Re: [WIRELESS-LAN] MacOS Lion Wireless Password Resets
All,

Per advice from our Apple rep, I have submitted Apple BUG# 9922069. If you would, please also submit bug entries for this so they understand the effect of this issue. For your ease of submission, here's what I submitted:

09-Aug-2011 02:23 PM Ryan Holland:

Summary: After successfully authenticating via 802.1X to an enterprise Wi-Fi network, credentials are stored in Keychain correctly. If the username/password are changed on the enterprise side (i.e., user changes their password), OS 10.7 continues to use the stored keychain item and never prompts the user to reenter their username and password. Authentication continuously fails.

Steps to Reproduce:
1.) Connect to an 802.1X authenticated WPA2-AES enterprise Wi-Fi network (like most higher education institutions) and verify credentials are stored in the keychain.
2.) Change username and password via the authentication database.
3.) Disconnect from Wi-Fi on the 10.7 machine.
4.) Reconnect/reauthenticate to Wi-Fi. At this point, reconnection is not possible.

Expected Results: OS 10.7 will use the keychain with the now-incorrect username and password. Upon failed authentication, the UI should prompt the user to reenter their username and password. User would enter their now-correct username and password, successfully authenticate, and OS 10.7 would update the keychain entry appropriately.

Actual Results: UI never prompts for now-correct username and password. Authentication continuously fails.

Regression: User must manually remove any and all related keychain items that have the stored username and password. Then, OS 10.7 UI will prompt user for NEW username and password.

Notes: Regression is workable on a case-by-case basis. However, we have 10,000+ Mac users and a 90-day password policy that is enforced. With this current bug, users will have to tinker with their keychain at least every 90 days. Please email me at holland@osu.edu or call at 614-292-9906 to discuss this matter further.
**THIS NEEDS TO BE PRIORITIZED, AS NUMEROUS UNIVERSITIES ARE AFFECTED BY THIS BUG**

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland@osu.edu

On Aug 5, 2011, at 11:44 AM, Holland, Ryan C. wrote:

All,

I used the iPhone Configuration Utility to create a .mobileconfig file, as recommended by Apple. Upon double-clicking, it prompts to install the profile, and you can optionally enter a username and password at that time. Either once you enter those and finish profile installation, or if you skip entering there and later enter username and password when connecting, either way an entry is added to the keychain. THEN, if the user changes their password, that keychain entry is still there and is used, continuously failing auth. The only workaround I've found is to delete the keychain, which results in the user being prompted for username and password, at which point a new keychain item is created.

I think this is more of a keychain behavior problem, or just a WiFi problem on the Apple. Regardless, the Mac supplicant's behavior should not try and be stubbornly using wrong credentials over and over. That password didn't work?! Hmm. Maybe I should try it again. Didn't work again? Hmm. Maybe I should try it again. Dang! How about now? No!? Hmm. Now?..

At this point, XpressConnect is not an option for us. Also, we can't not do 802.1X. Right now, the only thing I do have is bold-face text on the WebUI where users change their password stating that Mac users *must* delete their keychain, etc.

Additional ideas?

===
Ryan Holland

On Aug 5, 2011, at 11:06 AM, Palmer IV, Daniel <dbpa...@emory.edu> wrote:

That was going to be my point. That profile can be for the user or for the machine. We are using a user-based profile that we modify via script and slurp in to create our connection. (Cannot say which ID is being used to validate, though; have not had time to test that.)
dp

Daniel Palmer
University Technology Services (UTS)
Emory University
Atlanta, GA 30322
404.727.5297 (office)
404.213.1643 (mobile)

On Fri, 5 Aug 2011 11:00:24 -0400, David Blahut <dabla...@vassar.edu> wrote:

Great question, I was surprised to not see the + in the 802.1X window. When I associated to the secure SSID a dialog box popped up asking for username and password. I think the credentials are added to the keychain at that point. You can also use Lion Server to create a profile. I haven't tested this but more information can be found here: http://support.apple.com/kb/HT4772

-d
Re: [WIRELESS-LAN] MacOS Lion Wireless Password Resets
All,

I used the iPhone Configuration Utility to create a .mobileconfig file, as recommended by Apple. Upon double-clicking, it prompts to install the profile, and you can optionally enter a username and password at that time. Either once you enter those and finish profile installation, or if you skip entering there and later enter username and password when connecting, either way an entry is added to the keychain. THEN, if the user changes their password, that keychain entry is still there and is used, continuously failing auth. The only workaround I've found is to delete the keychain, which results in the user being prompted for username and password, at which point a new keychain item is created.

I think this is more of a keychain behavior problem, or just a WiFi problem on the Apple. Regardless, the Mac supplicant's behavior should not try and be stubbornly using wrong credentials over and over. That password didn't work?! Hmm. Maybe I should try it again. Didn't work again? Hmm. Maybe I should try it again. Dang! How about now? No!? Hmm. Now?..

At this point, XpressConnect is not an option for us. Also, we can't not do 802.1X. Right now, the only thing I do have is bold-face text on the WebUI where users change their password stating that Mac users *must* delete their keychain, etc.

Additional ideas?

===
Ryan Holland

On Aug 5, 2011, at 11:06 AM, Palmer IV, Daniel <dbpa...@emory.edu> wrote:

That was going to be my point. That profile can be for the user or for the machine. We are using a user-based profile that we modify via script and slurp in to create our connection. (Cannot say which ID is being used to validate, though; have not had time to test that.)

dp

Daniel Palmer
University Technology Services (UTS)
Emory University
Atlanta, GA 30322
404.727.5297 (office)
404.213.1643 (mobile)

On Fri, 5 Aug 2011 11:00:24 -0400, David Blahut <dabla...@vassar.edu> wrote:

Great question, I was surprised to not see the + in the 802.1X window. When I associated to the secure SSID a dialog box popped up asking for username and password. I think the credentials are added to the keychain at that point. You can also use Lion Server to create a profile. I haven't tested this but more information can be found here: http://support.apple.com/kb/HT4772

-d

On Friday, August 05, 2011 9:43 AM, Palmer IV, Daniel wrote:

In your test machine… How did you create your 802.1x profile?

dp

Daniel Palmer
University Technology Services (UTS)
Emory University
Atlanta, GA 30322
404.727.5297 (office)
404.213.1643 (mobile)

On Fri, 5 Aug 2011 09:13:43 -0400, David Blahut <dabla...@vassar.edu> wrote:

I did some Lion testing yesterday on our 802.1X secured SSID and discovered the following while watching the RADIUS logs: The laptop had two accounts set up on it, mine and another 'tester'. If you simply switched users the machine would reauthenticate but still use the other username/password (the account switching from). If the laptop was restarted or shut down and started back up, the correct username/password would be used to log into the wireless no matter what user was logged in when the restart was initiated. I don't necessarily think this is a big problem in our environment but I can see where it could be in others.

-d

On Thursday, August 04, 2011 5:01 PM, Holland, Ryan C. wrote (Subject: [WIRELESS-LAN] MacOS Lion Wireless Password Resets):

I have finally got my hands on MacOS
MacOS Lion Wireless Password Resets
I have finally got my hands on MacOS 10.7 (Lion) and have started running it through wireless tests. One item I find very worrisome is this:

- Via WPA2-Enterprise (PEAP/MSCHAPv2), I connect to the SSID using username password1; these credentials are then stored in the keychain.
- If I change my password to, say, password2, then the next time I connect, the Mac fails authentication.

It seems that the Mac, if failing authentication, never prompts for the username and password to be reentered. Our university is soon to roll out and enforce a 90-day password policy, and I am concerned that users will be unable to authenticate and will be forced to remove the password from their keychain.

Have any of you run into this similar issue? If so, how do you handle this behavior? (I don't recall it being this way in MacOS 10.6 or 10.5.)

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland@osu.edu
Submit a Kudos to an OCIO employee!

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
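The retry behaviour described in this thread, modelled as an added example (not Apple's code or anything posted to the list): a supplicant that keeps re-sending a stored credential after the password changed, beside the behaviour the bug report asks for. The authentication server, keychain, SSID "campus-wpa2" and user "jdoe" are constructed stand-ins.

```python
"""Model of the supplicant behaviour discussed in this thread (added
example, not Apple's code). `StickySupplicant` reproduces the reported
behaviour: a stored 802.1X credential is re-sent after the password has
changed and the user is never asked again. `ExpectedSupplicant` shows what
the bug report asks for: a rejected stored item is dropped, the user is
prompted, and the new credential is stored. All names are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    username: str
    password: str


class AuthServer:
    """Stand-in for the RADIUS/directory back end: checks a password only."""
    def __init__(self, users: Dict[str, str]) -> None:
        self.users = dict(users)

    def authenticate(self, cred: Credential) -> bool:
        return self.users.get(cred.username) == cred.password

    def change_password(self, username: str, new_password: str) -> None:
        self.users[username] = new_password


class Keychain:
    """Per-SSID credential store standing in for the OS keychain."""
    def __init__(self) -> None:
        self.items: Dict[str, Credential] = {}

    def get(self, ssid: str) -> Optional[Credential]:
        return self.items.get(ssid)

    def store(self, ssid: str, cred: Credential) -> None:
        self.items[ssid] = cred

    def forget(self, ssid: str) -> None:
        self.items.pop(ssid, None)


Outcome = Tuple[bool, int, int]   # (connected, auth attempts, user prompts)
Prompt = Callable[[str], Credential]


class StickySupplicant:
    """Re-sends the stored credential unchanged after it is rejected."""
    # Every rejected attempt is a bad-password event against the directory,
    # so attempts are capped rather than retried indefinitely.
    MAX_ATTEMPTS = 3

    def __init__(self, server: AuthServer, keychain: Keychain, prompt: Prompt):
        self.server, self.keychain, self.prompt = server, keychain, prompt

    def connect(self, ssid: str) -> Outcome:
        prompts = 0
        cred = self.keychain.get(ssid)
        if cred is None:
            cred, prompts = self.prompt(ssid), 1
            self.keychain.store(ssid, cred)
        for attempt in range(1, self.MAX_ATTEMPTS + 1):
            if self.server.authenticate(cred):
                return True, attempt, prompts
            # Rejected, but the stored item is kept and sent again as-is.
        return False, self.MAX_ATTEMPTS, prompts


class ExpectedSupplicant(StickySupplicant):
    """Treats a rejected stored credential as stale and asks the user."""
    def connect(self, ssid: str) -> Outcome:
        prompts = 0
        cred = self.keychain.get(ssid)
        if cred is None:
            cred, prompts = self.prompt(ssid), 1
        for attempt in range(1, self.MAX_ATTEMPTS + 1):
            if self.server.authenticate(cred):
                self.keychain.store(ssid, cred)  # refresh the stored item
                return True, attempt, prompts
            # Rejected: forget the stale item and ask for the current one.
            self.keychain.forget(ssid)
            cred, prompts = self.prompt(ssid), prompts + 1
        return False, self.MAX_ATTEMPTS, prompts


def password_change_scenario(supplicant_cls) -> Outcome:
    """Steps 1-4 of the bug report: connect, change the password on the
    server side, disconnect, reconnect. Returns the reconnect outcome."""
    server = AuthServer({"jdoe": "password1"})

    def user_prompt(ssid: str) -> Credential:
        return Credential("jdoe", server.users["jdoe"])  # user knows the new one

    supplicant = supplicant_cls(server, Keychain(), user_prompt)
    assert supplicant.connect("campus-wpa2")[0]   # step 1: works, item stored
    server.change_password("jdoe", "password2")   # step 2: rotate on server
    return supplicant.connect("campus-wpa2")      # steps 3-4: reconnect
```

`password_change_scenario(StickySupplicant)` ends with three rejected attempts and no prompt; `password_change_scenario(ExpectedSupplicant)` reconnects on the second attempt after one prompt.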
Re: [WIRELESS-LAN] ATT WiFi
To answer Lee's question, yes, there has been value. The transient users that use the attwifi service are the responsibility of ATT and not the university. This is a value-add for us.

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland@osu.edu
Submit a Kudos to an OCIO employee!

On Jul 21, 2011, at 1:08 PM, Lee H Badman wrote:

This is where I gotta plug our Bluesocket box for guest access. They worked with us to develop a simple "SMS you your password" mechanism, and I can't imagine a simpler guest portal for people to use. The ATT model does seem interesting, but to Philippe's point, I'm not digging the single carrier thing.

On Thursday, July 21, 2011 1:01 PM, Hanset, Philippe C wrote:

Overlaying ATT Wi-Fi over the wireless network to me seems like the same problem as a vendor-specific DAS. Only ATT customers can really use the infrastructure unless you are willing to pay a la carte for the service. What's next? Verizon Wi-Fi, Sprint Wi-Fi... or a web page where you have to pick the vendor of your choice in a long list (highly sensitive to MITM). With models like eduroam, at least all R&E people can join the network while traveling around. What we really need is eduroam for other users as well! (I'm working on it ;-)

Philippe

Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org

On Jul 21, 2011, at 12:28 PM, Dewitt Latimer wrote:

As a person who travels to many campuses, I can tell you that having my iPhone auto-associate with a campus WiFi is a whole lot nicer than having to bug my hosts to sponsor me for a guest wireless account.
So I think the real way to look at this is (1) how many guests do you have to your campus, (2) do you care about them, (3) is your wireless guest registration system self-sponsored and simple, or a real PIA? You don't necessarily have to overlay the ATT SSID over your whole campus either. You can hit (say) the performing arts, campus hotel and conference, etc. But that's more of a political outcome than technical. If you go through the hassle of a couple of buildings, you might as well do them all. Also, ATT almost always brings their own commodity bandwidth to the bargaining table. So depending on how many guests you have anyway, you can offload some of their data to their pipe.

-d

On Thu, Jul 21, 2011 at 12:16 PM, Lee H Badman <lhbad...@syr.edu> wrote:

Ryan-

Do you feel there has been any real value to OSU, or any downside?

Thanks-

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003

On Wednesday, July 20, 2011 1:34 PM, Holland, Ryan C. wrote:

We have it here at OSU, and it works adequately. Nothing special. Just a L2 handoff from our equipment to theirs.

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland@osu.edu
Submit a Kudos to an OCIO employee!

On Jul 20, 2011, at 1:17 PM, Steve Hess wrote:

Anyone have experience with the ATT WiFi product? Upper management is looking into it here. My understanding is they will use our existing Aruba infrastructure to propagate the signal. Curious for input from others on direct experience and technical considerations (in general and as relates to Aruba specifically).
Thanks,
Steve

--
Steve Hess
Network Administrator
Wheaton College
Phone: 508-286-3404
Fax: 508-286-8270
Re: [WIRELESS-LAN] ATT WiFi
We have it here at OSU, and it works adequately. Nothing special. Just a L2 handoff from our equipment to theirs.

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland@osu.edu
Submit a Kudos to an OCIO employee!

On Jul 20, 2011, at 1:17 PM, Steve Hess wrote:

Anyone have experience with the ATT WiFi product? Upper management is looking into it here. My understanding is they will use our existing Aruba infrastructure to propagate the signal. Curious for input from others on direct experience and technical considerations (in general and as relates to Aruba specifically).

Thanks,
Steve

--
Steve Hess
Network Administrator
Wheaton College
Phone: 508-286-3404
Fax: 508-286-8270
Re: [WIRELESS-LAN] Separate SSID for 5GHz band
Band steering is favorable when you have similar coverage areas on both 2.4 and 5 GHz. That should be a given nowadays, however, with the adoption of 11n. I recommend folks evaluate their RF designs first prior to tinkering with these types of feature sets. Tune down your 2.4 so it's similar to your 5 GHz, THEN try band steering. Otherwise, what John outlines will occur.

===
Ryan Holland
Ohio State

On Jul 7, 2011, at 7:22 PM, John Kaftan <jkaf...@utica.edu> wrote:

We considered a 5 GHz SSID too but declined for the same reasons that Karl noted. Our vendor suggested band steering. We have only done minimal testing with band steering but it seems promising. I had 30 clients connected to a single AP in our testing with only 2.4 enabled. When I turned up the 5 GHz band with band steering enabled, all clients that were able (50%) went to 5 GHz.

I'd like to understand what happens when a decision needs to be made between 5 and 2.4, i.e. when 2.4 offers a better choice due to propagation. Would you rather connect at -90 dBm to 5 or -70 to 2.4? I have set the min RSSI to around 10 Mb for 5 GHz thinking that I do not want them connecting to 5 GHz no matter what. That should take care of it but I have not tested.

John Kaftan
Infrastructure Manager
Utica College

On 7/7/2011 11:16 AM, Karl Reuss wrote:

On 7/7/2011 10:29 AM, Johnson, Neil M wrote:

Has anyone here considered creating a separate SSID for the 5GHz band? The idea is to encourage users to exclusively use 5 GHz over 2.4. We've implemented band steering, but it was suggested this would ensure that users use 5GHz and not fall back to 2.4.

We've had something like this in place for a long time now, with mixed results. Our main SSID is 'umd' which is on 2.4 and 5GHz. We also have a 'umd-fast' that is only on 5GHz. The idea was that people with 5GHz cards would see the umd-fast SSID and would choose it due to the superior-sounding name. If you couldn't tell your device to prefer 802.11a, umd-fast was an easy way to get it.
Maybe we didn't do enough PR, but the -fast SSID seems to cause more questions and confusion than it's worth. With band steering and OSs doing a better job of selecting bands, we will probably decommission the -fast SSID this summer.

-Karl Reuss
Re: [WIRELESS-LAN] iOS devices on wireless
Bruce is correct in that each residence hall could be placed on its own VLAN, thus enabling L2 protocols such as Bonjour. I believe Bruce's argument is VLAN pooling allows for easier operational administration (e.g., can easily increase capacity by adding to the pool). Both are true statements. It comes down to operational requirements versus customer requirements, and each university will have their own philosophy on how to balance that.

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland@osu.edu

On Jun 23, 2011, at 8:32 AM, Osborne, Bruce W wrote:

Jeff,

Large wireless subnets increase airtime consumed by broadcast traffic. That is why we use a VLAN pool of /23 subnets. The clients are distributed automatically based on a hash of the MAC address and the number of subnets in the pool, so we cannot easily control which subnet a user gets. Changing the number of subnets in the pool recalculates everybody's subnet too, so we make sure we have plenty of capacity.

Bruce Osborne
Wireless Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

On Wednesday, June 22, 2011 4:30 PM, Jeffrey Sessler <j...@scrippscollege.edu> wrote:

Bruce,

You could, by any number of technical solutions, ensure that students within a given residential space were all on the same L2 network. That is to say, if a given residence hall is made up of 200 students, then it's not technically difficult to ensure all the residential wireless devices within that area are placed in the same VLAN. Or, at a minimum, to ensure that a user's device(s) will always be in the same L2 network so that they can see each other. If one can't do that, then I wouldn't consider the wireless solution to be very flexible, especially given the trend in devices wanting/needing to talk to each other.
On my campus, students spend four years of their life in what we consider a residential setting, and it seems only logical to me that the experience should, to the extent possible, mimic home life. That is, it's reasonable to me to expect a student's wireless devices to see each other, and that they should be able to share/collaborate with the other users within their residential hall. I know that if I was back in college, I'd expect that level of functionality, and if it wasn't there, I'd probably make it happen using my own gear... exactly what you don't want happening.

Jeff

On 6/22/2011 4:55 AM, Osborne, Bruce W <bosbo...@liberty.edu> wrote:

We here at Liberty University have about 8000 students in our residences, the vast majority using wireless. That would be a *huge* L2 network.

Bruce Osborne
Wireless Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

On Tuesday, June 21, 2011 3:05 PM, Jeffrey Sessler <j...@scrippscollege.edu> wrote:

Mike,

I take it you are not able to reference housing data and then place all students/student devices from the same residential hall into the same VLAN?

Jeff

On 6/21/2011 11:18 AM, Michael Dickson <mdick...@nic.umass.edu> wrote:

On Jun 21, 2011, at 2:04 PM, Jeffrey Sessler wrote:

My belief is that a student should be able to have a similar experience when in a residential hall as they would at home. That requires supporting everything under the sun including Bonjour.

Unfortunately our enterprise network is sufficiently different that the user cannot have a similar experience as they would at home. At home all of their devices are segregated in an L2 network. All their neighbors' devices are in their own L2 network, etc. They can browse and discover all the devices in their house but not (hopefully) the devices in their neighbors'. Here at UMass their L2 domain is huge and includes mostly unknown devices.
Plus, thanks to VLAN pooling, it is likely that all of their devices are not in the same L2 subnet. So the similar-to-home experience is not a reality for us. Personally I think students should not think of an enterprise network as similar to their home network. That's a dangerous concept given most students turn on every sharing feature and protocol they can find at home - with relative (L2) protection from the outside world - in an effort to make all of their music and videos work in harmony across all devices.

My understanding is that Bonjour only discovers devices at L2, not across L3. If that is correct and our enterprise wireless network offers no less than a dozen L2 networks per SSID in a VLAN pool configuration (Aruba), then users aren't discovering their devices in most cases
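The VLAN pooling arithmetic behind Bruce's and Michael's points, as an added example (not Aruba's code or anything from the list): the controller's actual hash is not given in the thread, so SHA-256 of the client MAC reduced modulo the pool size is a stand-in, and the MACs and VLAN IDs are constructed. It shows how much of the population moves when a VLAN is added to a 16-VLAN pool and how often two of one user's devices land in the same L2 network.

```python
"""VLAN pooling arithmetic from this thread (added example, not Aruba's
code). The controller's real hash is not given on the page, so a stand-in
(SHA-256 of the MAC, reduced modulo the pool size) is used; the two
consequences described still follow: adding a VLAN to the pool moves most
clients to a different subnet, and one user's devices usually land in
different L2 networks, outside each other's Bonjour/mDNS reach."""
import hashlib
from collections import Counter
from typing import List, Sequence


def assign_vlan(mac: str, pool: Sequence[int]) -> int:
    """Pick a VLAN from the pool by hashing the client MAC (stand-in hash).

    Accepts aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF; the same MAC always
    maps to the same VLAN for a given pool size.
    """
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    digest = hashlib.sha256(raw).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def sample_macs(n: int) -> List[str]:
    """Constructed sample MACs in the locally administered 02:00:00 range."""
    return [f"02:00:00:{(i >> 16) & 0xFF:02x}:{(i >> 8) & 0xFF:02x}:{i & 0xFF:02x}"
            for i in range(n)]


def vlan_pool(size: int, first_id: int = 100) -> List[int]:
    """Constructed pool of consecutive VLAN IDs (100, 101, ...)."""
    return list(range(first_id, first_id + size))


def fraction_remapped(macs: Sequence[str], old_pool: Sequence[int],
                      new_pool: Sequence[int]) -> float:
    """Share of clients whose VLAN changes when the pool is resized.

    Bruce's point: growing the pool recalculates everybody's subnet. With a
    modulo hash, going from 16 to 17 VLANs moves about 16/17 of clients.
    """
    moved = sum(assign_vlan(m, old_pool) != assign_vlan(m, new_pool) for m in macs)
    return moved / len(macs)


def fraction_same_vlan_pairs(macs: Sequence[str], pool: Sequence[int]) -> float:
    """Share of device pairs (say, one student's laptop and phone) that end
    up in the same L2 network; with a good hash this is about 1/len(pool),
    which is Michael's point about Bonjour discovery across a pool.
    """
    counts = Counter(assign_vlan(m, pool) for m in macs)
    same = sum(c * (c - 1) // 2 for c in counts.values())
    total = len(macs) * (len(macs) - 1) // 2
    return same / total


if __name__ == "__main__":
    macs = sample_macs(2000)
    print("clients remapped when the pool grows 16 -> 17:",
          round(fraction_remapped(macs, vlan_pool(16), vlan_pool(17)), 3))
    print("device pairs sharing a VLAN in a 16-VLAN pool:",
          round(fraction_same_vlan_pairs(macs, vlan_pool(16)), 3))
```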
Re: [WIRELESS-LAN] iOS devices on wireless
The BYOD campaign is largely geared towards enterprises with PKI infrastructures wherein their corporate WLAN is using EAP-TLS with client certificates. They are tackling the question of "how do I get a client certificate for my device?" They're using the AOS 6.1 device fingerprinting to send the device to a captive portal hosted on Amigopod, which is then acting as a CA for client certificates. Apple's iPhone Configuration Utility allows them to push out a profile which puts the certificate on the device, hence it can then connect, and the enterprise now has the device registered. I do not see how that campaign aligns to supporting Apple's Bonjour solution in a large university.

Like Michael, we segment our user base into /24 and /23 sized networks, and we cannot easily roll out campus-wide L2-based applications due to this topology and/or limitation. I agree with Michael in that users should be educated that a secured 802.1X-enabled network should not be thought of as synonymous with your SOHO network at home. It is our job as IT professionals to help set the expectations for users of our systems.

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland@osu.edu

On Jun 22, 2011, at 8:00 AM, Osborne, Bruce W wrote:

Michael,

Have you seen Aruba's push for Bring Your Own Device aimed heavily on iPads? http://www.arubanetworks.com/solutions/bring-your-own-device/

From what I understand, some of the features are only in ArubaOS 6.1, but I would expect some things would work in 5.x & 6.0.x too.

We have 16 VLANs per pool on 3 local controllers. We have not yet had a huge problem, but I plan on studying this further once the summer rush is over. We actually have multicast video running successfully on our wireless network.
See http://www.arubanetworks.com/video.php?v=/case-studies/LibertyMulitmediaVideo_H264.mov&w=640&h=480

Bruce Osborne
Wireless Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

On Tuesday, June 21, 2011 2:19 PM, Michael Dickson <mdick...@nic.umass.edu> wrote:

On Jun 21, 2011, at 2:04 PM, Jeffrey Sessler wrote:

My belief is that a student should be able to have a similar experience when in a residential hall as they would at home. That requires supporting everything under the sun including Bonjour.

Unfortunately our enterprise network is sufficiently different that the user cannot have a similar experience as they would at home. At home all of their devices are segregated in an L2 network. All their neighbors' devices are in their own L2 network, etc. They can browse and discover all the devices in their house but not (hopefully) the devices in their neighbors'. Here at UMass their L2 domain is huge and includes mostly unknown devices. Plus, thanks to VLAN pooling, it is likely that all of their devices are not in the same L2 subnet. So the similar-to-home experience is not a reality for us. Personally I think students should not think of an enterprise network as similar to their home network. That's a dangerous concept given most students turn on every sharing feature and protocol they can find at home - with relative (L2) protection from the outside world - in an effort to make all of their music and videos work in harmony across all devices.

My understanding is that Bonjour only discovers devices at L2, not across L3. If that is correct and our enterprise wireless network offers no less than a dozen L2 networks per SSID in a VLAN pool configuration (Aruba), then users aren't discovering their devices in most cases anyway.
-Mike
Re: [WIRELESS-LAN] Strange Cisco AP problem
Not a Cisco customer, but:

- When the client sends 802.11 frames after receiving an IP, are you seeing 802.11 ACKs from the AP?
- If yes, are you seeing the client's traffic arrive at the controller?
- Is bcast traffic passing but not mcast?

With these anomalous problems, packet captures/sniffs are very revealing. The ARP mentions remind me of a time wherein symptoms were similar - IP received but no further traffic. As it turned out, the device was ARPing for addresses outside its subnet. The reason was that the client erroneously set an incorrect mask, causing the ARPs. Another example where pcaps uncovered the problem.

===
Ryan Holland
(sent while mobile)

On Apr 15, 2011, at 6:17 PM, Lay, Daniel <dl...@samford.edu> wrote:

I have run into a very odd issue. We have received complaints from students that they are having wireless issues in specific dorm areas. After receiving such a report I went to investigate. I walked the entire dorm connecting to each AP with several devices (an iPhone, an iPad, a XOOM tablet, and a laptop) and everything worked exactly as it was supposed to. The next morning as I was sharing my findings with the helpdesk guys 2 students walked in, and as luck would have it they were from the same dorm that I had just verified the evening before. So we went back to the dorm to look at it from their device.

So now we are back at the dorm looking at a student's MacBook Pro. When the student is anywhere else on campus it works just fine on wireless with any SSID. In his room however we cannot Tx/Rx to the network or to the internet. One strange thing to note here is that while his machine could not transmit or receive data it did get an IP address from DHCP. I was also able to connect to the same AP with my iPad and XOOM and then open Wireless Control System and look back at the student's machine. I wiped his connection and started from the beginning only to arrive at the same result.
I then moved his system to another location and reset his connections. I moved back to his room and it still would not function. I reset the AP and then it started working. I would say well it comes down to a simple reset, but having several connections that are working fine and several connections that are not working all on the same AP is concerning. I have about 3 locations on campus that are experiencing this same behavior. I have rebooted them but it still seems to be having the same problem.

We are using Cisco 1130 APs with both A and B/G radios on.
They are connected to 4404s that are running 6.0.199.4 code.
All are connected to a WCS running on a virtual machine with software version 7.0.164.3.
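The "got a lease but nothing passes" diagnosis Ryan describes, as an added example (not code from the original post): a host applies its own netmask to decide whether to ARP for the destination or for its gateway, so a mask that is too wide produces ARP requests for off-subnet hosts that nobody answers. The tcpdump-style ARP lines, addresses and masks are constructed for the example.

```python
"""Diagnosing the 'got a DHCP lease but nothing passes' symptom from this
thread (added example, not from the original post). `arp_target` models
the client's on-link decision given *its own* mask, and
`find_offsubnet_arps` scans ARP request lines in tcpdump's text format for
targets outside the subnet the network really uses: the signature of a
client with a wrong mask. The capture below is constructed."""
import ipaddress
import re
from typing import Iterable, List, Tuple


def arp_target(client_ip: str, client_mask: str, gateway: str, dest: str) -> str:
    """IP the client will ARP for when sending to dest.

    client_mask is the mask the client *believes* it has (dotted quad or
    prefix length); a mask wider than the real subnet makes remote hosts
    look on-link, so the client ARPs for them instead of the gateway.
    """
    iface = ipaddress.IPv4Interface(f"{client_ip}/{client_mask}")
    if ipaddress.IPv4Address(dest) in iface.network:
        return dest      # believed on-link: ARP for the destination itself
    return gateway       # believed off-link: ARP for the default gateway


# tcpdump -n prints: "<time> ARP, Request who-has <target> tell <sender>, length N"
ARP_REQUEST = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")


def parse_arp_requests(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(sender, target) pairs from tcpdump-style ARP request lines; replies
    and non-ARP lines are ignored."""
    pairs = []
    for line in lines:
        m = ARP_REQUEST.search(line)
        if m:
            pairs.append((m.group(2), m.group(1)))
    return pairs


def find_offsubnet_arps(lines: Iterable[str], true_subnet: str) -> List[Tuple[str, str]]:
    """ARP requests whose target lies outside the subnet actually in use.

    These requests go unanswered, so the client keeps its lease but moves
    no traffic; the sender address tells you which client to look at.
    """
    net = ipaddress.IPv4Network(true_subnet)
    return [(sender, target) for sender, target in parse_arp_requests(lines)
            if ipaddress.IPv4Address(target) not in net]


# Constructed capture: dorm subnet 10.20.30.0/24, gateway 10.20.30.1. The
# client 10.20.30.77 first behaves normally, then (as a 255.0.0.0 mask would
# cause) ARPs directly for a server in another subnet and gets no reply.
SAMPLE_CAPTURE = [
    "09:41:02.113052 ARP, Request who-has 10.20.30.1 tell 10.20.30.77, length 28",
    "09:41:02.113601 ARP, Reply 10.20.30.1 is-at 00:11:22:33:44:55, length 46",
    "09:41:05.220918 ARP, Request who-has 10.20.30.80 tell 10.20.30.12, length 28",
    "09:41:07.004417 ARP, Request who-has 10.99.1.10 tell 10.20.30.77, length 28",
    "09:41:08.004422 ARP, Request who-has 10.99.1.10 tell 10.20.30.77, length 28",
]

if __name__ == "__main__":
    print("correct /24 mask ->", arp_target("10.20.30.77", "255.255.255.0", "10.20.30.1", "10.99.1.10"))
    print("wrong /8 mask    ->", arp_target("10.20.30.77", "255.0.0.0", "10.20.30.1", "10.99.1.10"))
    print("off-subnet ARPs  ->", find_offsubnet_arps(SAMPLE_CAPTURE, "10.20.30.0/24"))
```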
PEAP/MSCHAPv2 using Juniper SBR + AD
Is anyone out there using 802.1X w/ PEAP/MSCHAPv2, leveraging Juniper's Steel-Belted Radius pointed to Microsoft Active Directory?

== Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland@osu.edu
Re: [WIRELESS-LAN] Wireless Site Survey cost
I don't believe there is any cookie-cutter answer anyone can give. All of our designs are likely variant due to the needs of wireless. Surveys/designs should be performed in accordance with what applications you plan to leverage. If you're deploying a dense VoWLAN deployment, requirements are different than those of simple coverage. Wireless in auditoriums, etc., will require a completely different design. I'd recommend identifying your requirements, then coming up with your strategy for surveying/design. For the majority of our locations, coverage is the primary requirement, so we perform active surveys of those locations, ensuring that the 2.4GHz design conforms to the 5GHz design. . . . my two cents.

== Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland@osu.edu

On Mar 16, 2011, at 2:50 PM, Jeffrey Sessler wrote:

So let me ask this... Given the need for designs based on capacity rather than coverage, do those who've done site surveys previously feel they are still worth the trouble? When we deployed, we based our coverage on capacity, which resulted in APs no more than 50' apart in general areas, and classroom deployment based on room capacity (1 dual-radio AP for 12, 2 for 24, etc.). As such, I've yet to find a coverage hole in either 2.4GHz or 5GHz, and the idea of doing a site survey, while so important in the days of coverage planning, now seems unnecessary. Thoughts? best, Jeff

John Kaftan jkaf...@utica.edu 3/15/2011 5:50 PM

Thanks, but I have purchased already. We will be doing this backwards. We are pulling extra drops and leaving 20' coils of cable above the ceilings and then throwing up the APs and seeing what happens. Not perfect, but we have been doing alright with that. We have a feel for it and the students report happiness. This summer we will do the survey to tighten things up a bit.
I am considering dropping the wired ports, as our LAN is past due for a refresh and I do not want to re-invest in the port-per-pillow model. John

On 3/15/2011 7:09 PM, Brian Helman wrote:

Have you already selected a wireless product? If not, I think you'd be far better served issuing an RFP for full procurement and installation, with signal guarantees (I'd recommend -68dBm). If you have holes, the contractor should be on the hook for it. Take advantage of this economy. Vendors will jump on this. Remember, antennas vary GREATLY. If you do a survey and then bid out and end up with a different product than you conducted the survey with, you could end up with holes. -Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of heath.barnhart [heath.barnh...@washburn.edu] Sent: Tuesday, March 15, 2011 9:57 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless Site Survey cost

If you have any resellers/technology partners/consultants you might ask them. Standard consultant fees would probably apply (I've seen $150-$300/hour). If they're good they should be able to survey a couple of buildings in a day (which should be less than $1500 a floor). You could also do it yourself. Someone mentioned Ekahau; we use AirMagnet Survey. It's good to have a survey solution for troubleshooting anyways. -- Heath Barnhart, CCNA Network Administrator Information Systems and Services Washburn University Topeka, KS 66621

On 3/14/2011 4:46 PM, Winston Chow wrote:

Usually companies don't like to do site surveys because they do it assuming you'll buy APs from them. If anything, I found that companies will do it for a lot of money but give you a significant credit if you buy APs/controllers/service from them. That doesn't work with our procurement system that needs 3 lowest bidders. Good Luck!
-Winston

On Mon, Mar 14, 2011 at 6:41 AM, John Kaftan jkaf...@utica.edu wrote:

I know this is a crazy question with tons of variables, but I am trying to at least get an idea of what it would cost to do a wireless survey in our residence halls. We have 7 buildings built over the years with a variety of construction materials. Each building has 3-4 floors. We have a total of 1100 students living on campus. Has anyone had a commercial wireless survey done and, if so, can you give me any idea of what I would be looking at? My intention is to do this via an internship, so I do not really want to shop this out and put vendors through the paces. I just want to give an estimate of what it would cost the college if we were to have a commercial provider do the work. John Kaftan Infrastructure Manager Utica College 315.792.3102
Re: [WIRELESS-LAN] Android and WPA2?
Russ, I encountered a Samsung Captivate that was using an incorrect subnet mask, i.e., ignoring the mask received in the DHCPOFFER. This resulted in the device ARPing for addresses outside of its subnet, which, in turn, it did not receive responses for. The user symptom was that DHCP succeeded, but no traffic beyond that passed. If you're looking at pcaps, look for excessive or questionable ARP traffic.

== Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland@osu.edu

On Feb 16, 2011, at 9:14 AM, Russ Leathe wrote:

Aruba 5.0.3 Impulse Safeconnect We started to have a problem with all Androids on our Aruba Wireless Network. We connect, obtain an IP using WPA2. However, no data is passed. I have tickets open with both vendors, but I just wanted to reach out and ask if you have experienced this with the Android, and if there are any 'fixes'. I'm running Wireshark now to see if anything stands out. Thanks Russ
Re: [WIRELESS-LAN] Android and WPA2?
Great question. As of now, we do not have NAC applied on wireless. This may change in the future, and we're likely to encounter the same difficulties. We do have it enabled on VPN, and our staff using handhelds are encountering this very issue. If we were looking to deploy this more widely, I would end up discussing with Aruba the feasibility of distinguishing handhelds from phones. There's likely to be something that acts as a signature for those devices.

== Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland@osu.edu

On Feb 16, 2011, at 9:47 AM, leo song wrote:

Hi, Ryan. Just an OT question. We deployed Cisco NAC on our wireless network, which is NOT available to handheld devices, mainly because they cannot install the Cisco NAC agent on handheld devices, and Cisco cannot differentiate the handheld devices from the rest of the laptop world to apply a different policy, i.e., no NAC agent required, full network access, etc. Just wondering what your case is over there? How do you differentiate the laptop and handheld devices? thanks.

-- Leo Song, Senior Analyst Cluster Lead Computing and Communication Services - Networking and Security University of Guelph (519) 824-4120 x 53181
Re: [WIRELESS-LAN] Android and WPA2?
Interesting, Peter. We were using /24s and the phone consistently used a /16 (255.255.0.0) mask. We have three class B networks on campus, so basically if the user tried to go to a third of our address space (DNS servers included), it would ARP for it and fail.

== Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland@osu.edu

On Feb 16, 2011, at 9:59 AM, Methven, Peter J wrote:

Russ/Ryan, we found the issue that Ryan reported is an issue with all the versions of Android we have tested (but we haven’t tested 2.3 yet), but I thought it was something unique to our environment, and we broke our /20 wireless network subnet into multiple /24 subnets based on location to solve the issues. This has worked ok for everything apart from Apple devices... Essentially we found that regardless of which mask was provided via DHCP, the Android device will always use a 255.255.255.0 class C mask. So obviously if you are using a /22 or /20 mask etc., the device will function with no problems if it is lucky and is assigned an IP address within the same class C segment as the gateway. Otherwise it will be unable to reach the gateway and, as Ryan says, will send out unusual ARP traffic etc. Many Thanks Peter

Mr Peter Methven, Network Specialist Information Technology (IT) Allen McTernan Building, Edinburgh Campus Tel: 0131 451 3516 For IT support queries or requests, please email ith...@hw.ac.uk or phone ext 4045, with full details of your query or request and your contact details. http://www.hw.ac.uk/it

Heriot-Watt University is a Scottish charity registered under charity number SC000278.
Re: [WIRELESS-LAN] Verisign New Root CERT
Bruce, We had this exact same issue! Instead of a default 1024-bit certificate rooted in Equifax, we received a 2048-bit certificate rooted in GeoTrust. We explained that reconfiguring the tens of thousands of devices 'out there' is an impossibility at this time. Basically, this resulted in a lot of back and forth, but in the end, we leveraged the fact that Verisign had until December 31, 2010 to comply with new regulations that forced them to the 2048-bit offering. Thus, we were able to obtain a renewal for our certificate that would last another 12 months. We are now migrating towards using Comodo through InCommon. But again, this is through a different root. Luckily, we are nearing a rollout of a new identity management solution along with a WLAN encryption upgrade; each requires reconfiguration on the user's part. We are leveraging these circumstances to roll out a configuration utility that will trust both Equifax as well as our new root. Many folks will say to just use a self-signed root, but for some entities, that is not an option since the network engineers may not dictate the security policies. :-/ Good luck!

== Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland@osu.edu

On Oct 18, 2010, at 12:38 PM, Bruce Boardman wrote:

We just renewed our Verisign CERTs only to find that the Verisign Root has changed. This wouldn't be a big deal if it were for a web server, but since it's student laptops configured to accept only the old public primary root, it has a big impact. Verisign is saying that our only recourse is to reconfigure all the clients. Ouch! We are using a Cisco ACS 5.2 server for the Radius auth, and certification. Anyone solve this already, or have any suggestions about how to avoid reconfiguring all the clients?

|Bruce Boardman, Network Engineer, Syracuse University - c 315 412-4156|
PEAPv0 Config Best Practice and Certificate Root question/concern
We are pursuing an updated configuration for our 802.1X enabled WLAN using PEAP/MSCHAPv2. Historically, we have not specified the specific certificate name in the Windows configuration file. We are going to move towards this and toggle the option to not prompt the user to accept other certificates. In doing so, we are also specifying the root CA in the configuration. My questions are:
1.) Are other universities sharing this approach currently?
2.) If you are, how have you mitigated concerns that your certificate provider changes the root CA that is signing your server certificate?
For #2, for instance, if your root was currently 'Equifax Secure Certificate Authority' and your root changed to 'AddTrust External CA Root', how can you avoid having users suddenly unable to connect (since the user will not be prompted to accept the new certificate)? Thanks,

== Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland@osu.edu
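The two threads above pull in opposite directions: turning off the "accept this certificate?" prompt and pinning the root CA is what stops a rogue AP from harvesting MSCHAPv2 hashes, but it is also exactly why a provider-side root change (Equifax to GeoTrust in the Verisign thread, Equifax to AddTrust here) leaves users unable to connect with no way to recover by hand. The usual answer is to pin both the current root and its successor in the same profile before the renewal. The script below is an added example written for this page, not code from the posts or from Microsoft; it lints the PEAP ServerValidation block of a Windows EapHostConfig profile (the XML namespaces are the ones Windows uses for PEAP/MSCHAPv2 profiles) and rewrites the profile to disable the prompt and add a second trusted root. The profile itself is constructed, radius.example.edu is a placeholder server name, and the two thumbprints are placeholders, not the real Equifax or AddTrust root thumbprints.

```python
"""Lint the PEAP server-validation settings in a Windows EAP profile and pin a
second root CA so a root change at the certificate provider does not strand
clients that are configured not to prompt.

Added example, not code from the list posts. The profile is a constructed
Windows EapHostConfig document and the two thumbprints are placeholders, not
the real Equifax or AddTrust root thumbprints."""

import xml.etree.ElementTree as ET

NS = {"peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"}

# Placeholder SHA-1 thumbprints in the space-separated form TrustedRootCA uses.
OLD_ROOT = "01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14"
NEW_ROOT = "a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4"

SAMPLE_PROFILE = """<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <ServerNames>radius.example.edu</ServerNames>
          <TrustedRootCA>%s</TrustedRootCA>
        </ServerValidation>
        <FastReconnect>true</FastReconnect>
        <InnerEapOptional>false</InnerEapOptional>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>26</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
            <UseWinLogonCredentials>false</UseWinLogonCredentials>
          </EapType>
        </Eap>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>""" % OLD_ROOT


def _server_validation(root):
    return root.find(".//peap:ServerValidation", NS)


def pinned_roots(xml_text):
    """Thumbprints listed as TrustedRootCA, in document order."""
    sv = _server_validation(ET.fromstring(xml_text))
    if sv is None:
        return []
    return [r.text.strip() for r in sv.findall("peap:TrustedRootCA", NS) if r.text and r.text.strip()]


def lint_profile(xml_text):
    """Return the weaknesses in the profile's server validation (empty list = OK)."""
    sv = _server_validation(ET.fromstring(xml_text))
    if sv is None:
        return ["no ServerValidation block: the RADIUS server certificate is not checked"]
    findings = []
    prompt = sv.findtext("peap:DisableUserPromptForServerValidation", default="false", namespaces=NS)
    if prompt.strip().lower() != "true":
        findings.append("user can be prompted to accept an unknown server certificate "
                        "(a rogue AP with any certificate only needs one click)")
    if not sv.findtext("peap:ServerNames", default="", namespaces=NS).strip():
        findings.append("no ServerNames: any certificate chaining to a trusted root is accepted")
    roots = pinned_roots(xml_text)
    if not roots:
        findings.append("no TrustedRootCA pinned: every root in the machine store is trusted")
    elif len(roots) == 1:
        findings.append("only one TrustedRootCA pinned: a root change at the certificate "
                        "provider will stop clients connecting, with no prompt to recover")
    return findings


def harden_profile(xml_text, extra_root_thumbprint):
    """Disable the accept-certificate prompt and pin an additional root CA, so the
    profile keeps working across the old root and its successor."""
    root = ET.fromstring(xml_text)
    sv = _server_validation(root)
    if sv is None:
        raise ValueError("profile has no PEAP ServerValidation block")
    prompt = sv.find("peap:DisableUserPromptForServerValidation", NS)
    if prompt is None:
        prompt = ET.Element("{%s}DisableUserPromptForServerValidation" % NS["peap"])
        sv.insert(0, prompt)                      # the schema puts this element first
    prompt.text = "true"
    have = {r.lower() for r in pinned_roots(xml_text)}
    if extra_root_thumbprint.lower() not in have:
        extra = ET.SubElement(sv, "{%s}TrustedRootCA" % NS["peap"])   # after the existing pins
        extra.text = extra_root_thumbprint
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", lint_profile(SAMPLE_PROFILE))
    hardened = harden_profile(SAMPLE_PROFILE, NEW_ROOT)
    print("after: ", lint_profile(hardened), pinned_roots(hardened))
```

The serialized output uses ElementTree's generated namespace prefixes rather than the default-namespace style of the input; the element names and URIs are unchanged, which is what the profile parser cares about. The point of the second pin is timing: it has to be pushed to clients while the old root still validates, which is why Ryan's plan of bundling it with another change that already requires reconfiguration works and a post-renewal push does not.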
Re: [WIRELESS-LAN] Free Public WiFi article
Yeah, neat article. We wrote this up for our users to understand it when they saw it on campus: http://8help.osu.edu/3655.html

-- Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland@osu.edu

On Oct 11, 2010, at 4:28 PM, heath.barnhart wrote:

Gotta love Microsoft networking.

On 10/11/2010 2:34 PM, Hector J Rios wrote:

I'm sure a lot of you have seen this SSID in your network at some point or other. http://thehill.com/blogs/hillicon-valley/technology/123673-npr-beware-of-qfree-public-wifiq Hector Rios Louisiana State University

-- Heath Barnhart, CCNA Network Administrator Information Systems and Services Washburn University Topeka, KS 66621
Re: [WIRELESS-LAN] Apple and wireless connectivity issues?
Jeff, Do you have any more information on this bug? Is it documented/published? My experience is that Apple will silently 'fix' wireless issues while rarely explaining them to IT professionals.

=== Ryan Holland (sent while mobile)

On Oct 7, 2010, at 1:20 PM, Jeffrey Sessler j...@scrippscollege.edu wrote:

Mark, There is a bug in 10.6 where it will under certain circumstances prefer 6-to-4 IPv6 over IPv4. Apple has fixed the problem in the 10.6.5 betas. Jeff

Mark Linton mhl...@psu.edu 10/7/2010 9:38 AM

On Oct 7, 2010, at 11:12 AM, Deke Kassabian wrote:

On 10/7/10 11:00 AM, Reynolds, Walter wrote:

We have found that many of these are fixed by disabling IPv6 on the Airport interface for the client.

I'd be very glad to hear a cohesive theory (from the list, from Apple, whoever) on why that might be. ^Deke

Disclaimer: I use a MacBook, exclusively on our campus wireless. I used to have wireless issues. I disabled IPv6 on the wireless interface and have had *no* issues since. My own theory is that a Vista or Windows 7 user on the wireless network has Internet Connection Sharing turned on. By default, these machines provide IPv6 router advertisements for their built-in 6-to-4 tunnel. The Mac prefers IPv6 when available, sees these RAs and accepts that user's machine as its gateway. The user's machine passes my traffic on to its gateway as tunneled traffic. Since I'm using IPv6, and it has converted my traffic through its 6-to-4 gateway, my traffic needs another gateway to get back to IPv6. I have seen times when the gateway it found was in New Zealand (I'm in Pennsylvania). Depending on where it dumps me out, I probably don't have an optimal path to my destination. In theory, the fix is to get people to turn off MSICS. In practice, it's easier to get people to turn off IPv6. By the way, the MSICS issue should also exist for IPv4, since it includes DHCP offers. However, we have the ability to block this in our LAN. We do not currently have the ability to block RAs.

Sincerely, Mark Linton mhl...@psu.edu personal.psu.edu/mhl100 814-865-4698 ♻ Please don't print this e-mail unless you really need to.
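Mark's theory is testable from a capture: a Router Advertisement with a non-zero router lifetime from a MAC that is not one of the campus routers, carrying a prefix under 2002::/16 (the 6to4 prefix, RFC 3056), is a workstation offering itself as the IPv6 default gateway. The script below is an added example written for this page, not code from the posts or from any vendor; it builds two constructed ICMPv6 RA payloads (checksum left at zero, since the parser does not verify it), decodes the RA header, the source link-layer address option and the prefix information options, and reports the rogue one against a hypothetical allowlist of authorized router MACs. The MAC addresses, the 2001:db8:1::/64 campus prefix and the 2002:c000:201::/64 6to4 prefix (the one derived from 192.0.2.1) are placeholders.

```python
"""Parse ICMPv6 Router Advertisements and flag the pattern described in this
thread: a host that is not one of the campus routers advertising itself as a
default gateway with a 6to4 (2002::/16, RFC 3056) prefix.

Added example, not code from the list posts. The two advertisements below are
constructed, the checksum is left at zero (the parser does not verify it), and
the authorized-router MAC set is a hypothetical allowlist."""

import ipaddress
import struct

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
ND_ROUTER_ADVERT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3


def _mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_ra(src_mac, router_lifetime, prefixes, hop_limit=64):
    """Construct an RA payload for the parser (not wire-ready: checksum is 0)."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, 0, router_lifetime, 0, 0)
    opts = struct.pack("!BB6s", OPT_SOURCE_LLADDR, 1, _mac_bytes(src_mac))
    for prefix in prefixes:
        net = ipaddress.ip_network(prefix)
        # prefix length, L+A flags, valid lifetime, preferred lifetime, reserved, prefix
        opts += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                            2592000, 604800, 0, net.network_address.packed)
    return hdr + opts


def parse_ra(payload):
    """Decode the RA header and the options that matter for rogue-router detection."""
    if len(payload) < 16:
        raise ValueError("too short for a Router Advertisement")
    typ, code, _csum, hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement (type %d, code %d)" % (typ, code))
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "src_mac": None, "prefixes": []}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")          # RFC 4861: discard the packet
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("truncated ND option")
        body = payload[off + 2:end]
        if otype == OPT_SOURCE_LLADDR and olen == 1:
            ra["src_mac"] = ":".join("%02x" % b for b in body[:6])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, _preferred, _reserved = struct.unpack("!BBIII", body[:14])
            addr = ipaddress.ip_address(body[14:30])
            ra["prefixes"].append({
                "network": ipaddress.ip_network("%s/%d" % (addr, plen), strict=False),
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid_lifetime": valid})
        off = end                                              # unknown options are skipped
    return ra


def assess_ra(ra, authorized_router_macs):
    """Findings for one RA; an empty list means it looks like one of ours."""
    findings = []
    if ra["src_mac"] not in authorized_router_macs:
        findings.append("RA from unlisted link-layer address %s" % ra["src_mac"])
        if ra["router_lifetime"] > 0:
            findings.append("unlisted host offers itself as default router for %ds"
                            % ra["router_lifetime"])
    for p in ra["prefixes"]:
        if p["network"].network_address in SIX_TO_FOUR:
            findings.append("6to4 prefix %s advertised: IPv6-preferring clients will "
                            "tunnel through this host" % p["network"])
    return findings


# Constructed samples: one campus router, one workstation doing what the thread describes.
AUTHORIZED_ROUTERS = {"aa:bb:cc:00:00:01"}
LEGIT_RA = build_ra("aa:bb:cc:00:00:01", 1800, ["2001:db8:1::/64"])
ROGUE_RA = build_ra("00:1a:2b:3c:4d:5e", 1800, ["2002:c000:201::/64"])   # 6to4 prefix for 192.0.2.1

if __name__ == "__main__":
    for label, pkt in (("campus router", LEGIT_RA), ("workstation", ROGUE_RA)):
        print(label + ":", assess_ra(parse_ra(pkt), AUTHORIZED_ROUTERS) or "OK")
```

To run it against real traffic, hand `parse_ra` the ICMPv6 payload of each packet matching `icmp6 && icmp6.type == 134` and feed the link-layer source of the frame in place of the option if a router omits it. The router-lifetime check is the one that matters for Mark's symptom: a prefix advertised with lifetime 0 only configures addresses, while a non-zero lifetime is what makes the Mac install that host as its default route.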
Re: [WIRELESS-LAN] Mysterious Missing ARP Entry
Does the WEP SSID that is not working happen to be the radio's base BSSID? We have a similar issue with a different vendor and different device. I would say that you may need to end up performing a packet capture to see where the traffic is dropped.

== Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland@osu.edu

On Sep 27, 2010, at 5:40 PM, Watters, John wrote:

I need some help with a strange new problem – a persistent missing ARP entry. We are a Cisco shop running WiSMs (6.0.199.4) with a mix of 1142s, 1131s and a few older 1242 APs. This past Friday we got a report of 5 XP tablets that could not use the wireless network. These are 5 out of a group of 50 handheld tablets used in our hospital by the doctors for charting, etc. All of these are imaged and should be using the same image (and later reimaged to be sure). It turns out that these five machines can use every SSID on campus except for one – their special one which uses WEP (no flames about WPA; we have tried to get them to move, but they are doctors and know more than anyone else). Further investigation has shown that these five machines never get an ARP entry built for their default gateway. They can talk to other machines on their subnet, but nothing outside. When a manual ARP entry is built for them, they are fine. This problem has persisted across reboots and reimaging of these five machines. Today we have received reports of other machines on campus who have similar symptoms (we have yet to actually see one of them). They lose connectivity on one SSID but are OK on all others. Has anyone else seen this? Can you give me a clue what to look for? Along with the MAC address strangeness, which we are seeing, this problem has made for a very interesting few days. Thanks for any help you can offer.

-jcw John Watters, The University of Alabama: OIT 205-348-3992
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
I will second that. I, too, am seeing one client with this MAC address, reported the same way via AirWave as CIMSYS Inc.

== Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland@osu.edu

On Sep 27, 2010, at 9:39 AM, Michael Dickson wrote:

Fascinating. We have one user on campus so far with this address: 00:11:22:33:44:55 Vendor (reported by AirWave): CIMSYS Inc For MacBooks, the vendor is typically reported as Apple or Apple,Inc. Mike Michael Dickson 413.545.9639 Network Analyst Univ. of Massachusetts Amherst

On 9/26/2010 11:34 PM, Watters, John wrote:

I have 7 or 8 machines with this MAC address on our campus. Is it possible that Apple did something not nice with the MAC addresses in the MacBooks? We will try to track some of them down, but it won't be easy even using the block-it-and-they-will-come method. -jcw

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Cortes, Diana [dcor...@miami.edu] Sent: Friday, September 24, 2010 4:17 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

Thought I'd share some interesting news... The student was able to recover the box her MacBook Pro came in, and indeed the Airport ID printed on the box is 00:11:22:33:44:55 Diana Cortes, CISSP, CWNA University of Miami IT - Telecommunications

-Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Williams Sent: Monday, September 20, 2010 7:19 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

Not sure if there is software out there for the Mac to change this automatically. If you just do

ifconfig en1 ether xx:xx:xx:xx:xx:xx

the MAC address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /System/Library/StartupItems/ and then run

sudo chmod 700 script.sh
sudo defaults write com.apple.loginwindow LoginHook /System/Library/StartupItems/script.sh

to get it to stick permanently. So it seems to me like people are probably doing this intentionally. Greg Williams IT Security Principal University of Colorado at Colorado Springs greg.willi...@uccs.edu

-Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 4:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

It does show up occasionally, and as far as I can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your MAC interface to 00:11:22:33:44:55 manually in the instructions to set up traffic sniffing). If your users are using these on a production network you may want to follow up, as they may have inadvertently changed their MAC address and have not realized they need to change it back. Or you could be mischievous and block that MAC address completely and let them come forward to have their machine fixed. I don't believe this is a bug, but more user-inflicted. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu -

On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote:

Has anyone encountered any MacBooks with the following MAC address: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. Thank you, Diana Cortes, CISSP, CWNA University of Miami IT-Telecommunications