Re: [WIRELESS-LAN] User and/or Location-based Content Restriction

2016-02-08 Thread Hinson, Matthew P
Depending on your APs, you could do some custom firewall rules on them. For 
example,


If a packet arrives and:

-Its source is from $TroublesomeStudent AND

-Its destination is $ListOfBlockIPv4Addresses AND

-It is between 8:30am and 9:20am THEN

-DROP the packet


You could put that firewall rule on the APs that this individual would be 
likely connecting to while in Building Z. Also create a DHCP reservation for 
his devices so they always get the same IP address in that subnet.


It's kludgy and not perfect but it might work.


Thank you!

-Matthew Hinson

"Have I not commanded you? Be strong and courageous. Do not be afraid. Do not 
be discouraged for the LORD your God will be with you wherever you go." -Joshua 
1:9



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Williams, Matthew 

Sent: Monday, February 8, 2016 3:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] User and/or Location-based Content Restriction


Is the intent to target users or locations?  I would think it would be easier 
to block access to applications based on location than user.  i.e. no one in 
your “Student” AD group can access Netflix while in Building “Z” from 8:30-5:30 
M-F.  That’s probably far too restrictive, but something to consider.



Do you do any packet shaping?  Perhaps do the limiting there?



Respectfully,



Matt



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Frank Sweetser
Sent: Monday, February 8, 2016 2:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] User and/or Location-based Content Restriction



We've always killed these kinds of requests by pointing out that we can't do 
anything at all about anything with a 4g data plan.

On February 8, 2016 2:27:55 PM EST, "Case, Brandon J" wrote:

Is anyone exploring or able to suggest good options for rate limiting or 
preventing access to random content services? This idea was posed to me today 
from up the chain with the goal of limiting certain students' ability to access 
certain services for a certain time, potentially only from a certain location. 
Yep.

As an example: Student A has a class in room 2 of building Z from 8:30 to 9:20 
M, W and F. The goal would be to prevent (or severely hinder the ability of) 
student A watching Netflix from 8:30 to 9:20 M, W and F while they're in room 2 
of building Z. Outright blocking of access to Netflix during that timeframe for 
student A regardless of location has also been discussed. I've already provided 
a plethora of possible pitfalls to any of these types of approaches and the 
associated administrative overhead they could incur but am being asked for 
answers all the same.

Yes, this does definitely wade into the treacherous waters of technological 
solutions to what are really social problems (and I know has been 
discussed on this list in the past) however, I'm charged with providing some 
form of an answer up the chain and so I turn to you all for comments, insight 
and cautionary tales.

We're an all-Cisco shop with a healthy ISE deployment so my focus is there with 
AAA override for ACLs, dynamic VLAN assignments, AVC profiles and QoS profiles. 
Any solution I've thought of so far feels too much like a blunt object though.

Thanks,
--
Brandon Case
Senior Network Engineer
IT Infrastructure Services
Purdue University
ca...@purdue.edu
Office: (765) 49-67096
Mobile: (765) 421-6259
Fax:(765) 49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
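
The source/destination/time rule sketched in the first message of this thread, worked through as an added example (not code from the thread or from any AP vendor). The class name `TimedDropRule`, the sample addresses and the end-exclusive time window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TimedDropRule:
    """Hypothetical model of the rule: source AND destination AND time window."""
    sources: tuple        # client addresses pinned by DHCP reservation
    destinations: tuple   # blocked IPv4 addresses or prefixes
    start: time           # window start, inclusive
    end: time             # window end, exclusive (assumption)
    weekdays: frozenset   # datetime.weekday() values, 0 = Monday

    def in_window(self, when: datetime) -> bool:
        # Naive local time: the enforcing device's clock and time zone must be right.
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end

    def matches(self, src: str, dst: str, when: datetime) -> bool:
        if not self.in_window(when):
            return False
        s, d = ip_address(src), ip_address(dst)
        # All three conditions are ANDed, exactly as in the message.
        src_hit = any(s in ip_network(n) for n in self.sources)
        dst_hit = any(d in ip_network(n) for n in self.destinations)
        return src_hit and dst_hit


def evaluate(rules, src, dst, when):
    """Return "DROP" if any rule matches, otherwise "FORWARD" (default allow)."""
    for rule in rules:
        if rule.matches(src, dst, when):
            return "DROP"
    return "FORWARD"


# Constructed sample policy: one reserved client address, two blocked
# destinations (documentation ranges), 8:30-9:20 on Monday/Wednesday/Friday.
RULE = TimedDropRule(
    sources=("10.20.30.40",),
    destinations=("198.51.100.0/24", "203.0.113.7"),
    start=time(8, 30),
    end=time(9, 20),
    weekdays=frozenset({0, 2, 4}),
)

# Constructed sample packets: (source, destination, arrival time).
SAMPLES = [
    ("10.20.30.40", "198.51.100.25", datetime(2016, 2, 8, 8, 45)),   # Monday, in window
    ("10.20.30.40", "198.51.100.25", datetime(2016, 2, 8, 9, 20)),   # Monday, window closed
    ("10.20.30.40", "198.51.100.25", datetime(2016, 2, 9, 8, 45)),   # Tuesday
    ("10.20.30.41", "198.51.100.25", datetime(2016, 2, 8, 8, 45)),   # other client
    ("10.20.30.40", "192.0.2.10", datetime(2016, 2, 8, 8, 45)),      # unlisted destination
]


def run_samples():
    """Evaluate every constructed packet and return the decisions in order."""
    return [evaluate([RULE], src, dst, when) for src, dst, when in SAMPLES]


if __name__ == "__main__":
    for (src, dst, when), decision in zip(SAMPLES, run_samples()):
        print(f"{when:%a %H:%M} {src} -> {dst}: {decision}")
```

The rule only matches while the client holds the reserved address, which is why the message pairs it with a DHCP reservation.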




RE: [WIRELESS-LAN] [Ext] Re: [WIRELESS-LAN] Sticky Clients and Probe Suppression

2015-11-20 Thread Hinson, Matthew P
Disabling the data rates is the preferred method of doing this. A few WLAN 
vendors (Aerohive and Ubiquiti are the ones I know of for sure) allow you to 
set a Min RSSI value. If a client’s SNR drops too low for X number of TU’s, 
then AP will deauth the client to…persuade them to pick a different AP

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeremy Gibbs
Sent: Friday, November 20, 2015 3:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [Ext] Re: [WIRELESS-LAN] Sticky Clients and Probe 
Suppression

This is the GTAC solution guide to probe suppression.  I will report if it 
helps with sticky clients or not.  This is assuming there is enough RF from 
surrounding AP's.

https://gtacknowledge.extremenetworks.com/articles/Solution/Issues-with-clients-staying-with-an-Access-Point-that-has-bad-signal-Sticky-Clients


--

Jeremy L. Gibbs
Sr. Network Engineer
Utica College IITS


On Fri, Nov 20, 2015 at 2:49 PM, Jim Glassford wrote:
Hi,

Jeremy, we have not used probe suppression but Chris thanks for the opening on, 
disabling lower data rates.

This Cisco best practice, last updated Jan 2015, page 18 shows 2.5GHz disabled 
up to 12Mbps and 5GHz disabled up to 24Mbps


Curious if any have taken this many lower speeds off line?

We have disabled 1, 2, 5.5, and 11 on 2.5GHz.
Just started toying a little disabling 6 and 9 on 2.5 and 5GHz.

thanks!
jim


On 11/20/2015 2:07 PM, Chris Adams (IT) wrote:
We have typically achieved this by disabling lower data rates available per 
SSID.


Thanks,

Chris Adams

Director, Network & Telecom Services
Division of Information Technology
University of North Georgia
E-Mail: chris.ad...@ung.edu | Office: (706) 
867-2891

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeremy Gibbs
Sent: Friday, November 20, 2015 2:05 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Sticky Clients and Probe Suppression

Has anyone ever used probe suppression and force dissociation of clients at a 
particular RSS value?  This feature was just introduced and we have a lot of 
"sticky" clients that don't like to roam even though there are more desirable 
AP's in the area.

I have enabled it on a handful of AP's for testing, but would like to hear what 
others have experienced.

Thanks

--

Jeremy L. Gibbs
Sr. Network Engineer
Utica College IITS



RE: [WIRELESS-LAN] [Ext] Re: [WIRELESS-LAN] Sticky Clients and Probe Suppression

2015-11-20 Thread Hinson, Matthew P
That’s what I observed too. Deauth frames have no information element for 
specifying that the client was disconnected due to insufficient signal 
strength. So many clients will just keep trying to reconnect ad infinitum. 
Disable those lower data rates and they’ll figure it out on their own.

Though for some of our outdoor APs, I have found that setting a 10dB SNR 
threshold for deauthentication works rather well.

Disabling the data rates is the carrot, SNR-based deauthentications are the 
hammer.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeremy Gibbs
Sent: Friday, November 20, 2015 4:02 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [Ext] Re: [WIRELESS-LAN] Sticky Clients and Probe 
Suppression

In my testing so far (limited), it appears to work better than disabling 
various data rates.  But for now I am just testing in a few small areas with 
high AP density.  My worry is clients who are on the fringe of all APs would 
end up being bounced around, creating a worse problem than poor data rates or 
low signal strength.


--

Jeremy L. Gibbs
Sr. Network Engineer
Utica College IITS

T: (315) 223-2383
F: (315) 792-3814
E: jlgi...@utica.edu
http://www.utica.edu

On Fri, Nov 20, 2015 at 3:48 PM, Hinson, Matthew P 
<matthew.hin...@vikings.berry.edu> wrote:
Disabling the data rates is the preferred method of doing this. A few WLAN 
vendors (Aerohive and Ubiquiti are the ones I know of for sure) allow you to 
set a Min RSSI value. If a client’s SNR drops too low for X number of TU’s, 
then AP will deauth the client to…persuade them to pick a different AP

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeremy Gibbs
Sent: Friday, November 20, 2015 3:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [Ext] Re: [WIRELESS-LAN] Sticky Clients and Probe 
Suppression

This is the GTAC solution guide to probe suppression.  I will report if it 
helps with sticky clients or not.  This is assuming there is enough RF from 
surrounding AP's.

https://gtacknowledge.extremenetworks.com/articles/Solution/Issues-with-clients-staying-with-an-Access-Point-that-has-bad-signal-Sticky-Clients


--

Jeremy L. Gibbs
Sr. Network Engineer
Utica College IITS

On Fri, Nov 20, 2015 at 2:49 PM, Jim Glassford <jmgl...@iup.edu> wrote:
Hi,

Jeremy, we have not used probe suppression but Chris thanks for the opening on, 
disabling lower data rates.

This Cisco best practice, last updated Jan 2015, page 18 shows 2.5GHz disabled 
up to 12Mbps and 5GHz disabled up to 24Mbps
<http://www.cisco.com/c/en/us/td/docs/wireless/technology/wlc/82463-wlc-config-best-practice.pdf>

Curious if any have taken this many lower speeds off line?

We have disabled 1, 2, 5.5, and 11 on 2.5GHz.
Just started toying a little disabling 6 and 9 on 2.5 and 5GHz.

thanks!
jim

On 11/20/2015 2:07 PM, Chris Adams (IT) wrote:
We have typically achieved this by disabling lower data rates available per 
SSID.


Thanks,

Chris Adams

Director, Network & Telecom Services
Division of Information Technology
University of North Georgia
E-Mail: chris.ad...@ung.edu | Office: (706) 867-2891

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeremy Gibbs
Sent: Friday, November 20, 2015 2:05 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Sticky Clients and Probe Suppression

Has anyone ever used probe suppression and force dissociation of clients at a 
particular RSS value?  This feature was just introduced and we have a lot of 
"sticky" clients that don't like to roam even though there are more desirable 
AP's in the area.

I have enabled it on a handful of AP's for testing, but would like to hear what 
others have experienced.

Thanks

--

Jeremy L. Gibbs
Sr. Network Engineer
Utica College IITS

Minimum Standards

2015-11-04 Thread Hinson, Matthew P
Just wondering what everyone's minimum standards look like for supported Wi-Fi 
devices. Or if your department has any defined.

We don't enforce any sort of minimum bar aside from

-Your device needs to support 802.11a, g, n, or ac. 802.11b devices cannot 
successfully authenticate
-Consistent 2.4GHz-only connectivity usually cannot be guaranteed in residence 
halls.

At a glance, we're usually only at about 0.3% 802.11g clients. Everyone else is 
a, n, or ac.

Thank you!
Matthew Hinson
Supervisor, Network Operations
"Have I not commanded you? Be strong and courageous. Do not be afraid. Do not 
be discouraged. For the LORD your God will be with you wherever you go." 
(Joshua 1:9)





RE: Multi Vendor environments in WiFi space

2015-10-15 Thread Hinson, Matthew P
We did that for awhile with two different vendors. Over the course of about 
6-12 months, we migrated from a full vendor A system to a vendor B system. It 
actually wasn't all that bad, really, provided you stick to some basic 
principles:

1. Do it building by building. Don't swap half the WAPs in one building with 
vendor A while the remainder is vendor B.
a. Keep a list of what buildings are on what system so you know at a 
glance where to go to investigate trouble
b. Make sure to reserve some mgmt. IP space for your new gear. Lay all 
this out before the first piece of new hardware arrives
2. Any proprietary L3 roaming between the two is obviously not going to work
3. Test test test! Your current vendor may have a small tickbox (like a MAC 
filter or some other feature you're relying on) that the new stuff can't 
replicate
4. Rip and replace may not be the wisest option. Understand the radio 
propagation properties of your new gear. A total WAP infrastructure replacement 
can be a great time to adjust coverage and really get it right the second time 
around

In our case, our users never complained at all about the new gear (actually, 
those who knew what they were looking at got good at spotting the new WAPs and 
gravitated towards them :)  Our old gear was .11g controller-based and the new 
dual-band distributed data forwarding .11n stuff was a massive upgrade. UX 
definitely improved wherever we put the new stuff in.


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Oliver, Jeff
Sent: Thursday, October 15, 2015 12:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Multi Vendor environments in WiFi space

All,

This is probably an old topic, but I have not seen anything in a while on it.

At present we are a Cisco shop with regard to our wireless deployment, and we 
are looking at changing out a substantial number (250) of our AP's (1131 to 
3702). These AP's represent about 30% of our deployment so is a substantial 
investment, and as such our CIO has asked us to look at other solutions.

I am wondering if any of you are running multi vendor environments and if so, 
what the UX is like? What are the toolsets like regarding management of two 
disparate systems?



Cheers,
Jeff

---

Jeffrey L. Oliver
Sr. Network Analyst
Information Technology Services
The University of Lethbridge
4401 University Drive, Lethbridge, Alberta, T1K 3M4

Tel:403.329.5162
Mob:403.315.4461
Fax:403.382.7108

URI:jeff.oli...@uleth.ca




RE: [WIRELESS-LAN] Handling Non 802.1x Devices on the Enterprise Network

2015-09-01 Thread Hinson, Matthew P
We used to use an open network with MAC filtering, but now we've moved to
Aerohive's PPSK. It's been working great so far.

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Case, Brandon J
Sent: Tuesday, September 1, 2015 11:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Handling Non 802.1x Devices on the Enterprise
Network

 

We are doing pretty much the same thing as well, although without the DHCP
tie-in. 

 

We set up a separate SSID for gaming consoles/media devices in the residence
halls and have students register them via one of ISE's portals. We did set
up an authorization policy with a logical profile to prevent 1x-capable
devices from using the SSID. They get stuck in a walled garden and can only
see a page that essentially says they have to connect the device they're
currently using to the 1x SSID (which is the same one we broadcast all over
campus). The profiling component of ISE works pretty well most of the time
but we have had a real headache dealing with XboxOne's since they are
essentially Windows 8 machines and we drop Windows 8 clients in the walled
garden. I ended up writing a few custom rules in the profiler that catch
most of them and we handle the rest on an individual basis.

 

The whole system has worked out pretty well considering the scope (about
12,000 students in 15 residence halls). It hasn't been without its share of
bumps but overall we're pleased with it.

 

Thanks,

--

Brandon Case

Senior Network Engineer

IT Infrastructure Services

Purdue University

ca...@purdue.edu  

Office: (765) 49-67096

Mobile: (765) 421-6259

Fax:(765) 49-46620

 

PGP Fingerprint:

99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Rick Coloccia
Sent: Tuesday, September 1, 2015 10:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 
Subject: Re: [WIRELESS-LAN] Handling Non 802.1x Devices on the Enterprise
Network

 

+1. We're doing almost exactly the same.

On 9/1/2015 10:53 AM, Williams, Matthew wrote:

We have an SSID for these devices and we built a device registration page
for our students to go to enter their wireless MAC address.  This page
requires the students to login so we capture who owns the device in
question.  This page has an API that ties into our DHCP system.  Several of
the newer RADIUS products have this feature built in, but we're still riding
an old system that couldn't do this. 

 

Respectfully, 

 

Matthew Williams

Manager, Network and Telecommunications Services

Kent State University

Office: (330) 672-7246

Mobile: (330) 469-0445 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Troy Lynn Wiseman
Sent: Tuesday, September 1, 2015 10:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 
Subject: [WIRELESS-LAN] Handling Non 802.1x Devices on the Enterprise
Network

 

We are trying to figure out how to handle non 802.1x devices on our
enterprise network.  We are a Cisco shop and currently are broadcasting 4
SSIDs including a guest SSID that is non 802.1x.  We are concerned with how
to give access to non 802.1x devices in our residence halls.  We were
wondering how others are tackling this issue.  

 

TROY WISEMAN

Network Engineer II

 

INFORMATION TECHNOLOGY 
MAIL CODE 4622
SOUTHERN ILLINOIS UNIVERSITY
625 WHAM DRIVE
CARBONDALE, ILLINOIS 62901

 

  twise...@siu.edu

P: (618) 453-6264

  INFOTECH.SIU.EDU

 



 


 

-- 
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579






Re: [WIRELESS-LAN] LTE over Wi-Fi spectrum sets up industry-wide fight over interference

2015-08-28 Thread Hinson, Matthew P




The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society

On Thu, Aug 27, 2015 at 4:12 PM, Thomas Carter 
<tcar...@austincollege.edu> wrote:
Don’t forget the WiFi SLA discussion – another source of interference outside 
of our control.

Thomas Carter
Network and Operations Manager
Austin College

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Philippe Hanset
Sent: Thursday, August 27, 2015 2:17 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] LTE over Wi-Fi spectrum sets up industry-wide fight 
over interference

We can now combine three threads that we have had over the summer on this list
5 GHz, Containment, and the LTE-U controversy (this thread just started)

LTE-U and Jamming…will my Wi-Fi equipment provider enable LTE-U “containment” 
and as a University/College how can I prevent LTE-U from interfering
with my 5GHz deployment.

Oh boy…

Philippe

Philippe Hanset
www.eduroam.us



On Aug 27, 2015, at 2:55 PM, Hinson, Matthew P 
<matthew.hin...@vikings.berry.edu> wrote:

Source: 
http://arstechnica.com/information-technology/2015/08/verizon-and-t-mobile-join-forces-in-fight-for-wi-fi-airwaves/#p3

It was only a matter of time.

Thank you!
Matthew Hinson
Supervisor, Network Operations



LTE over Wi-Fi spectrum sets up industry-wide fight over interference

2015-08-27 Thread Hinson, Matthew P
Source: 
http://arstechnica.com/information-technology/2015/08/verizon-and-t-mobile-join-forces-in-fight-for-wi-fi-airwaves/#p3

It was only a matter of time.

Thank you!
Matthew Hinson
Supervisor, Network Operations




RE: WiFi Service Level Agreement

2015-08-25 Thread Hinson, Matthew P
Mike: It is true that a few quality APs and wireless adapters for the clients 
can replace wired ports most of the time. I've admin'ed a few sites where this 
was done, but if you've already got the Ethernet runs done, why work towards 
the reduction of bespoke ports? Or are you referring to only new construction 
or room repurposing?

Chuck: It was just a brainstorming idea. I wasn't saying that this should be 
implemented as official policy. I view Wi-Fi as an extension of our wired 
network that has massive convenience and cost benefits, but at the end of the 
day, if given the option, I'll take an Ethernet connection 10 times out of 10.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike Cunningham
Sent: Tuesday, August 25, 2015 9:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiFi Service Level Agreement

We have just approved a campus strategic plan that calls for a reduction in 
wired outlets in favor of wireless. Mostly targeted at office desktops where 
usage is very predictable and not classrooms or other student spaces where it 
is not. Bandwidth use to our typical office desktop is very low and a cluster 
of 5-6 desktop users could easily share a single high bandwidth access point 
instead of 5-6 wired connections.   

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
Sent: Tuesday, August 25, 2015 9:22 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiFi Service Level Agreement

Wi-Fi is not intended to replace the wired network, but is a convenient, 
supplemental method for accessing the campus network. Mission-critical 
applications should NOT rely upon Wi-Fi.

While I think it's completely appropriate to recommend wired connections for 
certain functions, if anybody who worked for me suggested something this broad 
I would effect an extreme attitude adjustment.

Chuck Enfield
Manager, Wireless Systems  Engineering
Telecommunications  Networking Services The Pennsylvania State University 
110H, USB2, UP, PA 16802
ph: 814.863.8715
fx: 814.865.3988

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hinson, Matthew P
Sent: Tuesday, August 25, 2015 8:38 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiFi Service Level Agreement

We looked into doing this for awhile but could never clearly define what 
acceptable quality of service is. 99.999% uptime in all areas? 99%? 90?
75?

Here are a few excerpts of things we had in our draft that never went live.

- Wi-Fi is not intended to replace the wired network, but is a 
convenient, supplemental method for accessing the campus network.
Mission-critical applications should NOT rely upon Wi-Fi.
- Due to the uniqueness of each wireless installation and the shared 
spectrum nature of current wireless technology, the theoretical maximum 
throughput will not be available everywhere coverage is provided.
Further, the available bandwidth will depend directly on the number of Wi-Fi 
users and upon their respective bandwidth usage in any given coverage area.
- All 802.11 technologies (a, b, g, n, and ac) utilize frequencies 
unlicensed by the FCC. Therefore, other devices utilizing wireless technology 
that are operating within the same frequency ranges may interfere with Wi-Fi. 
IT will try to solve any interference issues that arise, but IT may not be able 
to effect the removal of such interfering devices.
- Construction materials used in many buildings significantly impair the 
propagation of wireless radio signals. As such, not all devices will be able to 
consistently connect in all areas of the campus' buildings.
Consistent coverage, especially for devices with small antennae (such as 
smartphones), cannot be guaranteed.


While we never ended up making it live, I think it might get you started.
:)

-Matthew

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mervyn Christoffels
Sent: Tuesday, August 25, 2015 1:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiFi Service Level Agreement

Greetings Colleagues


I have been tasked with the process of setting up a service level agreement for 
a wifi tender


Has anyone developed a user experience sla for wifi ? Or a services description 
for the wifi solution


Best regards, mervyn





Mervyn Christoffels, Elec Eng (CPUT), MBA (UCT), Mcomm InfSYS (UCT)

University of the Western Cape, Modderdam Road, Bellville, 7535, South Africa T 
+27 21 9592304 E mchristoff...@uwc.ac.za


RE: Parents sue school, say Wi-Fi signal making son sick.

2015-08-25 Thread Hinson, Matthew P
This reminds me of the old story I heard from an ATT engineer.

This happened at $smalltownUSA where ATT had just finished construction of a 
new cellular tower. There had been a series of protests and attempts to stop 
the project. At a hearing, over a dozen people came up and spoke in front of 
the town testifying that the ATT tower had given them headaches, dizziness, 
trouble sleeping, their children were having nightmares, etc etc. Just one 
story after another about how the tower had medically ruined their lives.

The ATT engineer listened with real concern and heard all the townspeople out. 
When it was his turn to speak, he said, “My goodness, I’m so sorry to hear all 
of this, it’s truly just terrible. I can’t even imagine what it’ll be like next 
week when we actually turn the tower on.”


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
Sent: Tuesday, August 25, 2015 4:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Parents sue school, say Wi-Fi signal making son 
sick.

Say what you want, but I know Wi-Fi makes me sick every year around this time.  
I can’t sleep, I eat less, I drink more, and it’s all Wi-Fi’s fault.

Chuck Enfield
Manager, Wireless Systems  Engineering
Telecommunications  Networking Services
The Pennsylvania State University
110H, USB2, UP, PA 16802
ph: 814.863.8715
fx: 814.865.3988

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King
Sent: Tuesday, August 25, 2015 4:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Parents sue school, say Wi-Fi signal making son sick.


In the local news today.
http://www.whdh.com/story/29873525/parents-say-schools-wi-fi-signal-making-son-sick



RE: [WIRELESS-LAN] WiFi Service Level Agreement

2015-08-25 Thread Hinson, Matthew P
We looked into doing this for a while but could never clearly define what 
acceptable quality of service is. 99.999% uptime in all areas? 99%? 90? 75?

Here are a few excerpts of things we had in our draft that never went live.

- Wi-Fi is not intended to replace the wired network, but is a 
  convenient, supplemental method for accessing the campus network. 
  Mission-critical applications should NOT rely upon Wi-Fi.
- Due to the uniqueness of each wireless installation and the shared 
  spectrum nature of current wireless technology, the theoretical maximum 
  throughput will not be available everywhere coverage is provided. Further, 
  the available bandwidth will depend directly on the number of Wi-Fi users 
  and upon their respective bandwidth usage in any given coverage area.
- All 802.11 technologies (a, b, g, n, and ac) utilize frequencies 
  unlicensed by the FCC. Therefore, other devices utilizing wireless 
  technology that are operating within the same frequency ranges may 
  interfere with Wi-Fi. IT will try to solve any interference issues that 
  arise, but IT may not be able to effect the removal of such interfering 
  devices.
- Construction materials used in many buildings significantly impair the 
  propagation of wireless radio signals. As such, not all devices will be 
  able to consistently connect in all areas of the campus' buildings. 
  Consistent coverage, especially for devices with small antennae (such as 
  smartphones), cannot be guaranteed.


While we never ended up making it live, I think it might get you started. :)

-Matthew

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mervyn Christoffels
Sent: Tuesday, August 25, 2015 1:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiFi Service Level Agreement

Greetings Colleagues


I have been tasked with the process of setting up a service level agreement for 
a wifi tender.


Has anyone developed a user experience SLA for wifi? Or a services description 
for the wifi solution?


Best regards, mervyn





Mervyn Christoffels, Elec Eng (CPUT), MBA (UCT), Mcomm InfSYS (UCT)

University of the Western Cape, Modderdam Road, Bellville, 7535, South Africa T 
+27 21 9592304 E mchristoff...@uwc.ac.za



IT Orientation information

2015-08-06 Thread Hinson, Matthew P
With the Fall term of the '15-'16 school year coming up, I'm interested to hear 
what the members of this group do in terms of communications to incoming 
students. Specifically, what IT resources are available, things you should NOT 
do (personal wireless routers, etc). I know it's always tough getting any 
useful information communicated to students as they are swamped by flyers and 
other things from every other department on campus.



I know that throughout the year, we often have students who honestly don't know 
that they shouldn't be on the open guest wireless network or similar.



So, has anyone found a particular method for communicating with the incoming 
students that they pay attention to and is effective?



Thank you,

Matthew Hinson

Network Operations Engineer

Have I not commanded you? Be strong and courageous. Do not be afraid. Do not 
be disheartened. For the LORD your God will be with you wherever you go. 
Joshua 1:9







RE: [WIRELESS-LAN] CWNA training

2015-07-23 Thread Hinson, Matthew P
I'd recommend the Official Study Guide by Sybex. It's written by David Coleman 
and David Westcott. I was able to pass the exam by a healthy margin simply by 
reading and re-reading that book.

The Davids do not teach for the test. They absolutely stress that you need a 
strong functional knowledge of 802.11 concepts rather than know these five 
items to pass the test.

Relatively speaking, it's cheap, and I highly recommend it. I didn't 
personally utilize a training course because of how well done the book was.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Becker
Sent: Thursday, July 23, 2015 1:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] CWNA training

Looking for reviews on the CWNA training course?  Any recommendations on who 
to go through?

Thanks in advance,

--
Jason Becker
Network Systems Engineer,
Network Planning and Services
Tel:(314)935-5006



RE: SSID jumping with Win 8.1 (Surface Pro 3) on Aruba

2015-07-22 Thread Hinson, Matthew P
I’ve seen my test laptop (Latitude D630 + Intel 7260-AC) with Windows 10 Tech 
Preview on it do this. I think the enabled-by-default Wi-Fi Sense feature that 
seeks out open Wi-Fi is the culprit, at least for me.

 

I really have to question the logic of having a computer auto-connect to any 
unsecured network that it comes across…. After connecting to our .1X network, 
it usually stays there, but at first boot if the EAP auth takes more than a few 
seconds it gives up and goes for the guest network even though I’ve deleted the 
profile for said guest network.

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
Sent: Wednesday, July 22, 2015 9:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID jumping with Win 8.1 (Surface Pro 3) on Aruba

 

I’m having a similar problem on a Win7 SP1 laptop.  When I enable my wireless 
adapter it connects to our guest network instead of our 802.1X network.  The 
order of the profiles in the network list doesn’t matter, and even deleting the 
guest network profile doesn’t help.  Once I manually choose the 1x network it 
doesn’t generally “jump” to guest, but I recall that happening at least once.  
My theory was that my connection dropped, giving my machine a chance to 
exercise its newly-found preference for the guest network over all others.  I 
don’t have this problem on any other devices, and I haven’t heard any reports 
from anybody else yet, so I assumed my laptop was the problem.  That said, the 
laptop was problem-free for years.  If the problem coincided with an AOS 
upgrade, I failed to make the connection.

 

When I thought this was just a problem with my laptop I opted to work around 
it, but maybe it deserves some attention.  Windows devices make up a modest 
percentage of our wireless clients, so others could be having the same 
experience and word just hasn’t reached me yet.  I’ll get a packet capture next 
time I put this device on the Wi-Fi.  If I turn up anything suspicious I’ll 
post to the group.

 

Chuck Enfield

Manager, Wireless Systems  Engineering

Telecommunications  Networking Services

The Pennsylvania State University

110H, USB2, UP, PA 16802

ph: 814.863.8715

fx: 814.865.3988

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Services)
Sent: Wednesday, July 22, 2015 7:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID jumping with Win 8.1 (Surface Pro 3) on Aruba

 

I have not seen this here at Liberty University with our Aruba 6.3.1.16 
network. We will be moving to 6.4 soon.

 

In fact, I use a Surface Pro 3 as my daily computer.

 

​

 

Bruce Osborne

Wireless Engineer

IT Infrastructure  Media Solutions

 

(434) 592-4229

 

LIBERTY UNIVERSITY

Training Champions for Christ since 1971

 

From: David Gillett [mailto:gillettda...@fhda.edu] 
Sent: Tuesday, July 21, 2015 4:37 PM
Subject: SSID jumping with Win 8.1 (Surface Pro 3) on Aruba

 

  Anybody else seen this?  I’ve seen devices reconnect to the same SSID as a 
previous session, and I believe I’ve seen them connect to an SSID that was “the 
only one visible.”  But twice now, I’ve seen my Surface Pro 3, in the midst of 
logging in to our “primary” SSID, suddenly bring up the login page for our 
secondary “guest” Wi-Fi service, to which it had never previously been 
connected….
  Is this a Windows 8.1 (mis)feature?  An Aruba bug?  A quirk of the wireless 
interface chip Microsoft chose to use in the Surface Pro 3?  



 

   Or perhaps something else, stranger than I can imagine?

 

David Gillett CISSP CCNP

 



RE: [WIRELESS-LAN] Roaming

2015-05-06 Thread Hinson, Matthew P

I guess I'll register as the odd man out in terms of our IP setup.

We've got a single /24 block of external addresses with our ISP. We probably 
use about half of them as 1:1 NAT for websites, Exchange, etc. All campus 
traffic is NAT'ted and PAT'ted out a single public IP. Our internal space is a 
one VLAN per building setup with a /19 or so of internal addresses set up on 
the DHCP server scope options for each VLAN. Our lease times are set at eight 
days (because why not?)

We have a firewall/UTM from $LargeVendor that does DPI and App-control to 
shut down P2P and other associated evils. Ever since we did that, the abuse 
letters have literally gone to zero.

Our buildings are not spaced in such a way that inter-VLAN roaming would be 
possible anyway.

Sent from a grassfire using smoke signals

From: Coehoorn, Joel <jcoeho...@york.edu>
Sent: 5/5/2015 5:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Roaming

Do y’all have one vlan per building?

We have four wireless vlan zones (North, South, East, West).

Do you allow roaming over entire campus, per building or what?

The buildings in each zone are strategically chosen to avoid roaming 
problems... we don't have much outdoor coverage, so it would be hard to roam 
between the zones anyway. North and South are academic/administrative 
buildings, East and West are residential.

How large are your DHCP pools? What is the pool expiration time?

We use /21s with 8 day leases. However, it works out such that the vlans in 
each zone rarely have more active devices than you would with a /24. The larger 
address space and longer leases are so that clients generally have persistent 
IP addresses in each zone over time, even if they aren't actively using a 
lease. We do NAT everything, so maintaining address space for 4x our regular 
population isn't a problem.

How do y’all find these abusers?

We don't require any authentication to the wireless network. We want to be as 
welcoming to guests (especially alumni and admissions candidates) as possible. 
However, we do still track use based on IP only (hence the need for longer, 
persistent leases). This is a kind of double-blind strategy to avoid charges of 
favoritism in enforcement. Abuse is monitored at the internet gateway, using a 
product called Untangle NGFW. I can't say enough good things about that 
product, though we're a very small institution and it might not scale up for 
many others on this list. If/when abuse is detected, an enforcement 
determination is then made by the student development office... not by IT.

Only after the enforcement determination is made will we cross reference the 
IP/mac across all four zones, and force all four IPs to a captive portal page 
on the NGFW that requires authentication. We also convert the leases to 
reservations, and move the macs to a policy group in the policy trees such that 
internet service is highly degraded if the user chooses to attempt something 
like setting a static IP, but will operate normally if we have a username 
associated with it. This process isn't as much work as it sounds like.

The whole scheme was created initially because we haven't long had the ability 
to do vlan pools. We had to use zones to avoid everyone being in one big vlan, 
and each zone had exactly one vlan. We keep the scheme because it allows some 
natural isolation of residential traffic from the rest of the network.




Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu




The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society

On Tue, May 5, 2015 at 10:19 AM, Legge, Jeffry <jgle...@radford.edu> wrote:
Currently we allow roaming over our entire campus. Some buildings have their 
own vlan while others do not. Each year we have more devices and thus our DHCP 
pools are stressed. We are looking at changing our network design and giving 
each building their own vlan and larger DHCP pools. We currently have a class B 
IPV4 internet addresses and will move to NAT. When students are abusing 
copyright etc. we are given an IP address and asked to determine who is doing 
the abusing. As students roam they could end up with multiple IP addresses and 
Natting will complicate the ability to find these abusers. I am curious about 
the following.

Do y’all have one vlan per building?

How large are your DHCP pools?

What is the pool expiration time?

Do you allow roaming over entire campus, per building or what?

How do y’all find these abusers?

Any thoughts will be appreciated.

-Jeff Legge
Radford University
540-250-5224
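
An added example, not part of any post in this thread: tracing an abuse notice back to a device when all traffic leaves through one PAT address and clients roam between per-zone DHCP pools, as discussed above. The log layouts, zone prefixes, MAC addresses and function names are assumptions constructed for illustration.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Everything below is constructed sample data; all times are UTC.
# Four wireless zones with /21 pools (the prefixes themselves are assumed).
ZONES = {name: ip_network(net) for name, net in {
    "North": "10.10.0.0/21", "South": "10.20.0.0/21",
    "East": "10.30.0.0/21", "West": "10.40.0.0/21"}.items()}

# PAT sessions: start end inside_ip inside_port public_ip public_port
# Note public port 40112 is reused by a different inside host minutes later.
NAT_LOG = """
2015-05-05T14:00:02 2015-05-05T14:03:40 10.30.1.25 51514 192.0.2.10 40112
2015-05-05T14:05:10 2015-05-05T14:09:00 10.10.2.77 49822 192.0.2.10 40112
2015-05-05T14:06:30 2015-05-05T14:07:15 10.30.1.25 51600 192.0.2.10 40990
"""

# DHCP leases (8 days each): start end ip mac
# 10.30.1.25 changes hands between the first and third PAT session.
DHCP_LOG = """
2015-04-27T14:04:00 2015-05-05T14:04:00 10.30.1.25 02:00:5e:00:00:01
2015-05-05T14:04:30 2015-05-13T14:04:30 10.30.1.25 02:00:5e:00:00:02
2015-05-01T08:00:00 2015-05-09T08:00:00 10.10.2.77 02:00:5e:00:00:02
"""


def parse(text, fields):
    """Turn whitespace-separated log lines into typed dict rows."""
    rows = []
    for line in text.strip().splitlines():
        row = dict(zip(fields, line.split()))
        row["start"] = datetime.fromisoformat(row["start"])
        row["end"] = datetime.fromisoformat(row["end"])
        for key in ("inside_ip", "public_ip", "ip"):
            if key in row:
                row[key] = ip_address(row[key])
        for key in ("inside_port", "public_port"):
            if key in row:
                row[key] = int(row[key])
        rows.append(row)
    return rows


NAT = parse(NAT_LOG, ["start", "end", "inside_ip", "inside_port",
                      "public_ip", "public_port"])
LEASES = parse(DHCP_LOG, ["start", "end", "ip", "mac"])


def zone_of(ip):
    """Name of the zone whose pool contains ip, or 'unknown'."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def attribute(public_ip, when, public_port=None):
    """Map (public IP, port, time) from an abuse notice to a MAC address.

    Step 1: the PAT log gives the inside IP that owned the public port
            at that moment. Without the port, several sessions usually match.
    Step 2: the DHCP log gives the MAC that held the inside IP at that moment.
    Step 3: list every other address the same MAC has leased, so the device
            can be followed across zones.
    """
    pub, t = ip_address(public_ip), datetime.fromisoformat(when)
    sessions = [s for s in NAT
                if s["public_ip"] == pub and s["start"] <= t <= s["end"]
                and (public_port is None or s["public_port"] == public_port)]
    if len(sessions) != 1:
        return {"status": "ambiguous" if sessions else "no_match",
                "candidates": len(sessions)}
    inside = sessions[0]["inside_ip"]
    holders = [l["mac"] for l in LEASES
               if l["ip"] == inside and l["start"] <= t < l["end"]]
    if len(holders) != 1:
        return {"status": "no_lease", "inside_ip": str(inside)}
    mac = holders[0]
    others = sorted((str(l["ip"]), zone_of(l["ip"])) for l in LEASES
                    if l["mac"] == mac and l["ip"] != inside)
    return {"status": "ok", "inside_ip": str(inside), "zone": zone_of(inside),
            "mac": mac, "other_leases": others}


if __name__ == "__main__":
    print(attribute("192.0.2.10", "2015-05-05T14:01:00", 40112))
    print(attribute("192.0.2.10", "2015-05-05T14:06:00", 40112))
    print(attribute("192.0.2.10", "2015-05-05T14:07:00"))  # no port given
```
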



RE: [WIRELESS-LAN] Roaming

2015-05-06 Thread Hinson, Matthew P
Frank,

We would if we needed them. As it is, we're probably only using around half of 
them at most. Users on premises don't really complain about it since most 
applications today understand that they are probably running on a network 
behind at least one layer of PAT.

Stats on our firewall show that, at worst case, only about ~30,000 TCP states 
are in use of the theoretical ~64,000 so we're just not in any rush to get more 
IP space. Amazing how many states you have to spare when you drop the perimeter 
hammer on P2P... :)

If it ever became a problem, we could add some extra IPs to the NAT, and we've 
plenty to do that with.

The only thing I could see us needing more public IPs for would be Xbox Live 
and PlayStation Network and their silly strict NAT warnings. As it is though, 
we don't get much flak about that.

Sent from a grassfire using smoke signals

From: Frank Bulk <frnk...@iname.com>
Sent: 5/6/2015 3:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Roaming

Matthew,

Why don’t you get more public IPs from ARIN?

Frank

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hinson, Matthew P
Sent: Wednesday, May 06, 2015 8:04 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Roaming


I guess I'll register as the odd man out in terms of our IP setup.

We've got a single /24 block of external addresses with our ISP. We probably 
use about half of them as 1:1 NAT for websites, Exchange, etc. All campus 
traffic is NAT'ted and PAT'ted out a single public IP. Our internal space is a 
one VLAN per building setup with a /19 or so of internal addresses set up on 
the DHCP server scope options for each VLAN. Our lease times are set at eight 
days (because why not?)

We have a firewall/UTM from $LargeVendor that does DPI and App-control to 
shut down P2P and other associated evils. Ever since we did that, the abuse 
letters have literally gone to zero.

Our buildings are not spaced in such a way that inter-VLAN roaming would be 
possible anyway.

Sent from a grassfire using smoke signals

From: Coehoorn, Joel <jcoeho...@york.edu>
Sent: 5/5/2015 5:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Roaming

Do y’all have one vlan per building?

We have four wireless vlan zones (North, South, East, West).

Do you allow roaming over entire campus, per building or what?

The buildings in each zone are strategically chosen to avoid roaming 
problems... we don't have much outdoor coverage, so it would be hard to roam 
between the zones anyway. North and South are academic/administrative 
buildings, East and West are residential.

How large are your DHCP pools? What is the pool expiration time?

We use /21s with 8 day leases. However, it works out such that the vlans in 
each zone rarely have more active devices than you would with a /24. The larger 
address space and longer leases are so that clients generally have persistent 
IP addresses in each zone over time, even if they aren't actively using a 
lease. We do NAT everything, so maintaining address space for 4x our regular 
population isn't a problem.

How do y’all find these abusers?

We don't require any authentication to the wireless network. We want to be as 
welcoming to guests (especially alumni and admissions candidates) as possible. 
However, we do still track use based on IP only (hence the need for longer, 
persistent leases). This is a kind of double-blind strategy to avoid charges of 
favoritism in enforcement. Abuse is monitored at the internet gateway, using a 
product called Untangle NGFW. I can't say enough good things about that 
product, though we're a very small institution and it might not scale up for 
many others on this list. If/when abuse is detected, an enforcement 
determination is then made by the student development office... not by IT.

Only after the enforcement determination is made will we cross reference the 
IP/mac across all four zones, and force all four IPs to a captive portal page 
on the NGFW that requires authentication. We also convert the leases to 
reservations, and move the macs to a policy group in the policy trees such that 
internet service is highly degraded if the user chooses to attempt something 
like setting a static IP, but will operate normally if we have a username 
associated with it. This process isn't as much work as it sounds like.

The whole scheme was created initially because we haven't long had the ability 
to do vlan pools. We had to use zones to avoid everyone being in one big vlan, 
and each zone had exactly one vlan. We keep the scheme because it allows some 
natural isolation of residential traffic from the rest of the network.



RE: [WIRELESS-LAN] Running APs at full power: client transmit power levels low?

2015-05-04 Thread Hinson, Matthew P
Hi Tristan,



You definitely want to match the Tx power between clients and APs as close as 
you can. Obviously, being education, we have little to no control over the 
hardware brought into our environment, so always knowing every device’s Tx 
power can be hard.



Wi-Fi is a two way street. If at all possible, a client and an access point’s 
power settings should match. Almost every frame sent to a client must be 
acknowledged very soon after, and if the client can’t reliably talk back to the 
AP, you’re going to have an unstable or unreliable connection.



We run our APs around 15-17dBm in the 2.4GHz band depending on the area but 
never higher. With the proliferation of mobile devices, that’s about all you 
can get away with without causing a mismatch.



Aerohive had a blog post a while back about the iPhone 5 and its 16dBm output 
power in the 2.4GHz band.

http://blogs.aerohive.com/blog/the-network-revolution/apple-iphone-5-wi-fi-specs





From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tristan Gulyas
Sent: Monday, May 4, 2015 3:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Running APs at full power: client transmit power levels 
low?



Hi all,



We’ve run into an issue in some of our sparsely covered areas (2.4GHz coverage 
optimised, not density optimised) where we have APs in a corridor style 
deployment.  This is typically found in older buildings which means we’re 
dealing with solid brick interior walls.



These APs are typically running at maximum power levels (typically 3600/3700 
series Cisco radios).



In one case, we measured the client end (MacBook Pro) as -71dBm with an SNR of 
22; the AP end saw the client with an SNR of 14 and a signal of -81dBm and 
connectivity was unreliable.  I have seen similar results elsewhere with a 
similar deployment model.



Has anyone else experienced similar issues with corridor style deployments at 
full power?



Cheers,

Tristan





Tristan Gulyas

Senior Network Engineer
Network Operations

eSolutions | Monash University

738 Blackburn Road Clayton 3800

www.monash.edu | tristan.gul...@monash.edu












Re: 802.11ac AP Deployment

2015-04-08 Thread Hinson, Matthew P
We're running a single CAT6 pretty much everywhere that we're doing deployments 
nowadays. Though, we're not doing very many new deployments at this time since 
we have no new spaces to cover and we've got every existing location fairly 
well covered. We probably roll out a half dozen APs a year to fill gaps which 
make themselves known, but those get a single Cat6. We're not using multiple 
cables or 6a as we just don't see 10GBASE-T being a likely need at the edge 
anytime soon.

Even with the new Wave2 stuff coming out, having a BSS that can hit greater 
than 700mbit/s of real throughput on the wire is probably not going to happen.

Thank you!
-Matthew Hinson​
Have I not commanded you? Be strong and courageous. Do not be afraid. Do not 
be discouraged for the LORD your God will be with you wherever you go. -Joshua 
1:9


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of Brian Helman 
bhel...@salemstate.edu
Sent: Wednesday, April 8, 2015 9:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.11ac AP Deployment

Our general rule will be to install radios such that no space is more than 1 
wall away.  Yes, it depends what the wall is.  Just as large an issue is, how 
many cables are you running to each location?  We are running two Cat6's.

-Brian

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Doug Burke
Sent: Monday, April 06, 2015 7:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.11ac AP Deployment

All,

Last year we cabled our campus classrooms and administrative offices with CAT6a 
preparing for the deployment of Wave 2 802.11ac. We are about to begin Phase II 
of the cabling project in our residence halls and we are looking for input from 
others on whether to plan for one AP per room or trust our survey tools. I 
expect most of you will say it depends and we understand the complexities of 
building construction. We have deployed 70 Wave 1 APs as a Proof of Concept 
(POC) testing them in different types of building construction but would like 
to hear others' experiences, in particular with residence halls. Thank you for 
your help.

Douglas Burke
Senior Director '13 MSEL, BSBA
Network Infrastructure Systems  Services University of San Diego



RE: [WIRELESS-LAN] Cisco 2702 APs and MacOS security error?

2015-03-30 Thread Hinson, Matthew P
Indeed. Our environment sees anywhere from 6-10k unique devices every day. Less 
than one tenth of one percent of those use TKIP. (6-10 devices total).

All of the other devices choose the most robust cipher suite available 
(CCMP-AES). And I bet we could disable TKIP entirely without any trouble. Xbox 
360's got WPA2-Personal support many years ago via firmware update, but there 
was a time that they didn't support it well.

http://forums.xbox.com/xbox_forums/xbox_support/f/9/p/298768/1566370.aspx

Also remember that TKIP-RC4 devices are forbidden by the standard from using 
MCS rates.

Sent from a grassfire using smoke signals

From: Steve Bohrer <skboh...@simons-rock.edu>
Sent: 3/30/2015 10:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco 2702 APs and MacOS security error?

We are very small, so my experiences don’t necessarily scale, but we disabled 
TKIP two years ago with no complaints. Are lots of people still running TKIP? 
Are there particular classes of equipment that require it?

Steve Bohrer
Network Admin, ITS
Bard College at Simon's Rock
413-528-7645

On Mar 27, 2015, at 12:09 PM, Joe Roth <jr...@binghamton.edu> wrote:

We are in the process of upgrading some buildings to 2702 APs, and after doing 
our first building clients with Apple hardware are seeing some odd behavior. 
They are receiving the attached error. It seems to be related to TKIP. We plan 
to remove TKIP from the WPA2 SSID this summer anyway and go with AES natively, 
but in the mean time we are trying to determine a fix.





RE: [WIRELESS-LAN] Cisco 2702 APs and MacOS security error?

2015-03-27 Thread Hinson, Matthew P
Yep… that’s TKIP countermeasures alright. Some would suggest disabling the 
countermeasures, but I’m not sure that’s always a good idea. The MIC only 
provides weak protection against forgeries, etc and countermeasures are really 
the only way to defend against a determined bad guy.

The devices that you list are all capable of CCMP-AES. Is there a 
legacy/compatibility reason that you’ve still got TKIP enabled?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Joe Roth
Sent: Friday, March 27, 2015 12:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco 2702 APs and MacOS security error?

We are in the process of upgrading some buildings to 2702 APs, and after doing 
our first building clients with Apple hardware are seeing some odd behavior. 
They are receiving the attached error. It seems to be related to TKIP. We plan 
to remove TKIP from the WPA2 SSID this summer anyway and go with AES natively, 
but in the mean time we are trying to determine a fix.
This is happening on both Apple OSX Yosemite and Maverick (that we have seen so 
far), as well as some iPhones.

Has anyone seen anything similar? The odd thing is that we have not seen this 
on any 1142, 2602 or 3602 APs, just the new 2702's.
Thanks.

--
Joe Roth
Network Manager
Binghamton University
Ph. 607-777-7528
Fax 607-777-4009


1GBE as a bottleneck to APs?

2015-03-24 Thread Hinson, Matthew P
I've seen a few articles here and there regarding possible solutions for the 
gigabit bottleneck as it pertains to .11ac access points. Said solutions 
include Cisco's forthcoming protocols for 2.5G and 5G over CAT5 cabling as well 
as LACP'ing two gigabit ports per switch and AP as some vendors suggest...

My question for the group is: Has anyone actually seen a throughput issue using 
gigabit to the edge? Certainly your distribution layer gear could be a 
limitation if it's not specced correctly, but I've just never seen a situation 
where I've wished for more than 1000BASE-T to an AP. Our fastest 802.11ac 
access points can only hit 600-700mbit/s real TCP throughput, and that's in 
ideal, almost laboratory conditions.

Thoughts?

Thank you!
Matthew Hinson
Network Operations




RE: eagle

2015-03-06 Thread Hinson, Matthew P
I see your Eagle Cam and I raise you two cameras. :)



http://www.berry.edu/eaglecam/



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Peter P Morrissey
Sent: Friday, March 6, 2015 7:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] eagle



http://hdontap.com/index.php/video/stream/bald-eagle-live-cam






RE: [WIRELESS-LAN] Windows Phone 8.0 and EAP-TLS

2015-03-03 Thread Hinson, Matthew P
I think Lee is correct. My Lumia 920 (Windows 8.1) offers PEAP-MSCHAPv2 and 
TTLS, but it didn't use to support TTLS.

No Winphone 8.0 support
http://forums.windowscentral.com/windows-phone-8/200619-802-1x-eap-ttls-support.html

Winphone 8.1 support https://technet.microsoft.com/library/dn643706.aspx

I am not aware of any enterprise add on pack that you can download to add 
support...

Sent from a grassfire using smoke signals

From: Lee Flight <l...@leicester.ac.uk>
Sent: 3/3/2015 3:22 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Windows Phone 8.0 and EAP-TLS

Hi,

I do not think that Enterprise feature pack exists, I think the features
were rolled into Windows Phone 8.1 and so 8.0 never got EAP-TLS. See p17
of:

  http://www.microsoft.com/en-gb/download/details.aspx?id=42509


Lee Flight
IT Services,
Computer Centre, University of Leicester
Leicester LE1 7RH, United Kingdom


On Tue, 3 Mar 2015, Curtis K. Larsen wrote:

 Hello,

We are pilot testing migration to EAP-TLS and I have discovered a user with a 
Windows 8.0 phone that does support PEAP, but not EAP-TLS.  A little googling 
turns up something called an Enterprise Feature pack which apparently brings 
with it support for EAP-TLS.  The problem is I can't seem to find where to 
download this.

Does anyone know how to obtain the Enterprise feature pack for Windows Phone 
8.0?  Let me know.

Thanks,

Curtis Larsen
University of Utah
Network Engineer III





RE: [WIRELESS-LAN] HP is reportedly trying to buy Aruba Networks

2015-02-26 Thread Hinson, Matthew P
Haven't personally experienced this one... I've used some $30 J4859C's I got 
from eBay and the switch didn't care.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Anderson
Sent: Thursday, February 26, 2015 4:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] HP is reportedly trying to buy Aruba Networks

HP also has a history of forced lock-in.  Their switches specifically prevent 
you from using third-party SFPs.  Imagine if they did this with the wireless 
APs--purposely make them not work with non-HP ethernet switches.

On Thu, Feb 26, 2015 at 09:47:52PM +, Williams, Matthew wrote:
 I've heard from multiple CIOs that they don't want a converged campus 
 solution.  They don't want to end up beholden to a single vendor for 
 financial and security reasons.  They want best-of-breed products that 
 provide the most bang for the buck without the caveats of, "Well if you want 
 that feature then you'll have to buy this 
 appliance/plugin/thing-a-ma-bob, too."

 I find the potential merger a bit disappointing because Aruba was a wireless 
 company (with a few switches) and that's what they did.  I'd hate to see them 
 end up getting lost in the shuffle of HP's portfolio of solutions.  
 Hopefully, if this all goes through, that won't happen.

 Respectfully,

 Matthew Williams
 IT Manager, Wireless
 Kent State University
 Office: (330) 672-7246
 Mobile: (330) 469-0445

 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Thomas Carter
 Sent: Thursday, February 26, 2015 4:33 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] HP is reportedly trying to buy Aruba
 Networks

 Yes, edge switches, but HP can sell the whole campus from firewalls to 
 routers to core switches to APs to software (clearpass, airwave, etc) to 
 truly compete with the likes of Cisco. They're pushing the converged campus 
 to sound like a marketing wonk. Whether or not they screw it up is what we'll 
 have to wait and see.

 Thomas Carter
 Network and Operations Manager
 Austin College
 903-813-2564


 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Frank
 Sweetser
 Sent: Thursday, February 26, 2015 2:44 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] HP is reportedly trying to buy Aruba
 Networks

 On 02/26/2015 02:23 PM, Thomas Carter wrote:
  I kept telling our Dell reps that Dell needs to buy into wireless
  and grab Aerohive or Ruckus. They would just mention the Aruba deal;
  we'll see what happens with that.
 
  I do think this can be good for Aruba. I see it as this - Cisco is a
  company that does $50B revenue annually and spends $6B in R&D. I
  know that's not all wireless, but Aruba has $725M annual revenue
  with $170M R&D. They need the financial backing to stay in second
  and maybe close the gap on Cisco. If integrated well, HP could have
  a compelling package with ProCurve and Aruba all managed under AirWave with 
  some magic SDN sprinkled in there somewhere.

 But Aruba already has their own package with their MAS switches!

 My biggest fear is that HP is buying Aruba the wireless company, not
 Aruba the client access company.  This would lead them to keeping the
 APs and controllers, while putting all of the rest of the goodies that
 led us to selecting them (Clearpass, Airwave's cross vendor
 capabilities, their switches) in jeopardy of either being tossed
 outright or left hanging around atrophying.



RE: Annual Exercise in Frustration: Printers that do wireless 1x?

2015-02-12 Thread Hinson, Matthew P
Yeah, I configured a Ricoh something-or-another last semester that claimed to 
do dot1X, but I didn't believe it. We already had a PSK network out there and 
we put it on that. I should mention that it took two of our techs plus the 
vendor sending a rep out and wasting hours of time to get it to accept a simple 
PSK connection.

Oh, and did I mention that this is a brand new unit (as of 4 months ago) and it 
only supports 802.11a/b/g... :|

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
Sent: Thursday, February 12, 2015 2:17 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Annual Exercise in Frustration: Printers that do 
wireless 1x?

I was recently working on an HP laser Pro 200 that does have 802.1X support, 
but couldn't tell you if it works reliably. I was also impressed to see that it 
comes, along with other models, with IPv6 support.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, February 12, 2015 1:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Annual Exercise in Frustration: Printers that do 
wireless 1x?

This is good for a yearly laugh, so let me throw it out there:

Has anyone found- and confirmed through actual use- any enterprise WLAN-capable 
printers or print servers that work with 802.1x WLAN security?

Thanks-

Lee Badman

Lee Badman
Wireless/Network Architect
ITS, Syracuse University
315.443.3003
(Blog: http://wirednot.wordpress.com)






CWNP acquired by Certitrek?

2015-01-30 Thread Hinson, Matthew P
It's very possible it's been this way for some time, but I noticed this morning 
on the CWNP homepage that the logo had changed to include another company's 
name.

Apparently, Certitrek has acquired CWNP. That, or it's been this way for a 
while and they're just getting around to changing the logo.

http://www.certitrek.com/

-Matthew




RE: Trying to get the Wi-Fi Alliance's Attention

2015-01-22 Thread Hinson, Matthew P
Lee,

Good write-up. I found myself nodding in agreement frequently as I read along.

The biggest problem I see in the trenches of WLAN administration is a lack of 
knowledge about the Alliance at all. Their marketing has been so successful 
that “Wi-Fi” has become synonymous with 802.11 wireless networking. I cannot 
tell you the number of times a user brings a particular device on our network 
that can’t do .1X or some other critical standard. 10/10 times, you can check 
the Alliance’s database and find out that it isn’t certified.

Of course, when you explain to them that their device isn’t working, they 
immediately default to “Well I’ve never even heard of that Wi-Fi Alliance 
thing.”

TL;DR: I see the biggest problem as people not caring whether the device is 
certified or not, to say nothing of the quality of said certification.

-Matt

Matthew Hinson
CWAP

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, January 22, 2015 2:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Trying to get the Wi-Fi Alliance's Attention


I know self-promotion is in poor taste, but wanted to share this

http://www.networkcomputing.com/wireless-infrastructure/the-case-for-wlan-interoperability/a/d-id/1318718?

and encourage anyone of like (or opposing) mind to add comments. I'm told that 
the Alliance is at least reading along, FWIW.



-Lee


Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003