Re: [WIRELESS-LAN] Problems in the Dorms

2011-11-01 Thread James J J Hooper

On 01/11/2011 17:56, Jeffrey Sessler wrote:

How was your multicast configured? Past the controller-multicast, the
important piece is the AP Multicast mode set on the general page. If it's
set to Unicast, pain and suffering can occur. Also, have you enabled any
of the Media Stream features?
Are you still working with Cisco TAC, or have you engaged the wireless
business unit?
Jeff

>>> On Thursday, October 27, 2011 at 6:31 PM, in message
<700d77bb392ae543b5b4455c8db89e3a09cc7...@mbox1.ad.bradley.edu>, "Ghere, Shayne" wrote:

One thing we did find is that by turning Multicast off
(Controller-Multicast) it dropped the UDP traffic from 40-60Mb/sec down to
1-2Mb/sec on all Trunk Ports across campus. This was something even Cisco
was surprised by, so maybe it’s something with the 7.0.116 code. ??? It
was on by default after the upgrade because I don’t remember ever enabling
it since we don’t use Multicast over wireless, just on the wired network.

All our AP’s and controllers are on the same Vlan, so we’ve ruled out the
router/firewall, and none of the Gig trunk ports are even near capacity.

We are starting to make progress, but the biggest thing we’re seeing now
is the massive interference which we’re working on.



+1 on multicast enabled in "unicast mode" breaks everything in special 
ways (including our WISM2s *generating* ~200Mbps traffic) with 7.0.116.0 
and Cisco haven't yet been able to explain why.


-James

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Re: [WIRELESS-LAN] Certs for EAP-PEAP

2011-10-19 Thread James J J Hooper

On 19/10/2011 20:20, John York wrote:

Hi

We’re in the process of bringing up a new NPS server, and a contractor
tells me that the cert Common Name and the server’s DNS fqdn don’t have to
match like they do on an SSL server.

“For wireless, any valid certificate will do. It does not have to match
the name of the NPS server. You can use an existing certificate for
anything as long as it’s valid and doesn't invalidate your licensing
agreement with your SSL cert provider.”

If that’s true, I’ve been adding extra complexity to my work for years. I
guess “any valid cert” would also have to come from a CA the user’s
computer accepts. Comments?


Generally [I don't know if NPS has any MS non-standard restrictions] 
that's true with EAP. It's probably a good idea to set the CN to something 
that looks like a DNS name though.


This also means that you can use the same radius certs on both radius 
servers if you have a pair for resilience etc.


Also, because many supplicants don't verify the cert CN (the "connect to 
these servers" box in Windows), just rely on the cert being signed by a 
known CA, and anyone could potentially get a cert from the same commercial 
CA as you, it is best practice to use a cert signed by your own root CA 
for EAP. You then need to configure each client with this root CA.


Regards,
  James



Re: [WIRELESS-LAN] Issue with Microsoft NPS certs and ipads/iphones

2011-09-20 Thread James J J Hooper

On 20/09/2011 12:19, Osborne, Bruce W wrote:


-Original Message-
From: Dennis Xu [mailto:d...@uoguelph.ca]
Sent: Monday, September 19, 2011 3:04 PM
Subject: Re: Issue with Microsoft NPS certs and ipads/iphones

We use the same certificate on two ACS servers for PEAP authentication to avoid 
the certificate warning when user connects to the 2nd ACS server. We haven't 
seen any issues with that.


> Dennis,
>
> How does that work? The two servers have different hostnames & DNS
> entries, I assume.
>
> I do not think it would work in our NPS environment anyway. Our
> NPS servers are also Read-Only Domain Controllers (each in their
> own site). This removes the RADIUS server load from our production
> Domain Controllers.

The names on the certificate are irrelevant as such, as long as:
- The client trusts the CA that signed the cert
- The client trusts the CN on the presented cert.

The certificates are used for TLS in the EAP transaction that forms the 
authentication. There is no DNS at this point - you don't even have a 
network connection as such yet.


This is why [some] supplicants allow you to specify certificate CN 
verification. In windows this is the "Connect to these servers:" field.


Without this your supplicant would trust any cert signed by your CA (which 
is why it's recommended that you do not use a public CA for EAP).


Regards,
  James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--



Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?

2011-09-19 Thread James J J Hooper

On 19/09/2011 18:12, Urrea, Nick wrote:

Cisco shop yes we use a WISM2 with CAPWAP APs.
We are currently using IAS as our RADIUS server.

Can you have FreeRADIUS talk to AD or do you need another LDAP?


We also use AD as our primary credentials DB. FR can talk to AD by using 
ntlm_auth (part of samba) for authentication, and LDAP for authorization.


-James

--
James J J Hooper
Senior Network Specialist, University of Bristol 
http://www.wireless.bristol.ac.uk

--



Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?

2011-09-19 Thread James J J Hooper

On 19/09/2011 17:24, Urrea, Nick wrote:

We at UC Hastings would like to create a new SSID that only allows certain
users with WPA-Enterprise authentication to access.

We currently have two SSIDs one which uses WPA-Enterprise with RADIUS
which checks against an Active Directory group and the other which uses
Web-Auth which checks against the same Active Directory.

We are using the Cisco Solution for enterprise wireless.

I would like to use the same RADIUS server for both WPA-Enterprise SSIDs.

Any ideas?


** If by "Cisco Solution" you meant Cisco WLC's with controller based APs:

This would be very easy to do with FreeRADIUS (http://www.freeradius.org/).

Do you have any other constraints? e.g. FreeRADIUS is unix/linux based, if 
you are a solely Windows shop, it'd be a bit of a learning curve.


We use FreeRADIUS to AAA our: VPN, Web-Auth wireless & multiple 
WPA2-Enterprise Wireless (inc. eduroam). A single instance can handle 
these simultaneously.


I believe the majority of the eduroam community use FreeRADIUS too.

** If you meant with Cisco ACS as your RADIUS server:
...sorry, no idea

Regards,
  James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--



Re: [WIRELESS-LAN] Wi-Fi connection issue when switching SSIDs

2011-09-13 Thread James J J Hooper
--On Tuesday, September 13, 2011 09:59:01 -0400 Dennis Xu wrote:



Hi everyone, we have Cisco WiSMs 7.0.116.0 and we see a connection issue
in our environment. When users disconnect from one SSID and connect to
another SSID, most of the time they need to try 2-3 times before they get
connected. It seems to be consistent for iPhone users, but also happens some
times for Windows especially when switching from open SSID to 802.1x
SSID. This only happens when switching SSIDs. Has anyone else seen this
issue?



Do you have 'Fast SSID change' enabled? If not, that would explain this.

-James

--
James J J Hooper
Senior Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--



Re: [WIRELESS-LAN] 1200 Series AP's on a newer 2960s Cisco switch using POE

2011-08-15 Thread James J J Hooper

On 15/08/2011 19:57, Taillon II, Kendall wrote:

We are in the middle of adding new 2960s Cisco switches to our edge. When
connecting our old 1200 series AP’s to the switch via POE, the switch
interface just keeps flashing. Is this because the old AP’s use the old
pre-standard POE? Our new 1142 series AP’s connect just fine. Is there any
way to have the older AP’s use the newer POE through the switch port?


http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/prod_qas0900aecd80322c37.html

...it should "just work"

Note however that _some_ of the 2960 series are oversubscribed for PoE, 
i.e. they can only power 8 APs on a 24-port PoE switch, and only 24 on a 
48-port PoE switch.


Exactly which model switches do you have? Have you enabled CDP on the 
ports? If you're using gig ports, what happens if you set them to 100/full?


-James



Re: [WIRELESS-LAN] Eduroam questions

2011-07-29 Thread James J J Hooper

On 29/07/2011 20:35, Hanset, Philippe C wrote:


Also, if you don't mind the initial investment (will save you money in the
long run)... get Xpressconnect


... or SU1X (free, but Windows only):
http://sourceforge.net/projects/su1x/

and you can use .mobileconfig 'profiles' for iOS & OS X Lion.

-James



Re: [WIRELESS-LAN] One user, many devices

2011-04-01 Thread James J J Hooper

On 01/04/2011 22:20, David LaPorte wrote:

I randomly chose a few and the OUIs are all Apple, so it looks OK.  I
also checked the user-agent strings and they look to be iPhones.  Strange.

On 04/01/11 16:59, James J J Hooper wrote:

On 01/04/2011 21:03, David LaPorte wrote:

I would've hoped so, but ~36% of devices fingerprinted as
iPod/iPad/iPhone didn't send a hostname.  Of those that did, ~27%
changed it from the default Apple format :(

On 04/01/11 15:47, James J J Hooper wrote:



Can you not differentiate between iOS devices by the "host name" in the
DHCP request (http://tools.ietf.org/html/rfc2132#section-3.14) ?

iOS seems to format the hostname as
<name>s-iP(ad|hone|od) => Annes-iPad

Obviously, it's not guaranteed to be accurate, but it gives an
indication.

e.g: Pull out apple devices by MAC OUI, then cross reference with DHCP:

+--
Total number of devices: 10043
Total number of devices matching APPLE OUI: 4974 (49.53%)

                                         Num    %ofApple   %ofTotal
Total number claiming to be iPods:       556    11.18%     5.54%
Total number claiming to be iPhones:     1585   31.87%     15.78%
Total number claiming to be iPads:       167    3.36%      1.66%
Total remaining, presumed Mac laptops:   2666   53.60%     26.55%
+--




Interesting... Have you been able to verify accuracy either way?

I've only looked at PF for the last 20 minutes, so I may be totally
wrong, but PF seems to match devices based on vendor_id (VCI) and/or
what the DHCP parameter request list is (not the content of any options
present):
http://mtn.inverse.ca/revision/file/1880ecba4c2e7e7511154b6abe331be436183fa9/pf/conf/dhcp_fingerprints.conf


iPhone/pod/pad would match on 1,3,6,15,119,252 which seems to be a
pretty generic set (subnet mask, router, DNS srv, domain name, DNS
search suffixes, WPAD address), but maybe iOS is the only one that asks
for just that!

...hmmm, I'll see if I can analyse it some more... wireshark time~~~


Sampling over the last hour on our DHCP server seems to confirm that Apple 
devices are the only ones we see using a parameter request list of 
1,3,6,15,119,252. Also, as you said, a proportion of the Host Name options 
for these do not comply with the <name>s-iP(ad|hone|od) format.


So the Host Name DHCP option can provide an indication, but it's far from 
reliable / statistically sound. Shame


-James
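The cross-referencing James describes (Apple OUI, then the DHCP Host Name option, with the option 55 parameter request list as a corroborating fingerprint) as a small script. This is an added example, not code from the thread or from PacketFence; the OUI table, the MAC addresses, host names and option-55 lists in the sample are constructed placeholders, and only the 1,3,6,15,119,252 list comes from the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# OUI table: constructed for this example. A real run would take every Apple
# entry from the IEEE registry (or the vendor lookup in your DHCP/NAC tool).
APPLE_OUIS = {"00:1C:B3", "28:6A:BA", "F0:B4:79"}

# DHCP option 55 (parameter request list) that, in the thread's sampling, only
# Apple devices sent: subnet mask, router, DNS, domain name, search list, WPAD.
APPLE_PRL: Tuple[int, ...] = (1, 3, 6, 15, 119, 252)

# Default iOS host name (option 12): "<name>s-iPhone", "<name>s-iPad", "<name>s-iPod".
IOS_HOSTNAME = re.compile(r"^(?P<owner>.+?)s-iP(?P<kind>ad|hone|od)$")

CATEGORIES = ("iPod", "iPhone", "iPad", "apple-other")
LABELS = {"iPod": "Total number claiming to be iPods:",
          "iPhone": "Total number claiming to be iPhones:",
          "iPad": "Total number claiming to be iPads:",
          "apple-other": "Total remaining, presumed Mac laptops:"}


@dataclass(frozen=True)
class DhcpRequest:
    mac: str
    hostname: Optional[str]   # option 12; many iOS devices omit it
    prl: Tuple[int, ...]      # option 55


def oui(mac: str) -> str:
    """First three octets, normalised to the AA:BB:CC form used in APPLE_OUIS."""
    return mac.upper().replace("-", ":")[:8]


def classify(req: DhcpRequest) -> str:
    """'not-apple'; else 'iPod'/'iPhone'/'iPad' from a default-format host name,
    else 'apple-other' (no host name, renamed, or a Mac)."""
    if oui(req.mac) not in APPLE_OUIS:
        return "not-apple"
    m = IOS_HOSTNAME.match(req.hostname or "")
    return "iP" + m.group("kind") if m else "apple-other"


def summarise(requests: Iterable[DhcpRequest]) -> Dict[str, object]:
    """The thread's table as data: per category (count, % of Apple, % of all),
    plus how many Apple devices sent no / a default / a non-default host name,
    which bounds how much the host-name heuristic can be trusted."""
    reqs = list(requests)
    counts = Counter(classify(r) for r in reqs)
    total, apple = len(reqs), len(reqs) - counts["not-apple"]

    def pct(n: int, d: int) -> float:
        return round(100.0 * n / d, 2) if d else 0.0

    names: Counter = Counter()
    for r in reqs:
        if oui(r.mac) not in APPLE_OUIS:
            continue
        if not r.hostname:
            names["missing"] += 1
        elif IOS_HOSTNAME.match(r.hostname):
            names["default"] += 1
        else:
            names["non_default"] += 1
    rows = {k: (counts[k], pct(counts[k], apple), pct(counts[k], total)) for k in CATEGORIES}
    return {"total": total, "apple": apple, "apple_pct": pct(apple, total),
            "rows": rows, "hostnames": dict(names)}


def foreign_prl_senders(requests: Iterable[DhcpRequest]) -> List[str]:
    """MACs outside the Apple OUIs that still send the Apple PRL. Empty is what the
    thread's one-hour sample showed; anything else weakens the option-55 fingerprint."""
    return [r.mac for r in requests if r.prl == APPLE_PRL and oui(r.mac) not in APPLE_OUIS]


def format_report(s: Dict[str, object]) -> str:
    """Render summarise() in the layout of the table posted in the thread."""
    out = [f"Total number of devices: {s['total']}",
           f"Total number of devices matching APPLE OUI: {s['apple']} ({s['apple_pct']:.2f}%)",
           f"{'':40}{'Num':>6}{'%ofApple':>10}{'%ofTotal':>10}"]
    for k in CATEGORIES:
        n, pa, pt = s["rows"][k]
        out.append(f"{LABELS[k]:40}{n:>6}{pa:>9.2f}%{pt:>9.2f}%")
    return "\n".join(out)


# Constructed sample requests (MACs, names and option-55 lists are made up for
# this example; only APPLE_PRL itself comes from the thread).
SAMPLE = [
    DhcpRequest("00:1c:b3:11:22:33", "Annes-iPad", APPLE_PRL),
    DhcpRequest("28:6a:ba:aa:bb:cc", "Bobs-iPhone", APPLE_PRL),
    DhcpRequest("f0:b4:79:01:02:03", None, APPLE_PRL),            # iOS, no host name
    DhcpRequest("00:1c:b3:44:55:66", "Dans-iPod", APPLE_PRL),
    DhcpRequest("28:6a:ba:dd:ee:ff", "macbook-pro", (1, 3, 6, 15, 119, 95, 252)),
    DhcpRequest("00:1c:b3:77:88:99", "Steves-phone", APPLE_PRL),   # renamed iPhone
    DhcpRequest("00:50:56:ab:cd:ef", "win7-lab", (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43)),
    DhcpRequest("00:0c:29:12:34:56", "ubuntu", (1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42)),
]
```

`print(format_report(summarise(SAMPLE)))` reproduces the table layout for the sample, and `foreign_prl_senders(SAMPLE)` is the check that the option-55 fingerprint still only matches Apple OUIs on your own data.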



Re: [WIRELESS-LAN] One user, many devices

2011-04-01 Thread James J J Hooper

On 01/04/2011 21:03, David LaPorte wrote:

I would've hoped so, but ~36% of devices fingerprinted as
iPod/iPad/iPhone didn't send a hostname.  Of those that did, ~27%
changed it from the default Apple format :(

On 04/01/11 15:47, James J J Hooper wrote:



Can you not differentiate between iOS devices by the "host name" in the
DHCP request (http://tools.ietf.org/html/rfc2132#section-3.14) ?

iOS seems to format the hostname as
<name>s-iP(ad|hone|od) => Annes-iPad

Obviously, it's not guaranteed to be accurate, but it gives an indication.

e.g: Pull out apple devices by MAC OUI, then cross reference with DHCP:

+--
Total number of devices: 10043
Total number of devices matching APPLE OUI: 4974 (49.53%)

                                         Num    %ofApple   %ofTotal
Total number claiming to be iPods:       556    11.18%     5.54%
Total number claiming to be iPhones:     1585   31.87%     15.78%
Total number claiming to be iPads:       167    3.36%      1.66%
Total remaining, presumed Mac laptops:   2666   53.60%     26.55%
+--




Interesting... Have you been able to verify accuracy either way?

I've only looked at PF for the last 20 minutes, so I may be totally wrong, 
but PF seems to match devices based on vendor_id (VCI) and/or what the 
DHCP parameter request list is (not the content of any options present):

http://mtn.inverse.ca/revision/file/1880ecba4c2e7e7511154b6abe331be436183fa9/pf/conf/dhcp_fingerprints.conf

iPhone/pod/pad would match on 1,3,6,15,119,252 which seems to be a pretty 
generic set (subnet mask, router, DNS srv, domain name, DNS search 
suffixes, WPAD address), but maybe iOS is the only one that asks for just 
that!


...hmmm, I'll see if I can analyse it some more... wireshark time~~~

-James

--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--



Re: [WIRELESS-LAN] One user, many devices

2011-04-01 Thread James J J Hooper

On 01/04/2011 20:18, David LaPorte wrote:

Thanks for sharing, always interesting to see this kind of information.
We have some similar statistics running, so I've included a couple of
graphs of our own. Interested to know about how you do this via
detecting browser agents when looking at device type. We have been using
DHCP fingerprinting which seems pretty successful but we can't tell the
difference between an iPad/iPod/iPhone etc, which might be good to know
since iOS devices appear to make up most of our clients.


We're doing OS detection with DHCP fingerprinting using PacketFence.  We
can't tell an iPad from an iPhone based on the fingerprint either, but
you might be able to run the fingerprinting data against user-agent
string or OUI if you're capturing that.  I started mapping out the
Apple-owned OUIs by device type, but - while there's clearly method to
the madness - I figured it wasn't worth the effort.


Can you not differentiate between iOS devices by the "host name" in the 
DHCP request (http://tools.ietf.org/html/rfc2132#section-3.14) ?


iOS seems to format the hostname as
<name>s-iP(ad|hone|od) => Annes-iPad

Obviously, it's not guaranteed to be accurate, but it gives an indication.

e.g: Pull out apple devices by MAC OUI, then cross reference with DHCP:

+--
Total number of devices: 10043
Total number of devices matching APPLE OUI: 4974 (49.53%)

                                         Num    %ofApple   %ofTotal
Total number claiming to be iPods:       556    11.18%     5.54%
Total number claiming to be iPhones:     1585   31.87%     15.78%
Total number claiming to be iPads:       167    3.36%      1.66%
Total remaining, presumed Mac laptops:   2666   53.60%     26.55%
+--

Regards,
  James

--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--



Re: [WIRELESS-LAN] Wireless to the Rescue...

2011-04-01 Thread James J J Hooper

On 01/04/2011 17:22, Hanset, Philippe C wrote:

All,

University of Tennessee has had some class attendance issues lately,
especially with Sophomores.
We came up with a location based wireless solution that could fix this issue.
We have built a database of rooms surrounding Access-Points that we correlate
with a class roster. Basically if a student is supposed to be in room x at time y,
our filtering only allows the student access to a set of access points 
surrounding that room during that time.
No wireless elsewhere.
Dormitories are included in the algorithm.

If you are doing something similar, we would like to know some of the caveats.



We do the same here in the UK, but using dynamic access control lists 
depending on client location. We have found that by *only allowing twitter 
& facebook* during lectures, students fall asleep during the class much 
less often. Students can also provide concise realtime feedback, or 
questions, throughout each lecture.


Outside of scheduled class times we re-allow access to those things that 
can be so distracting for young people, such as the Information Services 
News archive:

http://www.bristol.ac.uk/is/news/2010/

We have however found the maintenance of the "who is supposed to be where" 
database to be quite onerous. Initial consultations on making the 
restrictions plain 9am-5pm site-wide have returned favourable responses.


Kind regards,
  James

--
James J J Hooper
http://www.bristol.ac.uk/eduroam
--



Re: [WIRELESS-LAN] Comodo CA (InCommon) and Cisco ACS 5.x

2011-01-19 Thread James J J Hooper
--On Wednesday, January 19, 2011 10:24:38 -0600 "Schmidt, Jason W" wrote:



All,

Has anyone deployed Cisco ACS 5.x paired with Comodo certificates via
InCommon for wireless 802.1x (PEAP specifically)? We are seeing an issue
with iOS devices not trusting the server certificate despite the full
chain of certificates being installed into ACS and iOS having trust for
the root CA. We have a case open with Cisco to see if indeed ACS sends
the whole chain with a PEAP session, but it is slow going.

Thanks for any insight.


Hi Jason,
 Sorry, no info specific to your scenario, but you can use eapol_test from 
the wpa_supplicant package to see exactly what your radius server is up to.



e.g.
./eapol_test   ... | grep CTRL-EVENT-EAP-PEER-CERT | uniq

would output something like:

CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=GB/ST=Bristol/O=University of Bristol/OU=Information Services/CN=University of Bristol CA/emailAddress=ca-ad...@bristol.ac.uk'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=GB/ST=Avon/L=Bristol/O=University of Bristol/OU=Information Services/CN=eduroam.wireless.bris.ac.uk/emailAddress=wireless-h...@bristol.ac.uk'


...so for Bristol, you can see both our root and the radius server cert (we 
have no intermediates).


wpa_supplicant: <http://hostap.epitest.fi/wpa_supplicant/>
eapol_test quick guide: <http://deployingradius.com/scripts/eapol_test/>

Regards,
 James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk   http://www.jamesjj.net
--
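The two supplicant-side rules from the earlier EAP-PEAP certificate threads (trust only your own CA, and only a server whose cert CN is one you expect) applied to the CTRL-EVENT-EAP-PEER-CERT lines eapol_test prints. This is an added example, not part of the post or of wpa_supplicant; the sample output is constructed in the format shown above with placeholder names, and the check is on names only, since signature and validity checking is eapol_test's own job when it is given a ca_cert.

```python
import re
from typing import Dict, Iterable, List, Tuple

# One line per certificate the RADIUS server sent: highest depth is the CA
# end of the chain, depth=0 is the server certificate itself.
PEER_CERT = re.compile(
    r"CTRL-EVENT-EAP-PEER-CERT depth=(?P<depth>\d+) subject='(?P<subject>[^']*)'")


def parse_subject(subject: str) -> Dict[str, str]:
    """OpenSSL one-line DN ('/C=GB/O=Example/CN=foo') -> {'C': 'GB', 'O': 'Example', 'CN': 'foo'}."""
    fields: Dict[str, str] = {}
    for rdn in subject.split("/"):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            fields[key] = value
    return fields


def parse_chain(eapol_output: str) -> Dict[int, Dict[str, str]]:
    """depth -> parsed subject. The post piped through uniq because the lines
    repeat; keying by depth de-duplicates the same way."""
    chain: Dict[int, Dict[str, str]] = {}
    for line in eapol_output.splitlines():
        m = PEER_CERT.search(line)
        if m:
            chain[int(m.group("depth"))] = parse_subject(m.group("subject"))
    return chain


def check_chain(chain: Dict[int, Dict[str, str]], trusted_ca_cn: str,
                server_names: Iterable[str]) -> Tuple[bool, List[str]]:
    """The 'only our CA' and 'Connect to these servers' rules applied to the
    names reported: the chain must top out at our own CA and the depth=0 CN must
    be an expected RADIUS server name. Returns (ok, list of problems)."""
    problems: List[str] = []
    if not chain:
        return False, ["no CTRL-EVENT-EAP-PEER-CERT lines found"]
    top = chain[max(chain)]
    if top.get("CN") != trusted_ca_cn:
        problems.append(f"chain anchored at CN={top.get('CN')!r}, expected {trusted_ca_cn!r}")
    leaf = chain.get(0)
    if leaf is None:
        problems.append("no depth=0 (server) certificate in the chain")
    elif leaf.get("CN") not in set(server_names):
        problems.append(f"server cert CN={leaf.get('CN')!r} is not an expected RADIUS server")
    return not problems, problems


# Constructed eapol_test output (placeholder names, not Bristol's), with the
# lines repeated as the post's use of uniq suggests they are.
EXPECTED_OUTPUT = """\
CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=GB/O=Example University/OU=IT/CN=Example University CA'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=GB/O=Example University/OU=IT/CN=radius.example.edu'
CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=GB/O=Example University/OU=IT/CN=Example University CA'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=GB/O=Example University/OU=IT/CN=radius.example.edu'
"""

# A chain that is valid TLS-wise but issued by a public CA for a different
# name: what a supplicant with no CN check and a public root would accept.
UNEXPECTED_OUTPUT = """\
CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/O=Some Commercial CA Inc/CN=Some Commercial Root CA'
CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=US/O=Some Commercial CA Inc/CN=Some Commercial Issuing CA'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=GB/O=Anyone At All/CN=wifi.somewhere-else.example'
"""

TRUSTED_CA_CN = "Example University CA"
RADIUS_SERVERS = {"radius.example.edu"}   # same cert on every resilient server, as the threads advise

if __name__ == "__main__":
    for label, out in (("expected", EXPECTED_OUTPUT), ("unexpected", UNEXPECTED_OUTPUT)):
        ok, problems = check_chain(parse_chain(out), TRUSTED_CA_CN, RADIUS_SERVERS)
        print(label, "OK" if ok else "REJECT", problems)
```

In practice you would feed it the real output of `eapol_test -c your.conf -a <radius-ip> -s <secret>` rather than the constructed strings.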



Re: [WIRELESS-LAN] Active Directory and LDAP at the same time. Or... just LDAP with 802.1x.

2010-10-12 Thread James J J Hooper

On 12/10/2010 20:08, Lee H Badman wrote:

Here’s the backdrop for my questions:

For 802.1x authentication on the WLAN, we use PEAP w/ MS-CHAPv2, against
our AD environment. This works wonderfully and always has.

The rub- we have a set of users not in AD- they are in our ED (LDAP). I’ll
thank you not to ask why.

These LDAP credential folk cannot use the 802.1x setup as it is, as they
are not in AD. LDAP lookups aren’t possible because PEAP w/ MS-CHAPv2
doesn’t work with LDAP.

Potential options:

- add support for TTLS/PAP against LDAP on a new SSID (yuck)

- add support for TTLS/PAP on current SSID to make it support two EAP
types (never done it here)

- insist that everyone be AD (politics)

- insist that everyone be in LDAP and go to TTLS/PAP globally

This is not a terribly important issue right now, but looking down the
road it will come up and so I’d like to get my thoughts lined up.

Does anyone else use a single SSID with two EAP types? Or have AD and LDAP
both at play in any other way? Anyone using TTLS/PAP that can comment on
its suitability and reliability versus PEAP w/ MS-CHAPv2?


Hi All,
  There is a combination of aspects to this:

1) PEAPv0/MS-CHAPv2 can be performed against any back-end that knows 
either [1]:

  - The NTLM hash
 or
  - The plain-text password

2) "Talking" to the backend - Can your RADIUS server talk both LDAP and to AD?

3) EAP types - EAP types are "supported", or not, by your radius server. 
The clients only have to do one of the supported methods, not all. There 
is no reason to separate EAP types using different SSIDs.


In your LDAP directory, how are the passwords stored?

- If you have got NTLM hashes or plain text you can do PEAP/MS-CHAPv2 
against your LDAP directly. You could also do TTLS/PAP. All depends on the 
capabilities of your RADIUS server.


- If you have got some other variety of hash, you are probably left with 
TTLS/PAP and no PEAP, but you can do TTLS/PAP->LDAP and PEAP->AD on the 
same SSID, again depending on the capabilities of your radius server.


As someone else mentioned, the various directories usually have some 
variety of 'enable universal password' i.e. enable plain text passwords in 
the directory. All [password based] EAP types will work if the back-end 
knows the plain-text password. Politics may prevent you enabling the 
plain-text password storage option though.


I keep mentioning "the capabilities of your radius server"... The radius 
server has to take what the client presents and match it with what AD/LDAP 
store. If you're using FreeRADIUS this functionality is easily within its 
capabilities. With other RADIUS implementations YMMV.


I've never used ACS, if it can't do the above, it might be able to proxy 
off the LDAP users to a FreeRADIUS box - depends if there is something to 
key off.


We support TTLS/MS-CHAPv2 and PEAP/MS-CHAPv2 on our single eduroam SSID, 
authenticated against AD.


Regards,
  James

[1] http://deployingradius.com/documents/protocols/compatibility.html


--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
--



Re: [WIRELESS-LAN] PEAPv0 Config Best Practice and Certificate Root question/concern

2010-10-12 Thread James J J Hooper

Hi Ryan,
 We also used a self signed certificate and a set-up wizard to load the CA 
cert on to the client and configure the wireless profile (similar to SU1X).


We configure explicit trust for maximum security i.e. only trust our CA 
cert, and only trust a radius server if its cert CN matches 
'eduroam.wireless.bris.ac.uk'


As far as multiple radius servers go -- they should all use the same 
certificate (the name of the radius box is irrelevant to the PEAP 
certificate CN).


Regards,
 James


--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk   
--

--On Tuesday, October 12, 2010 07:33:42 -0400 "Osborne, Bruce W" wrote:



Gareth,

How do you handle multiple RADIUS servers for redundancy?

We have our own CA trusted by GTE OmniRoot
(http://cybertrust.omniroot.com/) so we just setup to trust them as the
root CA.  We will be deploying 802.1x, trust OmniRoot only, & not prompt
for other certificates. We have 2 RADIUS servers for redundancy, but
since they both have trusted certificates, there appears to be no issue.

Bruce Osborne
Liberty University

From: Ayres G.J. [mailto:g.j.ay...@swansea.ac.uk]
Sent: Monday, October 11, 2010 11:16 AM
Subject: Re: PEAPv0 Config Best Practice and Certificate Root
question/concern

Just use a self-signed cert, it's more secure.

We use a self-signed cert and deploy it with SU1X to windows devices.

Gareth.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Holland, Ryan C.
Sent: 11 October 2010 13:32
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] PEAPv0 Config Best Practice and Certificate Root
question/concern

We are pursuing an updated configuration for our 802.1X enabled WLAN
using PEAP/MSCHAPv2. Historically, we have not specified the specific
certificate name in the Windows configuration file. We are going to move
towards this and toggle the option to not prompt the user to accept other
certificates. In doing so, we are also specifying the root CA in the
configuration.

My questions are:
1.) Are other universities sharing this approach currently?
2.) If you are, how have you mitigated concerns that your certificate
provider changes the root CA that is signing your server certificate?

For #2, for instance, if your root was currently 'Equifax Secure
Certificate Authority' and your root changed to 'AddTrust External CA
Root', how can you avoid having users suddenly unable to connect (since
the user will not be prompted to accept the new certificate)?

Thanks,

==
Ryan Holland




Re: [WIRELESS-LAN] Student Wireless Satisfaction Survey

2010-10-07 Thread James J J Hooper
--On Thursday, October 07, 2010 08:17:50 -0500 "Fleming, Tony" wrote:



Crew,
We are in the process of evaluating two vendor wireless solutions. At
this point we have taken two very similar dorms and deployed one vendor
solution in each location.   After performing a technical evaluation by
IT staff, we thought it might be worthwhile sending a survey to the
students in each dorm to evaluate their wireless satisfaction and
experience.

I am curious. Have any of you sent out a wireless satisfaction survey to
your students? If so, did it give you a reasonable picture of the state
of your wireless networks?

Would any of you be willing to share your survey questions with me
privately?



Hi Tony,
 The questions and primary wireless access method[1] have changed over the 
years, but our users surveys, and results are here:

<http://www.wireless.bris.ac.uk/help/staff-student-info/wireless-survey/>

I haven't had time to publish the results of the 2010 survey yet (surveys 
take place at the end of the academic year ~~June).


With regard to the results, we have found that we get one or two 
inspirational comments each year, but generally the results point to:

a) known existing problems that we can't easily fix due to politics or cost.

b) Things that were recently fixed/improved, but the news hasn't got around 
yet or we need to improve publicity to certain user groups.


Regards,
 James

[1] We have changed from open+VPN -> open+VPN & WPA2/AES half and half -> 
Solely WPA2/AES Eduroam now.


--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk   http://www.jamesjj.net
--



Re: [WIRELESS-LAN] Android 2.2 disappointing on the secure WLAN- is it just us?

2010-09-30 Thread James J J Hooper

Hi Bruce,
  It appears that Google have just acknowledged that a patch [from 
upstream wpa_supplicant] has gone into the Android code tree, and will be 
part of the "next major release of Android":

http://code.google.com/p/android/issues/detail?id=8804#c28

... regarding the bits you picked out below, we have Cisco WiSMs, with WMM 
enabled - my HTC Desire works ok, my testing hasn't been much more than 
with that so far - the majority of our users return from summer vacation 
next week...


-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
--



On 30/09/2010 13:24, Osborne, Bruce W wrote:

Very useful information, James.

The most interesting quote from the second link is this:

===

The partial fix for getting Android 2.2 to connect to 802.1x secured network on 
Aruba APs was to disable 'Wireless Multimedia U-APSD (WMM-UAPSD) Powersave' in 
the advanced properties of the SSID profile.  This is enabled by default.

In the 802.1x Authentication Profile Changing the 'WEP Key Message Retry Count' 
value to 3, the 'Interval between WPA/WPA2 Key messages' to 3000msec, the 
'WPA/WPA2 Key Message Retry Count' to 3, and disabling 'Opportunistic Key 
Caching' seems to make things more reliable.  These are the new defaults in 
ArubaOS 5.x, but were set lower by default in earlier versions.

We have also found that not using an anonymous identity makes authentication 
more reliable, so it seems there could be an issue both in the WLAN driver and 
in the 802.1x supplicant.

We do still have to tell Android to forget the network then re-enter my 
credentials if WLAN is turned off though...
===

It is difficult following the "alphabet soup" of acronyms. If the above posting 
is correct, part of the problem appears to be an issue with WMM-PS and, more 
specifically, WMM-UAPSD. These are features I would expect on any multimedia mobile 
device to save battery life. Disabling WMM would disable the power saving features, but 
also disable QoS. Disabling WMM-UAPSD could reduce battery life on any device on that 
WLAN that properly supports WMM-UAPSD.

As I understand it, a WMM-UAPSD supported AP buffers data for devices and 
releases the data in response to a trigger packet from the client. This enables 
the client to periodically enter a low power state, preserving battery life.

===

Glossary:
WMM: Wi-Fi Multimedia certification used for QoS on a Wi-Fi network

WMM-PS: Wi-Fi Multimedia Power Save certification

WMM-UAPSD: Wi-Fi Multimedia Unscheduled Automatic Power Save Delivery

QoS: Quality of Service tagging on a network used to prioritize voice & video 
traffic.

===

Bruce Osborne
Network Engineer - Wireless & NAC
Liberty University





-Original Message-
From: James J J Hooper [mailto:jjj.hoo...@bristol.ac.uk]
Sent: Wednesday, September 29, 2010 3:42 PM
Subject: Re: Android 2.2 disappointing on the secure WLAN- is it just us?

On 29/09/2010 18:55, Lee H Badman wrote:

We have three cases of Droid smartphones that worked wonderfully on our
802.1x/WPA2 WLAN on Android 2.1 operating system. Since going to 2.2 with
the devices, getting them to connect to the secure wireless network is
almost impossible. Open networks are OK.




There are known issues:
http://code.google.com/p/android/issues/detail?id=8804

http://www.google.co.uk/support/forum/p/android/thread?tid=7f71ff06702e39e1

We have found that Android 2.2 "works" on our WPA2/AES eduroam, but
roaming and re-auth are not reliable.

HTC build 2.10.405.2 appears to improve things, but it's still not
brilliant...

Regards,
James






Re: [WIRELESS-LAN] Android 2.2 disappointing on the secure WLAN- is it just us?

2010-09-29 Thread James J J Hooper

On 29/09/2010 18:55, Lee H Badman wrote:

We have three cases of Droid smartphones that worked wonderfully on our
802.1x/WPA2 WLAN on Android 2.1 operating system. Since going to 2.2 with
the devices, getting them to connect to the secure wireless network is
almost impossible. Open networks are OK.




There are known issues:
http://code.google.com/p/android/issues/detail?id=8804

http://www.google.co.uk/support/forum/p/android/thread?tid=7f71ff06702e39e1

We have found that Android 2.2 "works" on our WPA2/AES eduroam, but 
roaming and re-auth are not reliable.


HTC build 2.10.405.2 appears to improve things, but it's still not 
brilliant...


Regards,
  James


--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
--



Cisco WiSMs (7.0.98.0), roaming and "dhcp required"

2010-09-13 Thread James J J Hooper

Hi All,
 Is anyone out there using 7.0.98.0 on their WiSMs and has the "DHCP 
required" setting enabled?


...We are having a problem:

* The DHCP required functionality works as expected upon initial connection.

* If the client roams between APs using pre-emptive caching (pmk-cache), 
the DHCP_REQUIRED state is activated again. As hosts don't renew their DHCP 
lease at this point, things break until the user renews their lease.


* This doesn't appear to be a problem if the host does a full re-auth 
because they seem to renew the DHCP lease at this point.


We have DHCP proxy disabled, and this is on a WPA2/AES Enterprise WLAN.

Has anyone else seen similar issues / know of a tweak to fix it?

Regards,
 James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk   
--



Re: [WIRELESS-LAN] share 802.1x experience? (Eduroam Question)

2010-08-19 Thread James J J Hooper

On 19/08/2010 17:45, Lee H Badman wrote:

Phillipe-

Good summary. On the topic of Eduroam- any sense of real demand and usage
for the service?

Thanks-

Lee


Hi Lee,

We are in the UK, but some stats for you:

1) People visiting Bristol in the last month is on the diagram here:
http://www.wireless.bris.ac.uk/getconnected/services/eduroam/eduroam-visitors-advice/

2) Stefan at Restena has put together a prototype system that shows daily 
usage between a selection of European countries:

http://ticker.eduroam.lu/daily.php
{So far today: a total of 3251 devices visiting another organisation 
within their own country, and 379 devices roaming outside their home country.}


-James


--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk/eduroam
--



Re: [WIRELESS-LAN] Cisco Wireless Controller Feature Gaps

2010-04-26 Thread James J J Hooper
--On Friday, April 23, 2010 12:34:28 PM -0400 Mike King  
wrote:



I was asked this today, and I didn't have a good answer, looking from
other Cisco Wireless Controller users to help me formulate a good
response.

What features do you find lacking in the wireless LAN controller that
are available in other products?

What is a major source of discontent with the product.

What feature do you wish the product has

I know I have one major source of discontent, the separate mesh releases
(which have finally been re-integrated in the 6.0 release)

What have you guys got?



I'm aware it's supposed to do IPv6, but have heard rumblings on the 
grapevine that it doesn't do it in a functional sense -- is anyone using 
IPv6 in production with Cisco WLCs (WiSMs in our case)?


If indeed the community believes this to be broken, then that would be a 
lacking feature for me.


Regards,
 James


--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk   http://www.jamesjj.net
--



Re: [WIRELESS-LAN] wireless labs

2010-01-20 Thread James J J Hooper

On 20/01/2010 22:01, John York wrote:

Hi
We are moving some of our labs from wired to wireless, but running into
problems with the windows client.  (We run Vista in our labs now,
hopefully will change to 7 before long.)  At present the machines
autologin with cached credentials, then they authenticate to the
wireless network.  This causes problems in drive mapping and running
group policies.  We're trying to find a way to authenticate to the
wireless at the machine level before any of the user level stuff runs.
Years ago we did this with the Funk Odyssey client.  Is there a way to
do that through windows, or does it still require a third-party client?
Thanks
John



Hi,
  If your wireless network is WPA/WPA2-Enterprise (802.1x), you can 
"machine authenticate" to the wireless. Windows supports two varieties:


1) You machine auth and that's it.

2) Machine auth when no-one is logged in, user auth when a user logs in.

We do (1) with a couple of hundred machines (mainly XP). We configure the 
machines via GPO. It works reliably.


Windows uses PEAP/MS-CHAPv2, so your RADIUS server will need to be 
configured for PEAP, and obviously be able to talk to your Domain servers. 
We use FreeRADIUS + Samba. MS IAS and many others should work as well. No 
need for cached credentials. Never-seen-before users can log on with their 
domain credentials - no problem.


Let me know if you have any follow-up questions.

-James


--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk  http://www.jamesjj.net
--

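As an added example (not the configuration from the message above, and not 
FreeRADIUS's shipped defaults), here are the FreeRADIUS 2.x-era pieces that 
variety (1), machine-only PEAP/MS-CHAPv2 against a Windows domain through 
Samba, needs. Assumed: the RADIUS host is joined to the domain (net ads join) 
and the radiusd user can read Samba's winbindd_privileged directory, otherwise 
ntlm_auth cannot answer; the domain name EXAMPLE, the ntlm_auth path and the 
SSID lab-machines are placeholders. Check the %{mschap:...} expansions against 
the mschap module documentation of the version you run.

```text
# modules/mschap: hand the MS-CHAPv2 challenge/response to winbind.
# A domain member authenticates with the identity host/pc01.ad.example.org
# and its computer-account key; %{mschap:User-Name} turns that identity into
# PC01$, which is the account name ntlm_auth has to be given.
mschap {
	use_mppe = yes
	require_encryption = yes
	require_strong = yes
	with_ntdomain_hack = yes
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-EXAMPLE} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}

# eap.conf: PEAP outside, MS-CHAPv2 inside, the inner leg handled by the
# inner-tunnel virtual server. The tls {} block (server certificate and CA)
# stays as shipped; the GPO on the clients should pin that CA, since a
# machine that accepts any server certificate will hand its NT hash
# response to a rogue AP.
eap {
	default_eap_type = peap
	peap {
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}
	mschapv2 {
	}
}

# sites-available/inner-tunnel, authorize section. The WLC sends
# Called-Station-Id as AP-MAC:SSID, so on the machine-only SSID anything
# that is not a computer-account identity is refused before ntlm_auth is
# consulted: a user's own domain credentials cannot reach the lab VLAN.
authorize {
	if ((outer.request:Called-Station-Id =~ /:lab-machines$/i) && (User-Name !~ /^host\//)) {
		reject
	}
	mschap
	eap
}
```

Variety (2) is the same server-side configuration; only the client profile 
changes (user-or-computer authentication), and the RADIUS server then sees 
host/ identities while nobody is logged in and user identities afterwards.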


Re: [WIRELESS-LAN] Migrating from WPA1 to WPA2- any tales of woe?

2010-01-05 Thread James J J Hooper

--On 05 January 2010 10:11 -0500 Devin Akin  wrote:


Good info James.

On the Win7/Vista comment, once a client is associated to an AP, it's
supposed to use that cipher suite until it reassociates to another AP or
is disconnected and reconnects (for whatever reason) to that same AP.
Cipher suite selection is based on a per-association basis, and CCMP
should always be preferred when the AP is announcing both in beacons and
probes for Wi-Fi certified clients.


With Vista and Win 7, you can setup multiple wireless network profiles for 
the same SSID (as long as the profile names are different). So you could 
set up one SSID XYZ profile to be WPA/TKIP and one SSID XYZ profile with 
WPA2/AES. If you do this, then indeed, the client will decide based on what 
it can 'see' and should pick the WPA2/AES if it can see both.


My point was that, unless you have already setup the two profiles, the 
clients will only have a profile for the SSID as it is now. The client will 
not connect if you change the wireless encryption, without manual 
interaction from the user.


-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk   http://www.jamesjj.net
--



Re: [WIRELESS-LAN] Migrating from WPA1 to WPA2- any tales of woe?

2010-01-05 Thread James J J Hooper
--On Tuesday, January 05, 2010 09:21:35 AM -0500 Lee H Badman 
 wrote:



Has anyone made the move from WPA1/TKIP-only to WPA2/AES-only in the WLAN?

Did you find a significant (or insignificant) percentage of client
devices that couldn't make the change? Did you make any attempts to
otherwise accommodate the user devices that couldn't make the jump? Any
other details of the transition worth mentioning?


Hi Lee,
 We have nearly completed this (we have a second SSID that is still 
WPA/TKIP, but that will be turned off in July. It has very few users.)


* XP SP2 will need SP3 or hotfix KB917021

* Many laptops ship with very old wireless drivers. Many of these proved to 
be unstable or not support WPA2, so our helpdesk have local copies or 
direct links to all the common drivers.


* We don't sell kit direct to users, but we keep a list of cheap and 
cheerful USB wireless adapters if a laptop's lack of WPA2 cannot be fixed 
with a driver update.


* For the smaller mobile devices, we haven't had problems - all that 
support 802.1x tended to support WPA2 as well.


* Ubuntu / Mac OS / Blackberry / iPhone can auto detect the change from 
WPA/TKIP to WPA2/AES and just work (with the same SSID name), but Vista and 
Win 7 can't. ...I can see the advantages of being able to enforce WPA2/AES 
client side though.



Regards,
 James


--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk   http://www.jamesjj.net
--



Re: [WIRELESS-LAN] Encryption and Authentication

2010-01-01 Thread James J J Hooper

--On 31 December 2009 10:08 -0500 Philippe Hanset  wrote:


Diana,

The info on the outer tunnel will always be un-encrypted for tunneled EAPs
(EAP-TTLS, EAP-PEAP, EAP-TLS, EAP-FAST...). What you want is to be able to
configure the supplicant to send "anonymous@realm" as the outer tunnel
identifier. 802.1x doesn't need a valid username for the outer tunnel to
function properly. In most supplicants (whether native OS or not) you can
define the identity of the outer tunnel.

Has anyone found an easy way to define the outer tunnel identity for the
native Microsoft supplicant? (we haven't found one so far)

If you plan to use "eduroam" in the near future, be aware that anonymous
will work, but the realm will be important for eduroam-routing purposes
(eg: anonymous@yourdomain will have to appear on the outer tunnel)

Best 2010,

Philippe
Univ. of TN


Hi All,
 Happy New Year! Although only for Win7:
<http://blogs.msdn.com/eapteam/archive/2009/01/16/peap-identity-privacy-support-in-windows7.aspx>

We are using this with our Win7 eduroam clients.

Regards,
 James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk   http://www.jamesjj.net
--



Re: [WIRELESS-LAN] Cisco WiSM webauth custom login page

2009-11-10 Thread James J J Hooper
--On Tuesday, November 10, 2009 17:14:32 + Jeremy Skelton 
 wrote:



Has anyone got a working example custom webauth login page they would be
willing to share. I've got one mostly working which I based on the
default page with major formatting changes - but it is failing at the
last hurdle - the login part works, as do the commercial certificates
which I have uploaded to encrypt the login details, but it won't
re-direct to the originally requested web page.



Interestingly, the default page shows the same problem if I upload it as
a custom page (along with the loginscript.js file that it calls), so I
think the problem may be either the location, or that it is called
differently, or maybe I need some other file that is present at the
default location and I haven't copied.



The default page is called with URL such as
https://webauth.wism.lse.ac.uk/login.html?redirect=www.cisco.com/, and
the custom page with

https://webauth.wism.lse.ac.uk/fs/customwebauth/login.html?switch_url=https://webauth.wism.lse.ac.uk/login.html&ap_mac=00:19:07:8e:f9:30&wlan=twa&redirect=www.cisco.com



As a bit of background, we currently have two WiSMs (one each in two of
our four 6509s, which will become six before long) and around 270 APs.
We will get a third WiSM for when we break the 300 AP barrier. The WiSMs
are running version 6.0.182.0. We have 802.1x working OK but not widely
deployed for other reasons, and also unauthenticated pass-through to our
Bluesocket gateways  which are currently under pressure, which is why we
are pursuing the WiSM web authentication route as a half-way house
towards 802.1x everywhere. We have purchased and uploaded commercial
certificates for the



I've got a support call open with our supplier, but I don't think this
is a widely used feature so there isn't a lot of experience around and
they haven't provided an answer. Any assistance will be gratefully
received.



Jeremy Skelton, London School of Economics IT Service


Hi Jeremy,
 We specifically redirect to our homepage, so our config probably wouldn't 
help you. However I notice that the bit I commented out in loginscript.js 
has this:

var searchString = "?redirect=";

at least with our WiSMs the redirect is added as the last URL argument i.e.
?blah=a&foo=bar&redirect=URL

so in order to catch the URL you would need to change the JS to something 
like:


var searchString = '&redirect=';

does that correlate with your situation?

-James


--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk   http://www.jamesjj.net
--

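An added example, not code from the thread or from Cisco's loginscript.js, 
that does two things a custom webauth page needs: it finds "redirect" 
wherever it sits in the query string (first argument or last, so neither 
"?redirect=" nor "&redirect=" has to be guessed), and it refuses to send the 
browser anywhere except a plain host/path. Without the second part the login 
page is an open redirect: anyone can mail a link to the portal whose 
redirect= points at a phishing site or a javascript: URL, and the user lands 
there after typing a valid password. The portal home URL in the usage comment 
is a placeholder.

```javascript
// Decode one query-string token; malformed %-escapes are returned untouched
// rather than throwing inside the login page.
function decodeToken(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return s;
  }
}

// Parse "?a=1&b=2" (leading "?" optional) into an object. The first value of
// a repeated key wins, so a second "&redirect=" appended to a crafted link
// cannot override the one the controller put there.
function parseQuery(search) {
  const params = {};
  if (typeof search !== 'string') return params;
  const qs = search.charAt(0) === '?' ? search.slice(1) : search;
  for (const pair of qs.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = decodeToken(eq < 0 ? pair : pair.slice(0, eq));
    const value = eq < 0 ? '' : decodeToken(pair.slice(eq + 1));
    if (!Object.prototype.hasOwnProperty.call(params, key)) params[key] = value;
  }
  return params;
}

// The controller passes the original destination as a bare "host/path"
// (redirect=www.cisco.com/ in the URL quoted above). Accept only that shape:
// dotted hostname, optional port, optional path. No scheme, no "//", no "@".
const HOST_PATH = /^([a-z0-9-]+\.)+[a-z0-9-]+(:\d{1,5})?(\/[^\s]*)?$/i;

// Turn the raw redirect value into an absolute URL, or return the fallback.
// Rejects javascript:, data:, protocol-relative and userinfo tricks, and
// control characters, so the login page cannot be used as an open redirect.
function safeRedirectTarget(raw, fallback) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return fallback;
  let scheme = 'http';
  let target = raw;
  const m = /^(https?):\/\/(.*)$/i.exec(target); // some builds include the scheme
  if (m) {
    scheme = m[1].toLowerCase();
    target = m[2];
  }
  if (/[\x00-\x1f\x7f]/.test(target)) return fallback;
  if (!HOST_PATH.test(target)) return fallback;
  return scheme + '://' + target;
}

// What the page calls after a successful login.
function redirectFor(search, fallback) {
  return safeRedirectTarget(parseQuery(search).redirect, fallback);
}

// Constructed sample in the shape of the custom-page URL quoted in the thread.
const SAMPLE_SEARCH =
  '?switch_url=https://webauth.wism.lse.ac.uk/login.html' +
  '&ap_mac=00:19:07:8e:f9:30&wlan=twa&redirect=www.cisco.com';

// In the page (portal home URL is a placeholder):
//   window.location.replace(redirectFor(window.location.search, 'http://portal.example/'));
```

If the portal only ever needs to return users to a handful of sites, an 
allow-list of hostnames checked inside safeRedirectTarget is stricter still 
than the host/path shape test.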


Re: [WIRELESS-LAN] wireless DHCP lease time

2009-09-30 Thread James J J Hooper

Garrett Harmon wrote:
We're running into some issues at the ramp up of a quarter with our DHCP 
lease time attempting to utilize the /24's we currently pool for our 
main essid. We moved from 1hr. to 30 minutes, but are still running out 
of leases occasionally. For instance, we have 160 users in a /24, but 
due to the transient nature of wireless/classes leases that are used for 
a brief moment the cycle isn't quite efficient enough.


What is everyone else using for wireless DHCP lease times? I know I can 
just add another /24 to the pool, but the networks are not being 
utilized enough. We want to try 15 minutes but are wondering if we will 
start to run into issues related with that? Your input is greatly 
appreciated!!




Hi,
  We give out 30 minute leases and peak at about 700 used leases with 600 
peak concurrent wireless users at the moment. We have two /22 nets (enough 
for when the usage picks up towards deadline time).


Two things:
 - If you're using ISC DHCPd in failover mode, I believe each client's 
'new' lease is for the MCLT time (renewals are then for whatever you 
actually set the lease time to).


 - We do:
option space MSFT;
option MSFT.release-dhcp-lease-on-shutdown code 2 = unsigned integer 32;
# the definition alone sends nothing: the value must be set, and the MSFT
# space encapsulated into option 43 only for clients that identify as Windows
option MSFT.release-dhcp-lease-on-shutdown 1;
class "MSFT" { match if substring(option vendor-class-identifier, 0, 4) = "MSFT"; vendor-option-space MSFT; }

... to try to persuade Windows machines to explicitly release their leases 
if they are shut down while still in wireless range - there must be an 
equivalent to set this DHCP option if you're not using ISC dhcp.


-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk   http://www.jamesjj.net
--



Re: [WIRELESS-LAN] Phones with 802.1x capabilities...

2009-08-04 Thread James J J Hooper
--On Tuesday, August 04, 2009 09:27:40 -0500 Hector J Rios  
wrote:



I've run into a couple of cellphones that have 802.1x capabilities and
even built in certificates. The issue is that when they try to connect
to our network (802.1x/PEAP) they get stuck on the certificate step. It
basically says that a certificate is required. But when I look in the
certificates for the phones, I see a bunch of Root certificates,
including the one that would be needed for our setup. Anybody messed
with this?



Hi Hector,
 We have done bits and pieces with WM / Palm / Symbian / Blackberry kit. 
Please see here for our connection guidance:

<http://www.wireless.bris.ac.uk/getconnected/students/#mobilethings>

Windows mobile, even these days, isn't brilliant by default for 802.1x. If 
anyone is relying on using a WM device with 802.1x wireless, I usually 
recommend that they go and buy a supplicant program (e.g. 
<http://www.juniper.net/us/en/products-services/software/ipc/odyssey-access-client/oac/>)


-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bris.ac.uk  http://www.JamesJJ.net
--



iPhone: preventing safari doing "wifi login mode" on your captive portal

2009-07-03 Thread James J J Hooper

Hi All,
  I noticed a couple of posts related to the new iPhone v3 OS. None seemed 
to be directly related to preventing safari doing "wifi login mode" on a 
captive portal - so a new thread.


1) 'Google' says install the Boingo App. I haven't tried this (and it's not 
feasible to get all the users to do this IMHO).


2) This works for me:
 * Ensure www.apple.com DNS resolves to your captive portal web server.

 * Have the web server serve the following HTML from this url:
http://captiveportal.com/library/test/success.html

-
<HTML>
<HEAD>
<TITLE>Success</TITLE>
</HEAD>
<BODY>
Success
</BODY>
</HTML>
-


i.e. so when the iPhone tests for internet connectivity by asking for:
http://www.apple.com/library/test/success.html
it will ''work'' on your captive portal (so login mode is not triggered).

e.g: <http://www.wireless.bris.ac.uk/library/test/success.html>

Regards,
 James


--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bris.ac.uk  http://www.jamesjj.net
--



Re: [WIRELESS-LAN] 802.1X accounting, outer identity

2009-03-31 Thread James J J Hooper
Michael Dickson wrote:
> Hi,
> 
> How are people handling accounting records for your 802.1X wireless
> networks with regard to TTLS and outer identity?
> 
> I found a discussion about this in 2006 (subject "802.1X accounting,
> PEAP outer identity"). Back then the problem was acknowledged but not
> resolved.
> 
> We use Radiator and PAP/EAP-TTLS. For Windows users we are offering
> SecureW2.
> 
> If the outer identity were manually configured with the user's real ID
> then we'd have accurate records. The problem occurs because people can
> configure anything they want in the Outer Identity field (called Roaming
> Identity in Windows). Leaving it blank is interpreted differently by
> different supplicants (MacOS uses the inner identity, SecureW2 uses
> "anonymous", etc..).
> 
> Has anyone found a way to map the outer identity to the inner identity
> so that we can track users accurately as they roam?

Hi Mike,
  Generally, your NAS (the switch / wireless access point / whatever) will
use the _username sent back_ in the outer part of the access-accept
packet when creating accounting packets.

... So during the authentication (when the radius server has access
to the inner user-name), configure your radius server to update the
user-name outside of the TLS tunnel with the username from inside the
TLS tunnel and then your accounting will use the genuine user-name.

AUTH: NAS -> fakeuserN{realname} -> RADIUS -> realname{realname} -> NAS
then
ACCT: NAS -> realname -> RADIUS

It's easy in freeradius. Sorry, I have never used Radiator.

Regards,
  James

-- 
James J J Hooper
Network Specialist
University of Bristol
http://www.JamesJJ.net

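The exchange in the diagram above written out as FreeRADIUS 2.x unlang, as an 
added example rather than the poster's configuration. Both pieces go in the 
inner-tunnel virtual server, which is the only place the verified inner name 
is available; the realm example.ac.uk is a placeholder. One caveat before 
copying it: the real username then travels in the clear in the Access-Accept 
to the NAS and through every proxy in between, which is exactly what the 
anonymous outer identity was meant to avoid when roaming, so for eduroam the 
usual alternative is to return a Chargeable-User-Identity (RFC 4372), a 
stable pseudonym the visited site can account against without learning the 
name.

```text
# sites-available/inner-tunnel

authorize {
	# The client chose the outer identity; the inner one is what gets
	# verified. If the outer identity carries a realm, it has to be ours:
	# under eduroam a request with another realm should never have been
	# routed here, and locally it stops a user from hiding behind someone
	# else's realm in the NAS logs.
	if ((outer.request:User-Name =~ /@/) && (outer.request:User-Name !~ /@example\.ac\.uk$/i)) {
		reject
	}
	mschap
	eap
}

post-auth {
	# Inner auth succeeded: put the real name in the outer Access-Accept.
	# The NAS takes the User-Name from the Access-Accept and uses it in
	# every Accounting-Request for the session, which is the ACCT leg of
	# the diagram.
	update outer.reply {
		User-Name := "%{request:User-Name}"
	}
}
```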


Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2

2009-02-21 Thread James J J Hooper
James J J Hooper wrote:
> Lee H Badman wrote:
>> Wondering if anyone has gone down this road… according to
>>
>> http://na.blackberry.com/eng/deliverables/4133/BB_Ent_Soln_Security_4.1.6_STO.pdf
>>
>>  
>>
>> the Blackberry 8900 should be able to do 802.1x with PEAP and MS-CHAPv2-
>> which does not require a client-side cert. And even though you can tell
>> the device not to verify server cert, this has nothing to do with the
>> fact that the Blackberry seemingly demands a cert or won’t even let you
>> go on (certainly not the first handheld to act like this). This is a
>> client device, so I don’t have the luxury of playing with it very much,
>> and so looking to glom onto anyone else’s success if you may have
>> figured out how to work past this. We have multiple auth servers as
>> well, which may or may not complicate it.
>>
>>  
>>
>>  
>>
>>  I know these EAP types are not “standards” and device manufacturers
>> have freedom to implement as they see fit.
> 
> 
> Hi Lee,
>Not specifically on a 8900, but we did get PEAP/MS-CHAPv2 on a 8120:
> http://www.wireless.bris.ac.uk/getconnected/services/uobroam/manual-blackberry/


I had more of a think. The certificate mentioned in those instructions
is an intermediate certificate. Our radius server sends it to clients along with
its server cert, but we couldn't get the blackberry to connect without
specifically installing the intermediate cert first. So, if your cert is a chained
one, you have to install the intermediate certs (but not the final radius server
cert) on to the blackberry first. As long as all your auth servers are signed by
the same CA, once one works, they all will.

The 'UoB-Wireless' SSID mentioned is open (only lets you get to the wireless web
site and a VPN server), so we can use it to get certs directly to a device. The
blackberry recognises certs with .cer extension, mime type
application/x-x509-ca-cert in x509 format.

Regards,
  James

--
James J J Hooper
University of Bristol
http://www.wireless.bris.ac.uk
--



Re: [WIRELESS-LAN] Blackberry 8900 on 802.1x w PEAP, MS-CHAPv2

2009-02-21 Thread James J J Hooper
Lee H Badman wrote:
> Wondering if anyone has gone down this road… according to
> 
> http://na.blackberry.com/eng/deliverables/4133/BB_Ent_Soln_Security_4.1.6_STO.pdf
> 
>  
> 
> the Blackberry 8900 should be able to do 802.1x with PEAP and MS-CHAPv2-
> which does not require a client-side cert. And even though you can tell
> the device not to verify server cert, this has nothing to do with the
> fact that the Blackberry seemingly demands a cert or won’t even let you
> go on (certainly not the first handheld to act like this). This is a
> client device, so I don’t have the luxury of playing with it very much,
> and so looking to glom onto anyone else’s success if you may have
> figured out how to work past this. We have multiple auth servers as
> well, which may or may not complicate it.
> 
>  
> 
>  
> 
>  I know these EAP types are not “standards” and device manufacturers
> have freedom to implement as they see fit.


Hi Lee,
   Not specifically on a 8900, but we did get PEAP/MS-CHAPv2 on a 8120:
http://www.wireless.bris.ac.uk/getconnected/services/uobroam/manual-blackberry/
(OS: 4.3.0.67)

-James

--
James J J Hooper
University of Bristol
http://www.wireless.bris.ac.uk
--



Re: [WIRELESS-LAN] Integrating Cisco WiSM and FWSM

2008-05-14 Thread James J J Hooper

--On Monday, May 12, 2008 16:49:03 -0600 John Duran <[EMAIL PROTECTED]> wrote:


Good Afternoon,

We are looking at moving one of our wireless SSIDs into a Guest type
service that allows certain encrypted, authenticated and authorized
TCP/UDP ports. We plan on configuring this with an FWSM facing our
Internet connection so that we are treating clients on this SSID like
guests with more access, but still somewhat restricted.
My question is; has anyone accomplished this without using VRFs to route
the traffic to the FWSM and if so did you employ the Guest Anchor
controller model specified in the CISCO 4.1 Wireless Deployment Guide. My
suspicion is that this may be accomplished without utilizing the
Anchor/Foreign controller model and without using VRFs.
The only document that I have found that specifically refers to
integrating the FWSM with the WiSM is at the following link and specifies
VRFs as part of the solution.
http://www.cisco.com/en/US/docs/wireless/technology/wism/technical/reference/appnote.html#wp41069
My local CISCO SE indicated that this could be accomplished by simply
passing the VLAN traffic through a context on the FWSM.


Hi John,
 We have multiple wireless services setup just like that: wism vlan->FWSM, 
with fwsm in transparent mode. No extra magic required. We use the fwsm to 
PAT wireless users on private IPs to the inside and outside worlds.


-James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
--



Cisco Wisms CPU

2008-02-13 Thread James J J Hooper

Hi All,
  A quick question for those out there with WISMs... What level of  
CPU usage are you experiencing (with how many users)?


A bit of background...
We have two wism blades (4 wisms) and since we purchased them in  
about april'07 they were running at about 35%, rising to 50% at peak  
times, with frequent spikes up to about 90%. The spikes were  
worrying, but the average seemed ok, and as they did this from day  
one I was under the impression this was the norm.


Recently, we upgraded to the 4.2.x.y stream from 4.1. As has been  
covered in other recent posts, 4.2 has some outstanding issues (more  
than others anyway) and things became unstable... so we decided to go  
back to 4.1.85.0 (TAC hasn't provided us with any solutions for 4.2  
issues). We had a backup of our previous 4.1 config, but I chose not  
to use it and start again from scratch (a few things had changed, so  
either way involved work)


Since the reversion to 4.1.85.0, our cpu usage now averages 2% and  
peaks at 6% at peak times (220 waps, ~350 users).

[4.1.85.0, 12.2(18)SXF7]

Thanks,
  James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk
--



Re: [WIRELESS-LAN] Cisco WISM + Radius to select VLAN

2007-10-22 Thread James J J Hooper

Hi Dennis,
  Yes there is a "np8ss0" dynamic i/f. I have tried combinations of  
just the VLAN type attributes and just the airespace attributes and  
with both - no joy with either.


-James

On 22 Oct 2007, at 22:35, Dennis Xu wrote:


James,

The client should be moved to the vlan specified in "Airespace /
Interface-Name" attribute, not "Tunnel-Group-ID". Do you have a  
dynamic

interface called "np8ss0" in your WLC?


Dennis Xu
Network Analyst(CCS)
University of Guelph
5198244120 x 56217

-----Original Message-
From: James J J Hooper [mailto:[EMAIL PROTECTED]
Sent: October-22-07 12:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco WISM + Radius to select VLAN

Hi All,
  We have the Cisco WISM solution up and running. I have set up a new
WLAN
SSID with web based auth. I now want to put the users in different  
VLANs


depending on who they are using the RADIUS reply. I have ticked the
'Allow
AAA Override' box and i'm sending back the following RADIUS  
attributes:


Sending Access-Accept of id 50 to 172.17.107.242 port 32769
Airespace-Interface-Name = "np8ss0"
Service-Type = Login-User
Tunnel-Medium-Type = IEEE-802
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "449"
Airespace-Wlan-Id = 3

These are correctly received by the WISM:

Packet contains 6 AVPs:
AVP[01] Airespace / Interface-Name.np8ss0 (6 bytes)
AVP[02] Service-Type...0x0001 (1) (4 bytes)
AVP[03] Tunnel-Medium-Type.0x0006 (6) (4 bytes)
AVP[04] Tunnel-Type0x000d (13) (4 bytes)
AVP[05] Tunnel-Group-Id449 (3 bytes)
AVP[06] Airespace / WLAN-Identifier0x0003 (3) (4 bytes)


but the client still remains in the default VLAN (i.e. is not moved to
449).


Does anybody know: Am i sending the correct attributes back?

What the magic incantation to make it work is?

We are running 4.1.185.0 on the WISMs and FreeRADIUS 1.1.7 for AAA.

Many Thanks,
  James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bris.ac.uk
--



Cisco WISM + Radius to select VLAN

2007-10-22 Thread James J J Hooper

Hi All,
 We have the Cisco WISM solution up and running. I have set up a new WLAN 
SSID with web based auth. I now want to put the users in different VLANs 
depending on who they are using the RADIUS reply. I have ticked the 'Allow 
AAA Override' box and i'm sending back the following RADIUS attributes:


Sending Access-Accept of id 50 to 172.17.107.242 port 32769
   Airespace-Interface-Name = "np8ss0"
   Service-Type = Login-User
   Tunnel-Medium-Type = IEEE-802
   Tunnel-Type = VLAN
   Tunnel-Private-Group-Id = "449"
   Airespace-Wlan-Id = 3

These are correctly received by the WISM:

Packet contains 6 AVPs:
   AVP[01] Airespace / Interface-Name.np8ss0 (6 bytes)
   AVP[02] Service-Type...0x0001 (1) (4 bytes)
   AVP[03] Tunnel-Medium-Type.0x0006 (6) (4 bytes)
   AVP[04] Tunnel-Type0x000d (13) (4 bytes)
   AVP[05] Tunnel-Group-Id449 (3 bytes)
   AVP[06] Airespace / WLAN-Identifier0x0003 (3) (4 bytes)


but the client still remains in the default VLAN (i.e. is not moved to 449).


Does anybody know: Am i sending the correct attributes back?

What the magic incantation to make it work is?

We are running 4.1.185.0 on the WISMs and FreeRADIUS 1.1.7 for AAA.

Many Thanks,
 James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bris.ac.uk
--
