Re: [WIRELESS-LAN] Non-802.1x devices on wireless...

2013-06-06 Thread Jason Murray
We are in the process of switching our entire SSID infrastructure around
for the same reasons you are asking about.   We have a number of devices
that don't support 802.1x.   For this and a handful of other reasons, we
are rolling out 3 brand new SSIDs.

wustl-2.0 = Open SSID.  Authentication is based on a DHCP captive portal
from Infoblox (our IPAM system).
wustl-guest-2.0 = Guest network.   Only ports 80 and 443 are open.  The
bandwidth is also limited per IP.   This is our way of making it painful so
normal users won't try to use this.
wustl-encrypted-2.0 = 802.1x SSID.

Note: we use a version number on our SSIDs so we can make major changes
without affecting old users during the transition period.


Our theory behind the open SSID with captive portal was this...  The vast
majority of our users are used to coffee shop style wireless.  A large
number of high visibility services are using end-to-end (https) encryption.
If this does not work for you, we have an SSID with the word encryption in
it.  The end users can make their own decision for what works best for
them.  We originally thought about running WPA2 with a common shared key
for encrypting the connection, but there are security issues with this.
Anyone with the key could decrypt the traffic if they wanted.   We felt
like we would be giving our users a false sense of security if we offered a
shared key WPA2 solution.

I would be happy to discuss this further if you want, my phone number is in
the sig below.

-- 
Jason E. Murray
Sr. Systems Engineer
Washington University in St. Louis
Phone: 314-935-4865
Email: jemur...@wustl.edu
Web: http://nts.wustl.edu/~jemurray/




On Tue, Jun 4, 2013 at 2:37 PM, Danny Eaton  wrote:

> I seem to remember seeing some discussion a while ago about non 802.1x
> capable devices on wireless.  We’re a Cisco wireless shop, and currently
> run 2, about to be 3 (with the addition of eduroam) SSIDs.  Is anyone
> running a specific SSID for these non-802.1x capable devices?  Perhaps
> using WEP and MAC address authentication?  Feel free to contact me off
> list… I’m just trying to get some examples of “best practice” (or at least
> implemented practices) from other institutions.
>
> Respectfully,
>
> Danny Eaton
> Snr. Network Architect
> Networking, Telecommunications, & Operations
> Rice University, IT
> Mudd Bldg, RM #205
> Jones College Associate
> Staff Advisory Committee
> Employee Activities Subcommittee Chair
> Office - 713-348-5233
> Cellular - 832-247-7496
> dannyea...@rice.edu
>
> Soli Deo Gloria
> Matt 18:4-6
>
> G.K. Chesterton, “Christianity has not been tried and found wanting.  It’s
> been found hard and left untried.”
>
> ** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
>
>


-- 
Jason E. Murray
jemur...@zweck.net
http://www.zweck.net/




Cisco WISM-2 version 7.4.110.0 controller problems.

2013-09-25 Thread Jason Murray
We are running Cisco WISM-2 controllers, code 7.4.110.0.  At 11AM this
morning all our clients were dropped and could not reconnect.

To get the clients back online we manually failed all access points to a
secondary controller.   This worked great for about 30 minutes then all the
clients were dropped off again.

At this point we experienced a total wireless outage.


In the logs we see the following errors:

Sep 25 12:52:55.726: #LWAPP-3-MSG_SEND_ERR: spam_api.c:11712 The system is unable to send delete mobile message to LWAPP; AP 08:cc:68:62:9d:40
Sep 25 12:52:55.727: #LWAPP-3-MSG_SEND_ERR: spam_api.c:1489 The system is unable to send free AID message to LWAPP; AP 08:cc:68:62:9d:40
Sep 25 12:52:55.727: #LWAPP-3-MSG_SEND_ERR: spam_api.c:11616 The system is unable to send add mobile message to LWAPP; AP 70:10:5c:b9:7e:a0
Sep 25 12:52:55.728: #LWAPP-3-MSG_SEND_ERR: spam_api.c:11712 The system is unable to send delete mobile message to LWAPP; AP 08:cc:68:b8:58:b0
Sep 25 12:52:55.728: #LWAPP-3-MSG_SEND_ERR: spam_api.c:11712 The system is unable to send delete mobile message to LWAPP; AP 08:cc:68:62:98:e0
Sep 25 12:52:55.728: #LWAPP-3-MSG_SEND_ERR: spam_api.c:1489 The system is unable to send free AID message to LWAPP; AP 08:cc:68:b8:58:b0
Sep 25 12:52:55.728: #LWAPP-3-MSG_SEND_ERR: spam_api.c:1489 The system is unable to send free AID message to LWAPP; AP 08:cc:68:62:98:e0
Sep 25 12:52:55.729: #LWAPP-3-MSG_SEND_ERR: spam_api.c:11712 The system is unable to send delete mobile message to LWAPP; AP f4:1f:c2:02:48:f0
Sep 25 12:52:55.730: #LWAPP-3-MSG_SEND_ERR: spam_api.c:1489 The system is unable to send free AID message to LWAPP; AP f4:1f:c2:02:48:f0
Sep 25 12:52:55.730: #LWAPP-3-MSG_SEND_ERR: spam_api.c:11616 The system is unable to send add mobile message to LWAPP; AP 70:10:5c:b9:73:c0
Sep 25 12:52:55.730: #LWAPP-3-MSG_SEND_ERR: spam_api.c:1489 The system is unable to send free AID message to LWAPP; AP f4:1f:c2:02:48:f0
Sep 25 12:52:55.731: #LWAPP-3-MSG_SEND_ERR: spam_api.c:1489 The system is unable to send free AID message to LWAPP; AP 08:cc:68:62:98:e0
Sep 25 12:52:55.731: #LWAPP-3-MSG_SEND_ERR: spam_api.c:11616 The system is unable to send add mobile message to LWAPP; AP 08:cc:68:62:e7:90
Sep 25 12:52:55.733: #LWAPP-3-MSG_SEND_ERR: spam_api.c:1489 The system is unable to send free AID message to LWAPP; AP f4:1f:c2:03:2b:f0
Sep 25 12:52:55.733: #LWAPP-3-MSG_SEND_ERR: spam_api.c:11712 The system is unable to send delete mobile message to LWAPP; AP 08:cc:68:62:8a:10
Sep 25 12:52:55.734: #LWAPP-3-MSG_SEND_ERR: spam_api.c:11616 The system is unable to send add mobile message to LWAPP; AP f4:1f:c2:98:99:20
Sep 25 12:52:55.735: #LWAPP-3-MSG_SEND_ERR: spam_api.c:1489 The system is unable to send free AID message to LWAPP; AP 08:cc:68:62:8a:10
Sep 25 12:52:55.736: #LWAPP-3-MSG_SEND_ERR: spam_api.c:11616 The system is unable to send add mobile message to LWAPP; AP 08:cc:68:62:93:c0
Sep 25 12:52:55.737: #LWAPP-3-MSG_SEND_ERR: spam_api.c:11616 The system is unable to send add mobile message to LWAPP; AP 08:cc:68:b8:66:50
Sep 25 12:52:55.737: #LWAPP-3-MSG_SEND_ERR: spam_api.c:11712 The system is unable to send delete mobile message to LWAPP; AP 70:10:5c:b9:7e:a0
Sep 25 12:52:55.737: #LWAPP-3-MSG_SEND_ERR: spam_api.c:1489 The system is unable to send free AID message to LWAPP; AP 70:10:5c:b9:7e:a0
Sep 25 12:52:55.738: #LWAPP-3-MSG_SEND_ERR: spam_api.c:11712 The system is unable to send delete mobile message to LWAPP; AP 20:bb:c0:e7:8f:60
Sep 25 12:52:55.738: #LWAPP-3-MSG_SEND_ERR: spam_api.c:11712 The system is unable to send delete mobile message to LWAPP; AP 44:ad:d9:61:f8:c0
Sep 25 12:52:55.738: #LWAPP-3-MSG_SEND_ERR: spam_api.c:11616 The system is unable to send add mobile message to LWAPP; AP 08:cc:68:b8:68:a0
Sep 25 12:52:55.738: #LWAPP-3-MSG_SEND_ERR: spam_api.c:1489 The system is unable to send free AID message to LWAPP; AP 20:bb:c0:e7:8f:60
Sep 25 12:52:55.738: #LWAPP-3-MSG_SEND_ERR: spam_api.c:1489 The system is unable to send free AID message to LWAPP; AP 44:ad:d9:61:f8:c0
Sep 25 12:52:55.739: #LWAPP-3-MSG_SEND_ERR: spam_api.c:11616 The system is unable to send add mobile message to LWAPP; AP 20:bb:c0:e7:8f:60




In order to get something back online we rebooted one of the WISMs, failed
50% of the APs back to the newly rebooted WISM.  At this point both
controllers started working.


TAC was online with us the entire time.  They are still reviewing the logs,
but at this point they have no idea what the problem is (was).


Controller uptime was 22 days, memory around 30-40%, cpu 5-10%, 5000-6000
active clients.


This just happened, we are still reviewing all the logs, graphs, stats,
etc...   I wanted to post this up right now just to see if anyone else has
experienced an issue like this.  Once TAC gets back with us, I will post
additional updates.

Thanks,
-- 
Jason E. Murray
Sr. Systems Engineer
Washington

Re: [WIRELESS-LAN] Experience with Meru

2013-09-25 Thread Jason Murray
We have been a Meru shop since 2006.  We currently have 23 Meru controllers
(31XX, 41XX, 42XX) Version: 4.0-165 or 5.3-132 (depending on controller).

AP types: 200, 208, 302, 310, 311, 320 (At peak we had over 2500 APs)

Over the years we have had a number of unexplained problems.  Here is a
brief bullet point of the top issues (I am pulling most of this from
memory):

* Controller upgrades have been painful, many times requiring support to
get involved.
* Lots of client disconnect issues, where a user gets bumped off and can't
get back on.  The root cause of many of these problems has never been
determined.
* There are issues where clients look like they are connected, but no data
is able to be passed.   This is also still an issue.
* PMK caching does not work at all.   Meru had us disable it.  This was
painful; it requires Meru to get involved every time we change ESS
profiles, add SSIDs, etc. because it requires custom backend scripts to
disable.
* Single channel is a challenge to deal with in dense areas.
* Mixing different AP types is a problem and requires lots of manual
configuration.
* Mixing APs from multiple controllers (controller roaming) is a problem,
and requires lots of AP location planning.  This is an issue when you fill
up one controller and have to shift around a lot of access points.
* Virtual cell does not work on the 2XX series; Meru had us disable it.
* Even their newest controllers with only the 320 series APs still had
random problems like controller lockups, client disconnects, AP drops, etc.
* Support tries to fix the problem.   Over the life of the system they have
sent out 3 different engineers to help us resolve these issues.
* To this day we still have unexplained client disconnect issues where our
clients are dropped from wireless and it may take several minutes to
reconnect.


If you want to talk about this I am happy to discuss further.   Just drop
me an email.




On Wed, Sep 18, 2013 at 11:30 AM, John McMillan wrote:

> Hello all,
>
>
>
> Has anyone here worked with Meru Networks gear? We’ve got some client
> density issues (primarily in auditorium spaces) that our Cisco gear doesn’t
> support very well and we’re investigating alternative solutions for those
> areas. We met briefly with Meru and the technology looks interesting, but
> I’m curious to hear if it lives up to the hype.
>
>
>
> Thanks,
>
>
>
> John McMillan
>
> University of South Alabama
>
> Computer Services Center
>
>


-- 
Jason E. Murray
jemur...@zweck.net
http://www.zweck.net/




Re: [WIRELESS-LAN] Network Name recommendations

2014-08-06 Thread Jason Murray
We use an open SSID with NAC backend.   The name is WUSTL-1.0 for old
wireless controllers and WUSTL-2.0 for new gear.  This way we can bump the
version number as we drastically change wireless technology.




On Tue, Jul 22, 2014 at 6:49 AM, Osborne, Bruce W (Network Services) <bosbo...@liberty.edu> wrote:

> We use our open network for 802.1X onboarding with CloudPath Wizard and
> for registered non-802.1X devices (game consoles, etc.)
>
> We call this open network Liberty-Wireless. Our 802.1X secured network is
> Liberty-Secure.
>
> We are not very creative in our naming.
>
> Bruce Osborne
> Network Engineer - Wireless Team
> IT Network Services
>
> (434) 592-4229
>
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
>
> -Original Message-
> From: Marcelo Lew [mailto:marcelo@du.edu]
> Sent: Monday, July 21, 2014 2:30 PM
> Subject: Network Name recommendations
>
> Hi guys, we are in the process of changing our "entertainment" SSID to one
> that covers more than just Gaming Consoles, as we now also put streaming
> devices, TVs, glasses, alarm clocks, etc on this network.  It is an open
> network secured via NAC enforcement.  Wondering if I can get some examples
> of what you guys are naming these types of networks?  Ours is currently
> called "DU Game Consoles ONLY".  Looking for something short preferably as
> many of these devices have no keyboard.
> Thanks!
>
> Marcelo
>
>
> Marcelo Lew
> Wireless Network Architect & Engineer
> University Technology Services
> University of Denver
> Desk: (303) 871-6523
> Cell: (303) 669-4217
> Fax:  (303) 871-5900
> Email: m...@du.edu
>
>



-- 
Jason E. Murray
jemur...@zweck.net
http://www.zweck.net/




Re: [WIRELESS-LAN] RADIUS Server preference for 10K+ Client Environments?

2011-11-03 Thread Jason Murray
We use FreeRadius 2.1.x servers running on a pair of HP DL360-G7s with Linux.

We have around 8k simultaneous users online at any one time.
Authentication type is 802.1x MS-CHAPv2/PEAP which is proxied through
the FreeRadius servers to a cluster of MS AD servers, where our
single-sign-on system terminates.  We also terminate our captive
portal and various other radius enabled devices to these same servers.

Appreciations: It just works.  Pretty simple setup, we try to keep as
much of the configs as stock as possible.   The huntgroups feature is
good for grouping different devices together; we then apply special
rules to these certain devices.   The flexibility to rewrite usernames
has helped out greatly during some of our legacy migrations.   Centralized
logging via syslog.


Issues: (I don't consider this a problem, but you should be aware of
it).   Our system is all console based.   There is no GUI.  Log file
analysis requires a bit of shell experience with cat, grep, awk, etc.
Personally I like this better, but YMMV.




On Tue, Nov 1, 2011 at 1:25 PM, Lee H Badman  wrote:
> We’re feeling some frustrations with our current RADIUS solution (ACS 5,
> virtual appliances) that are frequently attributed to the size of our client
> base. (At the same time, the logging and reporting on ACS is among the best
> I’ve ever seen.)
>
>
>
> For those of you with large (10,000 + users) RADIUS deployments, what
> servers are you using and what are your points of pain and/or appreciation?
>
>
>
> We currently only use the servers in question for wireless client support,
> doing MS-CHAPv2/PEAP.
>
>
>
>
>
> Regards-
>
>
>
> Lee Badman
>
>
>
>
>
> Lee H. Badman
>
> Wireless/Network Engineer
>
> Information Technology and Services
>
> Adjunct Instructor, iSchool
>
> Syracuse University
>
> 315 443-3003
>
>
>
>
>



-- 
Jason E. Murray
jemur...@zweck.net
http://www.zweck.net/
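The cat/grep/awk style log review described above, as an added example that is not the post's own tooling: three small functions over a FreeRADIUS radius.log, reading failed logins per account, distinct client MACs per account, and failures per NAS. SAMPLE_LOG, the controller names and the MAC addresses are constructed for the example; the function names are mine.

```shell
#!/bin/sh
# Added example: grep/awk-style triage of a FreeRADIUS radius.log, written
# from scratch for this page (not the post's own scripts). SAMPLE_LOG is a
# constructed sample in the FreeRADIUS 2.x "Auth:" line shape; the failed
# lines carry the "[user/<via Auth-Type = EAP>]" form PEAP logins produce.
SAMPLE_LOG='Tue Nov  1 13:25:01 2011 : Auth: Login OK: [jdoe] (from client wlc-1 port 13 cli 00-11-22-33-44-55)
Tue Nov  1 13:25:03 2011 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [asmith/<via Auth-Type = EAP>] (from client wlc-1 port 13 cli 00-11-22-33-44-66)
Tue Nov  1 13:25:04 2011 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [asmith/<via Auth-Type = EAP>] (from client wlc-1 port 13 cli 00-11-22-33-44-66)
Tue Nov  1 13:25:09 2011 : Auth: Login OK: [jdoe] (from client wlc-2 port 7 cli 00-11-22-33-44-77)
Tue Nov  1 13:25:12 2011 : Auth: Login OK: [jdoe] (from client wlc-2 port 7 cli 00-11-22-33-44-88)
Tue Nov  1 13:25:15 2011 : Auth: Login incorrect (mschap: MS-CHAP2-Response is incorrect): [bob/<via Auth-Type = EAP>] (from client wlc-2 port 7 cli 00-11-22-33-44-99)
Tue Nov  1 13:25:20 2011 : Auth: Login OK: [bob] (from client wlc-2 port 7 cli 00-11-22-33-44-99)'

# Normalise each Auth line on stdin to "OK|FAIL user nas mac".
parse_auth() {
  awk -F': Auth: Login ' 'NF == 2 {
    outcome = ($2 ~ /^OK/) ? "OK" : "FAIL"
    rest = substr($2, index($2, "[") + 1)        # from the username onwards
    user = rest; sub(/].*$/, "", user); sub(/\/.*$/, "", user)  # drop "]..." and "/<via ...>"
    nas = rest;  sub(/.*from client /, "", nas); sub(/ .*$/, "", nas)
    mac = rest;  sub(/.* cli /, "", mac);        sub(/\).*$/, "", mac)
    print outcome, user, nas, mac
  }'
}

# Failed logins per account, most first. Repeated failures from one account
# usually mean a stale cached password on a device, but it is also what
# guessing against a known username looks like, so it is the first list to read.
failed_by_user() {
  parse_auth | awk '$1 == "FAIL" { n[$2]++ } END { for (u in n) print n[u], u }' | sort -rn
}

# Number of distinct client MACs that logged in successfully as one account.
# A count well above what one person carries points at shared or leaked credentials.
devices_for_user() {
  parse_auth | awk -v u="$1" '$1 == "OK" && $2 == u { seen[$4] = 1 }
                              END { n = 0; for (m in seen) n++; print n }'
}

# Per NAS client (controller): "nas failed total". A controller whose failure
# share jumps while the others stay flat is misconfigured or out of sync.
failures_by_nas() {
  parse_auth | awk '{ t[$3]++ } $1 == "FAIL" { f[$3]++ }
                    END { for (c in t) print c, f[c] + 0, t[c] }' | sort
}

# Demo on the constructed sample; on a real server feed radius.log instead:
#   failed_by_user < /var/log/radius/radius.log
printf '%s\n' "$SAMPLE_LOG" | failed_by_user
printf '%s\n' "$SAMPLE_LOG" | failures_by_nas
echo "distinct devices seen for jdoe: $(printf '%s\n' "$SAMPLE_LOG" | devices_for_user jdoe)"
```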



Re: [WIRELESS-LAN] NAT Logging Storage Requirements

2011-11-03 Thread Jason Murray
We have a single Linux server running rsyslog collecting all our NAT
translation logs.


We generate up to 5GB of data per hour.   This is for ALL our
firewall/NAT devices (wireless, resnet, etc).   We roll each log file
every hour.   The first 2 logs are kept uncompressed, then everything
after that is gzip'ed down to a few hundred MB.

After compression storage is not that bad.  We keep around 30 days of
logs and have plenty of storage with a 1TB array.


Everything is CLI based; you need some grep, sed, awk skills to search
through the log files.   Overall this works out well in our
environment.




On Wed, Nov 2, 2011 at 11:32 AM, Johnson, Neil M  wrote:
> We are looking at having to move our wireless net's to private address
> space and NAT/PAT ing traffic from the wireless nets to the Internet.
>
>
> What are you using to store your NAT logs (Systems, Disk space, Database)?
>
> Thanks.
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> The University of Iowa
> Phone: 319 384-0938
> Fax: 319 335-2951
> Mobile: 319 540-2081
> E-Mail: neil-john...@uiowa.edu
>
>



-- 
Jason E. Murray
jemur...@zweck.net
http://www.zweck.net/
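The search the post says you need grep/awk for, as an added example and not the post's own tooling: given a public ip:port from an abuse report, find the inside host in hourly rotated NAT logs where the newest files are plain text and older ones are gzip'ed. The file names, the ASA-style 305011/305012 message lines and every address are constructed for the example; nat_lookup and the other function names are mine.

```shell
#!/bin/sh
# Added example: locating the inside host behind a public ip:port in hourly
# rotated NAT logs, written for this page (not the post's own tooling).
# File names, the ASA-style message lines and the addresses are constructed.
make_sample_logs() {
  dir=$1
  mkdir -p "$dir"
  # current hour and previous hour are plain text, older hours are gzip'ed
  cat > "$dir/nat.log" <<'EOF'
Nov  2 13:02:11 fw1 %ASA-6-305011: Built dynamic TCP translation from inside:172.18.40.7/52002 to outside:203.0.113.7/40001
EOF
  cat > "$dir/nat.log.1" <<'EOF'
Nov  2 12:10:44 fw1 %ASA-6-305011: Built dynamic TCP translation from inside:172.18.9.3/60100 to outside:203.0.113.8/40001
Nov  2 12:10:50 fw1 %ASA-6-305012: Teardown dynamic TCP translation from inside:172.18.9.3/60100 to outside:203.0.113.8/40001 duration 0:00:06
EOF
  printf '%s\n' \
    'Nov  2 11:31:07 fw1 %ASA-6-305011: Built dynamic TCP translation from inside:172.18.5.10/51234 to outside:203.0.113.7/40001' \
    'Nov  2 11:31:09 fw1 %ASA-6-305012: Teardown dynamic TCP translation from inside:172.18.5.10/51234 to outside:203.0.113.7/40001 duration 0:00:02' \
    | gzip > "$dir/nat.log.2.gz"
}

# Stream every rotated file in DIR, decompressing the gzip'ed ones on the fly.
cat_all_logs() {
  for f in "$1"/nat.log*; do
    case $f in
      *.gz) gzip -dc "$f" ;;
      *)    cat "$f" ;;
    esac
  done
}

# nat_lookup DIR PUBLIC_IP PUBLIC_PORT [DAY] [HH:MM]
# Prints "<month> <day> <time> <inside ip/port>" for each translation built to
# that public ip:port. With PAT a public port is handed to a different inside
# host every few minutes, so narrow by DAY ("Nov 2") and HH:MM from the
# abuse report rather than trusting the first hit.
nat_lookup() {
  cat_all_logs "$1" | awk -v pub="outside:$2/$3" -v day="$4" -v hhmm="$5" '
    / Built dynamic / && $NF == pub &&
    (day == "" || ($1 " " $2) == day) && (hhmm == "" || index($3, hhmm) == 1) {
      inside = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^inside:/) inside = substr($i, 8)
      print $1, $2, $3, inside
    }'
}

# Demo on the constructed sample: who held 203.0.113.7:40001 at 11:31 on Nov 2?
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
nat_lookup "$demo_dir" 203.0.113.7 40001 "Nov 2" 11:31
rm -rf "$demo_dir"
```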



Re: [WIRELESS-LAN] Cisco Bonjour gateway webinar- anyone attend?

2012-07-26 Thread Jason Murray
I would like to know how this differs from the option "Multicast Vlan
Feature = Enabled" in the WLAN configuration?



On 7/25/12 9:59 AM, Lee H Badman wrote:
>
> Did anyone sit in on this
> http://tools.cisco.com/gems/cust/customerSite.do?METHOD=W&LANGUAGE_ID=E&PRIORITY_CODE=&SEMINAR_CODE=S16814 ?
>
>  
>
> Any impressions?
>
>  
>
> Thanks-
>
>  
>
> Lee
>
>  
>
> Lee H. Badman
>
> Wireless/Network Engineer
>
> Information Technology and Services
>
> Adjunct Instructor, iSchool
>
> Syracuse University
>
> 315 443-3003
>
>  
>
>  
>
>






Re: [WIRELESS-LAN] sizing NAT and leases for the explosion

2012-09-28 Thread Jason Murray
We have been running PAT (NAT) for over 5 years now on our wireless network.

This year we have over 10k concurrent users on wireless.  Meru provides
the majority of our wireless network gear.   We have 3 SSIDs (captive
portal, 802.1x, and guest).   Each of these 3 SSIDs is assigned a
single /19 of 172.18. space (Meru suppresses broadcast at the AP).

We use Cisco ASA 5580s as the devices managing the PAT translations and
L3 interfaces.   We assign 1 overload address per 256 addresses.  Our
DHCP timeout is set to 2 hours.

From a network perspective this has been working just fine.

If you want any other details let me know.

-- 
Jason E. Murray
Sr. Systems Engineer
Washington University in St. Louis
Phone: 314-935-4865
Email: jemur...@wustl.edu
Web: http://nss.wustl.edu/~jemurray/



On 9/27/12 3:48 PM, Hanset, Philippe C wrote:
> This is official, we have almost reached the capacity of our public IP 
> addresses (20,000 just on Wireless)
> We love IPv6, but for the moment it's not going to solve our issue!
>
> So, NAT it is, and we have zero experience besides our visitor network that 
> handles 1000+ users.
>
> Our plan is to terminate NAT on our Fortinet firewalls, and assign 32 VLANs 
> (in our Aruba VLAN pools)
> with a private /21 in each subnet. So ~64,000 IP addresses. We block mDNS 
> etc... no worries there.
>
> We can now move away from the 30 minutes lease time and go to... I was 
> thinking 12  or 14 hours.
>
> We plan to do NAT-PAT 1 public to 8  private IP ratio or 1 to 16. 
>
> People with similar size networks: Anything to worry about? 
> DHCP capacity, NAT capacity, Logs, ... 







Re: [WIRELESS-LAN] Cisco 7.3 Code and ISC DHCP

2012-10-16 Thread Jason Murray
This is not completely related, but we just upgraded one of our Cisco
routers; after the upgrade DHCP stopped working because one DHCP option was
blank.  'Debug IP dhcp server' was the only way we would have noticed
this problem.  The router was silently discarding the replies.

...sent from my mobile device, spelling and grammar may suffer...
On Oct 16, 2012 1:43 PM, "Revital Gorsht"  wrote:

> Our most recent shipment of Cisco 3600 APs came with a preloaded 7.3 image
> and appear to be ignoring the DHCP offers being sent to them from our ISC
> DHCP server.  While spanning the port the AP is on, it is evident the
> offers are being sent from the DHCP server, yet the AP's debug messages
> insist its discovers are going unanswered.  Once the AP is configured with
> a static IP, it will then connect to the controller, running 7.2, and
> downgrade its image, at which point we clear the config (so the static IP
> is forgotten and the AP is forced to use DHCP) and the AP accepts the same
> DHCP offer without fail.
>
> Wondering if anyone else who has migrated to 7.3 code with CAP3602I's and
> using ISC DHCP is experiencing this, or if this is specific to our DHCP
> settings?  At the moment, I've got a case open with Cisco and am waiting on
> development to respond...
>
> Thanks.
>
>
>




Re: [WIRELESS-LAN] Cisco 7.3 Code and ISC DHCP

2012-10-19 Thread Jason Murray
On 10/17/12 6:39 AM, Julian Y Koh wrote:
> On Oct 16, 2012, at 19:49 , Jason Murray  wrote
> This is not completely related, but we just upgraded one of our Cisco 
> routers, after the upgrade dhcp stopped working because one dhcp option was 
> blank.  'Debug IP dhcp server' was the only way we would have noticed this 
> problem.  The router was silently discarding the replies.
>
> Can you share router model and software versions?

The last time we had this problem, I documented it here:

http://blog.zweck.net/2012/10/cisco-fails-to-relay-dhcp-requests.html


We have also seen this exact same problem on the Cisco 6509, although I
don't remember the exact software versions.



-- 
Jason E. Murray
Sr. Systems Engineer
Washington University in St. Louis
Phone: 314-935-4865
Email: jemur...@wustl.edu
Web: http://nss.wustl.edu/~jemurray/




