RE: [WIRELESS-LAN] Multi vendor interoperability on Campus
Bruce,

Are the clients matching different policies on the ACS server depending on what wireless system they are connected to? If so each policy may be using a different certificate and freaking out the Apple clients when they cross systems.

Jason

Jason Todd
Network Security Officer
Western University of Health Sciences

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Entwistle, Bruce
Sent: Wednesday, May 01, 2013 9:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Multi vendor interoperability on Campus

We are currently in the process of installing a second vendor's wireless hardware on campus, current Cisco installing Aruba, using the same SSID on all APs. Both systems authenticate against the same ACS server. In our pilot deployment, Windows PCs seemed to connect to either network with no intervention, however our Apple products ask to accept the certificate from our ACS server. Once accepted the Apple devices roam between systems. Has anyone had a similar experience and found a solution which did not include any user interaction?

Thank you
Bruce Entwistle
Network Manager
University of Redlands

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Keith Jeremy Noah
Sent: Wednesday, May 01, 2013 4:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Multi vendor interoperability on Campus

In our ongoing deployments switching from Cisco to Juniper, we are using the new SSID as a way to advertise the new service and differentiate possible wireless connectivity issues. This has been very useful for campus communication and instructions to our help desk, but has led to minor issues where some non-technical management have difficulty differentiating between the service and the hardware. Overall, I agree with option 3.

Keith Noah
University Information Technology Services
University of Wisconsin-Milwaukee
Network Operations Center
Cell:414-810-6789
Office:414-229-4972

From: "Bruce W Osborne" <bosbo...@liberty.edu>
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Wednesday, May 1, 2013 6:12:08 AM
Subject: Re: [WIRELESS-LAN] Multi vendor interoperability on Campus

I would recommend 3. When we moved from Cisco to Aruba in 2008, we used a different SSID and tried to deploy the new system geographically to minimize multi-vendor interaction. We did a rapid deployment in our dorms over winter break.

Bruce Osborne
Wireless Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

From: Becker, Jason [jbec...@wustl.edu]
Sent: Tuesday, April 30, 2013 11:34 AM
Subject: Multi vendor interoperability on Campus

What are others doing to get interoperability when you have multiple wireless vendors on campus? We are transitioning to a new system and trying to think of all the issues we may run into during this.

A little background about our layout… a building will have all the same vendor AP's but adjacent building may not, over 100 buildings on campus, total of 4000+ across campus, systems will have different ip pool space, and limited outdoor coverage.

Ideas
1. Same ssid across both systems and let the clients choose what system.
2. Same ssid and adjust the probe/response thresholds so clients outside of a building don't connect.
3. Have versions of ssids for each system so clients can choose what ssid to connect to.

Thanks,
Jason

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Wireless Printers Brought into Residence Halls
We have seen some HP printers broadcast an ad hoc SSID (usually very strongly and on an interfering channel) whenever the printer is not configured for Wi-Fi. Like Joann, we have to track these down to fix them.

Jason

Jason Todd
Network Security Officer
Western University of Health Sciences

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David R. Morton
Sent: Thursday, March 21, 2013 9:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Printers Brought into Residence Halls

Joann,

If the printer wifi isn't being used, I wouldn't expect that it would cause much interference. The printers will send some Wi-Fi beacons, and others may see the devices in their Wi-Fi list, but neither of those would pose much of an issue.

At the UW, we do allow users to bring and attach their printers to our Wi-Fi network. The bigger problem we see is how to handle AirPrint/AirPlay and other service discovery issues. In the residence halls we have seen this type of traffic use a lot of airtime. In the not too distant future we will be testing Aruba's solution to better manage that type of traffic.

David

David Morton
Director, Mobile Communications
Service Owner, HuskyTV
University of Washington
dmor...@u.washington.edu
tel 206.221.7814

On Mar 21, 2013, at 9:42 AM, Joann Williamson <joa...@usca.edu> wrote:

Hi All,

Our housing policy states that students should not bring wireless printers and other devices that might interfere with the campus wireless to the residence halls. However, students buy whatever is on sale and bring the printers anyway. They don't try to set up the wireless, but they leave it on (or in setup mode) which broadcasts a wireless signal and interferes with the campus wireless. Computer Services gets complaints and has to go find them and turn off the printer's wireless. This process is never ending!

I was hoping for a discussion about what others are doing on this issue. This doesn't have to be a technical conversation, but I am open to technical discussions, too. I am aware of using rogue control to have the AP closest overpower the signal of the printer, but that usually bleeds through the gypsum floor and causes trouble for someone else.

Is there an effective way to communicate to the students why we don't allow wireless printers? What seems to work at your university?

Thanks,

Joann L. Williamson
Director of Network Systems, Architecture, & Infrastructure
Computer Services Department
University of South Carolina Aiken
471 University Parkway
Aiken, SC 29801
http://www.usca.edu
fax: 803-641-3494
phone: 803-641-3473
joa...@usca.edu
RE: Rogue Device detection. (was "[WIRELESS-LAN] Wireless in dorms")
Our rogue DHCP server problems went away once we started blocking DHCP offers at the edge. Before that we were hooking protocol analyzers up to the segment having problems to detect rogues.

Jason Todd
Network Security Officer
Western University of Health Sciences

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Tuesday, September 20, 2011 5:22 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Rogue Device detection. (was "[WIRELESS-LAN] Wireless in dorms")

Oh, tell me more about this perl script you are using. Anyone else have good methods for identifying and terminating rogue DHCP (and rogue AP's for that matter) servers?

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Ray DeJean [r...@selu.edu]
Sent: Monday, September 19, 2011 12:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless in dorms

We do have dorms segregated on separate vlans behind a firewall from the rest of the network. However, the Rogue DHCP server issue is one of the main reasons we find out that a student is trying to run their own router. We have a roguedhcp perl script that sends out dhcp requests every hour or so and sees who responds... if any rogues respond we quarantine them and tell them to unplug the router.

However that's not good enough for the BYOD policy. So we're currently testing out ACLs and qos profiles on our switches that will just block the dhcp server responses on the endpoint ports. So Timmy can run a dhcp server in his room all he wants without affecting anyone else. I don't know why we didn't think of that years ago...

ray

--
Ray DeJean
Systems Engineer
Southeastern Louisiana University
email: r...@selu.edu
http://r-a-y.org

On Mon, Sep 19, 2011 at 10:54 AM, Matthew Gracie <grac...@canisius.edu> wrote:

On 09/19/2011 11:04 AM, Ray DeJean wrote:
> All,
>
> We don't currently provide wireless in our dorms, and our official
> policy is to not allow students to bring their own wireless devices. We
> don't actively enforce this policy though, and as long as the students'
> device isn't causing problems, they typically don't hear from us. (We
> do provide at least a 100mbps wired connection to each student).
>
> We are considering changing our policy to allow BYOD (bring your own
> device) in the dorms. I know lots of students already BYOD, but we're
> not policing it. We're considering the costs associated with deploying
> our Aruba system to all the dorms, and the fact that students are going
> to BYOD anyway. Rather than fight them, allow it. We'll secure our
> wired network obviously, but also have workshops and online instructions
> to show the students how to properly connect and secure their device.
> Of course we realize the interference issues that may arise in a crowded
> 2.4ghz space...
>
> The University of Wisconsin-Madison
> (http://www.housing.wisc.edu/resnet/gameConsoles.php) already has a
> policy like this in place. Just looking to hear from other
> universities who have or are considering a policy such as this.

You don't mention what kind of network architecture you have - if you're using a relatively flat topology, with comingling of residence hall, administrative, and academic traffic, be sure that you've got technology and procedures in place to shut down misconfigured endpoints.

Nobody will be happy when they start getting RFC1918 addresses from the DHCP server on little Timmy's free-with-rebate Linksys AP.

--
Matt Gracie
(716) 888-8378
Information Security Administrator
grac...@canisius.edu
Canisius College ITS
Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
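
The probe-and-listen check described in this thread (send a DHCP request, see which servers answer) comes down to reading the server identifier out of each DHCPOFFER and comparing it with the servers you run. The following is an added example, not the roguedhcp perl script mentioned above; it works offline on constructed packets, and the authorized server address, MAC, transaction ID and sample replies are all assumptions.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie (RFC 2131)
AUTHORIZED = {"10.20.0.5"}       # assumption: address of the campus DHCP server

def bootp(op, xid, yiaddr, mac, options):        # 236-byte header + cookie + options
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)   # broadcast flag set
    hdr += bytes(4) + ipaddress.IPv4Address(yiaddr).packed + bytes(8)
    hdr += mac + bytes(10) + bytes(192)          # chaddr (padded), sname, file
    return hdr + MAGIC + options + b"\xff"

def build_discover(mac, xid):                    # payload a probe broadcasts to UDP 67
    return bootp(1, xid, "0.0.0.0", mac, b"\x35\x01\x01")        # option 53 = DISCOVER

def parse_options(data):
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:      # 255 = end option
        if data[i] == 0:                         # pad byte
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            break                                # truncated option: stop parsing
        opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return opts

def offer_source(reply, xid):
    """(server_id, offered_ip) for a DHCPOFFER answering our xid, else None."""
    if len(reply) < 240 or reply[0] != 2 or reply[236:240] != MAGIC:
        return None                              # not a BOOTREPLY carrying DHCP
    if int.from_bytes(reply[4:8], "big") != xid:
        return None                              # answer to someone else's request
    opts = parse_options(reply[240:])
    if opts.get(53) != b"\x02" or len(opts.get(54, b"")) != 4:
        return None                              # not an OFFER, or no server identifier
    ip = lambda b: str(ipaddress.IPv4Address(b))
    return ip(opts[54]), ip(reply[16:20])

def find_rogues(replies, xid, authorized=AUTHORIZED):
    seen = filter(None, (offer_source(r, xid) for r in replies))
    return sorted({s for s in seen if s[0] not in authorized})

# Constructed replies: campus server, a consumer router, a stray xid, truncated junk.
XID, MAC = 0x1A2B3C4D, bytes.fromhex("02005e000001")
offer = lambda x, ip, srv: bootp(2, x, ip, MAC, b"\x35\x01\x02\x36\x04" + ipaddress.IPv4Address(srv).packed)
SAMPLE = [offer(XID, "10.20.31.7", "10.20.0.5"), offer(XID, "192.168.1.100", "192.168.1.1"),
          offer(0x99, "192.168.0.50", "192.168.0.1"), b"\x02\x01\x06"]
```

`find_rogues(SAMPLE, XID)` reports only the offer from 192.168.1.1. Blocking server responses on endpoint ports, as both Ray and Jason describe, removes the need to probe at all; a check like this is useful for confirming that the block holds.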
RE: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?
We're not using Cisco but what we do is evaluate the NAS Identifier (which is the same as the SSID in our environment) along with AD group membership to determine what wireless networks our users can connect to. We are using Windows Network Policy Server and FreeRADIUS for our RADIUS servers.

Jason Todd
Western University of Health Sciences

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Urrea, Nick
Sent: Monday, September 19, 2011 1:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?

I would like to limit the SSID so only a certain group can access it. I want to use different QoS rates on different SSIDs so one network has more bandwidth available to individual users than the other.

SSID for students 5 MB/s
SSID for staff/faculty 20 MB/s

-Nick

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King
Sent: Monday, September 19, 2011 11:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Same Radius server, more than one SSID, different groups of users?

Nick,

I've used both NPS (New RADIUS server from Microsoft) and IAS. What you want to do is Extremely simple.

FYI: Do NOT under any circumstances roll out a new SSID using WPA. Use WPA2.

I have 3 SSID's that go back to the same RADIUS server. Is there anything special you want to do? Limit the groups so that only one SSID is available to them? With VLAN id's you can even have users on the same SSID be in different VLAN's, among other tricks.

Mike

On Mon, Sep 19, 2011 at 12:24 PM, Urrea, Nick <urr...@uchastings.edu> wrote:

We at UC Hastings would like to create a new SSID that only allows certain users with WPA-Enterprise authentication to access.

We currently have two SSIDs one which uses WPA-Enterprise with RADIUS which checks against an Active Directory group and the other which uses Web-Auth which checks against the same Active Directory. We are using the Cisco Solution for enterprise wireless. I would like to use the same RADIUS server for both WPA-Enterprise SSIDs. Any ideas?

---
Nicholas Urrea
Information Technology
UC Hastings College of the Law
San Francisco, CA, 94102
urr...@uchastings.edu
help desk: 415-581-8802
helpd...@uchastings.edu