Aruba-centric PEF logging question
Quick question: what is the loglevel to get NAT and PAT translations from an Aruba controller? I'm stuck, but I still don't feel like wasting an afternoon with TAC. Does someone know offhand? Thanks!

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] advice on implementations for Aruba
Anyone?

Jason Appah Security / Systems Administrator OIT 541-885-1719

On Dec 7, 2011, at 1:52 PM, Jason Appah jason.ap...@oit.edu wrote:

All, We are looking to allow the private addresses of the unsecured wireless to pass through our Aruba; how would we go about configuring the NAT pools to accomplish this? That is, the 192.168.x.x that the client is assigned to pass through the Aruba on the way out to the external FW. As it stands right now the Aruba is performing PAT on its own address for the clients behind it. The only reason why this is an issue is our Aruba performs captive portal for our wired and wireless infrastructure, so it is in fact the router. Any suggestions or reading? I'm not looking for the dc-daylight but more a primer on where to start. Thanks!
Re: [WIRELESS-LAN] advice on implementations for Aruba
Thanks!

Jason Appah Security / Systems Administrator OIT 541-885-1719

On Dec 9, 2011, at 8:24 AM, Brooks, Stan stan.bro...@emory.edu wrote:

Jason - We moved our NAT functionality off the Aruba controllers to separate boxes because of some limitations in the NAT functionality in our specific architecture. We are using two different boxes/methods - one for guest users and one for authenticated users. While the Aruba NAT capability is quite good, it didn't go quite far enough for us from a routing and logging perspective. If you are just trying to set up different NAT pools for each group's traffic - that's easy. If what you are trying to do is more involved, I may be able to point you in the right direction as well. Contact me off list to discuss the particulars.

- Stan Brooks - CWNA/CWSP Emory University University Technology Services 404.727.0226 AIM/Y!/Twitter: WLANstan MSN: wlans...@hotmail.com GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jason Appah [jason.ap...@oit.edu]
Sent: Friday, December 09, 2011 10:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] advice on implementations for Aruba

Anyone?

Jason Appah Security / Systems Administrator OIT 541-885-1719

On Dec 7, 2011, at 1:52 PM, Jason Appah jason.ap...@oit.edu wrote:

All, We are looking to allow the private addresses of the unsecured wireless to pass through our Aruba; how would we go about configuring the NAT pools to accomplish this? That is, the 192.168.x.x that the client is assigned to pass through the Aruba on the way out to the external FW. As it stands right now the Aruba is performing PAT on its own address for the clients behind it. The only reason why this is an issue is our Aruba performs captive portal for our wired and wireless infrastructure, so it is in fact the router. Any suggestions or reading? I'm not looking for the dc-daylight but more a primer on where to start. Thanks!
advice on implementations for Aruba
All, We are looking to allow the private addresses of the unsecured wireless to pass through our Aruba; how would we go about configuring the NAT pools to accomplish this? That is, the 192.168.x.x that the client is assigned to pass through the Aruba on the way out to the external FW. As it stands right now the Aruba is performing PAT on its own address for the clients behind it. The only reason why this is an issue is our Aruba performs captive portal for our wired and wireless infrastructure, so it is in fact the router. Any suggestions or reading? I'm not looking for the dc-daylight but more a primer on where to start. Thanks!
RE: Strange behavior: iMacs 2011
We have had lots of problems with Firefox and our Aruba in general when used with the captive portal. You didn't mention if this is 802.1x or CP or WPA, but Safari and Firefox seem to have problems with our CP on Aruba over wireless only.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Wednesday, June 01, 2011 3:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Strange behavior: iMacs 2011

All, (I checked the Archives and couldn't find anything on this) One of our desktop support guys is losing his mind on a problem with three iMacs that have a very erratic behavior on wireless only.

-Those iMacs were purchased during the last month.
-They can join Wireless
-They can get a DHCP lease
-Ping, traceroute, etc. works
-Web (Safari or Firefox) doesn't work at all (either by name or by IP address)

This is on an Aruba infrastructure (AP-125 with M3 controllers). There is a discussion about this problem at: https://discussions.apple.com/message/15166297#15166297 Anyone else facing this problem? Any resolution (we have contacted Apple... but that might take a while)?

Thank you, Philippe Hanset Univ. of TN
RE: [WIRELESS-LAN] Cisco WLC code
We are using it now, it's niice!

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King
Sent: Wednesday, March 23, 2011 9:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLC code

Holy crap. I guess I gotta call Avaya.

On Wed, Mar 23, 2011 at 11:17 AM, Jeffrey Sessler j...@scrippscollege.edu wrote:

Mike, IDEngines still lives. Their products, including Ignition and Guest Manager, are alive and well at Avaya. In January, Avaya released version 7.0 of the product as a virtual appliance.

Jeff

Mike King m...@mpking.com 3/22/2011 5:39 PM

I completely agree with you there Lee. I still pine for the days when IDengines was a shipping product.

On Tue, Mar 22, 2011 at 6:46 PM, Lee H Badman lhbad...@syr.edu wrote:

I have never, ever liked the Cisco guest portal. We had specific guest requirements, and engaged Bluesocket. They worked with us to give us exactly what we wanted in function, and it is quite elegant for a university setting. Contact me if you'd like more information.

-Lee Badman

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King [m...@mpking.com]
Sent: Tuesday, March 22, 2011 5:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLC code

I've been on 7.0.98.0 since it was released (in June) of last year. This is the longest I'm aware of for the WLC system to be on the same version of code on the Cisco website (10 months without a new release). We don't use the webauth heavily, but we haven't had any problems with it.

Taken directly from the Cisco download portal. 6.0 is a MD train and 6.0.199.4 is a potential MD/AW release. Cisco AW is AssureWave Testing. http://www.cisco.com/en/US/netsol/ns779/networking_solutions_program_category_home.html

Current gossip in Cisco support circles is that the 5.x code is the devil. (Seriously) They want you on 4.x, 6.x or 7.x. I went to 7.x because there was a bug that affected all versions of code last June, and it was only fixed in 7.x (6.0.199.x got it after 7.x) and we were being severely hurt by it. I haven't regretted the decision.

Mike

On Tue, Mar 22, 2011 at 4:54 PM, John York yo...@brcc.edu wrote:

We're upgrading from a 4402 to 5508 WLC system. The 4402 has had nagging problems with webauth off and on for as long as I remember. We're presently having trouble on 5.2.193.0, which I thought was good. One flavor is that the login page doesn't redirect properly--the WLC fqdn shows in the browser's url window but the browser doesn't go there. Typing the url as https://x.x.x.x/login.html works for them, even though the client's DNS resolves the address properly. The other flavor is the login page appears, but doesn't work--the traffic doesn't make it to the Access Control Server or appear in the ACS logs. This will happen to one person while several others have no problem. A day or two later, the problem person's login works great and someone else has trouble. I've seen several bug reports on these.

Anyway, the new WLC came with 6.0.199.4. I asked TAC what load they recommended and the answer was that I should really ask my account manager or vendor, but they would use 7.0.98.0. Would 7.0.98.0 be a good load to go to, and does webauth work better with that load?

Thanks John
RE: [WIRELESS-LAN] Wireless Printing in Dorm Rooms
The simple answer for that is a wireless print server, VLAN the printers and give the only route to the printers via the print server... voilà! Choke point! CUPS works great for Windows and Mac and Linux. As well as working with most printers. Just make certain to bill whatever dept really complained about this for your time and materials!

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jeffrey Sessler
Sent: Monday, January 03, 2011 10:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Printing in Dorm Rooms

Significant nightmare given that most of the wireless printers I've found don't support access control, so once they are on your wireless network, everyone can print to them.

Jeff

Holland, Stephen s.holl...@neu.edu 1/3/2011 9:17 AM

Currently my school provides wireless access to some dorms. We do not support wireless printers and I have been asked to provide a solution as students want to use wireless printers in their dorm rooms. From my perspective this would be a logistics nightmare as each student could bring in their own printer which could be manufactured by a number of different vendors. In addition different operating systems locate printers using different means (Bonjour for example) and this would further complicate the issue. I'm curious to know if other schools have implemented such a solution and how successful the implementation has been.

Thanks so much Stephen Holland Network Engineer Northeastern University
Machine Authentication and IAS 2008
We are a complete Aruba shop, and I'll confess I haven't actually ticketed this with Aruba, but... Has anyone else been able to make machine auth work with IAS as the RADIUS? Each time the authentication comes across as bad username/password on the machine account. We had an IDengines Ignition server that worked flawlessly but has now died. IAS was the replacement and machine auth hasn't worked since. So, has anyone else experienced this?

Jason Appah Security/Systems Administrator Oregon Institute of Technology Oregon's only Technical Institute. Office 541-885-1719 Fax 541-885-1919 Email jason.ap...@oit.edu
Securing IPAD
As iPads and iPhones become more prevalent in staff and faculty hands, we become more interested in securing that new endpoint, for instance remote wipe, and application security. Can anyone on or off list speak to securing this new popular little bugger?
RE: Wireless Bakeoff
We have been Aruba from the start, and have deployed N alongside our initial BG with great success... a nice phased approach! The controllers support 10GBE, the N radios have dual Gig uplinks (we use one for POE and one for GB uplink). This was one of the deciding factors against MERU and Xirrus was that it was all or nothing. Don't get me started on licensing though :) Just my personal .02

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Huels, Chris
Sent: Monday, October 04, 2010 9:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Bakeoff

All, Currently Washington University uses Meru for wireless. In order to migrate to 802.11n, we will have to replace all of the access points and look at replacing the controllers to accommodate the throughput. This has given us the opportunity to go back and assess other vendors that offer enterprise wireless solutions. The vendors that we are looking into are Meru, Aruba, and Cisco. I would like to get input from this group on some pros and cons of each, or are there other vendors that have been working well? Any input would be helpful.

Thanks Chris
RE: [WIRELESS-LAN] Vendors contacting list's participants...
I know that we've been contacted about issues relating to our rants on technical nagging problems (again for support, not sales), and this makes us quite happy. A perhaps unintended but useful feature :)

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Philippe Hanset
Sent: Friday, August 27, 2010 8:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Vendors contacting list's participants...

Bruce, The Educause Guidelines mention unsolicited commercial communications. Really, it's up to list subscribers to decide on direct communication's appropriateness. Imagine that Apple Inc. posts on this list a bug fix announcement for MacBook Pro (we can always dream ;-). That's not commercial, that's technical!

Philippe

On Aug 27, 2010, at 4:52 AM, Osborne, Bruce W. (NS) wrote:

Philippe, I assume that it's OK for a vendor to contact an existing customer to resolve an issue that is mentioned on the list. (Primarily for support, not sales) I know that, from time to time, I have alerted vendors about customers who expressed issues with the vendor's products on the list.

Bruce Osborne Liberty University

From: Philippe Hanset [phan...@utk.edu]
Sent: Thursday, August 26, 2010 5:26 PM
Subject: Vendors contacting list's participants...

All, I just received a complaint from a participant that has been contacted directly by a vendor as a result of a posting on this list. Besides the fact that it violates Educause's policy on list usage, this kind of behavior could progressively mute this list. Participants from educational institutions should be able to ask questions freely on this list without the fear of receiving unsolicited emails or phone calls. Please respect these basic requirements.

Thank you for your understanding, Philippe Hanset Constituent Group Leader wireless-...@educause.edu

p.s. you can report unsolicited communication directly to me, I will make sure to inform Educause
RE: [WIRELESS-LAN] Limiting Bandwidth on Autonomous APs
Procera will do that exactly

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Urrea, Nick
Sent: Friday, April 23, 2010 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Limiting Bandwidth on Autonomous APs

I like the idea of limiting based on usage and time. The incident involving the 1 TB of data was a connection between a Mac and a Time Capsule connected to the same AP using Time Machine. The data never traversed our internet connection. Most of the problems we are experiencing could be solved if we limit heavy users after a certain amount of time.

Nicholas Urrea Information Technology UC Hastings College of the Law urr...@uchastings.edu x4718

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Ammar Abdulahad
Sent: Friday, April 23, 2010 9:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Limiting Bandwidth on Autonomous APs

Nick, With BlueCoat packet shaper, you can use dynamic partitions for the dorm subnet to insure fairness to a certain extent. Or you can set up a partition to limit the backup traffic. If the backup traffic is encrypted then it's game over unless you want to use adaptive response, so when a user hits a certain amount of bandwidth you classify his traffic and put him in a partition with lower bandwidth for a limited time period you define (I haven't done this with the packet shaper but I know it is doable).

Ammar Abdulahad Wireless/Network Analyst Lawrence Technological University

On Fri, Apr 23, 2010 at 11:43 AM, Jeffrey Sessler j...@scrippscollege.edu wrote:

It's unlikely that QoS is going to solve this problem unless you can properly classify the backup data from everything else. Depending on the age/type of the AP, its firmware, and the clients connected to it, ensuring fair use of the radio may be more of a problem than the amount of traffic being passed. Packet shaping is one alternative, but that's assuming it's a data capacity and not a radio fairness issue. You may simply be at the point of exceeding your current wireless design, and it may be time to look at upgrading to 802.11n, increasing AP density, or a combination of both.

In my residential areas, since 2003 we've provided wired gigabit connections to our students, yet they prefer the freedom of our WiFi network. Given the trend, we designed and deployed our new WiFi network with capacity and not coverage as the primary factor. The design resulted in a dense AP deployment, providing a dual-channel 802.11n AP per ~7-12 residential students. A dual-channel AP per ~7-12 users may seem excessive to some, but the reality is that WiFi is now the primary/only network for the majority of our students, and as such, it needs to perform at an appropriate level. If a student wants to transfer 1TB of data, stream movies, edit Photoshop files, etc. the wireless design/network shouldn't be a limiting factor.

Jeff

Urrea, Nick 04/22/10 9:47 AM

We are experiencing a problem in our dorm where one wireless user will use all of the available bandwidth on an 802.11g Autonomous AP's radio. We are currently using a Bluecoat Packeteer packet shaper to shape traffic at the Internet. The problem I have seen is with user on-line backups, either to a Time Capsule (student moved a terabyte of data in a month) or to (Mozy, Backblaze, etc.). We receive complaints that the Internet is slow. I am new to setting up QoS on Cisco devices. Is there a way of limiting through QoS on an AP, so that if a student is using all of the radio's bandwidth other users using the same AP have a fair share of bandwidth? I would prefer not to rip and replace our 802.11g APs for 802.11n APs. Any other ideas are welcomed.

Nicholas Urrea Information Technology UC Hastings College of the Law urr...@uchastings.edu x4718
RE: [WIRELESS-LAN] Aruba vs HP vs Meraki
I'll chime in as well, we have around 100 Aruba 121 (n) and 65 (BGA) access points and two controllers. I won't talk about the ease of setup or the features as that has already been discussed ad nauseam... I'll just say this: not to knock Cisco, as they have never done me wrong, but Aruba support borders on precognition. They are genuinely concerned with the health and well-being of their customers. This has happened to me twice: once we had an 802.1x machine authentication issue that turned out to be our fault. I mentioned the issue on a forum, Aruba contacted me, started a ticket and worked with me to resolve my issue. And just this week, I mentioned that I had had one access point die on me in the past year and I was again contacted by Aruba TAC, and was sent a replacement AP the very next day. Brilliant.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of gwill...@uccs.edu
Sent: Tuesday, April 13, 2010 8:07 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba vs HP vs Meraki

I think I'll finally chime in here. We have around 350+ Aruba APs with 10 controllers. I've upgraded the AOS every other version for the past 2 years, ~ 12 upgrades. I've never had an upgrade go bad on all 10 controllers. I've only had 1 AP NIC failure in that time as well. We have APs that are mounted in some of the dorms on the wall even and those haven't been destroyed or stolen. We have APs that sit in a garage and machine shop and work fine. We are primarily a Cisco shop for the rest of our networking equipment, but switched from Cisco fat APs to the Aruba's 3 years ago. Aruba releases software about once a month and it always has worked. I'm very glad we made the decision to go with Aruba based on the fact that I see people on this message board complaining that something doesn't work right with their Cisco upgrade. Maybe more people have Cisco than Aruba, I don't know. As for Meraki, the concept works in some cases, and I'm not sure what the educational costs are, but the cost of their APs as advertised and enterprise controller seems almost the same as Aruba.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason S. Cash
Sent: Tuesday, April 13, 2010 8:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba vs HP vs Meraki

On Fri, 2 Apr 2010, Ethan Sommer wrote:

We are considering replacing our 200+ AP wireless infrastructure with a controller based 802.11n system. I believe we have narrowed it down to Aruba, HP Procurve (we use HP switch gear), and Meraki. I have two questions:

1. Are there any hidden costs we should watch out for with any of these (particularly Aruba)? Will we hit major costs other than the up front cost for the APs and the controllers?
2. I know a lot of schools are very happily using Aruba, but I haven't heard of any schools using HP and very few using Meraki. Are there any schools who have gone with Aruba and regretted it? If so, why? Are there any schools out there using HP Procurve (formerly Colubris) or Meraki? What do you think of them? Did you have any surprises after you deployed?

Ethan -- Ethan Sommer Associate Director of Core Services 507-933-7042 somm...@gustavus.edu
RE: [WIRELESS-LAN] Private IP space for wireless users- anyone?
I wish we had your volume, 650 peak

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Tuesday, December 15, 2009 3:36 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Private IP space for wireless users- anyone?

Thanks for all of the responses- I wonder if anyone with a peak usage like ours is doing NAT- almost 6500 clients?

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Jason Appah [jason.ap...@oit.edu]
Sent: Monday, December 14, 2009 11:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Private IP space for wireless users- anyone?

Yes, that is what we do. I just wondered how big of a bear it would be to track PAT in a university wireless environment. In a second related note, we recently changed our NAT timeout from 3 to 2 hours as we were beginning to run out of 1 to 1 NAT ranges.

Sent from my iPhone Jason Appah Systems Administrator Oregon Tech

On Dec 14, 2009, at 6:33 PM, Phil Trivilino p...@stlawu.edu wrote:

We do 1to1 dynamic NAT on the ASA firewall and log all the translations to a syslog server. Easy to get the private IP from the log given the time and global IP. It is all we've seen the need for to this point.

Phil

On Dec 14, 2009, at 8:55 PM, Lee H Badman wrote:

Wondering how many other schools are using private IP space for wireless users, how you accomplish the NAT, and what mechanisms you use for user tracking for the private-public mappings for forensic/investigatory purposes.

Thanks- Lee
Re: [WIRELESS-LAN] Private IP space for wireless users- anyone?
How does the user tracking work with PAT? Usually when we get a DMCA or virus or spam it doesn't come with a port?

Sent from my iPhone Jason Appah Systems Administrator Oregon Tech

On Dec 14, 2009, at 6:09 PM, Hector J Rios hr...@lsu.edu wrote:

Lee, We use private IPs, we PAT at the border and we log all transactions on a Juniper firewall so that we can keep a log of the private-to-public translations. We keep 30 days of logs right now. We are buying more disk space to save up to 90 days. It's been very effective. As a side note, we would not be able to maintain our wireless if we did not have a private IP space. Just this semester we had to increase the IP subnet for our library. On finals week we saw over 800 users!!

Thanks, Hector Rios Louisiana State University

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Monday, December 14, 2009 7:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Private IP space for wireless users- anyone?

Wondering how many other schools are using private IP space for wireless users, how you accomplish the NAT, and what mechanisms you use for user tracking for the private-public mappings for forensic/investigatory purposes.

Thanks- Lee
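The lookup this thread discusses (private address from public address and time, and why PAT also needs the source port), as an added example that is not from any poster on the list. The log format, field names and addresses are constructed for illustration and do not match any vendor's syslog output.

```python
"""Resolve an abuse complaint to the private address behind NAT/PAT.

Added illustration: SAMPLE_LOG uses a constructed CSV layout, not the
translation-log format of any particular firewall or controller.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FIELDS = ["start", "end", "proto", "private_ip", "private_port",
          "public_ip", "public_port"]

# Constructed records. public_port 0 marks a whole-address (1:1 NAT) mapping;
# a non-zero public_port marks a single PAT session.
SAMPLE_LOG = """\
2009-12-14T18:00:05Z,2009-12-14T18:04:40Z,tcp,10.20.1.15,51544,192.0.2.10,40001
2009-12-14T18:01:30Z,2009-12-14T18:03:10Z,tcp,10.20.7.88,49200,192.0.2.10,40002
2009-12-14T18:10:00Z,2009-12-14T18:11:00Z,tcp,10.20.1.15,51600,192.0.2.10,40002
2009-12-14T17:00:00Z,2009-12-14T19:00:00Z,any,10.20.3.9,0,192.0.2.50,0
2009-12-14T19:05:00Z,2009-12-14T21:05:00Z,any,10.20.4.77,0,192.0.2.50,0
"""


def parse_ts(text):
    """Parse a UTC timestamp such as 2009-12-14T18:00:05Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)


@dataclass(frozen=True)
class Xlate:
    start: datetime
    end: datetime
    proto: str
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int  # 0 = 1:1 mapping, applies to every port


def parse_log(text):
    """Turn the constructed CSV log into a list of translation records."""
    rows = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    return [
        Xlate(parse_ts(r["start"]), parse_ts(r["end"]), r["proto"],
              r["private_ip"], int(r["private_port"]),
              r["public_ip"], int(r["public_port"]))
        for r in rows
    ]


def candidates(xlates, public_ip, when, public_port=None,
               skew=timedelta(0)):
    """Private IPs that held `public_ip` at `when`.

    public_port=None models a complaint that carries no source port: every
    PAT session active on that address at that time is a candidate.
    `skew` widens each translation window to absorb clock drift between the
    complainant and the logging device.
    """
    hits = set()
    for x in xlates:
        if x.public_ip != public_ip:
            continue
        if not (x.start - skew <= when <= x.end + skew):
            continue
        # Port only narrows PAT sessions; a 1:1 record matches any port.
        if (x.public_port != 0 and public_port is not None
                and x.public_port != public_port):
            continue
        hits.add(x.private_ip)
    return sorted(hits)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    t = parse_ts("2009-12-14T18:02:00Z")
    print("PAT, no port :", candidates(log, "192.0.2.10", t))
    print("PAT, port    :", candidates(log, "192.0.2.10", t, 40002))
    print("1:1 NAT      :", candidates(log, "192.0.2.50", t))
```

With these records, a PAT complaint without a port returns two hosts, and the same public port maps to a different host eight minutes later, so an accurate timestamp matters as much as the port.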
RE: [WIRELESS-LAN] wireless DHCP lease time
Sounds like a great use case for IP mobility... what are you running for wireless controllers?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Garrett Harmon
Sent: Wednesday, September 30, 2009 11:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] wireless DHCP lease time

We're running into some issues at the ramp up of a quarter with our DHCP lease time attempting to utilize the /24's we currently pool for our main essid. We moved from 1hr. to 30 minutes, but are still running out of leases occasionally. For instance, we have 160 users in a /24, but due to the transient nature of wireless/classes leases that are used for a brief moment the cycle isn't quite efficient enough. What is everyone else using for wireless DHCP lease times? I know I can just add another /24 to the pool, but the networks are not being utilized enough. We want to try 15 minutes but are wondering if we will start to run into issues related with that? Your input is greatly appreciated!!

Garrett Harmon Network Engineer Office of Information Technology The Ohio State University 614.292.2122 (o) 614.747.5539 (c)
BW capping
Also on the subject, do you all cap per user bandwidth? We recently reconstructed our dorms, and began support of the resnet (before the recession they had their own foot soldiers taking care of it). The old resnet had a hodge podge of homegrown bandwidth cap tools that they used to limit people from excessive downloading (essentially anyone who downloaded more than 10 Gig a month). We are currently looking into continuing to do this but were split as to whether or not it is an antiquated process. We would like to purchase a standards based tool but have been unable to locate one that works on a large scale.

1) What do people use who do bandwidth cap?
2) Do you bandwidth cap? Why or why not?
RE: [WIRELESS-LAN] wireless per user bandwidth control with 11n
We shape at the internet pipe as well... we only shape when user loads dictate it, then we extend a per user bandwidth contract for the affected AP's

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Sam Stelfox
Sent: Friday, September 25, 2009 10:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wireless per user bandwidth control with 11n

We kind of do... We shape the bandwidth of all of our student subnets at our internet pipe. Internal bandwidth is only limited by the speed of the link.

Sam Stelfox Network Administrator Vermont Technical College

Dennis Xu wrote:

We have been doing per user bandwidth control (1.5Mbps) for years (just increased it to 3M this fall). As we are installing new 11n APs for mixed deployment with legacy clients, this bandwidth cap would disappoint 11n users. I want to ask the group:

1. Do you still use per user bandwidth control for 11n deployment? If you do, what is your bandwidth cap?
2. If you don't apply bandwidth control, do you see any problems?

Thanks, Dennis Xu Network Analyst Computing and Communication Services University of Guelph 5198244120 x 56217
RE: [WIRELESS-LAN] Large numbers of clients in one room
I know that with aruba, we summarily have more than 40 people in a single room, we have two access points and band steering turned on. Nary a complaint (knocks on wood) it seems to load balance just fine.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of John York
Sent: Tuesday, August 11, 2009 8:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Large numbers of clients in one room

Hi

We have a small installation with about 40 Cisco lwap's (b/g) running on a Cisco 4402. I've just gotten a request from a group that wants to run 50+ clients in one room. The last time we tried that about 4 years ago, it was a disaster. We had fat AP's at the time. There were a lot of Mac's, and they kept grabbing each other instead of the AP's. Ugh.

How do folks handle this now? With my current system can I just throw a couple more AP's in the room and let them have at it?

Thanks John

John York Blue Ridge Community College, VA
RE: [WIRELESS-LAN] Student 802.1x
Group determined by Cisco? Or by Impulse? How do you enforce this?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Lee H Badman
Sent: Wed 6/24/2009 4:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Student 802.1x

For wireless, we don't differentiate between students/staff. We certainly do for NAC, but for RADIUS it's simple go/nogo. Then once you're on the WLAN, what group you fall into drives how you're handled for NAC.

-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of John Rodkey [rod...@westmont.edu]
Sent: Wednesday, June 24, 2009 2:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Student 802.1x

What attribute do you use to transmit the user's group within RADIUS?

On Wed, Jun 24, 2009 at 11:08 AM, Lee H Badman lhbad...@syr.edu wrote:

Hi Tom, We use forwarding of RADIUS accounting data (as users authenticate to 802.1x) into our NAC system- (using Cisco LWAPP, ACS and Impulse NAC)- works pretty well for single sign-on effect. Especially with the cached credentials for the supplicant- the whole thing ends up transparent to the user.

Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tom Parenti
Sent: Wednesday, June 24, 2009 9:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Student 802.1x

Hello All, We are looking to start doing 802.1x authentication on our student wireless. We are an Aruba customer and we use Cisco NAC. Today we have an open SSID. The students connect to the SSID, open a web browser and are redirected to the Cisco NAC log on page. We would like to continue with the single sign on with NAC if possible. I think that would mean the students would have to cache their credentials in the supplicant to get authenticated to the new 802.1x SSID. Student computers are not part of our domain. Has anyone had any experience setting up 802.1x with NAC?

Thanks, Tom

Tom Parenti Network Administrator Johnson Wales University 8 Abbott Park Place Providence, RI 02903 (401) 598-1557
RE: [WIRELESS-LAN] configuration script
As would I. Thanks for sharing!

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lunceford, Dan
Sent: Wednesday, June 17, 2009 9:01 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] configuration script

I'd love to see it. Thanks so much for sharing.

-drl
--
Dan Lunceford Manager of Networking Services New Mexico Tech dluncef...@admin.nmt.edu, 575-835-5961
If you don't know how to do something, then you don't know how to do it with a computer

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Chris Brauchli
Sent: Wednesday, June 17, 2009 9:50 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] configuration script

Here at Williams we wrote an in-house solution based on the Native WiFi API (http://msdn.microsoft.com/en-us/library/ms706556(VS.85).aspx) that is doing the job well so far. If anybody wants to see the source code, feel free to email me and I'll happily share it. The nice thing about this solution is that it deletes saved credentials and sets up the 802.1X network for the user. Also, since it's based on Microsoft's provided API, it's likely to continue working for a while. It works on XP SP2 with the Wireless LAN API up.

Chris Brauchli
ARuba VLAN pooling
What is this VLAN pooling? How does it work?
RE: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x
Idengines

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Neil M
Sent: Thursday, May 21, 2009 3:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x

What are you using for your RADIUS server?

-Neil
--
Neil Johnson Network Engineer Information Technology Services The University of Iowa Work: 319 384-0938 Mobile: 319 540-2081 Fax: 319 355-2618 E-mail/MSN: neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 1:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Enforcing and Ensuring Machine Auth 802.1x

At our little campus we have about 100 computers that are pure wireless workstations provided in the library for student use. From time to time they will refuse to machine auth to the network. Typically they are reported after the fact as the student will bounce from workstation to workstation until they find a Hot one.

Troubleshooting: We have tried JAMAP (Just add more access points). (for a stretch there we had 36 to 50 people, including wireless workstations on a single access point). Modifying the power settings so the machines never sleep. Updating drivers for the mix of Broadcom, intel and Linksys wireless cards. All to no avail.

We are an all aruba shop and are quite pleased with their entire line, the system never bogs, higgs or given us any hint of trouble just the 802.1x problem. The problem is difficult because there are so many workstations and that they don't do it on any predictable scale. So. any tips for 802.1x machine auth?

Thanks! Jason Appah Systems Administrator Oregon Institute of Technology http://www.oit.edu
RE: [WIRELESS-LAN] Windows 7 to include Virtual Wifi
I'd be interested to see how the packets look... and it also means rogue detection just got a little funner :(

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Monday, May 18, 2009 6:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Windows 7 to include Virtual Wifi

Mike- In the comments, someone pointed this out: http://www.cnet.com.au/intel-s-my-wi-fi-makes-my-internet-yours-339294335.htm (My Wifi from Intel), and someone else commented FINALLY I can play my Nintendo DS online without screwing the rest of my network by turning off WPA. Will be interesting to see what scale this sort of thing gets used, how hard it is for the average joe to understand, and what it means or doesn't mean to those of us trying to keep peace in WLANville :)

-Lee

Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King
Sent: Monday, May 18, 2009 9:22 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Windows 7 to include Virtual Wifi

http://www.engadget.com/2009/05/18/microsofts-virtual-wifi-will-make-windows-7-wireless-adapters-d/

Quote from the article: The tech lets one piece of WiFi hardware be represented in Windows as two separate adapters, meaning you can connect to two hotspots simultaneously if you like, or turn your virtual device into an access point that others can connect to.

This should make the airwaves interesting..
RE: [WIRELESS-LAN] WLAN Deployment-High number of users
vlans

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of reflect ocean
Sent: Friday, May 15, 2009 10:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLAN Deployment-High number of users

Hi

I run a medium-sized wifi network. We are cisco shop (autonomous access points). Recently wifi users number have reached limits we didn't expect. Because of that, we had to adjust our subnet network in order to support more users associated to the only SSID our wireless network use. I've been looking for alternative to create another ssid and associate it to another different subnet but I can't find any related to. Our wireless lan is currently reaching 1000 users or so. I'm not very comfortable with the idea of having such number of users in wireless subnet. We have deployed around 60 cisco autonomous access points throughout the campus and this subnet is firewalled and routed in our core switch which is a hop away to accessing Internet. It's very simple design.

What would be a recommended deployment in this case with a growing number of users? Would deploying lwap bring any advantage to this design? We want to keep a single ssid and mobility for wireless users. Would mesh network bring any benefit?

Thank you
RE: [WIRELESS-LAN] WLAN Deployment-High number of users
You could still get away with that with FAT AP's. That is, since they are autonomous, you could assign different vlans and in turn different ip scopes to the same ssid as they are all unawares of each other.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Scott Irey
Sent: Friday, May 15, 2009 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Not sure if Cisco has anything like this but Aruba has vlan pooling which allows multiple vlans to be assigned to the same SSID and the algorithm will assign clients to each vlan based on that. That works well if you want to continue to broadcast the same ssid over all of campus. Not sure if Cisco does anything similar. We have multiple profiles here (per building) all using the same ssid but depending on what AP you associate to you will get assigned that profile which has the vlan assignment.

Scott Irey Network Telecom Systems Engineer Oakland University Office: 248.370.2808 Mobile: 248.505.9827

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of reflect ocean
Sent: Friday, May 15, 2009 1:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLAN Deployment-High number of users

Hi

I run a medium-sized wifi network. We are cisco shop (autonomous access points). Recently wifi users number have reached limits we didn't expect. Because of that, we had to adjust our subnet network in order to support more users associated to the only SSID our wireless network use. I've been looking for alternative to create another ssid and associate it to another different subnet but I can't find any related to. Our wireless lan is currently reaching 1000 users or so. I'm not very comfortable with the idea of having such number of users in wireless subnet. We have deployed around 60 cisco autonomous access points throughout the campus and this subnet is firewalled and routed in our core switch which is a hop away to accessing Internet. It's very simple design.

What would be a recommended deployment in this case with a growing number of users? Would deploying lwap bring any advantage to this design? We want to keep a single ssid and mobility for wireless users. Would mesh network bring any benefit?

Thank you
RE: [WIRELESS-LAN] WLAN Deployment-High number of users
The only thing about that is training your users to accept the limited or no connectivity state when connecting to the assigned vlan...

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King
Sent: Friday, May 15, 2009 12:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

You don't mention if you're using 802.1x, but if you are, you can utilize Vlan Override. http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml which allows you to throw users into specific VLAN's based on RADIUS return attributes. All off the same SSID.

Mike

On Fri, May 15, 2009 at 2:39 PM, Jason Appah jason.ap...@oit.edu wrote:

You could still get away with that with FAT AP's. That is, since they are autonomous, you could assign different vlans and in turn different ip scopes to the same ssid as they are all unawares of each other.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Scott Irey
Sent: Friday, May 15, 2009 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Not sure if Cisco has anything like this but Aruba has vlan pooling which allows multiple vlans to be assigned to the same SSID and the algorithm will assign clients to each vlan based on that. That works well if you want to continue to broadcast the same ssid over all of campus. Not sure if Cisco does anything similar. We have multiple profiles here (per building) all using the same ssid but depending on what AP you associate to you will get assigned that profile which has the vlan assignment.

Scott Irey Network Telecom Systems Engineer Oakland University Office: 248.370.2808 Mobile: 248.505.9827

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of reflect ocean
Sent: Friday, May 15, 2009 1:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLAN Deployment-High number of users

Hi

I run a medium-sized wifi network. We are cisco shop (autonomous access points). Recently wifi users number have reached limits we didn't expect. Because of that, we had to adjust our subnet network in order to support more users associated to the only SSID our wireless network use. I've been looking for alternative to create another ssid and associate it to another different subnet but I can't find any related to. Our wireless lan is currently reaching 1000 users or so. I'm not very comfortable with the idea of having such number of users in wireless subnet. We have deployed around 60 cisco autonomous access points throughout the campus and this subnet is firewalled and routed in our core switch which is a hop away to accessing Internet. It's very simple design.

What would be a recommended deployment in this case with a growing number of users? Would deploying lwap bring any advantage to this design? We want to keep a single ssid and mobility for wireless users. Would mesh network bring any benefit?

Thank you
RE: [WIRELESS-LAN] WLAN Deployment-High number of users
Correct, but it generated a ton of support calls..

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Bruce T
Sent: Friday, May 15, 2009 12:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Is that a temporary condition until DHCP completes?

Bruce T. Johnson | Network Engineer Partners Healthcare | Network Engineering | 617.726.9662 | Pager: 31633 | bjohns...@partners.org

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 3:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

The only thing about that is training your users to accept the limited or no connectivity state when connecting to the assigned vlan...

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King
Sent: Friday, May 15, 2009 12:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

You don't mention if you're using 802.1x, but if you are, you can utilize Vlan Override. http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml which allows you to throw users into specific VLAN's based on RADIUS return attributes. All off the same SSID.

Mike

On Fri, May 15, 2009 at 2:39 PM, Jason Appah jason.ap...@oit.edu wrote:

You could still get away with that with FAT AP's. That is, since they are autonomous, you could assign different vlans and in turn different ip scopes to the same ssid as they are all unawares of each other.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Scott Irey
Sent: Friday, May 15, 2009 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Not sure if Cisco has anything like this but Aruba has vlan pooling which allows multiple vlans to be assigned to the same SSID and the algorithm will assign clients to each vlan based on that. That works well if you want to continue to broadcast the same ssid over all of campus. Not sure if Cisco does anything similar. We have multiple profiles here (per building) all using the same ssid but depending on what AP you associate to you will get assigned that profile which has the vlan assignment.

Scott Irey Network Telecom Systems Engineer Oakland University Office: 248.370.2808 Mobile: 248.505.9827

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of reflect ocean
Sent: Friday, May 15, 2009 1:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLAN Deployment-High number of users

Hi

I run a medium-sized wifi network. We are cisco shop (autonomous access points). Recently wifi users number have reached limits we didn't expect. Because of that, we had to adjust our subnet network in order to support more users associated to the only SSID our wireless network use. I've been looking for alternative to create another ssid and associate it to another different subnet but I can't find any related to. Our wireless lan is currently reaching 1000 users or so. I'm not very comfortable with the idea of having such number of users in wireless subnet. We have deployed around 60 cisco autonomous access points throughout the campus and this subnet is firewalled and routed in our core switch which is a hop away to accessing Internet. It's very simple design.

What would be a recommended deployment in this case with a growing number of users? Would deploying lwap bring any advantage to this design? We want to keep a single ssid and mobility for wireless users. Would mesh network bring any benefit?

Thank you
RE: [WIRELESS-LAN] WLAN Deployment-High number of users
It wasn't particularly difficult and many attributes from login name, authenticator type, location, machine name, and snmp names can be used to differentiate and pass different vlans... just do your research on what the cisco is looking for when passing a vlan..

As an aside, the scenario we've seen both wired and wireless goes like this: We have a vlan ascribed to authentication/Updates only, no internet, nothing but a domain controller login conduit; then we have staff, student, lab vlans, and so forth... The clients perform machine authentication via 802.1x... the machines are placed in the auth only vlan.. then the student staff or user logs in, and is placed in the proper vlan.. the ip address is invalid and for a few moments 10 -15 seconds they get limited or no connectivity until Microsoft retries the dhcp requests...

Having one or two SSIDS is king, and when it works, it's magic!

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Bruce T
Sent: Friday, May 15, 2009 1:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Yes I can imagine. Thanks for the heads-up. How hard has it been to provision via RADIUS? I am in favor of the reduced SSID load over the air. Are MAC addresses the only thing you can use to map attributes to? What about machine names?

Thanks for your feedback,

Bruce T. Johnson | Network Engineer Partners Healthcare | Network Engineering | 617.726.9662 | Pager: 31633 | bjohns...@partners.org

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 4:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Correct, but it generated a ton of support calls..

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Bruce T
Sent: Friday, May 15, 2009 12:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Is that a temporary condition until DHCP completes?

Bruce T. Johnson | Network Engineer Partners Healthcare | Network Engineering | 617.726.9662 | Pager: 31633 | bjohns...@partners.org

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Friday, May 15, 2009 3:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

The only thing about that is training your users to accept the limited or no connectivity state when connecting to the assigned vlan...

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King
Sent: Friday, May 15, 2009 12:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

You don't mention if you're using 802.1x, but if you are, you can utilize Vlan Override. http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml which allows you to throw users into specific VLAN's based on RADIUS return attributes. All off the same SSID.

Mike

On Fri, May 15, 2009 at 2:39 PM, Jason Appah jason.ap...@oit.edu wrote:

You could still get away with that with FAT AP's. That is, since they are autonomous, you could assign different vlans and in turn different ip scopes to the same ssid as they are all unawares of each other.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Scott Irey
Sent: Friday, May 15, 2009 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLAN Deployment-High number of users

Not sure if Cisco has anything like this but Aruba has vlan pooling which allows multiple vlans to be assigned to the same SSID and the algorithm will assign clients to each vlan based on that. That works well if you want to continue to broadcast the same ssid over all of campus. Not sure if Cisco does anything similar. We have multiple profiles here (per building) all using the same ssid but depending on what AP you associate to you will get assigned that profile which has the vlan assignment.

Scott Irey Network Telecom Systems Engineer Oakland University Office: 248.370.2808 Mobile: 248.505.9827

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of reflect ocean
Sent: Friday, May 15, 2009 1:52 PM
To: WIRELESS-LAN
RE: [WIRELESS-LAN] Wireless-only in residence halls
X2 to that! We'd love to be able to put an 80% loaded fair bandwidth rule on our arubas... -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Philippe Hanset Sent: Monday, April 27, 2009 9:20 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless-only in residence halls we do, but for visitors only. for all users: Our wish list to Aruba includes a fair bandwidth request. Instead of a permanent rule per user, it would be an automatic rule that would kick in when too much load is on the AP. QoS for 802.11n ! There is not point to restrict a user if the AP is not overloaded. Philippe On Apr 27, 2009, at 10:59 AM, Michael Dickson wrote: So, for anyone who is offering 802.1n is anyone putting bandwidth restrictions for per-role or per-user? Mike Peter P Morrissey wrote: Thanks Matt, I ordered a Dell that has one of those. Looking forward to testing it. All of this confirms though that there is no compelling reason for us to move to 802.11n. I was worried that I wasn't using the best equipment for the testing that I've done thus far with a couple of vendors. The testing shows a little over 100mbps down and maybe 90 up, and that is peak in the best case scenario lab conditions with an expensive, good quality adapter and all 11n parameters tuned. With cheaper, consumer grade adapters it was much lower than that. And, I would imagine it is even lower yet in real world scenarios. We're also finding that the range is usually no better, and in some cases worse than a/b/g. We tend to deploy with a lot of density anyway, so that isn't a big problem for us, but it contradicts what we had heard about the technology. It just doesn't look like users are going to notice any difference between current generation 11n and a solid a/b/g environment. 
And, when considering the cost difference and increased support complications that are inevitable when deploying a new technology, it is hard to make a case for moving to 11n with any urgency. If anyone has done any testing that shows better results, please share it. Pete Morrissey -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Barber, Matt Sent: Monday, April 27, 2009 9:49 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless-only in residence halls Hi Pete, They do not do 3x3. I don't know of any adapters that do besides the Intel 5300. I haven't done any extensive throughput testing with those adapters. In terms of actual, real-world use though, they are performing fine. We have a few dozen people using them without issues. Matt Barber Network Analyst Morrisville State College 315-684-6053 -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS- l...@listserv.educause.edu] On Behalf Of Peter P Morrissey Sent: Monday, April 27, 2009 9:29 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless-only in residence halls Do they do 3x3 MIMO? What is the best up/down throughput that has been achieved on them with channel bonding? Pete Morrissey -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS- l...@listserv.educause.edu] On Behalf Of Barber, Matt Sent: Monday, April 27, 2009 8:42 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless-only in residence halls Hi Bruce, We went with two different Linksys dual-band adapters, one PCMCIA and one USB. The USB is really only for the few desktops that some students bring in. We sell it (the WUSB600n) at our bookstore. The PCMCIA one is the Linksys WPC600n, and we use it for some older laptops that don't have any wireless or only have 11b. 
Matt Barber Network Analyst Morrisville State College 315-684-6053 -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS- l...@listserv.educause.edu] On Behalf Of Osborne, Bruce W. (NS) Sent: Sunday, April 26, 2009 6:43 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless-only in residence halls Matt, We are looking into selling dual band 11n adapters. Which ones did you choose? What about desktop computers? Do you provide any solution for wireless? There do not seem to be any dual band 11n desktop cards. You can buy adapters and use some of the laptop cards, though. Thanks, Bruce Osborne Liberty University -Original Message- From: Barber, Matt [mailto:barbe...@morrisville.edu] Sent: Saturday, April 25, 2009 1:21 PM Subject: Re: Wireless-only in residence halls This is similar to our approach. We push the 5 GHz as much as possible. Between the microwaves, Xbox 360 controllers, Bluetooth, and everything else, the 2.4 GHz in the dorms is a
RE: [WIRELESS-LAN] Spectrum load balancing/Band steering
We have tried both with great results. -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Brian J David Sent: Wednesday, April 22, 2009 7:33 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Spectrum load balancing/Band steering This question is for those Aruba deployments. Has anybody tried the spectrum load balancing feature yet, if so, how have your results been? We are using the Band steering feature and have found that it works very well and was wondering what others have been experiencing? -Brian Brian J David Network Systems Engineer Boston College
Re: [WIRELESS-LAN] Student printing accounting
802.1x On 3/17/09 7:57 AM, Paul Crittenden paul.critten...@simpson.edu wrote: We are in the process of making our entire campus wireless. One of our concerns is student printing. Currently our printer queues are on servers that are on AD. We use a printer accounting software called Papercut so we can manage student printing. So when a student prints they must be using a computer that is on AD so when they log in Papercut can keep track of their printing. When we go wireless and a student wants to print from their laptop, which is not on AD, how can we keep track of the amount of printing they are doing? Does anyone have a solution for this? Paul Crittenden Computer Systems Manager Simpson College Phone: 515-961-1680 Email: paul.critten...@simpson.edu
Re: [WIRELESS-LAN] Big Aruba Environments- Management of multiple controllers
I just upgraded to 6.2 airwave and all is well with the world... I have noticed that a few of the access points are showing duplicate names, even though they aren't... Re-provisioning fixed the problem, but it was still strange, apart from that, 3.3.2.11 is much faster IMHO than 3.3.2.8... (of course there my whole deploy is smaller than probably one of your buildings) On 3/16/09 1:33 PM, Travis Schick trsch...@ucdavis.edu wrote: Just FYI - airwave just released their 6.2 update - and I believe there was mention of specifically supporting 3.3.2.x ArubaOS versions. had the pdf open: 2. Enhancements/Changes 2.1 Aruba Enhancements Support for firmware version 3.3.2.x So appears something has changed in the 3.3.2.x arubaos that impacts how airwave gathers its stats... I've got a few buildings worth of APs doing an advance test of 3.3.2.11 - before upgrading our entire aruba infrastructure - so far no issues. Would like to hear that your migration 3.3.2.11 is going well... Travis Schick UCDavis From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah Sent: Friday, March 06, 2009 9:31 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Big Aruba Environments- Management of multiple controllers On that note, when we moved to 3.3.2.11 the other week, Airwave stopped reporting bandwidth, was there a change to the MIB from 3.3.2.8 to 11 that would have affected this? Airwave still reports users connected fine, but no bandwidth? On 3/6/09 8:11 AM, Philippe Hanset phan...@utk.edu wrote: We gave up on MMS (or MMS gave up on us, I forgot) and went straight to Airwave that we use in monitoring mode. For configs: the web is ok but the command line is preferred. Philippe Hanset Univ. of TN p.s. 
I believe that Aruba is pulling MMS out of their price list (to be confirmed) On Mar 6, 2009, at 8:11 AM, Steely, John wrote: I am curious if we have any Aruba shops on the list who have Airwave, but also had experience with the Aruba MMS appliance and would be willing to share your thoughts on comparing the two? Thanks in advance, John John Steely Associate Director Infrastructure Systems Department Library and Information Services Dickinson College P.O. Box 1773 Carlisle, PA 17013 717-245-1613 (Voice) 717-245-1690 (Fax) ste...@dickinson.edu From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Thursday, March 05, 2009 9:55 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Big Aruba Environments- Management of multiple controllers Wondering how bigger Aruba shops are centrally managing multiple controllers? From what I can tell right now, AirWave is pretty much an effective graphical monitoring tool, but is pretty anemic at configuration of Aruba. Am I missing something? -Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003
Re: [WIRELESS-LAN] Big Aruba Environments- Management of multiple controllers
No, we had to format and rebuild the whole server, however we found that it was a hardware failure and not airwave at all (3 hours later) On 3/16/09 2:12 PM, Manoj Abeysekera ma...@american.edu wrote: Hi Jason, Did the upgrade retain old data and statistics? I had problems last time when I did the upgrade. Thanks Manoj x2702 --- P. Manoj Abeysekera Network Engineer American University 4200 Wisconsin Ave, NW Washington DC. 20016 Jason Appah jason.ap...@oit.edu Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 03/16/2009 05:07 PM Please respond to The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU To WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU cc Subject Re: [WIRELESS-LAN] Big Aruba Environments- Management of multiple controllers I just upgraded to 6.2 airwave and all is well with the world... I have noticed that a few of the access points are showing duplicate names, even though they aren't... Re-provisioning fixed the problem, but it was still strange, apart from that, 3.3.2.11 is much faster IMHO than 3.3.2.8... (of course there my whole deploy is smaller than probably one of your buildings) On 3/16/09 1:33 PM, Travis Schick trsch...@ucdavis.edu wrote: Just FYI - airwave just released their 6.2 update - and I believe there was mention of specifically supporting 3.3.2.x ArubaOS versions. had the pdf open: 2. Enhancements/Changes 2.1 Aruba Enhancements Support for firmware version 3.3.2.x So appears something has changed in the 3.3.2.x arubaos that impacts how airwave gathers its stats... I've got a few buildings worth of APs doing an advance test of 3.3.2.11 - before upgrading our entire aruba infrastructure - so far no issues. Would like to hear that your migration 3.3.2.11 is going well... 
Travis Schick UCDavis From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jason Appah Sent: Friday, March 06, 2009 9:31 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Big Aruba Environments- Management of multiple controllers On that note, when we moved to 3.3.2.11 the other week, Airwave stopped reporting bandwidth, was there a change to the MIB from 3.3.2.8 to 11 that would have affected this? Airwave still reports users connected fine, but no bandwidth? On 3/6/09 8:11 AM, Philippe Hanset phan...@utk.edu wrote: We gave up on MMS (or MMS gave up on us, I forgot) and went straight to Airwave that we use in monitoring mode. For configs: the web is ok but the command line is preferred. Philippe Hanset Univ. of TN p.s. I believe that Aruba is pulling MMS out of their price list (to be confirmed) On Mar 6, 2009, at 8:11 AM, Steely, John wrote: I am curious if we have any Aruba shops on the list who have Airwave, but also had experience with the Aruba MMS appliance and would be willing to share your thoughts on comparing the two? Thanks in advance, John John Steely Associate Director Infrastructure Systems Department Library and Information Services Dickinson College P.O. Box 1773 Carlisle, PA 17013 717-245-1613 (Voice) 717-245-1690 (Fax) ste...@dickinson.edu From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman Sent: Thursday, March 05, 2009 9:55 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Big Aruba Environments- Management of multiple controllers Wondering how bigger Aruba shops are centrally managing multiple controllers? 
From what I can tell right now, AirWave is pretty much an effective graphical monitoring tool, but is pretty anemic at configuration of Aruba. Am I missing something? -Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003
Re: [WIRELESS-LAN] Big Aruba Environments- Management of multiple controllers
Sorry we are running Airwave Version 5 On 3/6/09 9:31 AM, Jason Appah jason.ap...@oit.edu wrote: On that note, when we moved to 3.3.2.11 the other week, Airwave stopped reporting bandwidth, was there a change to the MIB from 3.3.2.8 to 11 that would have affected this? Airwave still reports users connected fine, but no bandwidth? On 3/6/09 8:11 AM, Philippe Hanset phan...@utk.edu wrote: We gave up on MMS (or MMS gave up on us, I forgot) and went straight to Airwave that we use in monitoring mode. For configs: the web is ok but the command line is preferred. Philippe Hanset Univ. of TN p.s. I believe that Aruba is pulling MMS out of their price list (to be confirmed) On Mar 6, 2009, at 8:11 AM, Steely, John wrote: I am curious if we have any Aruba shops on the list who have Airwave, but also had experience with the Aruba MMS appliance and would be willing to share your thoughts on comparing the two? Thanks in advance, John John Steely Associate Director Infrastructure Systems Department Library and Information Services Dickinson College P.O. Box 1773 Carlisle, PA 17013 717-245-1613 (Voice) 717-245-1690 (Fax) ste...@dickinson.edu From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Thursday, March 05, 2009 9:55 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Big Aruba Environments- Management of multiple controllers Wondering how bigger Aruba shops are centrally managing multiple controllers? From what I can tell right now, AirWave is pretty much an effective graphical monitoring tool, but is pretty anemic at configuration of Aruba. Am I missing something? -Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003
Re: [WIRELESS-LAN] Aerohive 340AP
Todd, As a small school, nearly 95% of our WLAN traffic is bound for the internet, so sooner or later it is destined for the core, so at least for us, edge or core wlan switching makes little difference when it's all going there anyways. Maybe I'm missing something? On 3/2/09 1:36 PM, Smith, Todd todd.sm...@camc.org wrote: Hello Bruce, Like I said, this is a personal opinion and not hard engineering fact. My issue is that you are trunking everything from the edge to the network core to process and then switch to available resources. Unless you are installing 10G at the core or many, many 1G ports then I feel that you run the risk of network saturation from traffic from the AP at 802.11n speeds. This is vendor agnostic as far as I can see since oversubscription is a component of all of the centralized controller environments that I know of. I like the edge switching architecture that several vendors are promoting, Trapeze, Hi-Path Wireless and Aerohive are at least three vendors that have edge switching in the product line. Of course, Aerohive is completely edge switched and the others offer that for certain classes of traffic. GB edge switches are generally cheaper than core switches but maybe that is our environment and not typical in other places. Todd Smith Charleston Area Medical Center From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Osborne, Bruce W. (NS) Sent: Saturday, February 28, 2009 10:09 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Aerohive 340AP Todd, I'm not sure why you would say that. We now have almost 600 802.11n APs on 3 controllers that are managed centrally from the master controller. We can handle up to 500 APs per controller (2000 per chassis). This allows you to standardize configurations OS versions. We are supplementing this with Airwave Wireless Management Suite for monitoring. We moved from 450 Cisco 1231G "fat" APs. 
The centralized solution scales much better for us. From: Smith, Todd [mailto:todd.sm...@camc.org] Sent: Friday, February 27, 2009 4:28 PM Subject: Re: Aerohive 340AP I reviewed their product in our environment and it worked pretty well. I don't think that we are going to be purchasing anything this year due to the economic downturn but they are on my short list as well as Xirrus and Meru simply because they use non-standard architectures. My personal opinion is that centralized controller environments don't scale very well when you are considering large 802.11n rollouts. Todd Smith Charleston Area Medical Center From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Frank Bulk Sent: Friday, February 27, 2009 15:34 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Aerohive 340AP I've had several opportunities to talk to AeroHive. Competitors like to poke holes at their product, but my (un-tested) impression is that it's pretty solid. If you ask for references, they do have some small to medium-sized build outs, but I'm not sure if they have any 500+ AP installations, yet. Frank From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Friday, February 27, 2009 2:31 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Aerohive 340AP I have been contacted by Aerohive recently (www.aerohive.com) and had never heard of them before. Is interesting- they are a controller-less model, that *seems* to scale and compete with controller-based functionality based on the glossy. No idea how they are on the likes of fast roaming, etc. But part of my brain yearns for the days when there were no controllers, and wireless life was a lot simpler. (You never see WLAN controllers in Norman Rockwell paintings). Is anyone using Aerohive, even on a small scale? Lee Lee H. 
Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Joseph Clark Sent: Friday, February 27, 2009 2:32 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Aerohive 340AP Is anyone currently using Aerohive AP's in a classroom deployment? In particular their 802.11N 340AP. I am interested in how they handle a large number of users in a large auditorium style classroom. Thanks, Joseph Clark
Re: [WIRELESS-LAN] Transitioning to dot1x
There isn't, which is a real bummer, as there are many many drawbacks to the WZC client On 2/19/09 8:41 AM, Johnson, Bruce T bjohns...@partners.org wrote: One useful application with WZC-based PEAP is machine authentication for unattended devices that need to stay connected. I'm not sure any non-native supplicant supports this. Bruce T. Johnson | Network Engineer | Partners Healthcare Network Engineering | 617.726.9662 | Pager: 31633 | bjohns...@partners.org | 149 13th Street, 10th Floor, Mailstop 10055B, Charlestown, Ma 02129 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Charles Bisel Sent: Thursday, February 19, 2009 11:35 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Transitioning to dot1x True, WZC doesn't support CCKM, however unless I missed something, I don't recall Bob mentioning a specific supplicant. Clients who use WZC (why anyone would is beyond me) will still be able to connect without issue, as it is considered optional on the WLAN. Charles Bisel IT Operations Bayer Business and Technology Services LLC 100 Bayer Road Pittsburgh, PA 15205 PHONE 412.778.1268 FAX 412.778.1299 EMAIL charles.bi...@bayerbbs.com WEB http://www.bayerus.com/ Johnson, Bruce T bjohns...@partners.org Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 02/19/2009 11:20 AM Please respond to The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU To WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU cc Subject Re: [WIRELESS-LAN] Transitioning to dot1x Charles, CCKM is supplicant-dependent (via Intel PROSet or other hardware client utility). Native Windows WZC won't support this. You'll need WPA2. Bruce T. 
Johnson | Network Engineer | Partners Healthcare Network Engineering | 617.726.9662 | Pager: 31633 | bjohns...@partners.org | 149 13th Street, 10th Floor, Mailstop 10055B, Charlestown, Ma 02129 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Charles Bisel Sent: Thursday, February 19, 2009 11:18 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Transitioning to dot1x If you are using WPA/TKIP, change your Auth Key Mgmt to 802.1X + CCKM on your WLAN in order to activate Fast Secure Roaming. Charles Bisel WLAN Architect Bayer Corporation 100 Bayer Road Pittsburgh, PA 15205 EMAIL charles.bi...@bayerbbs.com WEB http://www.bayerus.com/ Johnson, Bruce T bjohns...@partners.org Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 02/19/2009 11:08 AM Please respond to The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU To WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU cc Subject Re: [WIRELESS-LAN] Transitioning to dot1x Check your WLAN Session timeout - this forces a full re-auth at the specified interval. The default for dot1x is every 30 minutes. You may want to make this value larger. The User Idle Timeout will do the same thing, but most laptops generate enough incidental traffic to keep the idle timer open. Smaller form factors may not be as chatty. If it's due to roaming, you may want to use WPA2/AES rather than TKIP, as this supports Proactive Key Caching. Do a sh pmk-cache all on the controllers to verify. Bruce T. 
Johnson | Network Engineer | Partners Healthcare Network Engineering | 617.726.9662 | Pager: 31633 | bjohns...@partners.org | 149 13th Street, 10th Floor, Mailstop 10055B, Charlestown, Ma 02129 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Bob Richman Sent: Thursday, February 19, 2009 10:38 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Transitioning to dot1x We are using MS IAS for radius with PEAP. We don't have trouble getting folks configured and connected. Just after that we get complaints of getting 'kicked off' and was wondering if anyone else sees this sort of behavior. I suspect this mostly occurs during roams, but don't really have any hard data to back that up. Thanks, Bob Richman Network Engineer University of Notre Dame rrichma...@nd.edu From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Daniel Bennett Sent: Thursday, February 19, 2009 8:20 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Transitioning to dot1x We have a separate PDA network with MAC filtering and
Re: [WIRELESS-LAN] Broadcast Flood
Does anyone have this command for aruba mc2400? I'm too lazy to look it up :) On 2/19/09 11:46 AM, Tupker, Mike mtup...@mtmercy.edu wrote: :) Just had to ask. Sometimes the solution is an easy one. The only other way I know of to control broadcasts on the AP420s is bc-mc-limiting command from the command line for the Ethernet interface. Actually I may try this for our issue as well. The release notes for firmware version 2.1.2 has some documentation on the bc-mc-limiting feature. ftp://ftp.hp.com/pub/networking/software/Release-Note-v2-1-2-59906007-1105.pdf Mike Tupker Systems Administrator Mount Mercy College Office: (319) 363-1323 x1401 Mobile: (319) 538-1644 If you need assistance with a computer issue please contact the helpdesk at x4357 or http://help.mtmercy.edu. -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Martin Jr., D. Michael Sent: Thursday, February 19, 2009 12:27 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Broadcast Flood Thanks for the reply. Yes, we do have VLAN tagging enabled and, in fact, that is how the placement of the computers in the correct VLAN typically works and has worked for the last several years. It has only become a problem, and the problem is intermittent, in the last 3 or 4 months. HP has stated it looks, possibly, like a flaw in the firmware but when we attempt to control the ARP and other broadcast traffic on our student wireless VLAN the problem goes away for everyone on campus. Anyone have any suggestions on controlling broadcast (and ARP) traffic on wireless using HP Procurve access points and/or switches? 
Thanks again, Michael Martin University of Montevallo -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Tupker, Mike Sent: Thursday, February 19, 2009 12:13 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Broadcast Flood We also have AP420s setup with radius auth using 802.1x, however our RADIUS server is a 2008 network policy server. The only thing I can think of is in the web config on the wireless interfaces page on the APs do you have the VLAN tagging enabled on for the SSID? The only issue we've had with the AP420s is sometimes the wired port will lock up and won't pass or respond to traffic. The only fix I've been able to find is to yank the power on the AP and reboot it. We are actually considering an upgrade to HP's newly acquired colubris line because of that issue. Mike Tupker Systems Administrator Mount Mercy College Office: (319) 363-1323 x1401 Mobile: (319) 538-1644 If you need assistance with a computer issue please contact the helpdesk at x4357 or http://help.mtmercy.edu. -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Martin Jr., D. Michael Sent: Thursday, February 19, 2009 10:03 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Broadcast Flood We have currently expanded our wireless coverage on our campus to include most of our residence halls. Our wireless network infrastructure consists of HP Procurve 420 access points throughout most of our campus and we are using RADIUS MAC authentication (no additional encryption) to place wireless users (academic and students) in the proper VLAN when they connect to our University wireless SSID (UMNET). Problem: Our student wireless network VLAN is being flooded with broadcast traffic (mostly ARP requests). 
Because of this, we suspect, we are starting to experience intermittent connectivity with other wireless users. In particular, what is happening is that when a user attempts to connect to our HP 420 access points, MAC authentication ensues and our RADIUS server (FreeRADIUS) gives the proper information to the access point to place the wireless client into the proper VLAN. Unfortunately, the HP 420 is not placing the client into the proper VLAN and instead is placing the client into the default VLAN for the SSID. We are not experiencing this problem with our older Cisco access points on campus. We have been working with HP about this issue but they do not believe that the flooding broadcast traffic on the student wireless VLAN is causing the problem. Questions: 1. Does anyone else out there believe that the flood of broadcast traffic on our student wireless VLAN could be causing the intermittent connection problem described above? 2. Are there any suggestions on controlling the wireless broadcast traffic from our students? Any suggestions anyone could offer would be greatly appreciated. Thanks, D. Michael Martin, Jr. Network Administrator University of Montevallo
Re: [WIRELESS-LAN] Question about public access
We use an aruba system with an aruba generated page, aruba also has a concierge system that allows you to create automatically provisioned and deprovisioned accounts to anyone who has the concierge login, and can allow you to create multiple concierge systems as well as multiple captive portal web pages. We're quite pleased with it if you want more information contact me off list. The nice-ness of not having guest access sullying up your directory, and or not having to maintain multiple directories is nice, Calea as we understand it isn't an issue as we require identification to go with public access. It also makes it nice when the Pesky DMCA takedown notices come around as you can attach a drivers license or state issued id and address to an IP... Just my .02 On 2/6/09 6:47 AM, James R. Pardonek pardo...@calumet.purdue.edu wrote: I was looking for some information on what other Universities do to provide WLAN access to non-university individuals such as contractors, vendors, candidates for positions, etc. We currently only have a "public" SSID in our conference center which is located far enough away from the academic buildings that it is inconvenient for many that would like to use it. It uses a "hotel page" and we provide a password for access. I was also looking for thoughts on how this fits in to CALEA and other regulations. Thank you. James R. Pardonek, CISSP Senior Network Administrator Network Infrastructure Management and Maintenance Computing Technology and Information Systems Purdue University Calumet Hammond, Indiana
Re: [WIRELESS-LAN] Wireless Design for Arenas
802.1x or MAC filtering, or both... In a previous life I supported wireless for a large manufacturer with myriad dumb devices (that is, devices that couldn't do 802.1x) so we did a mix: an SSID that did MAC filtering for DUMB devices and a SSID for 802.1x On 12/10/08 3:30 PM, John Duran [EMAIL PROTECTED] wrote: Scenario: RF Design for an Arena area. We can easily design for the known devices we are anticipating will connect to the Wi-Fi. Challenge: How are others restricting connectivity to the Wi-Fi for those devices (e.g. Dual mode cell phones and other Wi-Fi enabled personal devices) that do not have a business need for connecting to the Enterprise wireless network? This number is only expected to grow exponentially in the near future. We are certain no one wants to provide IP addresses for all these devices and accept any potential security risks. Essentially how are you preventing these devices from obtaining IP addresses and associating to the wireless network? This will also create a degradation of service to those that do have a business need during sporting events. We can see the potential number of devices exceeding the APs load threshold very quickly. John V. Duran Network Engineer University of New Mexico Information Technology Services Ph: (505) 249-7890 Fax: (505) 277-8101
Problems with internal DHCP server servicing requests from LAN port on Aruba controllers
We've experienced this a few times so I thought I'd put it up to post: There are times of heavy usage where our Aruba controller stops allowing DHCP requests from the LAN port; it continues to allow DHCP via the Aruba Access points but will not respond to any DHCP over the fast Ethernet port. Also, once it starts it will no longer do DHCP over that port regardless of load. We are running Aruba OS 3.3.1.9 and rebooting the controller fixes the issue, but alas this isn't a fix at all as far as we are concerned. We are thinking that we may have to move to a real DHCP server as opposed to the internal and just allow it to forward DHCP, but we aren't sure that this will fix the issue, as if it's dropping DHCP then obviously it won't allow the forward to happen either. Any suggestions? Has anyone run into this? Thanks! Jason Appah Systems Administrator Oregon Institute of Technology
Re: [WIRELESS-LAN] Wireless Upgrade Approach (phased vs. overhaul)
Man I wish I had your budget, we're about to pull the trigger on an aruba deploy of 80 radios... On 11/20/08 9:07 AM, Philippe Hanset [EMAIL PROTECTED] wrote: Our latest strategy was phased overhaul (but it might change!), one building at a time with some tricky VLAN trunking when buildings are close to each other. That was buildings To give you a timeline idea: We plan on overhauling the entire main campus (120 buildings, 1500 APs) in less than 6 months.
Re: [WIRELESS-LAN] GPO for controlling access to the wireless settings
All, We recently switched a few departments to an all 802.1x wireless solution, using machine authentication; in the lab we had great success, now that we have this in the wild, we're having problems. For infrastructure we have Aruba access points that broadcast three different SSIDs. One 802.1x enterprise WPA2 and WPA, one static WPA, and one totally Open (secured through a guest services captive portal). We've created a GPO that enforces the settings for 802.1x however people will go in and change (or perhaps windows itself) will migrate it to the open wireless over which the machines cannot perform machine authentication. My question is, does anyone have a GPO that keeps users' fingers out of selecting different access SSID? - Jason D. Appah Systems Administrator Oregon Institute of Technology [EMAIL PROTECTED] Office:541-885-1719
RE: [WIRELESS-LAN] Vista and 802.1x
I would second this step as well as updating drivers for the HP, most of our problems with 802.1x are with older drivers -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Cottrell, Charles P. Sent: Monday, July 28, 2008 1:01 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Vista and 802.1x We had this problem and engaged Microsoft support. On Vista devices without service pack 1 you must install a hotfix. I believe you can reference kb932063 (http://support.microsoft.com/kb/932063), but we had to get the patch file directly from Microsoft. The hotfix is actually included in SP1. Do both laptops have SP1? We had this same problem and it was very frustrating! Hopefully this helps. Charles Charles P. Cottrell Network Engineer Medical University of South Carolina 843.792.9938 -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Youngquist, Jason R. Sent: Monday, July 28, 2008 3:50 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Vista and 802.1x I have two Windows Vista laptops. One is an IBM which connects just fine to the network with the following settings: Security: WPA2-Enterprise Encryption: Any supported PEAP with EAP-MSCHAP v2 and automatically use my Windows login name and password (and domain if any) is unchecked. The other is a HP laptop which is having problems. When I select a network to connect to it shows the network name and the following message The settings saved on this computer for the network do not match the requirements of the network. I've tried removing the SSID and manually adding it in and still get the same error. The HP laptop is using a Linksys USB wireless card which I downloaded the latest drivers from the Linksys website. I've tried unchecking IPV6, but it doesn't seem to have an effect. I've done some googling, but can't seem to find anything useful.
Suggestions? Thanks. Jason Youngquist
RE: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA
Most Windows Mobile 6 devices do WPA2 and 802.1x but a better client to use would be Funk, (now juniper) odyssey client... http://www.juniper.net/products_and_services/aaa_and_802_1x/odyssey/index.html -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett Sent: Friday, May 30, 2008 7:57 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA Does anyone know a third-party piece of software that will allow me to connect Windows Mobile 5 or 6 to our WPA2 with 802.1x using PEAP wireless network? We don't use personal certificates for authentication, only a username and password. We are using Windows 2008 Network Policy Servers as our radius server. Below is an event log entry. We can get the PDA connected, it transmits the username and password but the EAP isn't working. I have tried enabling all EAP protocols and all encryption options and I still get the EAP error below. Any help? Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information. 
User: Security ID:xx\xx Account Name: xx\xx Account Domain: xx Fully Qualified Account Name: xx\xx Client Machine: Security ID:NULL SID Account Name: - Fully Qualified Account Name: - OS-Version: - Called Station Identifier: 00-18-74-F8-4D-F0:ssid Calling Station Identifier: 00-1A-6B-93-62-ED NAS: NAS IPv4 Address: 10.x.x.x NAS IPv6 Address: - NAS Identifier: WiSM-B NAS Port-Type: Wireless - IEEE 802.11 NAS Port: 29 RADIUS Client: Client Friendly Name: WiSM2 Client IP Address: 10.x.x.x Authentication Details: Proxy Policy Name: Authenticate pct.edu Users Network Policy Name:Employee Wireless Policy Authentication Provider:Windows Authentication Server: NPS2.pct.edu Authentication Type:EAP EAP Type: - Account Session Identifier: - Reason Code:22 Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server. Daniel R. Bennett CompTIA Security+ Information Technology Security Analyst Pennsylvania College of Technology One College Ave Williamsport, PA 17701 (P) 570.329.4989
RE: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA
I have only used it as a part of windows mobile 5 on Intermec scanners and touch screen devices, so I admit, I've only used it as a pre-installation. -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Lee H Badman Sent: Friday, May 30, 2008 8:09 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA I have found Odyssey to be great on iPAQs and such that had it packaged as part of the original software build that shipped with the device, but less than 50% effective/reliable as an add-on to other hand-helds. -Lee -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Jason Appah Sent: Friday, May 30, 2008 11:05 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA Most Windows Mobile 6 devices do WPA2 and 802.1x but a better client to use would be Funk, (now juniper) odyssey client... http://www.juniper.net/products_and_services/aaa_and_802_1x/odyssey/index.html -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett Sent: Friday, May 30, 2008 7:57 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA Does anyone know a third-party piece of software that will allow me to connect Windows Mobile 5 or 6 to our WPA2 with 802.1x using PEAP wireless network? We don't use personal certificates for authentication, only a username and password. We are using Windows 2008 Network Policy Servers as our radius server. Below is an event log entry. We can get the PDA connected, it transmits the username and password but the EAP isn't working. I have tried enabling all EAP protocols and all encryption options and I still get the EAP error below. Any help? Network Policy Server denied access to a user. 
Contact the Network Policy Server administrator for more information. User: Security ID:xx\xx Account Name: xx\xx Account Domain: xx Fully Qualified Account Name: xx\xx Client Machine: Security ID:NULL SID Account Name: - Fully Qualified Account Name: - OS-Version: - Called Station Identifier: 00-18-74-F8-4D-F0:ssid Calling Station Identifier: 00-1A-6B-93-62-ED NAS: NAS IPv4 Address: 10.x.x.x NAS IPv6 Address: - NAS Identifier: WiSM-B NAS Port-Type: Wireless - IEEE 802.11 NAS Port: 29 RADIUS Client: Client Friendly Name: WiSM2 Client IP Address: 10.x.x.x Authentication Details: Proxy Policy Name: Authenticate pct.edu Users Network Policy Name:Employee Wireless Policy Authentication Provider:Windows Authentication Server: NPS2.pct.edu Authentication Type:EAP EAP Type: - Account Session Identifier: - Reason Code:22 Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server. Daniel R. Bennett CompTIA Security+ Information Technology Security Analyst Pennsylvania College of Technology One College Ave Williamsport, PA 17701 (P) 570.329.4989
RE: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA
Daniel, I am glad to see this worked for you! Check with Gov Connection they resell a lot of juniper's gear, they'd be my best bet for a good price on the supplicant. -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett Sent: Friday, May 30, 2008 9:04 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA The Odyssey Client worked great! Does anyone have a reseller they use for this? The list price is $50 per license but I am hoping to get better prices being education. Daniel R. Bennett CompTIA Security+ Information Technology Security Analyst Pennsylvania College of Technology One College Ave Williamsport, PA 17701 (P) 570.329.4989 -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Jason Appah Sent: Friday, May 30, 2008 11:24 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA I have only used it as a part of windows mobile 5 on Intermec scanners and touch screen devices, so I admit, I've only used it as a pre-installation. -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Lee H Badman Sent: Friday, May 30, 2008 8:09 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA I have found Odyssey to be great on iPAQs and such that had it packaged as part of the original software build that shipped with the device, but less than 50% effective/reliable as an add-on to other hand-helds. 
-Lee -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Jason Appah Sent: Friday, May 30, 2008 11:05 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA Most Windows Mobile 6 devices do WPA2 and 802.1x but a better client to use would be Funk, (now juniper) odyssey client... http://www.juniper.net/products_and_services/aaa_and_802_1x/odyssey/index.html -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett Sent: Friday, May 30, 2008 7:57 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] PDA 802.1x WPA2 or WPA Does anyone know a third-party piece of software that will allow me to connect Windows Mobile 5 or 6 to our WPA2 with 802.1x using PEAP wireless network? We don't use personal certificates for authentication, only a username and password. We are using Windows 2008 Network Policy Servers as our radius server. Below is an event log entry. We can get the PDA connected, it transmits the username and password but the EAP isn't working. I have tried enabling all EAP protocols and all encryption options and I still get the EAP error below. Any help? Network Policy Server denied access to a user. Contact the Network Policy Server administrator for more information. 
User: Security ID:xx\xx Account Name: xx\xx Account Domain: xx Fully Qualified Account Name: xx\xx Client Machine: Security ID:NULL SID Account Name: - Fully Qualified Account Name: - OS-Version: - Called Station Identifier: 00-18-74-F8-4D-F0:ssid Calling Station Identifier: 00-1A-6B-93-62-ED NAS: NAS IPv4 Address: 10.x.x.x NAS IPv6 Address: - NAS Identifier: WiSM-B NAS Port-Type: Wireless - IEEE 802.11 NAS Port: 29 RADIUS Client: Client Friendly Name: WiSM2 Client IP Address: 10.x.x.x Authentication Details: Proxy Policy Name: Authenticate pct.edu Users Network Policy Name:Employee Wireless Policy Authentication Provider:Windows Authentication Server: NPS2.pct.edu Authentication Type:EAP EAP Type: - Account Session Identifier: - Reason Code:22 Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server. Daniel R. Bennett CompTIA Security+ Information Technology Security Analyst Pennsylvania College of Technology One College Ave Williamsport, PA 17701 (P) 570.329.4989
RE: [WIRELESS-LAN] Using Private IP addresses for wireless users.
We do the same, it's an extra step, but our Network Engineer scripted the lookup for the DMCA notices allowing an almost instantaneous response. Its quite nice once you have it setup. -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Tom Klimek Sent: Thursday, May 29, 2008 12:11 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Using Private IP addresses for wireless users. At ND we've been NAT'ing our wireless network for a couple years. We NAT 1:1 at the border router and log all translations giving us the ability to identify end users. We are fortunate to have ample Public address space and this allows more efficient utilization. Tom Klimek University of Notre Dame -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Johnson, Neil M Sent: Thursday, May 29, 2008 2:49 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Using Private IP addresses for wireless users. Identifying users is a big concern for us. We need to be able to identify users for DMCA purposes, for example. -- Neil Johnson Network Engineer The University of Iowa W: 319 384-0938 M: 319 540-2081 http://www.uiowa.edu -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Brooks, Stan Sent: Thursday, May 29, 2008 10:52 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Using Private IP addresses for wireless users. Neil, At Emory, we've been NAT'ing wireless users since last fall - ResNet users since before move in weekend, and regular academic users since last fall break. We've not had any issues from the users that have been NAT'ed. By far the more complicated NAT was ResNet as we use NetReg and CAT for network access control and scanning. We end up internally routing the NAT addresses for NetReg - it hands out the DHCP addresses. 
Once a ResNet client gets an IP address, the NAT function is handled by our Aruba controllers. On the academic side, the controllers themselves handle DHCP for the wireless users along with NAT'ing the traffic. We have 4 class C non-routeable subnets per controller (4 ResNet controllers and 6 Academic controllers). The Aruba gear will load-balance users across those subnets for us. The Aruba gear also NATs the traffic though a pool of (routeable) addresses. IDS is handled by Tipping Points on the (routeable) network, just like any wired device. We don't have any way of easily tying a user/session on the non-routeable subnets to an IP on the routeable network. We can see the session as it happens, but there is not good way to go back through the logs and determine that this user hit a particular IP address on the Internet. To date, we haven't needed to. We originally moved to NAT because of scarce IP resources, and the number of wireless users was increasing at alarming rates. With NAT'ed IP addresses, we can support huge numbers of wireless users and ease some of the pressure on our allocated IP addresses. We felt and still feel that the benefits outweigh the problems with tracking individual users. - Stan Brooks - CWNA/CWSP Emory University Network Communications Division 404.727.0226 [EMAIL PROTECTED] AIM: WLANstan Yahoo!: WLANstan MSN: [EMAIL PROTECTED] From: The EDUCAUSE Wireless Issues Constituent Group Listserv [EMAIL PROTECTED] On Behalf Of Johnson, Neil M [EMAIL PROTECTED] Sent: Thursday, May 29, 2008 9:55 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Using Private IP addresses for wireless users. We will be out of address space for one of our wireless nets (currently a /21) in the fall. We do not have a larger block available, and attempts to obtain additional address space by fall are not looking promising, so there is a distinct possibility that will have to move our wireless users to private address space. 
So I'm looking for information from other institutions who use private address space for their wireless networks. We are primarily a Meru shop, although we have about 86 Cisco LWAPP AP's in production. We use 802.1X (WPA2 Enterprise) for authentication. Here are the questions I have: - How do you implement NAT ? - How do you provide DHCP addresses to your clients ? - How do you handle IDS and Flow data collection ? - What tools and processes do you use to tie a public IP address back to an 802.1X authenticated user ? - What kind of application issues have you run into and how do you handle them ? - Are your end-users satisfied with the service ? Thanks. -- Neil Johnson Network Engineer The University of Iowa W: 319 384-0938 M: 319 540-2081 http://www.uiowa.edu
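The question raised in this thread, tying a public address back to an 802.1X-authenticated user when NAT/PAT is in use, comes down to joining three logs on time: translations, DHCP leases and RADIUS accounting. The following is an added example, not part of any list member's post or any vendor's tooling; the log layouts, addresses, MACs and user names are constructed for illustration.

```python
"""Resolve (public IP, public port, time) to an 802.1X user by joining NAT/PAT
translation, DHCP lease and RADIUS accounting records on overlapping time.
Every record layout and value below is constructed for illustration."""
from datetime import datetime, timedelta

# Constructed NAT/PAT translations:
# start end private_ip private_port public_ip public_port
NAT_LOG = """\
2008-05-29T14:00:05 2008-05-29T14:03:10 192.168.10.21 51515 198.51.100.7 40001
2008-05-29T14:10:00 2008-05-29T14:12:30 192.168.10.44 49152 198.51.100.7 40001
2008-05-29T14:11:00 2008-05-29T14:20:00 192.168.10.21 51600 198.51.100.7 40002
"""
# Constructed DHCP leases: start end private_ip client_mac
# (192.168.10.21 is handed to a second client after the first lease ends)
DHCP_LOG = """\
2008-05-29T08:00:00 2008-05-29T14:05:00 192.168.10.21 00:11:22:33:44:55
2008-05-29T14:06:00 2008-05-29T20:00:00 192.168.10.21 66:77:88:99:aa:bb
2008-05-29T09:00:00 2008-05-29T21:00:00 192.168.10.44 00:de:ad:be:ef:01
"""
# Constructed RADIUS accounting sessions: start stop calling_station_id user_name
RADIUS_LOG = """\
2008-05-29T07:59:50 2008-05-29T14:04:55 00-11-22-33-44-55 alice
2008-05-29T14:05:58 2008-05-29T19:30:00 66-77-88-99-AA-BB bob
2008-05-29T08:59:40 2008-05-29T20:59:00 00-DE-AD-BE-EF-01 carol
"""


def norm_mac(mac):
    """RADIUS and DHCP logs usually format MAC addresses differently."""
    return mac.replace("-", ":").lower()


def active(log_text, when, skew):
    """Return the fields of every record whose [start, end] window covers `when`."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        start, end, *fields = line.split()
        if (datetime.fromisoformat(start) - skew <= when
                <= datetime.fromisoformat(end) + skew):
            hits.append(fields)
    return hits


def attribute(public_ip, public_port, when, skew_seconds=2):
    """Walk NAT -> DHCP -> RADIUS; stop and report the stage on 0 or >1 matches.

    Assumes all three sources share one clock and time zone; `skew_seconds`
    absorbs small differences. With PAT the port is mandatory: one public
    address carries many users at once, and ports are reused over time.
    """
    t = datetime.fromisoformat(when)
    skew = timedelta(seconds=skew_seconds)
    result = {"status": "ok"}

    def only(stage, matches):
        if len(matches) != 1:
            result.update(status="ambiguous" if matches else "no-match", stage=stage)
            return None
        return matches[0]

    flow = only("nat", [f for f in active(NAT_LOG, t, skew)
                        if f[2] == public_ip and int(f[3]) == public_port])
    if flow is None:
        return result
    result["private_ip"] = flow[0]

    lease = only("dhcp", [f for f in active(DHCP_LOG, t, skew) if f[0] == flow[0]])
    if lease is None:
        return result
    result["mac"] = norm_mac(lease[1])

    session = only("radius", [f for f in active(RADIUS_LOG, t, skew)
                              if norm_mac(f[0]) == result["mac"]])
    if session is None:
        return result
    result["user"] = session[1]
    return result


if __name__ == "__main__":
    for port, ts in [(40001, "2008-05-29T14:02:00"), (40001, "2008-05-29T14:11:00"),
                     (40002, "2008-05-29T14:15:00"), (40001, "2008-05-29T14:05:00")]:
        print(port, ts, attribute("198.51.100.7", port, ts))
```

The same public port maps to two different users ten minutes apart, and the same private address maps to two different users across a lease change, which is why each join has to be bounded by the timestamp rather than keyed on the address alone.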
RE: [WIRELESS-LAN] Open source code for AP's
I saw this post this morning also and I concur with Lee; with the price of enterprise class AP's dropping you have two choices go enterprise, or do nothing. That is at least you can manage expectations even if it's not the answer your customers want to hear, it really IS what they want to hear, until they have enough money to do it right, doing it wrong or half-baked is WAYY worse than not at all. At least that's my take on it. Jason D. Appah -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Lee H Badman Sent: Tuesday, April 22, 2008 9:54 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Open source code for AP's Brian- Is interesting, but the question of reliability comes to mind. I've had various consumer boxes with different firmware go belly up days to months after being flashed with various codes. It would also mean that without central management and monitoring, almost every reported trouble might require a service call. Also- regardless of what you do, you may find that students still bring their own... Which begs the question, have you considered just letting them bring their own as an interim solution? (Wince with me, all you security-types:)) -Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003 -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Brian J David Sent: Tuesday, April 22, 2008 12:35 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Open source code for AP's I was wondering if there are other schools who have deployed or were thinking of deploying open source code flashed access points. The students want wireless in the dorms as you all know but because of budget and time we are looking into some alternative temporary solutions, like dd-wrt flashed linksys access points. 
We were thinking of deploying a pre-configured AP with the antenna power setting set to its lowest power level and a few other minor configuration. I know this could be a challenge in managing these devices (although they have appliances/software out there that can manage them). If we could give the students an alternative to bringing into their dorm a rogue AP until we can get a permanent wireless infrastructure the benefits could outweigh the headaches. Comments? Brian J David Network Systems Engineer Boston College
RE: [WIRELESS-LAN] many clients, one room
I just wish I could get them to call me. From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Jon Freeman Sent: Sat 4/12/2008 1:49 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] many clients, one room Added a couple of notes to Frank's message below... Jon 303-808-2666 Xirrus(tm) Array...the Air is the Network(tm)...visit us at www.xirrus.com From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk - iNAME Sent: Saturday, April 12, 2008 2:03 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] many clients, one room John: Thanks for responding. Two points: - It's not reasonable to ignore retransmits. One of Meru's key technology strengths is its claim to pseudo-schedule client access. This reduces retransmits due to collisions (JON - true but what they don't point out is that this is similar to the 11g collision avoidance technique already part of the spec - I've not seen them argue they do any better than 22Mbs which is only a 10% difference resulting in a few seconds difference from the calculated result, not enough to compare to the 4 times faster demonstrated). Meru argues (and the last Novarum study appeared to demonstrate) that in dense client situations Meru's approach provides a higher aggregate throughput per AP (JON- as noted in my last comment, this may be, but the small percent difference can't come close to lighting up more total channels). If you recall one of the first graphics on their web site many years ago was of a chart with the number of clients along the x axis and aggregate throughput along the y-axis. 
I don't want to ignore the fact that the other vendors involved in Novarum's test didn't have an opportunity to optimize their product or want to participate, but not unlike ATM and Token Ring, it appears that Meru's approach, in situations of high client density, should outperform the traditional approach (JON - actually the opposite is true as the stand alone AP environment offers a new pool of capacity per AP where the Meru blanket approach only offers a single pool of capacity across multiple APs that everyone share, in effect creating a single hub for the entire area of coverage that is only 3 channels in size, so depending on the size of the coverage area the Meru approach could provide a significantly less amount of total bandwidth). In other words, in the PowerPoint scenario you described, Meru would do better than their competitors (JON - yes, this is true for everyone except the example used for the Xirrus Array which provides 4 times the speed, and since we're talking about classroom teaching time this difference is significant in terms of impact on the learning effect of students). Their competitors would argue that the network should be designed differently.(JON - actually most competitors might say that you can't support this number of people in a closed space since they will deal with near field interference issues) - More (non-overlapping) channels is almost always better (JON - we agree on this point completely). 
The enterprise WLAN vendors could stack multiple APs on top of each other, each operating at one or more non-overlapping 5 GHz frequencies, but omni-directional antennas will make channel planning difficult (JON - actually the planning would be more likely impossible as any APs placed in close proximity would cause each other near field interference, like what you hear when your cell phone is near your telephone, both operate on difference frequencies but their close proximity causes interference...the Array has several passive and active technologies that eliminate this problem, a benefit of integration that can't be solved by stacking APs, anyone who's tried stacking can offer their experience). Xirrus does a nice job of packaging that up, and it's directionality increases coverage and limits co-channel interference with neighboring arrays. (JON - agreed, and thank you!) My summary viewpoint: most enterprise WLAN vendors have been able to avoid the channel-stacking and co-channel interference challenges because actual usage levels have been low, they haven't had to worry about it (JON - true but we're seeing this problem coming to a head in about 30% of the Wi-Fi implementations today with a very rapid growth). They've been granted a reprieve with 802.11n (JON - .11n is now set for ratification in 2009, it does provide a good indication of the need for speed if you review the level of interest, FYI - the array with .11n will provide fast Ethernet switch replacement speeds - 12/24/48 port speeds, allowing you to get the switch benefit without the costs of the wires). While one might be tempted to say that this will catch up on them, I believe that raw speed will continually increase, either through
RE: [WIRELESS-LAN] many clients, one room
WOW?! Two radios and 250 users? Please describe your setup! Jason D. Appah -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of John Center Sent: Monday, April 14, 2008 5:28 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] many clients, one room Hi Don, We are a Meru customer we've had great success with their system in our large lecture rooms. On Friday, we had 250 Engineering students taking an exam, which required MathCAD, on 2 Meru AP208s. The exam ran flawlessly. HTH -John Don Wright wrote: I know this has been talked about and debated on this list before, but what are people doing today when faced with a request like the need for 100 students simultaneously downloading a powerpoint presentation. Recently there was discussion on MCA vs. SCA vendors and how each handles this worst case scenario. Since we are an MCA (Aruba), I'd be interested in hearing what others have done or are planning for large classrooms and auditoriums. -- Don Wright Network Technologies Group Brown University wire --- less, wi-fi ))) more
RE: [WIRELESS-LAN] Open Wireless in Higher Ed
I would second that, their technical support service is incredible, and are patient and supportive, and in terms of ease of use, flexibility, and overall power, their ignition server has all others beat. Jason D. Appah -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Chad Frisby Sent: Wednesday, March 26, 2008 5:55 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Open Wireless in Higher Ed If you want a best in class 802.1x integration box - tailored to Higher-ED please have a look at these guys. Identity Engines www.idengines.com For a customer reference account using this product - please contact Todd below: Brigham Young University, Idaho Todd Smith Director Of Infrastructure 208-496-1230 [EMAIL PROTECTED] Cheers, Chad Frisby 303.406.3222 [EMAIL PROTECTED] -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett Sent: Wednesday, March 26, 2008 5:44 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Open Wireless in Higher Ed We are looking at technologies such as Radius, Cisco Clean Access, etc. to require our wireless client to authenticate to our network. Currently we have an open, unsecured wireless network. What are you Higher Ed institutions implementing to make sure that only valid users are using your wireless networks? If your policy is to do nothing then please indicate that as well. Thanks Daniel R. Bennett CompTIA Security+ Information Technology Security Analyst Pennsylvania College of Technology One College Ave Williamsport, PA 17701 (P) 570.329.4989
RE: [WIRELESS-LAN] IAS Logging
I've tried this with our current implementation of IAS and it works fine, re-challenges for correct password, and throws an event in the IAS event log... perhaps it's something else? Although I am glad to be moving to an idengines ignition server... albeit for different reasons. From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Mike King Sent: Sat 3/8/2008 5:12 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] IAS Logging I have to clarify something for myself here. When you enter the wrong password into the Windows PEAP Client, IAS will lock the account out because the client will keep trying the wrong password? Wow. The major RADIUS servers all have the correct behavior, in that if you put the wrong password, it will send the correct response back to the client to force it to reprompt the client to re-enter the username/password. I've tested this with FreeRadius (Everything from .97 up has it) Funk (Juniper now) Steel Belted Radius (SBR) and IDEngines Ignition server. I figured Microsoft would use their own API, and perform the correct action. I guess that would be a false assumption. (To clarify my point, I'm blaming IAS for not following the RADIUS specs that Microsoft created when they made the PEAP client in Windows XP. )
RE: [WIRELESS-LAN] Feedback needed for WiFi manufacturers
We have looked at and are currently using HP Procurve 420, and Proxim/Orinoco 4000 AP. The HP Procurves are great midrange devices, the Proxim was deployed before I started with this university, and I am not pleased at all with it. On paper the Proxim have a great feature set, unfortunately I found that lackluster documentation and command line issues left me wanting. Really if you do deploy these the best way to manage them is via airwave. I don't recommend them. The HP Procurves are competitively priced, intuitive in their design and implementation, however they don't quite have the feature set that I am looking for, e.g. aruba switched wireless or xirrus. We are starting to look at the xirrus as a means to deploy in environs where we don't want to pay to (re) cable.. Has anyone used their solutions? Jason Appah [EMAIL PROTECTED] Information Services Systems Administrator / Network Analyst II Oregon Institute of Technology SAN GIAC Silver, MCP Active Directory, Security+ From: Scott Smith [mailto:[EMAIL PROTECTED] Sent: Thu 12/6/2007 12:40 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Feedback needed for WiFi manufacturers For years we have been a Cisco and Vivato WiFi shop. I am now being asked to evaluate other WiFi manufacturers. In the past I've looked at 3com, Lucent, and Symbol. However, that's been over 7 years ago at this point. So I'm wanting any feedback for other types of WiFi other Universities are currently utilizing, pros and cons, and even ones in the past you may have used. I started looking at Colubris, Xirrus, and Symbol as those are the ones specifically I was asked to look at. However, I'm just wanting to see what other options there may be, besides Cisco. -- Scott Smith Network Engineering Services Southern Illinois University Carbondale [EMAIL PROTECTED]