Wi-Fi 6E Branding Rant

2021-01-18 Thread Green, William C

"Wi-Fi 6E” is not a good branding for what 6GHz provides, in my personal 
opinion.  I hope the Wi-Fi Alliance reconsiders.

I've been discussing Wi-Fi 6E in my organization for over a year-- and nobody 
can keep that “E” in their heads.  They constantly confuse "Wi-Fi 6" as the 
same as "Wi-Fi 6E" in meetings, products, and strategies.   The whole point of 
the Alliance branding was to make things more understandable to non-technical 
audiences, right?  Doesn’t 6 vs 6E fly in the face of that?  I’m not good at 
naming things, so am used to recognizing branding failures like this.

I understand most of the underlying technology is the same-- other than 6GHz 
capability.  Most people don't care about the underlying technology unless it 
accomplishes something they need.  6GHz is a once in a generation 
differentiator that will enable far more than the changes from 802.11ac to 
802.11ax, which was deserving of a new number.  Not having that capability 
reflected in a more differentiated branding is causing and will continue to 
cause unneeded confusion.

I understand the Alliance has already placed a lot into marketing of the term 
"Wi-Fi 6E", but that's sunk cost.  Pick a new branding.  Perhaps, Wi-Fi 7.  You 
can leave all 6E materials and just say it's the same thing as Wi-Fi 7.  Have 
everything in the futures pipeline do a +1 on their PowerPoints.  Will the 
Alliance incur some ridicule, yes, but less than continuing with 6E in my 
personal opinion.

Do I think this rant will change anything?  No.  But naming a frustration is 
sometimes useful for dealing with it.  I’m moving on.


--
William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
gr...@austin.utexas.edu



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


Re: MAC Randomization, a step further...

2020-08-06 Thread Green, William C
> Yikes. I hope network operators are not asking users to disable user privacy 
> protections. That is a slippery slope.
>
> tim

User privacy is one goal.  It is not absolute.  There are many that must be 
evaluated and weighted in different environments with an institution's goals 
(e.g. security, operations, funding, etc).

The OS vendors are changing expected behavior many goals are built upon; it 
will take some time to figure out what all the implications are.


--
William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
gr...@austin.utexas.edu




Re: WIRELESS-LAN Digest - 20 Jul 2020 to 21 Jul 2020 - Special issue (#2020-88)

2020-07-20 Thread Green, William C
> Passpoint solves all of these issues.
>
> Tim

Count me in the fan bucket when widely deployed.  But when will that be I 
wonder?  MAC rotation increases in a few months.

I recognize institutions have different relations with their guests.  For ours 
the friction/intrusiveness of onboarding processes was considered too high a 
cost.  I know I would not want to run another institution's software on my 
device to onboard it to their Wi-Fi (and for some it is prohibited).


--
William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
gr...@austin.utexas.edu





Re: MAC Randomization, a step further...

2020-07-20 Thread Green, William C
> For guests, I've been tossing around the idea of an open network. No
> .1x, no PSK, no captive portal. Affiliates would be encouraged to use
> eduroam via SSO nag. Columbia University had a presentation on how they
> are doing the open network side of this. I suspect the most difficult
> part will be getting legal on board. Who has an open network? What have
> your experiences been? This is only tangentially related, so feel free
> to split it into a new thread.


We run an open network for guests.  It has been wonderful for guests and they 
all like it.

The major problem has been student, faculty, staff devices connecting to the guest 
network (usually unbeknown to the user).  Restrictions on that network then 
cause support calls.  Google decided the network was “good” and so Android 
devices connect by default (then VPN tunnel back to Google).  We don’t want to 
block that due to guests.

But maybe there will be a new problem.  When devices have been found infected 
on any of our networks we’ve quarantined by MAC address.  Hmmm… so for our 
users we can quarantine by their user name (much less helpful to take all their 
devices offline instead of just the one infected, but hey, this is progress, right). 
 I don’t know what we do with infected guest devices (or as our users’ device 
decides to move to the guest network because they were blocked on the main 
network) if they are randomizing between connections.  Vendors haven’t thought 
this through.  That may push a registration method with credentials for guests 
— meaning less privacy?


--
William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
gr...@austin.utexas.edu
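
The quarantine problem described in this message can be made concrete. The following is an added example, not part of the original post: it checks the locally administered bit that randomized MAC addresses set, then picks the identifier a block would have to use. The SSID names, user names and session records are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff forms."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set.

    Randomized "private" addresses set this bit; so do some virtual
    interfaces, so treat it as a hint rather than proof of randomization.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


@dataclass
class Session:
    ssid: str                 # hypothetical SSID names, not from the post
    mac: str                  # client MAC as logged by the controller/RADIUS
    username: Optional[str]   # None on the open guest network


def quarantine_key(s: Session) -> Tuple[str, str]:
    """Choose what a quarantine entry has to be keyed on for this session."""
    mac = normalize_mac(s.mac)
    if not is_locally_administered(mac):
        # Burned-in address: stable, so a MAC block isolates just this device.
        return ("mac", mac)
    if s.username:
        # Randomized MAC on the 802.1X network: only the credential is
        # stable, so the block takes all of the user's devices offline.
        return ("username", s.username)
    # Randomized MAC on the open network: no stable identifier at all.
    # A MAC block lasts only until the device rotates its address.
    return ("unstable-mac", mac)


def plan(sessions: List[Session]) -> List[Tuple[str, str, str]]:
    """Return (ssid, key type, key value) for each infected session."""
    return [(s.ssid,) + quarantine_key(s) for s in sessions]


# Constructed sample sessions for devices flagged as infected.
SAMPLE = [
    Session("campus-1x", "3C:22:FB:12:34:56", "jdoe"),     # global MAC
    Session("campus-1x", "DA-A1-19-00-11-22", "asmith"),   # randomized MAC
    Session("campus-guest", "f2a4.5b01.9c77", None),       # randomized, open
]

if __name__ == "__main__":
    for row in plan(SAMPLE):
        print(row)
```
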




Re: Cisco pre-DNA Spaces Location Service, Contact Tracing

2020-06-01 Thread Green, William C
No contact tracing queries to date, but a lot of building occupancy interests.

1)  We are investigating DNA Spaces for building occupancy and will be 
conducting tests in two buildings with I/R entrance sensors to compare.  I 
would be interested in a conversation with any school that has experiences with 
DNA Spaces in campus environments (experience > powerpoint).  Please contact me 
off list.

An expensive undertaking — but then so are the I/R solutions.  The Wi-Fi 
infrastructure is in place (watching fall quickly approach).


2)  Home-grown, we are providing anonymized association data to our business 
intelligence group, which attempts to correlate with rough building occupancy 
(they have a nice visualization of the campus map, just building level not 
floors).  It can be difficult weeding out transients/drive-bys from actual 
people in their data analysis.  The information has been used over this period 
by our custodians and to focus various safety efforts.  In the next weeks we 
hope to compare that with reports from a building that has entrances equipped 
with entry/exit I/R cameras from the February timeframe prior to distancing.

Not as elegant as #1, because the device must be associated with our network, 
and it only gets the associated AP (as opposed to all APs hearing from a 
solution from your relevant vendor like #1).  Our open guest network pays off a 
bit here, in that Google decided it was “good”, and Android devices 
automatically connect to it and get VPN tunneled through Google without the 
user taking action to configure their device if Wi-Fi is on.


3)  Now how do you convince everyone to leave Wi-Fi turned on and not be 
creeped out by all this?


4)  If someone knows of decent services to obtain cellular location I’d also be 
interested.  Carrier account reps have not returned my queries on their 
“solutions” yet.  I figure if it's good enough for marketing, it may provide a 
different less-granular metric of use.



William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
it.utexas.edu | 
gr...@austin.utexas.edu



We are getting multiple vendor pitches these days for contact tracing 
“solutions”. From Cisco, our main network vendor, their pitch relies on DNA 
Spaces. We don’t use that yet,  and it’s no secret what is happening to many of 
our budgets.



 My question is specifically for Cisco legacy location services users. Are you 
all doing anything specific in anticipation of possibly needing to provide 
Wi-Fi location data for contact tracing? Are you being specifically asked about 
it by your management?



Lee Badman (mobile)





Re: NAC/authentication implementations

2020-04-13 Thread Green, William C

> If you have a NAC solution do you do port based auth?
Units may choose to activate NAC on ports of supporting equipment (drop down 
menu for them in a web interface we provide).  It supports both 802.1x and MAC 
Address Bypass (MAB) with an on-boarding redirect portal.

To date there are only several thousand ports activated outside the residential 
network (which is all NAC).  Security initiatives will likely take that far 
higher in the coming years.


> If you have a NAC solution do you do eap-tls? If so how are you handling the 
> certification “push” to devices?
No, PEAP at this time for the greatest compatibility.

> What were the major pain points during implementation?
802.1x:  Supplicants for wired 802.1x are not as mature as wired, but are 
getting better.

MAB:  Browsers resist redirects.  This can lead to minute/minutes timeouts for 
the end user resulting in calls to the help desk.  Also, our distributed IT 
support wish to control this interaction, and we have not implemented a portal 
for them to manage thousands of devices yet.

Windows:  most are deployed via a GPO that was painless.  What we did not do 
initially was integrate with the Active Directory to support machine 
credentials (we have a FreeRadius environment for 802.1x given scale).  When 
users logout, the machine goes to an unauth state.  While our ACLs allowed 
access to IP ranges with management servers, the community wanted access for 
other items.  With support of the machine credentials, when users log out the 
machine logs in under its credentials and is still accessible.  However, we 
lack the Network level tracking of IP action to user auth — needing to go 
through the AD logs to see who may have been logged into a machine remotely if 
issues arise.

Mac OS: with recent versions, 802.1x is on by default and one has to go to 
efforts to shut it off.  There are issues in a shared computing environment 
(e.g. computer lab) that have not been resolved — they do not cleanly implement 
the same concepts as a Windows environment, even with local scripting.

Arriving at the right combination to have 802.1x and MAB required IBNS 2.0 IOS 
versions which limits it to 70% of switch port inventory.  We are returning 
ACLs to implement various policies.  Older switches have limited capabilities 
as to how deep those ACLs can be.  Getting the timers correct was a bit of work.

> What were the major use cases you were resolving/resolved?
First we wanted automation of port configurations.  Second we expected future 
compliance would require NAC (that shoe has now dropped).  It ties in with a 
push from wireless to move inventory and information risk assessment to the end 
user (since that is now knowable and was not possible in our wired environment 
previously).


> Anything you would do differently if you do it again?
We'd probably do MAB only first to get the automation piece across the entire 
inventory and wait more years for all switches to support IBNS 2.0.




William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
it.utexas.edu | 
gr...@austin.utexas.edu




Re: How does your enterprise do your wireless door locks?

2020-03-31 Thread Green, William C
We don’t have enough such that I am aware of them, however, I did see a vendor 
document several years ago stating PSK was more power efficient than 802.1X.  
So whenever the topic comes up, suggest PPSK as the strategy.  That may have 
changed.  I expect when locks support 802.11ax, they get another bump in 
efficiency.

We use FreeRadius (with our own mods) for PPSK so don’t have the ISE licensing 
issues.  I heard that PacketFence also had mods.




William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
it.utexas.edu | 
gr...@austin.utexas.edu




Re: PoE lighting - Who is doing it?

2020-03-06 Thread Green, William C
Taking a short break from pandemic planning efforts…

Large manufacturers have white papers and equipment out (e.g. Philips, Cisco). 
 Still a bit pricey when I looked a year or two ago, that will change.  Their 
approach was to cable to nearby points with POE switches in the plenum (not 
back to a data closet).  The switches were plenum rated (accepting 277v as is 
often used for commercial lighting, requiring an electrician to direct wire to 
the switches — no plug to get their rating).  Lots of implications for how 
networks have traditionally been operated.

With 70 watts and higher at the end device with POE, you can drive lots of 
devices that no longer need traditional high voltage services.  Inevitable (first 
global power standard).  In new construction, that is a lot of conduit and 
skilled electrician labor potentially saved.

Related, some may have noticed bills introduced by electrician unions in a 
number of states which would require licensed electricians to install POE 
cabling over safety concerns.  Didn’t make it out of committee in Texas.  I did 
educate our legislative relations representatives on cost and delay impacts 
such a change could have given the limited skilled electricians in our market.




William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
it.utexas.edu | 
gr...@austin.utexas.edu




Data Consumption by Standard/Spectrum

2020-01-06 Thread Green, William C
In the chart, I’ve added AP count by standard to the best of my abilities as 
requested from last time.  Kind of a busy chart now.  My interest has been in 
5GHz adoption by devices given the additional spectrum available in that band.

I hope 802.11ax drivers prefer 5GHz over 2.4GHz, or things will not turn out 
well for the standard.  We’d be placing thumbs on the scale (through whatever 
knobs are offered) or turning it off otherwise.  I’m a fan of IOT low power 
potential of 802.11ax at 2.4GHz, but the trains have to run.  No measurable 
802.11ax APs for us just yet to know better.

Presuming the FCC carries through with allocating a large portion of 6GHz for 
unlicensed use this quarter (Wi-Fi 6E), it will be interesting to watch the 
migration to that spectrum.  Here’s hoping for the full 1.2GHz without AFC— it 
will be needed.  Just wish it wouldn’t take so very long to be able to utilize 
the new spectrum (at least dense spaces that need it most can benefit early).

*The 802.11a anomaly from Spring 2015 in the chart was Airwave not recognizing 
the model supporting 802.11ac and reporting 802.11a.







William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
it.utexas.edu | 
gr...@austin.utexas.edu




Re: Feasibility of an open SSID for student use

2019-09-13 Thread Green, William C
I won't argue for or against TLS or for other methods without understanding the 
context and use case…  What fits the risk/benefit/cost profile for a particular 
community or subset?  Observationally, eduroam reports show only 5% of visitors 
to our university utilizing TLS.

We labbed up the MITM in 2006 as part of our  802.1x deployment work (having 
concerns).  I continue to hope for better EAP implementations in the native OS 
(shouts at the heavens).

On other notes, I am disappointed in the slow rollout of WPA3 (I know there 
have been security issues).  Sometimes these features are so slow they are 
overtaken by other solutions.  For example, while we do block some services on 
our open guest SSID to discourage our community from using it, we’ve learned 
how Android will VPN tunnel through Google’s servers (unbeknownst/configured by 
the user) obviating these attempts on our part.  I guess it does secure those 
users from any threats on those open networks and whoever operates them 
(Google, *deleted*).



William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
it.utexas.edu | 
gr...@austin.utexas.edu


“Most need no instructions and figure it out on their own,” may not be the 
virtue you think it is.  How many of these users figuring it out on their own 
are validating your RADIUS server certs?  Self-configuration invites MiM 
attacks that can harvest account credentials.  It’s precisely the security 
weakness of 1x I cautioned about earlier.

Furthermore, providing an onboarding option that configures the devices 
correctly doesn’t prevent users from self-configuring.  A good on-boarding 
solution will be widely used and will reduce the overall risk, but it doesn’t 
eliminate the problem.  TLS is the only EAP type that doesn’t have this 
weakness.

Chuck
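
The concern raised above, self-configured PEAP clients that never validate the RADIUS server certificate, can be audited on managed Linux clients. The following is an added example, not part of the thread: it scans wpa_supplicant network blocks for password-based tunnelled EAP profiles that lack `ca_cert`/`ca_path` or a server-name constraint. The SSIDs, paths, host names and sample configuration are constructed.

```python
PASSWORD_TUNNELS = {"PEAP", "TTLS"}   # methods that carry a password inside TLS
NAME_CHECKS = ("domain_suffix_match", "domain_match",
               "altsubject_match", "subject_match")

MESSAGES = {
    "no-ca": "no ca_cert/ca_path: the server certificate is not verified",
    "no-server-name": "CA set but no server name check: any certificate "
                      "issued under that CA is accepted",
}


def parse_networks(conf_text):
    """Return one dict of key/value settings per network={...} block."""
    networks, current = [], None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net):
    """Return finding codes for one network block (empty list = nothing found)."""
    key_mgmt = net.get("key_mgmt", "").split()
    if not any(k.startswith("WPA-EAP") for k in key_mgmt):
        return []                      # open or PSK network: out of scope here
    if not set(net.get("eap", "").upper().split()) & PASSWORD_TUNNELS:
        return []
    if not (net.get("ca_cert") or net.get("ca_path")):
        return ["no-ca"]
    if not any(net.get(k) for k in NAME_CHECKS):
        return ["no-server-name"]
    return []


def audit_config(conf_text):
    """Map SSID -> finding codes for every block that has findings."""
    report = {}
    for net in parse_networks(conf_text):
        findings = audit_network(net)
        if findings:
            report[net.get("ssid", "<no ssid>")] = findings
    return report


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONF = '''
network={
    ssid="campus-1x"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-1x-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    ca_cert="/etc/ssl/certs/example-root.pem"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-1x-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    ca_cert="/etc/ssl/certs/example-root.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-guest"
    key_mgmt=NONE
}
'''

if __name__ == "__main__":
    for ssid, codes in audit_config(SAMPLE_CONF).items():
        for code in codes:
            print(f"{ssid}: {MESSAGES[code]}")
```
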




Re: Feasibility of an open SSID for student use

2019-09-12 Thread Green, William C
We’ve found it's easier for our community to onboard to our 802.1x SSID with the 
native supplicant of the device, rather than download and run an installer (are 
dropping the installer).  Most need no instructions and figure it out on their 
own.

While we offer an iPSK SSID, it is not as easy— person must go to web site to 
enroll a MAC address and get a key.  Predominantly in the residence halls so 
far (TVs, speakers, printers, game consoles, etc).  Also a smattering of 
devices that don’t support 802.1x (making our researchers happy).  I’m waiting 
to hear how iPSK has improved battery life for IOT projects.



William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | 
it.utexas.edu | 
gr...@austin.utexas.edu





Re: UT Austin Biennial Network Report

2017-10-03 Thread Green, William C
> see on page 7 the Average Building Network Grade metric.  How is this grade 
> determined?


It is a weighted average based on port density (not letting poor conditions in 
a few small buildings skew scores for the average user).

The individual building grades are generated by locally developed software, 
which surveys many factors (e.g., community arrived at standards, vendor 
support, code version, age, etc).  The following box link shows the grading 
criteria if anyone is interested (page 4).
  https://utexas.box.com/s/d9h94mexabeyr83oy4s4jn9eks9r4ezs

While we are proud of the tool and the transparency it creates, the tool is 
difficult and costly to maintain.  Just another cost of our federated 
environment.


--
William C. Green  e-mail:  
gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.



Re: UT Austin Biennial Network Report

2017-09-28 Thread Green, William C

> Can you provide any additional information as to why the use of eduroam is 
> prohibited?
Regarding local campus use, it was an opinion by university legal counsel— I 
have nothing more to add.  (and this is not a listserv for legal experts)

I can comment on security for UT Austin’s use of eduroam elsewhere, and that 
would be an appropriate conversation for this list.  It is related to how our 
university has implemented credentials and wireless authentication that may not 
apply at many other institutions.

1)  Wireless at UT Austin may only be accessed via 802.1x at present, and the 
only EAP method supported is PEAPv0/EAP-MSCHAPv2.  MSCHAPv2 has 
vulnerabilities.  As long as the RADIUS infrastructure is operated securely by 
the university, we do not believe this is much of an exposure.  eduroam, 
however, is a confederation of thousands of RADIUS servers, none of which are 
operated by the university.  We think some of those could be compromised, 
providing access to exploit MSCHAPv2 weaknesses.

2)  The credential is the same one used for “consistent sign-on” for almost all 
university services.  Additional factors are being added to a number of 
services, but compromise of the single credential would still be very bad.

3)  We know about alternative EAP methods, such as certificates.  It is a tool 
we would like for other use cases and benefits.  But that has not been 
prioritized for resources to date (please insert long-tail time and money here).

4)  It has been our experience that PEAPv0/EAP-MSCHAPv2 is the path of least 
resistance on the most popular platforms.  A different credential or 
alternative EAP methods for regular campus use would create too much friction 
when connecting (your campus may be different).  Yes, we are aware of current 
on-boarding products — and we use some of them.  At some point the security 
environment may change (it usually does) tipping in favor of other methods.  
Along the way native OS support may improve for other methods obviating need 
for an on-boarding step by our community (wouldn’t that be swell), or 
on-boarding tools may become better and less cumbersome.



-William




UT Austin Biennial Network Report

2017-09-21 Thread Green, William C
Linked is UT Austin's biennial network report:
https://utexas.box.com/s/drckih61cw8yvom3avihe6j7c8nx972n


I encourage others to provide their operational reports for everyone’s benefit. 
 And, if you find this exciting we are hiring!
https://utdirect.utexas.edu/apps/hr/jobs/nlogon/search/0/   (hint, search for 
network)

--
William C. Green  e-mail:  
gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712





Re: Backup power

2017-07-20 Thread Green, William C
We do not use UPSes generally.  Everyone’s situation is different.

Our electricity is very stable, and, for us, the UPSes cause more prolonged 
outages than the actual electrical outages.  So if a UPS is used (optional), 
the connected device must be either dual power supplied (with one bypassing the 
UPS) or an Automatic Transfer Switch must be included so there is a bypass 
around the UPS.  Yes, we’ve tried multiple brands of UPSes.  If our electricity 
were not stable, I might have a different approach.  We see UPSes mostly at 
remote sites where power is not stable.

Our university is mostly VoIP, but life-safety phones are on an analog plant.  
The hubs of that analog plant have battery and emergency power, so that 
operations can be sustained indefinitely in event of a primary electrical 
outage, or 6-8 hours for complete electrical outage (five locations instead of 
1,300 for UPSes on network equipment).  Far more time than is typically 
provided with UPSes, and more support of emergency situations.  Our university 
is fortunate to have a larger copper plant from earlier years which we reused.  
Remote sites of course don’t participate in that plant, and either have analog 
service from the local carrier, or, an analog gateway and network path with 
backup power depending on quantities/economics of the site.  I would have to 
run the numbers, but expect we’d have gateways per building before providing 
backup for all network switches if we did not have that copper plant.  [note,  
we don’t provide service to residence halls, those phones were removed years 
ago except for several employees where they are analog]

Other changing factors.  Many servers have moved to our Data Center, so there 
is less need for network when power goes in the buildings.  And the obvious 9X% 
have cell phones.


--
William C. Green  e-mail:  
gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712





Re: UT Austin is Hiring

2017-04-21 Thread Green, William C
URLs that don’t require authentication:
https://utdirect.utexas.edu/apps/hr/jobs/nlogon/170421019382
https://utdirect.utexas.edu/apps/hr/jobs/nlogon/170214019382



On Apr 21, 2017, at 6:17 PM, Green, William C <gr...@austin.utexas.edu> wrote:

We’re looking for a few good senior network engineers:

1)  Wireless support for our new medical school (controllers, RADIUS proxies, 
location services, medical devices, 3rd parties):
https://utdirect.utexas.edu/hrms/rec_summ/posting.WBX?key_posting_id=170421019382
2)  Network integration and security support for building systems and related 
infrastructure (MPLS, VRFs, firewalls, IOT):
https://utdirect.utexas.edu/hrms/rec_summ/posting.WBX?key_posting_id=170214019382




Lots has happened since our last report, but you can get an idea of the 
size/scale/direction of our institution from 2015 here:
https://utexas.box.com/s/hh3lplbqoca66th2v820ougkmkexmx5v



--
William C. Green  e-mail:  
gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712






UT Austin is Hiring

2017-04-21 Thread Green, William C
We’re looking for a few good senior network engineers:

1)  Wireless support for our new medical school (controllers, RADIUS proxies, 
location services, medical devices, 3rd parties):
https://utdirect.utexas.edu/hrms/rec_summ/posting.WBX?key_posting_id=170421019382
2)  Network integration and security support for building systems and related 
infrastructure (MPLS, VRFs, firewalls, IOT):
https://utdirect.utexas.edu/hrms/rec_summ/posting.WBX?key_posting_id=170214019382




Lots has happened since our last report, but you can get an idea of the 
size/scale/direction of our institution from 2015 here:
https://utexas.box.com/s/hh3lplbqoca66th2v820ougkmkexmx5v



--
William C. Green  e-mail:  
gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712





Re: [WIRELESS-LAN] 2.4 vs 5

2017-03-08 Thread Green, William C
We are seeing many of the congestion issues of 2.4GHz ameliorating themselves 
as clients are self-selecting 5GHz.  Especially in the higher density 
environments where the 2.4GHz congestion was extreme.

On our campus, 5GHz now represents 80% of the data transferred (up from 28% six 
years ago), and 63% of the association time (up from 22%).  Even higher in high 
density environments.  I expected continued increases as we replace more EOL 
WAPs with 802.11ac capable ones (many popular clients are preferring 802.11ac).

Less dire than before.

--
William C. Green  e-mail:  
gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712





Re: Alternatives to AT&T WiFi

2016-11-30 Thread Green, William C
Very much like your site, we’ve utilized attwifi as a third party provider for 
guests for nearly five years.

We have not received DMCA notices, as that is AT&T’s network, and don’t know 
how many they may have received.

Similarly for CALEA.  We would of course assist AT&T if they required L2 
information only our system has, but AT&T has never requested it.  Authorities 
did contact us once.  We are not sure why they contacted us and they were 
referred to AT&T (no idea if it became a CALEA request or not).




-William




**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



UT Austin -- Wireless Device Demographics

2016-04-24 Thread Green, William C
Attached are the wireless device demographics at UT Austin for this academic 
year.

Mobile is relatively unchanged from last year.  For traditional operating 
systems, OSX picked up 10% from Windows.  OSX 10.11 shows up, taking from 
10.9 and 10.10 use.  Windows 10 also appears, taking most Windows 8 share.





Sampling method looks for self-identified web user agents from our 802.1x 
authenticated network.  There are known issues with this method of sampling.  
Nearly a third of devices authenticated to the network are missing from this 
analysis (do not present web user agent — as with many mobile apps).

--
William C. Green  e-mail:  
gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas at Austin
1 University Station Stop C3800
Austin, TX  78712








ua_report 20160424.pdf



Re: WIFI calling on iPhones with AT&T

2016-01-21 Thread Green, William C

If you are concerned about being network neutral, can you still claim to be 
that if you turn on QOS for wifi calling?




-William







Re: FYI: UT Austin Biennial Network Report

2015-09-18 Thread Green, William C
> I see that you use Cisco as the primary Core, but what do you use for edge 
> switches, wireless and controller software.

> Bradley University
> T. Shayne Ghere
Cisco edge switches (a variety of models, lately the 2960X line), WISM2 
wireless controllers in 6509s, Aruba Airwave for wireless reporting (locally 
developed software for provisioning).

> Is this related to all the various dfs bugs in the cisco wifi code?  I have 
> heard and read about others fighting false dfs events and I'm seeing dfs 
> issues as well with various code versions. 
Yes, we’ve been working closely with Cisco utilizing our “rich environment” for 
data collection and testing.



-William







FYI: UT Austin Biennial Network Report

2015-09-17 Thread Green, William C
Below is UT Austin's biennial network report.  I encourage others to provide 
their operational reports for everyone’s benefit.

https://utexas.box.com/s/hh3lplbqoca66th2v820ougkmkexmx5v



--
William C. Green  e-mail:  gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712









Re: eduroam Advertising

2015-07-22 Thread Green, William C
Philippe,

What is the support status of eduroam and 802.11u?

That might address some SSID related issues.



--
William C. Green  e-mail:  gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712



Re: Wireless Door Locks

2015-07-03 Thread Green, William C
We’ve also been researching various approaches and different issues 
encountered.  Everyone’s situation is unique.  Some internal musing (not 
asserting these are facts):

Basically, we have not found one lock vendor that does everything we want.  
Meaning more support/inventory costs (like more risk of door replacement).

a)  Vendor X’s WiFi lock will do 802.1x, but it will reduce the battery time 
from 12-14 months down to 6-9 months even at low polling (once-twice per day).  
We’d have to run a WPA2 SSID to get what we believe to be acceptable battery 
time, which we are loath to do in our overcrowded spectrum.  Others mentioned 
polling— this low polling reduces ability to make changes for various reasons 
(ice day, safety emergency, schedule change), or other options while users wait 
by door.  Vendor X also has a proprietary 900MHz lock system (needs another 
radio infrastructure) — more later.

b)  Vendor Y has a proprietary 900MHz system, so as to avoid WiFi spectrum, 
but requires you to run another radio infrastructure.  They can poll on 30-60 
second intervals with decent battery life, some security system vendors have 
tweaked this to 10 seconds, and offer an App for the customer’s smartphone to 
get in if they lock themselves out (more likely to have phone).  However, for a 
particular prox brand, they only support a version of that brand which has 
published vulnerabilities.  There are more secured versions of that brand, but 
Vendor Y stated they had no schedule/plans to support it.

c)  Vendor X has a POE lock, but vendor Y does not.  POE requires that 
expensive cable run, door frame, special hinge, drilled door.  On the plus side 
it runs without batteries, which is great till the power goes out (there are 
options for batteries in addition).  It doesn’t have wireless security 
issues/jamming concerns.

d)  Vendor Y has a model of autonomous use lock (no network connection/managed 
with smartphone/PDA) that aligns better with our end user's needs in some 
instances (cheaper).  Vendor Y has some modularity in their models, whereby 
those locks can start with a push button/prox autonomous, and can have modules 
traded out to their proprietary 900MHz later (no door changes).  Vendor X, not 
as good alignment/modularity (moving from their autonomous [users don’t like] 
to proprietary wireless means a new expensive lock).

e)  Vendors will sometimes have different door requirements.  So moving between 
them could mean drilling holes, or may have architectural fit issues with the 
decor.  Holes of different sizes in different places lead to plates and door 
replacements ($) — you can only drill it so many times.  And that takes more 
labor.

f)  Our facilities personnel are particular about the sturdiness of lock 
hardware, the types of cylinders (keying plans), and inventory.  I understand 
and support them on this.  All these locks are very expensive.

g)  Building security runs a decade or more behind the rest of IT. 


--
William C. Green  e-mail:  gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712







Re: netflix question

2015-03-19 Thread Green, William C
Yes we see lots of Netflix.  Whether it matters would be highly dependent on 
your situation (funding model, size, location).  Our concerns/approach on two 
levels— Internet and LAN:

Internet:
We charge for bandwidth.  The students use more BW, they have to buy more BW 
from us, we use that to purchase more BW.  No content throttles, no judgement, 
no problems.  For efficiency and to keep cost low for students, we work closely 
with our regional education network, LEARN, which has peerings with Netflix to 
reduce costs (those graphs are pretty impressive).  Some networks can justify 
their own caches with Netflix, but we can’t, yet, due to being a mostly 
commuter campus (only ~7,500 in on campus housing).  No comment on caching 
alternatives.

LAN:
Wired environments are trivially engineered to handle the load.  Wireless, is 
of course more difficult because the carrying capacity of the spectrum is 
finite.  High Netflix use in a dense area (e.g. large classroom) could cause 
saturation reaching the limits of current technology even if well engineered.  
We are struggling with large/dense population areas like that.  It’s everything 
though, not just Netflix.  I don’t see our dorms as a dense area-- they have 
not reached capacity of the spectrum, just an old sparse AP deployment scheme.  
We are in the process of increasing that density now and should be done by 
summer.



-William



Re: Trying to get the Wi-Fi Alliance's Attention

2015-01-24 Thread Green, William C
Many perspectives presented….  From one bigU’s perspectives:

1)  Additional Wi-Fi Alliance efforts would be good (around enterprise security 
and Passpoint).  I understand the Alliance can’t make vendors do things, but 
they can support/encourage/cajole.  Articles like Lee’s help get that message 
out to more ears.

2)  Security is most effective and properly applied at the applications layer.  
For wireless I believe encryption is necessary to protect integrity of the link 
layer.  Encryption needs to be flexible and evolving because it will no doubt 
have exploits itself.  The obvious why:  with wired networks, the transmissions 
are effectively scoped to the medium (the wire) reducing exposure to how that 
network operates, which is not the case for wireless (where the scope can be 
hundreds of feet in all directions).  The larger that wireless network, the 
larger the scale of exposure.  A home wireless is not the same as enterprise 
wireless due to the scale— PSK, for example, with thousands of devices is 
effectively no encryption.  Again, this has nothing to do with application 
security from my perspective, it’s having the network operate as intended (e.g. 
man-in-the-middle attacks).

3)  Authentication is necessary for operations.  I need ways to track, identify 
and isolate devices to maintain operations.  MACs may be changed per the 
standard, while it doesn’t happen often, we monitor devices that do it per 
session — and were there a motivation (such as MAC auth), I’m sure it would 
happen even more.  It’s also needed to track use (liability/legal — no moral 
judgement implied).  Smaller networks may not have these concerns.

4)  Broadcast discovery mechanisms can stuff it, they don’t scale and open a 
plethora of vulnerabilities.  I’m a proponent of layer 3 to the device (the 
world doesn’t agree).  In the beginning of Ethernet at Xerox PARC in the 70s 
there was the Grapevine for resource discovery.  Forty years later and we can’t 
have directory services, really?   Planet level cloud data centers, but no 
directory services?

5)  My institution moved to 802.1x early for wireless, and found it a far 
superior user experience to web redirect mechanisms (stability/reliability/ease 
of use).  While we have an installer, it is rarely used these days.

6)  I have hopes that Passpoint/Hotspot 2.0/802.11u will create motivations for 
better support of enterprise environments.  Increased mobile usage and the 
limited available spectrum will drive more pressure for that support (Voice 
over LTE enabling Voice over WiFi, motivating deeper pocket players to push 
compatibility).  It’s a numbers game.




-William
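
Point 2's remark that PSK with thousands of devices is effectively no encryption, shown as an added example that is not part of the original message: under WPA2-Personal every session key is derived from the shared passphrase plus MAC addresses and nonces that cross the air in the clear, while under 802.1X each session starts from its own key. The SSID, passphrase, MAC addresses, nonces and per-user keys below are constructed sample values.

```python
"""Added illustration: session-key isolation under WPA2-PSK versus 802.1X."""
import hashlib
import hmac

# Constructed sample values (assumptions, not taken from any real network).
SSID = "example-campus"
PASSPHRASE = "shared-by-thousands"
AP_MAC = bytes.fromhex("020000000001")
STA_A_MAC = bytes.fromhex("0200000000a1")
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 pseudo-random function built on HMAC-SHA1."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def temporal_key(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """Derive the 48-byte CCMP PTK (KCK | KEK | TK) and return the 16-byte TK."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[32:48]


def compare_isolation() -> dict:
    """Can user B reproduce user A's traffic key from what B legitimately holds?"""
    # PSK: A and B configure the same passphrase, so both hold the same PMK.
    pmk_a_psk = pmk_from_passphrase(PASSPHRASE, SSID)
    pmk_b_psk = pmk_from_passphrase(PASSPHRASE, SSID)
    tk_a_psk = temporal_key(pmk_a_psk, AP_MAC, STA_A_MAC, ANONCE, SNONCE)
    # B plugs A's cleartext handshake fields into the same derivation.
    tk_b_view_psk = temporal_key(pmk_b_psk, AP_MAC, STA_A_MAC, ANONCE, SNONCE)

    # 802.1X: each session's PMK comes from that user's own EAP exchange.
    # Modeled here as two distinct constructed 32-byte values.
    pmk_a_eap = hashlib.sha256(b"constructed EAP key, user A").digest()
    pmk_b_eap = hashlib.sha256(b"constructed EAP key, user B").digest()
    tk_a_eap = temporal_key(pmk_a_eap, AP_MAC, STA_A_MAC, ANONCE, SNONCE)
    tk_b_view_eap = temporal_key(pmk_b_eap, AP_MAC, STA_A_MAC, ANONCE, SNONCE)

    return {
        "psk_peer_derives_same_tk": tk_a_psk == tk_b_view_psk,
        "dot1x_peer_derives_same_tk": tk_a_eap == tk_b_view_eap,
    }


if __name__ == "__main__":
    for name, value in compare_isolation().items():
        print(f"{name}: {value}")
```

The only secret in the PSK derivation is the passphrase, so confidentiality between users shrinks as the number of people holding it grows.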







Re: Residence Halls Internet Bandwidth

2014-02-27 Thread Green, William C

Total number of users in dorms?
7,500

Total Internet bandwidth reserved for residence halls (to your ISP):
No bandwidth is reserved specifically for the residence halls.

Do you have a cap (Mbps) per users?  If so, at what speed?
More MB/week-- we utilize weekly bandwidth accounting.  Students purchase a 
tier of service, and are unlimited in speed unless they exceed their 
allocation, then are reduced to modem speeds until their weekly reset or they 
purchase a higher tier (no harm/no foul).  This is for all students 
resident/commuter.  Resident tiers are priced/packaged differently due to their 
greater consumption patterns (to avoid subsidies).

If you cap, do you set it at the switch port using QOS (wireless controller for 
wireless) or use an appliance such as a Packetshaper or Firewall?
When do you decide to upgrade your bandwidth? When you hit 80% or do you wait 
until you bump up against your limit?
If your connection is over 1 gig to your ISP, are you using a 10Gig handoff or 
multiple one gig handoffs bundled together?
We pay for a committed rate of ~5Gbps at the 95th percentile for the entire 
campus, however have two 10Gbps ports to our provider due to bursty traffic 
which will occasionally exceed 10Gbps.  The residential service pays for its 
portion of use.  That is calculated across all wired and wireless consumption 
on campus by their users (not just in the residence halls).

When to worry is a bit more complicated given access rate versus committed rate 
-- and also sampling rates.  I drive the committed close to 100%.  Access, 
depends on the price, 30% if you can afford it.  But looking at short-term 
sample rates may indicate otherwise (1, 10, 30, 60 second samples).

-William







Re: How many drops 802.11ac phase 2

2014-02-07 Thread Green, William C
We pull one 6a also.  That makes enough of us to drink together comfortably at 
the next Educause party.

Most of our APs are one 5e.  As well discussed, I also expect GE to be 
sufficient for a number of years, but I never bet against more bandwidth (we 
consume 3 orders of magnitude more WAN bandwidth than from when I started my 
career).  Power used to be my concern driving the consideration for two cables 
(and I think we have that in several buildings), but not with the new POE 
standards.

Given the amount of 5e out there (thinking beyond WiFi), the magic of market 
forces will likely provide additional options for more bandwidth across 5e 
(just look at the options for Cat 3 as ugly as they might be).  

10G capable ports on APs will be an after-thought in 4-5 years.  Vendors would 
have to look hard to find chips that don't do 100/1000/1 (etched glass, 
Moore's law, all that).

If I had the funds, I would consider two, but I don't have funds or 
pathways/facility space.  Should other tech (60GHz, LiFi, UWB [time-domain, not 
that lazy standard]) gain wide adoption, we'll all be sad, because two cables 
at a location probably won't help much in relation to the scale of the new 
challenge.


--
William C. Green  e-mail:  gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712



Re: Guest Network Access Policy

2014-01-16 Thread Green, William C
1)  Do you allow guests on your wireless network?

Yes


a.   If you allow guests, what steps do they need to take to gain access to 
the network (eg. sponsorship, MAC registration, open network)?

Primarily, outsourced to attwifi (we hand ATT equipment the broadcast domain 
for the SSID in our NOC, and they handle the rest including end-user phone 
support).  Guests may use a coupon or conference code they have been given; use 
a credit card to purchase access; be an existing ATT subscriber (device or 
account); be a subscriber to a provider ATT affiliates with and shares access.

We hope that 802.11u gains traction/support so we can support many vendors 
(BYOISP).


b.  If you require sponsorship or device registration, can you explain the 
process or give me a pointer to your policy?

Designated department representatives can also create guest accounts for 
mission related activities through tools we provide, but it is discouraged in 
favor of attwifi.  Or if the guests are really something else, then departments 
create records in our human resource systems (vendors, advisory boards, etc).

2)  Is your wireless network completely open in any part of your campus 
(eg. Library, student center, event spaces, athletic fields, etc.)?

attwifi is the only open option.

The university SSID is 802.1x as of summer -- there have not been many problems 
reported.  There is an open SSID, for help, that instructs guests to attwifi or 
helps those with accounts configure for 802.1x.


-William







FYI: UT Austin Network Stats

2013-07-31 Thread Green, William C

Attached is a link to our campus network report.  It contains various 
operational statistics, including wireless.  I would be interested in learning 
from other schools' statistics if folks would like to share.
https://utexas.box.com/s/pj962e2l842w2toec2vv


--
William C. Green  e-mail:  
gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712









Re: Non-802.1x devices on wireless...

2013-06-05 Thread Green, William C
We are removing our open SSID for sponsored guests (and students/faculty/staff 
non-802.1x supporting devices) Friday.  It will be interesting to see what 
problems are generated.


We have had three SSIDs:   802.1x, open for sponsored guests (mostly), and an 
open commercial provider.  Sponsored guests may use 802.1x or open.  Unsponsored 
guests use the commercial provider.  Students/faculty/staff are supposed to use 
802.1x, and mostly do (the open SSID's web-redirect had login timeouts that 
were bothersome from a user perspective).  This spring the open sponsored 
guests network only had 0.47% of the client load -- most of those guests and 
not university.  One goal has been to get the loosely affiliated guests onto 
the commercial provider and off the university's networks.  So we end up with 
802.1x, open commercial provider, and an open help/landing directing to one of 
the other two and offering configuration assistance.




--
William C. Green  e-mail:  gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712



Re: Eduroam and AUP acceptance?

2013-02-26 Thread Green, William C
I think the driver's license is an interesting analogy, and it causes me to 
think differently about the issues eduroam raises in a different light.  
However, as with most analogies it breaks down quickly (states do have 
standards coordinated with federal entities on IDs [blustering aside], 
coordinated training and standards [e.g. car vs truck], integrated license 
plate databases, user identities on the drivers license when pulled over, etc).

I am interested in the service, and like the idea of enabling researchers 
better network access.  But I'm still troubled by a number of issues which I 
think could be solvable, but solving them doesn't seem to be in the spirit of 
the European effort.  Just a few:

My understanding is eduroam doesn't allow the host university to know the 
identity of the user of the local network resource.  The host can request it of 
the remote university, but the remote may or may not respond.  It adds 
complexity to security investigations and law enforcement actions.  Local law 
enforcement can't compel another country's university to release credentials.  
What might US CALEA implications be in these cases?  I realize different 
laws/rules apply in different localities/entities regarding network use and 
identity and interpretation by each entity's legal counsel.

My understanding is also that eduroam doesn't have standards for who is granted 
credentials across institutions participating.  At one school it may be 
faculty/students/staff, while at others that may include alumni/visitors/hobos. 
 Related, I don't believe attributes are revealed in cases where the local 
institution wished to grant different status to, say faculty versus student.  
How do different access policies and charges (for those of us that charge) map?

There may be exposures to user/password credentials utilized.  For institutions 
that use a consistent/single sign-on credential for their network access also, 
this is once again problematic.  [lost the argument about the dangers of using 
SSO for network access -- even back in the web portal days prior to 802.1x]



It is the same for everyone.  I think it is fair to say that every institution 
requires faculty, staff, and students to accept an AUP before assigning a user 
ID and password (typically once a year).  Simply apply your AUP rules to the 
eduroam “visitors”.  Do not consider Eduroam users as outsiders/guests of your 
institution; they are authorized colleagues from neighbouring institutions.  
They know the rules and more importantly, they are easily traceable.  I can 
drive in your state with my driver’s licence.  It is accepted and I am 
authorized, but I should learn your specific state rules to ensure I am not 
ticketed.  Same idea.


Peter


-William







WiFi/Leaky Coax

2013-01-31 Thread Green, William C
Does anyone have recommendations for vendors selling leaky coax systems that 
support 802.11g (2.4GHz single antenna)?

We're studying ways to inexpensively provide very low density wireless coverage 
in our utility tunnels.  This would only be for the occasional worker-- our 
tunnels are small, dangerous and not open for public access.  The interior DAS 
market that used to push these solutions seems to have gone away (given leaky 
coax doesn't work well for high density/high speed and MIMO).  Traditional AP 
placement looks to be cost prohibitive.  We'd be happy to learn tips from 
anyone that has done this at their institution already.




-William







Re: Apple Petition

2012-07-06 Thread Green, William C
Today it is AppleTV, tomorrow it will be a different device/use/software.  The 
underlying issue, as others have noted, is the Bonjour resource discovery 
mechanism, what Apple likely needs is a directory service.  Once that is 
solved, the problem will then shift to authentication/authorization/accounting 
and scalability.  I'd suggest:

That Apple create non-Bonjour/non-multicast discovery mechanisms that scale in 
large enterprise environments.
That Apple integrate their offerings with enterprise AAA services.





-William







Re: Very high number of wireless devices returning from break

2012-01-26 Thread Green, William C
I would be interested in any research into mobile device IP address consumption 
folks could point us towards.  We see curious address consumption behavior by 
mobile devices, but have not done the testing to determine if it is the 
device's OS consuming all the addresses (iOS is our campus' dominant mobile OS) 
or an artifact of our DHCP/802.1x/Controller configurations.

We've seen a 12% device increase since the break (from 25K to 28K simultaneous 
connections), not as large an increase as reported by others.

--
William C. Green  e-mail:  
gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712





Re: Disappointing numbers of 5ghz clients

2011-09-26 Thread Green, William C
We also see low 5GHz uptake (20% campus-wide).  But I think the numbers are 
skewed by smartphones which tend to only use 2.4GHz.

We installed dense coverage in two large auditoriums this summer (521 and 420 
seats) and in those we were seeing 40% 5GHz uptake by users the first two weeks 
of class.  Now those are special environments.  In order to get 2.4GHz to work 
even marginally, we were playing lots of games to reduce and absorb the 2.4GHz 
signal strength to deal with the limited number of channels.  While at 5GHz all 
APs were left full power, and there were a lot more of those APs.  Students 
were asked to bring their laptops/tablets to class (tablet meaning iPad 
predominantly on our campus which are 5GHz) and leave their phones off or in 
airplane mode.  As the semester has progressed we are down to 28% 5GHz uptake 
-- presumably as the students forgot/ignore their syllabus instructions.



-William




FYI: UT Austin Network Stats

2011-07-19 Thread Green, William C
Below is a link to our campus network report.  It contains various operational 
statistics, including wireless in section 4.5, for reference.  I would be 
interested in learning from other schools' statistics if folks would like to 
share.
https://webspace.utexas.edu/xythoswfs/webview/_xy-25279652_docstore1


I was asked previously why we go to all the effort for these reports...  Our 
campus' federated governance model requires a lot of transparency to engender 
the levels of trust needed for large network investments, and these reports are 
one small part of that.  If you are interested in challenging environments, we 
do have an opening for manager of our Edge Networking group:
http://utdirect.utexas.edu/pnjobs/pnjobsvw.WBX?job_nbr=11-07-05-01-9302


--
William C. Green  e-mail:  gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712




iPads, Labs/classroom use, 802.1x

2011-04-01 Thread Green, William C
Does anyone have experience managing iPads for classrooms (where an iPad is 
given to each user and returned at the end of the course, only for the next 
class to pick them up)?  I'm interested in how to manage credentials in an 
802.1x environment (to ensure actions on the network are attributable to the 
user at that time).   If someone has resolved this, I'd like to speak with 
them, we have instructors working on proposals.


--
-William



Network Engineer Position

2010-10-27 Thread Green, William C
The University of Texas at Austin has a posting for a network engineer with an 
emphasis on wireless:

http://utdirect.utexas.edu/pnjobs/pnjobsvw.WBX?job_nbr=10-10-18-01-9383


If you have ever wanted to work in a challenging large and complex environment, 
this is your opportunity:

* 4,500 access points supporting 15K simultaneous sessions
* 120K Ethernet ports across 2,900 switches
* Over 150K end user devices
* 2.4Gbps of commodity and 10Gbps of I2 and NLR bandwidth
* 70K faculty, students, and staff
- Stir vigorously


--
William C. Green  e-mail:  gr...@austin.utexas.edu
Director, Networking and Telecommunications   phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712



Re: anyone still using TKIP

2009-10-01 Thread Green, William C
Yes, we support both WPA/TKIP and WPA2/AES due to legacy devices.  We also 
still have an open network (web redirect) for guests and devices that do not 
support 802.1x.  The majority of our users are on the 802.1x network (96%) and 
the majority on that network are using WPA2 (94%) -- around 10K simultaneous on 
a weekday, ~50K total.  Our configuration software prefers WPA2, as do most 
clients, and WPA2 is our recommendation to users.  We had a project a year and 
a half ago to try and move most of campus to WPA2.

As I understand it the attack is not trivial to perform, however WPA/TKIP 
should be on the way out.  At the same time, because we still allow open access 
we would rather have someone's traffic encrypted with something that could be 
broken than in the clear on an open network that doesn't need to be broken.


In light of this article I’m wondering if anyone is still sticking with TKIP 
(for legacy system issues I would guess) as opposed to using AES solely?

http://www.idgconnect.com/index.cfm?event=showarticlecid=116pk=9433


--
William C. Green  e-mail:  
gr...@austin.utexas.edu
Director, Networking  phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712





Re: [WIRELESS-LAN] BW capping

2009-09-29 Thread Green, William C
What:  We do bandwidth accounting based on tiers of service our users purchase 
(4GB, 20GB, 40GB, 60GB per week -- http://resnet.utexas.edu).  It's a home grown 
netflow based system.  Once a user exceeds their allocation, they are rate 
limited to modem speeds off campus for the remainder of the week (Cisco 6500 
uBRL).

Why:  Our Housing organization is an auxiliary business unit contracting for 
this service, so the Resnet must be self supporting which is why we charge.  
Given wireless expansion, equipment refresh and staffing, current charges allow 
for these bandwidth allocations based on present consumption patterns (we 
revisit yearly).  Without any limits, history has taught us 5% of the users 
will dominate all available bandwidth to the detriment of the 95%.  The 
approach fits with our university's core values (freedom of discovery and 
individual responsibility).  We also view ourselves as an ISP when serving 
Housing and don't wish to be involved in what adults do with their network (as 
I wouldn't expect an ISP at my home to tell me what I should do).

Non-dorm:  Non-dorm wireless users on campus receive a base allocation 
(500MB/week for students).  They may purchase tiers of service or one time 
bandwidth to supplement that.


Universities have different values and cultures.

1) What do people use who do bandwidth cap?
2) Do you Bandwidth Cap? Why or Why Not?

--
William C. Green  e-mail:  
gr...@austin.utexas.edu
Director, Networking  phone:   +1 512-475-9295
ITS (Information Technology Services) fax: +1 512-471-2449
University of Texas
1 University Station Stop C3800
Austin, TX  78712

