non-overlapping 
channels reduces to 2, right? Are you using 11ac as an overlay for 11n 
coverage?  Many questions in response to a question, but I wonder about 
your rationales for choosing 80 MHz channels.
-Frans

On Tue Jan  7 17:07:52 2014, Lee H Badman wrote:
> For the bold among us that have started with 11ac, are you yet running
> 80 MHz channels? Also, what channels have you made available in 5 GHz?
> Finally, any issues noted with RRM (or whatever your own WLAN vendor
> calls autochannel/autopower) with 11ac?
>
> Thanks-
>
> Lee Badman
>



Re: [WIRELESS-LAN] Any schools with European campuses using cloud-managed WLAN/LAN?

2013-11-07 Thread Frans Panken
I am also very interested in this topic (so please include me in the
discussion if you reply off-list). I work for SURFnet, the (not-for-profit)
NREN/ISP for higher education in NL.

We recently started a project to deliver Wi-Fi to universities and
schools. Today's carrier-grade controllers and management platforms can
support many thousands of simultaneous APs and users. Many allow that
traffic is offloaded locally, such that the controller deals with
signalling (if desired). If we install two redundant central controllers
that are shared among various universities and schools, we can offer a
good Wi-Fi network that is cheaper than if the schools do it individually.

We are at the crossroads of selecting a vendor and the cloud-based
solutions have crossed my mind. There must be a point where lines that
reflect the benefits (costs) of the controller-based architecture meet
the controller-less solutions. Any insights?

As a side request - sorry, Lee, I do not want to hijack your topic -
are there large universities in the USA that considered one
carrier-grade controller to connect their divisions? Anyone who tried it
or gained experience with it?

-Frans

On 11/6/13 11:39 PM, Lee H Badman wrote:
> Apologies for the cross-posting for some of you who will get this twice.
> 
> I have the need to bounce a couple of questions off of any school with a
> European campus that is using cloud-based networking of any sort
> (Meraki, Aerohive, etc.).
> 
> Off-list is better.
> 
> Thanks in advance-
> 
> 
> Lee Badman
> 
> 
> 
> *Lee H. Badman*
> Network Architect/Wireless TME
> ITS, Syracuse University
> 315.443.3003



Re: [WIRELESS-LAN] Android tablet for wifi analysis?

2013-10-20 Thread Frans Panken
Merideth, 

Wi-spy currently requires a dongle and hence a laptop or MacBook to make it 
work. 
It gives you good insight into spectrum behavior (much better insights than Wi-Fi 
analyzer, which mainly restricts to the channels in use). Please note that you 
still need expertise to translate the Wi-spy information to actions that solve 
the RF-problems (is it caused by Bluetooth, by a microwave, by people that have 
MiFis or other equipment that behave like access points, by wireless cameras 
that send periodic information..). There is a regular variant and a 
professional one. The latter is rather expensive (especially the licenses). 

-Frans 

- Original Message -

> From: "Merideth Drudge" 
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Sent: Friday, October 18, 2013 11:08:22 PM
> Subject: Re: [WIRELESS-LAN] Android tablet for wifi analysis?

> Thanks everyone for your input on this, I appreciate it.

> Eric, right now we haven't really been using anything for RF
> interference analysis, so I have also been looking into that. Wi-spy
> looks interesting (and they plan on an Android version of their
> software, but when?) and I also found WiPry which works on iOS
> devices. Any thoughts on these devices for checking RF interference?

> Thanks,

> Merideth

> On Wed, Oct 16, 2013 at 2:57 PM, Eric Rose < ear...@salisbury.edu >
> wrote:

> > From my experience WiFi Analyzer is a quick and dirty overview of a
> > given environment but I agree it doesn’t provide enough in-depth
> > information.
> 

> > What are you using for non-wifi device interference? I’ve looked
> > into
> > AirMagnet Spectrum ES and Metageeks wi-spy.
> 

> > Eric
> 

> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> > [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU ] On Behalf Of Andy
> > Page
> 
> > Sent: Wednesday, October 16, 2013 2:35 PM
> 
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> 
> > Subject: Re: [WIRELESS-LAN] Android tablet for wifi analysis?
> 

> > Merideth,
> 

> > I use ‘WiFi Analyzer’ on my android phone, and have used it on a
> > tablet before. To my knowledge, it’s the best one out there.
> 

> > With that said, I only use it for quick checking, as it doesn’t
> > provide enough in-depth information.
> 

> > Andy
> 

> > --
> 
> > Andy Page
> 
> > Network Design Professional
> 
> > University of Notre Dame
> 
> > 574.631.6592
> 

> > Go Irish!
> 

> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv [
> > mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU ] On Behalf Of Merideth
> > Drudge
> 
> > Sent: Wednesday, October 16, 2013 2:29 PM
> 
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> 
> > Subject: [WIRELESS-LAN] Android tablet for wifi analysis?
> 

> > Hello,
> 

> > We have been using laptops with wifi scanning software when
> > checking
> > out wireless issues, usually with inSSIDer or Netstumbler
> > installed.
> > I have been considering purchasing an Android tablet (like maybe a
> > Google Nexus 7) for this purpose, and wondered if anyone else has
> > used Android devices for wifi analysis. I see that there is an
> > Android version of inSSIDer; has anyone used it, or have other apps
> > that they recommend? How about other devices that have been useful?
> 

> > Thanks!
> 

> > Merideth
> 

> > --
> 
> > Merideth Drudge
> 
> > Network and System Administrator
> 
> > Saint Mary's College
> 
> > Notre Dame, IN 46556
> 

> --
> Merideth Drudge
> Network and System Administrator
> Saint Mary's College
> Notre Dame, IN 46556
> 574.284.4754
