RE: PoE Load Tester Recommendation
Yessir on the $$ - that’s why I suggested maybe borrowing one. They are worth the money 10x over for most organizations but it’s a hefty ask up front especially with tighter post-COVID recovery budgets.

Other dumb thing to check – sometimes when they punch down they accidentally mix and match A and B. It’s less common/likely but easy to check. If the switch isn’t Auto-MDIX you could try a crossover cable if the patching isn’t easily accessible.

Additional info…
http://securityuncorked.com/2008/02/cabling-568-a-vs-b/ - super old blog post I wrote on this (and graphic MIA)
https://www.truecable.com/blogs/cable-academy/t568a-vs-t568b# - newer blog post from someone else with much more detail

Good luck!!
-jj

Jennifer Minella, CISSP
Founder, Principal Advisor- Security Architecture
Viszen Security
919.539.2726 mobile/text
j...@viszensecurity.com
https://www.viszensecurity.com
Get free network security insights delivered to your inbox https://zc.vg/K5Fzk

From: Floyd, Brad
Sent: Thursday, September 9, 2021 11:54 AM
Subject: Re: PoE Load Tester Recommendation

Hey JJ,

Good to hear from you, thanks for the reply. It looks like (from the description) the LinkRunner G2 and above will do the actual PoE load test I’m looking for (not just repeating what LLDP/CDP is saying the capabilities are). The LinkRunner 10G also appears to test the NBASE-T / 802.3bz standard for M-Gig. I’ve had some new construction recently where most all APs in a building link up at 5 Gbps, but a couple only link up at 2.5 Gbps. I would like to be able to test for that too. However….. The $6k+ price tag is fairly steep.

Hopefully we can catch up again post-pandemic at WLPC soon. Is the domain change from CAD to Viszen a good thing? We can discuss offline if you prefer.
Thanks,
Brad

From: The EDUCAUSE Wireless Issues Community Group Listserv (WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU) On Behalf Of Jennifer Minella
Sent: Wednesday, September 8, 2021 4:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PoE Load Tester Recommendation

Hi Brad,

If your team or a friend has a NetAlly tool around, that would kill a few birds with one stone and provide detailed PoE reporting (among a million other things). https://www.netally.com/products/

Specifically, these are the wired products. Starting at the LinkRunner AT model and going up, those have various PoE validation capabilities, increasing in capability as you head up to the LinkRunner G2 and then EtherScope nXG (which also does WiFi testing and makes coffee for you). Some of them can also be remotely controlled, so you can throw it to NOC, a tech, intern, whatever – and control it from the Interwebs.

Jennifer Minella, CISSP
Founder, Principal Advisor- Security Architecture
Viszen Security
919.539.2726 mobile/text
j...@viszensecurity.com
https://www.viszensecurity.com
Get free network security insights delivered to your inbox https://zc.vg/K5Fzk

From: Floyd, Brad (bfl...@mail.smu.edu)
Sent: Tuesday, September 7, 2021 5:43 PM
Subject: PoE Load Tester Recommendation

Can anyone recommend a device to PoE load test network jacks? I have some jacks that pass the installer’s Category Certification, but are not passing the appropriate PoE to bring the APs online. I would like to be able to load test for 802.3af, 802.3at, and 802.3bt (at both 60W and 90W), as appropriate. I assume I would need to be able to set the load to apply (in Watts) and see the voltage level at the Powered Device. The u
RE: Multi sim 4G routers
Hi Luke,

+1 on Cradlepoint but also here are some misc. other options assuming multiple APs (vs 1 single Remote AP).

* Talk to your Aruba team about some possible upcoming roadmap items which might be relevant to your needs. Ask if there might be APs and/or Gateways with LTE support. It may be there are options here but they may only support 1 SIM/link but worth checking out.
* Use a SOHO/Branch firewall with multi SIM support (the Fortigates someone mentioned are great, I’m sure most firewall vendors have a similar solution).
* Depending on distance and LoS, you may be able to use a long haul wireless bridge back to a main connection (e.g. Siklu) or leverage longer-range private cellular- CBRS/PrivateLTE for remote/rural coverage (e.g. Celona / OnGo Alliance). Note CBRS is the band used for Private LTE in the US – in UK it’s different bands and even though I sat through an update on that yesterday I didn’t take notes on that. Both of these options would not require cellular service and therefore reduce ongoing costs, but may not be viable depending on location and distance.

-jj

Jennifer Minella, CISSP
Consulting Advisor, Network & Cyber Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text
IMPORTANT UPDATES: Starting August 1st my role with the company will change to a part time contractor advisory role, and you may be working with other teammates for certain projects.

From: Luke Whitworth
Sent: Wednesday, July 21, 2021 9:54 AM
Subject: Multi sim 4G routers

Hi all,

We’ve got a requirement to support some learning spaces in remote locations. We use Aruba wireless so if we can have some remote APs there, we just need to work out how to backhaul them. In the past I’ve resorted to a Raspberry Pi and a 4G USB dongle (as although some Aruba access points have USB modem support it was a nightmare that I gave up on).
However, for this people are wanting more bandwidth and resiliency, and a plug in and go solution. I’ve found https://teltonika-networks.com/product/rutx09/, which seemingly ticks lots of boxes but I was wondering if anyone has any experience with products / vendors in this area that they’d be happy to share? Ideally we’d like multiple SIMs that we can load balance over, so we just plug in a few APs and live in hope that all users don’t associate with just one AP!

Cheers,
Luke

Luke Whitworth
Network Specialist
Information Services
Building 63 (IT) G46, Cranfield University, Cranfield, Bedfordshire MK43 0AL
E: luke.whitwo...@cranfield.ac.uk
T: +44 (0) 1234 75 4007
W: www.cranfield.ac.uk

This email and any attachments to it may be confidential and are intended only for the named addressee. If you are not the named addressee, please accept our apology, notify the sender immediately and then delete the email. We request that you do not disclose, use, copy or distribute any information within it. Any opinions expressed are not necessarily the corporate view of Cranfield University. This email is not intended to be contractually binding unless specifically stated and the sender is an authorised University signatory. Whilst we have taken steps to ensure that this email and all attachments are free from any virus, we advise that, in keeping with good computing practice, the recipient should ensure they are actually virus free.

** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
RE: Fortinet Wireless?
Yep so... maybe one thing I should clarify - with Fortinet APs you don't need their switches for any of the WiFi portfolio. For the FortiGate-managed APs you DO need a Fortinet firewall, even if its only purpose is to act as a "controller" or "gateway"; meaning you don't have to replace your existing firewall in that process if you don't want to.

The longer story there is that in the last ~18 months we've seen the early stages of a shift towards what I call a converged edge. Here are some random bullets/thoughts on that-

* Converged edge means WiFi and LAN edge switches are being managed together more now (vs separate platforms)
* Aruba brought AOS then CX switches in to Central; Mist brought Juniper EX platform in; Fortinet moved from FortiAP cloud to FortiLAN cloud; Juniper is sunsetting Sky in favor of unified platform
* In addition most vendors are also rolling in a subset of their gateway/SD-WAN/SD-Branch security hardware to that central management as well
* Aruba modified legacy controllers to gateways for tunnel termination and firewall features now managed by Central; Mist recently rolled in Juniper SRX appliances; Fortinet obviously supports cloud firewall management
* Most of the convergence is of course moving to the cloud to leverage computing resource for AI, reduce CapEx, (plus offer a model for recurring revenue for the vendor which they love)
* Mist has IMO the strongest AI platform which simply can't run on-prem; Aruba is also touting their AIOps and Insights; Cisco has their new XDR platform available to digest and act on security data from licensed Cisco infrastructure
* Zero touch for WiFi is good-to-great across vendors, while Zero touch and centralized cloud-config for switching doesn't have parity among vendors; some are uber-easy, others are clunky and borderline useless

And because of this convergence and AIOps

* Pretty much ALL vendors have some extra secret sauce you get by combining the WiFi + Edge Switching - auto VLANs, mechanisms for micro segmentation for zero trust, data integration and correlation, troubleshooting, visibility, update coordination, security enhancements, etc.

Jennifer Minella, CISSP
Consulting Advisor, Network & Cyber Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text
IMPORTANT UPDATES: Starting August 1st my role with the company will change to a part time contractor advisory role, and you may be working with other teammates for certain projects.

From: Lee H Badman
Sent: Tuesday, July 20, 2021 12:06 PM
Subject: Re: WIRELESS-LAN Digest - 15 Jul 2021 to 16 Jul 2021 (#2021-109)

Fortifantastic, JJ- thanks for sharing that. I know every solution is "better" when same vendor is used for switching and WLAN under the Single Glass of Pain paradigm, but I can't be the only one contemplating our WLAN future decoupled from the desire to also change out thousands of switches. Just shouldn't need to... would be nice to see more vendors seizing the "THIS is how we help you change WLAN systems without disrupting your LAN" opportunities. I like what I see in Fortinet presentations, but those are always so expansive and all-inclusive you (I?) don't get the feel that Forti-Fi was meant to play on other LAN environments.

FortiLee

Lee Badman | Network Architect (CWNE#200)
Information Technology Services (NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003
e lhbad...@syr.edu
w its.syr.edu
Campus Wireless Policy: https://answers.syr.edu/display/network/Wireless+Network+and+Systems
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv (WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU) On Behalf Of Jennifer Minella
Sent: Tuesday, July 20, 2021 11:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 15 Jul 2021 to 16 Jul 2021 (#2021-109)

Ah. Nope I haven't seen any large ones yet. No truckloads of AI for you! Their go-to changed from (legacy MC) controllers to FG-managed, with cloud (AFAIK) in a distant 3rd. I may get in trouble for saying that, and it's likely changing as all the vendors are (as you noted) leveraging the cloud compute power for AI. Fortinet has a strong R&D team and process, puts most of their money back in to product development vs. marketing so they have that going for them and could certainly come from behind in the WiFi arena.

I believe it is still free to create a cloud account and take it for a spin (at least with the UI) - FortiAP Cloud is now FortiLAN Cloud - https://fortilan-login.forticloud.com

I will say in the lab our team has played with some o
RE: WIRELESS-LAN Digest - 15 Jul 2021 to 16 Jul 2021 (#2021-109)
Ah. Nope I haven't seen any large ones yet. No truckloads of AI for you! Their go-to changed from (legacy MC) controllers to FG-managed, with cloud (AFAIK) in a distant 3rd. I may get in trouble for saying that, and it's likely changing as all the vendors are (as you noted) leveraging the cloud compute power for AI. Fortinet has a strong R&D team and process, puts most of their money back in to product development vs. marketing so they have that going for them and could certainly come from behind in the WiFi arena.

I believe it is still free to create a cloud account and take it for a spin (at least with the UI) - FortiAP Cloud is now FortiLAN Cloud - https://fortilan-login.forticloud.com

I will say in the lab our team has played with some of the FortiSwitches and they have some neat features and have their place in the world, especially for highly distributed/branch office use cases. There's even what I'd call "NAC-light" built in - which is confusing when they have an actual FortiNAC product - but it's neat nonetheless.

Jennifer Minella, CISSP
Consulting Advisor, Network & Cyber Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text
IMPORTANT UPDATES: Starting August 1st my role with the company will change to a part time contractor advisory role, and you may be working with other teammates for certain projects.

From: Lee H Badman
Sent: Monday, July 19, 2021 7:15 PM
To: Jennifer Minella; WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: WIRELESS-LAN Digest - 15 Jul 2021 to 16 Jul 2021 (#2021-109)

Duh! Cloud. And buckets of AI. Truckloads full.

Lee Badman | Network Architect | CWNE #200
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003
f 315.443.4325
e lhbad...@syr.edu
w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv (WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU) on behalf of Jennifer Minella (j...@cadinc.com)
Sent: Monday, July 19, 2021 5:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 15 Jul 2021 to 16 Jul 2021 (#2021-109)

Hey buddy! Which 'flavor' of Fortinet Wireless?

* Legacy controller /Meru
* Cloud
* Firewall-managed

Jennifer Minella, CISSP
Consulting Advisor, Cyber Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text
IMPORTANT UPDATES: August 1st my role with the company will change and you may be working with other teammates for certain projects.

From: The EDUCAUSE Wireless Issues Community Group Listserv (WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU) On Behalf Of WIRELESS-LAN automatic digest system
Sent: Friday, July 16, 2021 5:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: WIRELESS-LAN Digest - 15 Jul 2021 to 16 Jul 2021 (#2021-109)

WIRELESS-LAN Digest - 15 Jul 2021 to 16 Jul 2021 (#2021-109)

Table of contents:

* Fortinet Wireless? (3)

1. Fortinet Wireless?

* Fortinet Wireless? (07/16) From: Lee H Badman (lhbad...@syr.edu)
* Re: Fortinet Wireless? (07/16) From: "Floyd, Brad" (bfl...@mail.smu.edu)
* Re: Fortinet Wireless? (07/16) From: Lee H Badman (lhbad...@syr.edu)

Browse the WIRELESS-LAN onl
RE: WIRELESS-LAN Digest - 15 Jul 2021 to 16 Jul 2021 (#2021-109)
Hey buddy! Which 'flavor' of Fortinet Wireless?

* Legacy controller /Meru
* Cloud
* Firewall-managed

Jennifer Minella, CISSP
Consulting Advisor, Cyber Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text
IMPORTANT UPDATES: August 1st my role with the company will change and you may be working with other teammates for certain projects.

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of WIRELESS-LAN automatic digest system
Sent: Friday, July 16, 2021 5:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: WIRELESS-LAN Digest - 15 Jul 2021 to 16 Jul 2021 (#2021-109)

WIRELESS-LAN Digest - 15 Jul 2021 to 16 Jul 2021 (#2021-109)

Table of contents:

* Fortinet Wireless? (3)

1. Fortinet Wireless?

* Fortinet Wireless? (07/16) From: Lee H Badman (lhbad...@syr.edu)
* Re: Fortinet Wireless? (07/16) From: "Floyd, Brad" (bfl...@mail.smu.edu)
* Re: Fortinet Wireless? (07/16) From: Lee H Badman (lhbad...@syr.edu)

Browse the WIRELESS-LAN online archives: http://listserv.educause.edu/scripts/wa.exe?LIST=WIRELESS-LAN
RE: Ekahau Licensing & Alternatives
Just a quick but relevant clarification- “Non transferable” means not transferrable outside the organization. So, for example, a reseller can’t purchase it and then give it to someone else. One university can’t purchase it and then give it/transfer it to another university, etc. In the cases here, it’s the organization/school that owns the license, not the individual. They are not transferring it when using it internally.

Certainly I don’t think anyone on this thread is advocating for violating terms of use. Everyone is simply adjusting to a new licensing model and the original request was asking for alternatives specifically so they aren’t violating any terms.

The other clause is related to “leasing” the software out like VRBO. However a product manager and someone else at corporate has stated this is allowed with the hardware, so this is the only ambiguous statement (for me). And if you look at the reply from NetAlly’s Director of Marketing in that same thread, you see it looks like they plan to address the confusion/ambiguity.

Hope that helps and I’ll verify this is correct just in case.

-jj

Jennifer Minella, CISSP
Consulting Advisor, Cyber Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text
IMPORTANT UPDATES: Starting August 1st my role with the company will change and you may be working with other teammates for certain projects.

From: Samuel Clements
Sent: Monday, July 19, 2021 3:18 PM
Subject: Re: Ekahau Licensing & Alternatives

Great thread everyone - I love watching (and occasionally contributing) to all of the things that go on in the edu space! For my part, the licensing restrictions that people face using Ekahau products are also present in their competitors' products. For example, here is a twitter thread that highlights netally's TOS that includes very similar language to Ekahau: https://twitter.com/theITrebel/status/1383187080910499840

Be careful about listening to what's said/advertised publicly compared to what's documented in the legal terms of service you're accepting when you click "I Accept" on any software anywhere.

As another brief word of caution - this is a public list and advocating software piracy and methods for circumventing Terms of Service is likely to be frowned upon by someone, somewhere. It's worth taking a moment in your replies to make sure you're not saying anything that could give the impression of impropriety - both on behalf of you individually, as well as the organization you work for.

-Sam

On Mon, Jul 19, 2021 at 1:15 PM Matt Wierzgac (mwierz...@wzcnetworking.net) wrote:

I don’t think Ekahau sends anything to the end user unless they seek support in the case of an issue. When you send an email to support or call them, they always ask what product key your device is using, and if there is a different name on file for them vs. what was registered through the software, they whine about it and threaten to shut it down. The only way around this is to use a company email address, that has a user name that isn’t suspicious of being generic, but the password being generic so all users using this account knows it so they can login. Just remember if calling upon support for that account, to tell them you are the person with the name on the email account. Not ideal, but I understand why they do it. If only they made a license for more than 1 user that’s slightly higher in price to reflect this, but not as high as purchasing an entire new Ekahau license that’s $1200+

Thanks,
Matt Wierzgac
Engineering Manager

From: The EDUCAUSE Wireless Issues Community Group Listserv (WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU) On Behalf Of James Helzerman
Sent: Monday, July 19, 2021 10:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Ekahau Licensing & Alternatives

Hi, how did they know it was a generic account? Are they sending back information about the device it's on and mapping the login? Or are they just using some heuristic that looks to see if it may be a generic account such as sending emails to that user account and getting no response.

Jimmy

On Sun, Jul 18, 2021, 10:56 PM Jason Cook (jason.c...@adelaide.edu.au) wrote:

This frustrated us a bit too. Their licensing seems to be aimed primarily at Wifi professionals who use this all the time/profit from it as part of their business. Doesn’t really fit our environments at all. Over the course of a year let’s say at best we’d use this at .5 of an FTE (I’m probably overstating that, would prefer to use it more but we just don’t have time) There’s 5 people in our team. We aren’t going to pay for 5 licenses for something that is used so little… not at the license cost they have anyway. Oh
RE: Ekahau Licensing & Alternatives
Coming from a company that works with clients using these products & that sells several, here’s my opinion:

* Ekahau: I’m sad with the direction they’re going and echo the sentiments here- I believe in non-concurrent use which is how the rest of licensing usually works. There are times we move our own licenses between endpoints (same user). So their model is not sustainable for you guys with large teams nor even for us. Ekahau probably has the best training around, not only for their product but it includes the basic WiFi knowledge needed to do proper designs, regardless of the design product.
* NetAlly: We were unsure where/how the design and survey products were going to go- they let them kinda drift for a while but have re-energized development in these and while they may only be ~80% of what Ekahau has offered, the truth is most users (esp end users vs integrators) don’t need that other 20% of features AND their licensing is MUCH more flexible. The cloud service is free and really neat. You can remotely control the hand held devices, and everything syncs, etc. They also have a free viewer and ways to share. The downside is there is no equivalent of a Sidekick but if that’s not critical I’d recommend you check out their solutions.
* iBwave: Also a very neat product, but geared for environments outside of standard WiFi and is very very expensive and probably not as intuitive to use.

These are really the 3 mainstream products for WiFi design and survey.

-jj

Jennifer Minella, CISSP
Consulting Advisory, Cyber Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text
IMPORTANT UPDATES: Starting August 1st my role with the company will change and you may be working with other teammates for certain projects.

From: Paul Smith
Sent: Monday, July 19, 2021 9:51 AM
Subject: Re: Ekahau Licensing & Alternatives

Depends on your needs, for me as annoying as their licencing hounds have become since the acquisition there is nothing that remotely matches the Ekahau offering at this point. I’m sure the community annoyance is being noticed by the likes of NetAlly AirMagnet and iBwave though. I’d add those to your list to evaluate.

From: The EDUCAUSE Wireless Issues Community Group Listserv (WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU) On Behalf Of McClintic, Thomas
Sent: 19 July 2021 14:44
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Ekahau Licensing & Alternatives

Thanks everyone for the feedback, it sounds like many of us are in the same boat. We like Ekahau, but I’m always open to other options on any products we use. Here is a list of options I’m flirting with and would love to know if anyone has utilized them.

VisiWave - $849
TamoGraph - $1399
Acrylic - $879 ($2199 perpetual)

I’ve used Acrylic products for personal use and the value was incredible.

We have had AirMagnet in the past and I feel the price they spend on R&D doesn’t justify the cost. If someone has recent experience and seen improvements with that software let me know. For around $4000 per seat I just don’t see the value.

On a side note, both the compliance manager and our account manager are in the Philippines. In the past we had local team contacts, not sure where in the last few years that changed, but I find it interesting. All of my previous contacts are no longer with the company.

TJ McClintic

From: The EDUCAUSE Wireless Issues Community Group Listserv (WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU) On Behalf Of Rick Brown
Sent: Monday, July 19, 2021 8:06 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Ekahau Licensing & Alternatives

In some ways having it tied to the Sidekick was better in that it did allow multiple users but not simultaneously. The problem there was most IT policies on campuses these days don't allow multiple uses of a single device without it being tied to an individual login. I certainly don't want to share my iPad.

It would be good if they'd take a closer look at university users and determine a way to allow for multiple users but only the number of licenses purchased simultaneously. This would mean that you couldn't work the files unless the Sidekick was present or if a license was not being used at the time.

Rick

On 7/18/2021 10:43 PM, Jason Cook wrote:

This frustrated us a bit too. Their licensing seems to be aimed primarily at Wifi professionals who use this all the time/profit from it as part of their business. Doesn’t really fit our environments at all. Over the course of a year let’s say at best we’d use this at .5 of an FTE (I’m probably overstating that, would prefer to use it more but we
RE: Lead time for Wi-Fi gear?
IDK if this helps but the lead time will vary per manufacturer and model, depending on what they had in stock and their allocations internally and at various distributors. Behind the scenes, the manufacturers can do an allocation and hold for what they think are most critical needs. E.g. during the peak of COVID they prioritized healthcare end-users. So some models may have already been built and get out the door quickly, while others were low inventory/high demand and therefore not in production yet due to the chip shortage. https://www.cnbc.com/2021/05/12/the-global-chip-shortage-could-last-until-2023-.html Also worth noting, the status can change daily. Work with your VAR/reseller and they can usually get a bit more info via disti and/or the manufacturer. As always, mileage may vary. A valid and easy question is – what IS available and see if that suits your needs. Good luck and happy Friday! -jj ___ Jennifer Minella, CISSP VP of Engineering & Security Carolina Advanced Digital, Inc. www.cadinc.com<http://www.cadinc.com/> j...@cadinc.com<mailto:j...@cadinc.com> 919.460.1313 Main Office 919.539.2726 Mobile/text [CAD LOGO EMAIL SIG] From: Mike Atkins Sent: Thursday, May 20, 2021 10:24 AM Subject: Lead time for Wi-Fi gear? What's the word on lead time for your Wi-Fi gear? We are primarily Cisco but have some Aruba and see ship times six months out. Is that what everyone else is seeing? I know some Meraki gear can be shipped within a week or so. I just wanted to get a feel from the group as to what they hear on the street. -- Mike Atkins Infrastructure Architect Office of Information Technology University of Notre Dame Phone: 574-631-7210 ** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. 
Additional participation and subscription information can be found at https://www.educause.edu/community
RE: WPA3/OWE as campus solution?
Jeff – Yes, that’s exactly right for connections to apps/services - but what if we’re talking about an infected machine or malicious user? They’re not necessarily connecting to anything specific in terms of an application that would further auth them. That’s actually why I’m saying if it’s Internet-only and inter-station blocking is on then let them have at it, as long as the org’s legal team is OK with it. Otherwise, if they could access internal resources at the network level then those non-app based connections (L1-4) should be given some consideration and protection. I don’t agree that there are enough breadcrumbs from the network admin side to identify a user on a device with anonymous login/auth. You’d need to either access data or artifacts on the device for that, or have some other means of traffic analysis on-network to try and piece that together. And some kind of extra special magic is needed if they’re on a device with private/randomized MAC. Very valid point of course on the stolen creds or stolen device with device certs. That’s just a risk but from a compliance/audit standpoint that’s a different risk than an open network. ___ Jennifer Minella, CISSP, HP MASE VP of Engineering & Security Carolina Advanced Digital, Inc. www.cadinc.com<http://www.cadinc.com/> j...@cadinc.com<mailto:j...@cadinc.com> 919.460.1313 Main Office 919.539.2726 Mobile/text [CAD LOGO EMAIL SIG] From: Jeffrey D. Sessler Sent: Wednesday, April 21, 2021 4:05 PM Subject: Re: WPA3/OWE as campus solution? Jennifer, I would hope that the service itself has authorization/admittance controls vs relying on the user’s device and/or the particular network the device is in for permission. I’d also argue that there is enough breadcrumbs about any given device to determine the user without the need for them to authenticate to wireless. 
Then again, the device could just as easily be stolen, or the user’s account could have been compromised, and the attacker self-enrolls his/her machine/uses the credentials to gain access.

Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jennifer Minella
Sent: Wednesday, April 21, 2021 12:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA3/OWE as campus solution?

Oh my goodness. I forgot the biggest one – if you’re going to give that user or device access to internal resources/assets you probably want to know who it is – even if it’s printers, screen casting, etc. If the user or device has access to critical internal resources, then you definitely need to know who it is. From an infosec due diligence standpoint, it would be hard to argue a defense on that one if a significant event were to occur.

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Jennifer Minella <j...@cadinc.com>
Sent: Wednesday, April 21, 2021 3:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: RE: WPA3/OWE as campus solution?

Ooh Lee what a great thread! I didn’t have a chance yesterday but catching up now. Here’s what I throw in the mix for consideration… (no recommendations just free flow thoughts) Sorry this is long; WPA3 gets me really excited

1. OWE/Open Enhanced (not technically part of WPA3 but #semantics) ONLY provides OTA encryption; it does nothing for authenticating the user to the network NOR the network to the user.
2. …that means you could use a guest portal experience, with or without user ID, and add encryption vs historically having to use a Pre-Shared Key or 802.1X for key exchanges and encryption.
3. If you care about who the user is, you can still use a portal with self-registration and whatever duration you feel is appropriate. Depending on how much you care, a self-registration portal may (or may not) be sufficient.
4. If you care about protecting the user/device against a MiTM or evil twin attack, then you probably prefer a mechanism that allows some type of authentication, which is typically mutual authentication (e.g. 1X).
5. Under WPA3, security is increased across the board and will be ongoing (not fixed). Including replacing Pre-Shared Key (PSK) with SAE- which looks/feels JUST like PSK to admins/users but further protects assets by using unique key derivations for each endpoint. So… if someone has the passcode they can get on, but they can’t decrypt any other traffic even if the endpoint(s) are using the same key. The list of enhancements goes on and on.
6. Does your organization require traceability of users for any internal or external policies or compliance?
RE: WPA3/OWE as campus solution?
Oh my goodness. I forgot the biggest one – if you’re going to give that user or device access to internal resources/assets you probably want to know who it is – even if it’s printers, screen casting, etc. If the user or device has access to critical internal resources, then you definitely need to know who it is. From an infosec due diligence standpoint, it would be hard to argue a defense on that one if a significant event were to occur.

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Jennifer Minella
Sent: Wednesday, April 21, 2021 3:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: RE: WPA3/OWE as campus solution?

Ooh Lee what a great thread! I didn’t have a chance yesterday but catching up now. Here’s what I throw in the mix for consideration… (no recommendations just free flow thoughts) Sorry this is long; WPA3 gets me really excited

1. OWE/Open Enhanced (not technically part of WPA3 but #semantics) ONLY provides OTA encryption; it does nothing for authenticating the user to the network NOR the network to the user.
2. …that means you could use a guest portal experience, with or without user ID, and add encryption vs historically having to use a Pre-Shared Key or 802.1X for key exchanges and encryption.
3. If you care about who the user is, you can still use a portal with self-registration and whatever duration you feel is appropriate. Depending on how much you care, a self-registration portal may (or may not) be sufficient.
4. If you care about protecting the user/device against a MiTM or evil twin attack, then you probably prefer a mechanism that allows some type of authentication, which is typically mutual authentication (e.g. 1X).
5. Under WPA3, security is increased across the board and will be ongoing (not fixed). Including replacing Pre-Shared Key (PSK) with SAE- which looks/feels JUST like PSK to admins/users but further protects assets by using unique key derivations for each endpoint. So… if someone has the passcode they can get on, but they can’t decrypt any other traffic even if the endpoint(s) are using the same key. The list of enhancements goes on and on.
6. Does your organization require traceability of users for any internal or external policies or compliance? This could be for security reasons, compliance with IP and digital rights, or other needs. One Uni org I’ve worked with successfully stopped a student from a suicide attempt when the student posted online- they physically located the person and saved them from what they were about to do… There are a lot of things to consider and every org is different.
7. Whether or not portal acceptable use and/or user ID/registration is needed is a hotly-debated topic and has a lot of “it depends”. I recently asked several CISOs, lawyers, auditors, and cyber security friends at the FBI.
* The CISOs feel it’s “window dressing” except that per …
* …Lawyers, there may be some legal protection if a user compromised while on your network comes after you (e.g. policy says “org not responsible for anything resulting from use of their network”).
* The FBI says they need “something” to open a case and prosecute (e.g. Acceptable Use clause or access banner).
* In Europe (I’m told) orgs providing public internet access fall under ISP laws, and therefore must be diligent about registration/acceptable use/etc. By policy/compliance they have stricter rules for requiring accountability and registration.

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com<http://www.cadinc.com/> j...@cadinc.com<mailto:j...@cadinc.com> 919.460.1313 Main Office 919.539.2726 Mobile/text [CAD LOGO EMAIL SIG] From: Enfield, Chuck mailto:cae...@psu.edu>> Sent: Friday, April 16, 2021 4:57 PM Subject: Re: WPA3/OWE as campus solution? I’ve been floating this idea to IT leadership for years, with no interest on their part. We implemented an open guest network with no rate limiting about 18 months ago, so now any student who doesn’t want to onboard doesn’t have to. I figured that would get the bosses asking why we bother to authenticate on the other SSID, but still no. It’s ironic that the people who constantly stress the importance of customer experience and regularly complain to me about the onboarding experience can’t be bothered to consider obvious alternatives. I wouldn’t be so disappointed if we discussed the pros and cons and they came to a different conclusion than I have, but it sounds so radical to them that they don’t even care to discuss it. Chuck From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE
RE: WPA3/OWE as campus solution?
Ooh Lee what a great thread! I didn’t have a chance yesterday but catching up now. Here’s what I throw in the mix for consideration… (no recommendations just free flow thoughts) Sorry this is long; WPA3 gets me really excited

1. OWE/Open Enhanced (not technically part of WPA3 but #semantics) ONLY provides OTA encryption; it does nothing for authenticating the user to the network NOR the network to the user.
2. …that means you could use a guest portal experience, with or without user ID, and add encryption vs historically having to use a Pre-Shared Key or 802.1X for key exchanges and encryption.
3. If you care about who the user is, you can still use a portal with self-registration and whatever duration you feel is appropriate. Depending on how much you care, a self-registration portal may (or may not) be sufficient.
4. If you care about protecting the user/device against a MiTM or evil twin attack, then you probably prefer a mechanism that allows some type of authentication, which is typically mutual authentication (e.g. 1X).
5. Under WPA3, security is increased across the board and will be ongoing (not fixed). Including replacing Pre-Shared Key (PSK) with SAE- which looks/feels JUST like PSK to admins/users but further protects assets by using unique key derivations for each endpoint. So… if someone has the passcode they can get on, but they can’t decrypt any other traffic even if the endpoint(s) are using the same key. The list of enhancements goes on and on.
6. Does your organization require traceability of users for any internal or external policies or compliance? This could be for security reasons, compliance with IP and digital rights, or other needs. One Uni org I’ve worked with successfully stopped a student from a suicide attempt when the student posted online- they physically located the person and saved them from what they were about to do… There are a lot of things to consider and every org is different.
7. Whether or not portal acceptable use and/or user ID/registration is needed is a hotly-debated topic and has a lot of “it depends”. I recently asked several CISOs, lawyers, auditors, and cyber security friends at the FBI.
* The CISOs feel it’s “window dressing” except that per …
* …Lawyers, there may be some legal protection if a user compromised while on your network comes after you (e.g. policy says “org not responsible for anything resulting from use of their network”).
* The FBI says they need “something” to open a case and prosecute (e.g. Acceptable Use clause or access banner).
* In Europe (I’m told) orgs providing public internet access fall under ISP laws, and therefore must be diligent about registration/acceptable use/etc. By policy/compliance they have stricter rules for requiring accountability and registration.

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Enfield, Chuck
Sent: Friday, April 16, 2021 4:57 PM
Subject: Re: WPA3/OWE as campus solution?

I’ve been floating this idea to IT leadership for years, with no interest on their part. We implemented an open guest network with no rate limiting about 18 months ago, so now any student who doesn’t want to onboard doesn’t have to. I figured that would get the bosses asking why we bother to authenticate on the other SSID, but still no. It’s ironic that the people who constantly stress the importance of customer experience and regularly complain to me about the onboarding experience can’t be bothered to consider obvious alternatives. I wouldn’t be so disappointed if we discussed the pros and cons and they came to a different conclusion than I have, but it sounds so radical to them that they don’t even care to discuss it.
Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Lee H Badman
Sent: Friday, April 16, 2021 10:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA3/OWE as campus solution?

One more for you all- anyone contemplating ditching 802.1X for the BYOD side of your WLAN (not managed laptops and “business” clients) and simplifying with OWE/WPA3? Like… the open network that’s actually moderately secure leveraging the latest security options?

Thanks,
Lee Badman | Network Architect (CWNE#200)
Information Technology Services (NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003 e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: https://answers.syr.edu/display/network/Wireless+Network+and+Systems
RE: Wi-Fi and Covid
Piggy backing on Lee, Felix and all the others... as someone who works for an organization that sells this stuff- WiFi location services are (IMO) useless (or nearly useless) for this type of contact tracing. The best you'll get (per the manufacturers) is "a region" which is going to be a large square footage (not a single room) and not even necessarily on the same floor of the building. Nor even IN the building (could be outside) etc. Having said that, if you want to try it, as someone noted there are plugins for not only Splunk but I know Aruba has an overlay they're offering for free and Cisco has something that I hesitate to say is free but might be. So if you have time and resources and wanted to play, you have some no-cost options. The best location solutions that may be integrated in to APs are BLE-based and out of that, the level of accuracy will always be orders of magnitude better than WiFi location but will vary depending on the other end - standard BLE chirping from things is not accurate. A BLE tag and/or phone with BLE and an app will be quite accurate. ___ Jennifer Minella, CISSP, HP MASE VP of Engineering & Security Carolina Advanced Digital, Inc. www.cadinc.com<http://www.cadinc.com/> j...@cadinc.com<mailto:j...@cadinc.com> 919.460.1313 Main Office 919.539.2726 Mobile/text [CAD LOGO EMAIL SIG] From: Jerry Bucklaew Sent: Thursday, April 1, 2021 4:09 PM Subject: Re: Wi-Fi and Covid We had the same discussions and the same conclusion, wifi is not good for this. One reason is you can't trust the result. You can't say a person was in a certain building because they may have forgot their phone, not registered yet. You can't say a person was not in a building because many devices registered to a person are stationary and connect even when the person is not there. So any data you pull is inconclusive at best. 
From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Dan Lauing
Sent: Thursday, April 1, 2021 3:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi and Covid

I don't believe Wi-Fi is a good technology for this. It's nice when you can reuse existing overhead, but I don't think 2.4/5/6 radio is the answer. You're just begging for false positives.

On Thu, Apr 1, 2021 at 2:47 PM Seth Bean <seth.b...@mcla.edu> wrote:

We ducked this by explaining our wireless design was created for coverage, not security/triangulation, which is true. Many of our buildings do not have the capability to do triangulation because of AP positions. We didn't even get into the privacy item, which was honestly a relief.

Seth Bean
Administrator of Networks and Telecommunications
APA Union Chapter President
Massachusetts College of Liberal Arts
413.662.5022
413.663.1276
375 Church Street
North Adams, MA 01247
"National Top Ten Public Liberal Arts College" 2020-2021 US News & World Report

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman <00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Thursday, April 1, 2021 3:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi and Covid

CAUTION: This email originated from outside of MCLA. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Several vendors are trying to monetize COVID... the Wi-Fi part (in my opinion) falls apart fairly quickly in spots when you start talking it through for contact tracing- and usually to do it you may have to buy things you don't have to round out the system. FWIW.

Lee Badman | Network Architect (CWNE#200)
Information Technology Services (NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003 e lhbad...@syr.edu w its.syr.edu
Campus Wireless Policy: https://answers.syr.edu/display/network/Wireless+Network+and+Systems
RE: Aruba AP2xx vs. AP5xx apples-to-apples
Martin, thanks for sharing the KB link. For context – that is not an Aruba issue, it was due to wireless NIC drivers, I think they were primarily Intel and maybe one other- but it was the client that was unable to see any SSIDs that were set to also broadcast for Wi-Fi 6. That happened with every AP brand and is/was resolvable only by updating the client drivers or disabling WiFi 6 on the infrastructure side. Jason, as for the model comparison, I’m eager to hear about everyone’s experience if they’ve tested it. There are a few other nuggets I’ll throw out while we wait for that feedback. Some of my more propeller-hat-minded WiFi friends are going to undoubtedly slap me for some gross over-simplifications but I’m happy to elaborate (as I’m sure others are) if more technical detail is of interest. Here’s my best TL:DR attempt… 1. WiFi Standards: In general when you move to newer WiFi technology based on newer standards, there should be an expectation that your AP density will actually increase, which I realize may feel counter-intuitive. The higher data rates correlate to much shorter distances and have a steeper fall off. 2. 5GHz vs 2.4GHz: Due to differences in the technology and the radio aperture, 5GHz Wi-Fi doesn’t “go as far” as legacy 2.4GHz WiFi. If I dive in to this it may start a coup so I’ll leave it at that, but this is another reason we tell customers to expect higher AP density as they move towards more 5GHz clients. All that being said, the 5GHz of WiFi 5 and the 5GHz of WiFi 6 will be same/similar from a layer 1 perspective, but you have the higher data rates (closer range requirements) with WiFi 6 now. 3. 
RF Profiles in AOS 8: Unrelated to the WiFi technology itself, but something Aruba-specific you may encounter is that if you are also moving from AOS 6 to 8 as you add 500-series APs, it is highly likely even custom converted RF profiles, specifically radio power, will somehow vanish- or the default is used, which is possibly lower than your current/prior deployment. I’ve seen this a few times so check that out – obviously if the radio power or range is different you may get wildly different results from a client-perspective. How AOS 8 handles profiles is also different depending on whether a MM is in use ,or not, and there are some settings which may be set one place but are superseded another. So be sure to check what’s actually being used, not what’s set in the controller(s). 4. Other testing: Some of the other testing will be hard to compare apples to apples because you’re talking about a Wave 1 ac AP compared to a WiFi 6/ax AP. So airtime utilization and things like that can also vary widely with the technology, client capabilities, and ambient RF (from SSIDs in the airspace plus non-WiFi interference). Some/most of that (throughput, RSSI, roaming, etc.) is very client-driven as well. However it would be interesting to see those results if anyone has tested. ___ Jennifer Minella, CISSP, HP MASE VP of Engineering & Security Carolina Advanced Digital, Inc. www.cadinc.com<http://www.cadinc.com/> j...@cadinc.com<mailto:j...@cadinc.com> 919.460.1313 Main Office 919.539.2726 Mobile/text [CAD LOGO EMAIL SIG] From: Martin Reynolds Sent: Monday, February 8, 2021 3:21 PM Subject: Re: Aruba AP2xx vs. 
AP5xx apples-to-apples Hi Jason, We have not had the opportunity to do the apples to apples comparison that you have but in a few new installs we have run into this issue which you may have already seen but in case, here you go.for reference sake at time we were running 8.5.0.7 code but are now on 8.5.0.9 (the upgrade was not related to the below post) https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=27788 Thanks, Martin On Mon, Feb 8, 2021 at 1:12 PM Jason Trinklein mailto:jtrinkl...@clarku.edu>> wrote: In the early days of Aruba's AP5xx series, I heard rumblings in peer institutions and on Educause about the AP5xx series having poor RF properties compared to the AP2xx and AP3xx series. For example, when replacing an AP315 with an AP515, signal coverage was worse, sometimes bad enough to cause service loss in distant locations. We are considering our next wifi upgrade to 802.11ax and are thinking about performing an apples-to-apples wifi survey by surveying our 2xx APs in-place, then performing the same survey with 5xx APs in-place. Has anyone performed such an apples-to-apples comparison with Ekahau, measuring RSSI, throughput, jitter, and latency? Any comparisons of airtime utilization using EyePA or similar? If anyone has experience they can share to help us make a data-driven and informed decision, I'd be appreciative. In a broader question - for those who have moved from .ac to .ax, have you seen measurable increases in quality of service to your community? Thanks! -- Jason Trinklein Information Technology Services - Infrastructure Clark Univer
RE: android 11 upcoming changes Feb 15th 2021
There’s a fine, grey line between optimal security and usability

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Tim Cappalli
Sent: Monday, February 1, 2021 5:53 PM
Subject: Re: android 11 upcoming changes Feb 15th 2021

Jennifer, this has been extensively discussed on this list for the past few months which is why I said that nothing has changed since those conversations. This current thread makes it seem like more changes are coming in Android on February 15th which is NOT the case. There have been no changes since the December update and I'm not aware of any other changes in the Android 11 code train.

RE: Apple already does this: Android is the only operating system that requires a properly configured supplicant. Apple's TOFU model does not result in a proper configuration.

RE: wildcard, from the bottom of the message:

For example:
If the RADIUS server certificate’s Common Name = radius.domain.com
Connect to these server names should be radius.domain.com
If the RADIUS server certificate’s Common Name = radius.lab.department.domain.com
Connect to these server names should be *.department.domain.com or *.domain.com

They're recommending wildcard subject name matching if the environment uses a non-standard configuration. This is poor guidance and will result in credential compromise via MitM.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Jennifer Minella <j...@cadinc.com>
Sent: Monday, February 1, 2021 17:25
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

I may disagree with some of the other feedback here… I think this is a big deal.
It sounds like Google will be enforcing proper server validation for 802.1X-secured networks, based on what Trent sent originally. I believe Apple already has been enforcing this for a bit. If my guess is correct (I’ll try to find a link) then what it means is – after this update, you can’t tell the endpoint to ignore or bypass the server certificate for 802.1X (any EAP method). The impact of this is…

* If your organization has any endpoints that have been configured to use a secured network but are ignoring the server’s certificate – then that will STOP working suddenly at the update.
* This setting (ignore/don’t validate server cert) is not ideal but it’s prevalent especially for things like BYOD or HED device onboarding, testing, etc. It should be fixed but this is one of those things that could have a huge widespread impact if the endpoints/networks aren’t configured properly now.
* Typically proper settings for secured 1X networks are pushed through GPO, MDM, or an onboarding process through vendor tools (can be a server-based tool or a client-based config assist tool). If that wasn’t done then the endpoints may not have the server certificate installed and trusted, and if that’s the case they will just cease to work after the device upgrade.

Tim it’s not referencing a wildcard cert; they’re still using the specific FQDN for the COMMON NAME. The article references the connect to domains as a different field which is not the certificate CN.. ?
Yeah, here are some links…

· A reddit article I hope is accurate b/c I only skimmed it https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/ The security patch for Android 11 (QPR1) will remove the "Do not validate" option under "CA certificate" for EAP server certificate validation to prevent misconfiguration resulting in credential leaks. This is very good news from a security standpoint!
· Secure W2 article with the setting in reference to WPA3 (which removes several less-secure options for configs) https://www.securew2.com/blog/android-11-server-certificate-validation-error-solution/
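The difference in scope between an exact server name and the wildcard entries quoted in the thread above can be checked mechanically before a supplicant profile is pushed to clients. The Python sketch below is an added example, not code from the thread or from any supplicant: its matching rules are a simplified assumption, and every hostname other than the two RADIUS names quoted in the thread is constructed.

```python
"""Simplified model of 802.1X server-name matching (added illustration)."""
from dataclasses import dataclass, field
from typing import List


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop surrounding space and a trailing dot."""
    return name.strip().lower().rstrip(".")


def name_matches(pattern: str, presented: str) -> bool:
    """Return True if `presented` satisfies the configured `pattern`.

    Assumed, simplified semantics (not any vendor's algorithm): a plain
    pattern must equal the name exactly; a pattern starting with "*."
    accepts any name that ends in the remaining suffix, at any label depth.
    """
    pattern, presented = normalize(pattern), normalize(presented)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.domain.com" -> ".domain.com"
        return presented.endswith(suffix)
    return pattern == presented


# The two RADIUS server names quoted in the thread.
RADIUS_NAMES = ["radius.domain.com", "radius.lab.department.domain.com"]

# Constructed sample: other hosts assumed to hold certificates issued by the
# same CA the clients trust. None of them should be accepted as the EAP server.
OTHER_CERT_HOLDERS = [
    "www.domain.com",
    "printer7.department.domain.com",
    "student-project.lab.department.domain.com",
]


@dataclass
class Finding:
    """Result of auditing one configured server-name pattern."""
    pattern: str
    radius_accepted: List[str] = field(default_factory=list)
    unintended: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if not self.radius_accepted:
            return "BROKEN: no RADIUS server name is accepted"
        if self.unintended:
            return "TOO BROAD: non-RADIUS certificate holders are accepted"
        return "OK: only RADIUS server names are accepted"


def audit(pattern: str) -> Finding:
    """List which known certificate holders a pattern would accept."""
    return Finding(
        pattern=pattern,
        radius_accepted=[n for n in RADIUS_NAMES if name_matches(pattern, n)],
        unintended=[n for n in OTHER_CERT_HOLDERS if name_matches(pattern, n)],
    )


if __name__ == "__main__":
    for candidate in (
        "radius.domain.com",
        "radius.lab.department.domain.com",
        "*.department.domain.com",
        "*.domain.com",
    ):
        result = audit(candidate)
        print(f"{candidate:36} {result.verdict}")
        for host in result.unintended:
            print(f"{'':36}   also accepts: {host}")
```

Replacing the constructed list with an export of the names your CA has actually issued turns this into a pre-deployment check on a profile.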
RE: android 11 upcoming changes Feb 15th 2021
Aruba added the ClearPass QuickConnect app/tool recently - specifically to allow end users to easily provision secure/1X networks. It's obviously geared for BYOD but perfect for HED. I don't know how well it works, it's relatively new. Have y'all seen it used anywhere?

https://www.arubanetworks.com/assets/ds/DS_ClearPass_QuickConnect.pdf

From the datasheet:

How it works
Aruba's exclusive cloud-hosted provisioning utility lets IT create a ClearPass QuickConnect deployment package with all necessary endpoint variables. It can then be run from a web server or distributed via a USB storage device or CD. The cloud-hosted utility also lets IT quickly create and distribute new packages that contain configuration changes as your network changes. For example, IT can quickly push out SSID changes and support new features in a timely and transparent manner.

Supported supplicants
* Windows native supplicant - Vista and 7
* Macintosh native supplicant
* iPhone, iPad and iPod native supplicants
* Android native supplicant

Supported EAP methods
* PEAP - EAP-MSCHAPv2, EAP-GTC, EAP-TLS
* EAP-TLS
* EAP-TTLS - PAP, MSCHAPv2
* EAP-FAST

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
https://www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Michael Holden
Sent: Tuesday, February 2, 2021 1:16 PM
Subject: Re: android 11 upcoming changes Feb 15th 2021

We've seen much the same. A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate option, but the Pixel3XL did not. We added the CA cert to a subpage on the guest captive portal for ease of access to the Wireless device, and provided some instructions for the devices. The workflow to manually add the Wireless Trust was a bit flaky too with Modify Settings not really working.

The instruction set that appeared to work as of the current (January 2021) Android software release on the Pixel 3XL not tested on Pixel 4/4a/5:

1. Download the CA cert from the ClearPass Guest Captive Portal Page
2. Go to Settings
3. Network & Internet
4. Wi-Fi
5. Wi-Fi preferences
6. Advanced
7. Install Certificate
8. Choose the Certificate downloaded in the first step
9. Name the Certificate
10. Connect to the Secure SSID
    a. Change the Certificate from System Certs to the Certificate name entered in the previous step
    b. Domain to
    c. Identity as the username
    d. Password as the user's password
    e. Connect
11. Confirm Wireless is connected to the WPA2-Enterprise SSID
    a. You may have to forget and add network as the Modify Setting on the SSID does not appear to work properly as of January, 2021 Android Software release

There is a QR code that can be created for PSK networks, has anyone seen if this is possible for WPA2/3-Enterprise?
From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu<mailto:0194c9ecac40-dmarc-requ...@listserv.educause.edu>> Sent: Tuesday, February 2, 2021 12:54 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021 Screenshot please. From: The EDUCAUSE Wireless Issues Community Group Listserv mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> on behalf of Walter Reynolds mailto:wa...@umich.edu>> Sent: Tuesday, February 2, 2021 12:46 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021 Can someone explain something to me? I have a Pixel 3 that I did a factory rest on. Next I did all the updates needed and it is running Android 11. The build number is RQ1A.210205.004 which includes the latest security patch for the phone. When I go to configure a WPA2 Enterprise network I still have the "Don't validate" option. What am I missing here? Walter Reynolds Network Architect Information and Technology Servi
RE: android 11 upcoming changes Feb 15th 2021
I may disagree with some of the other feedback here... I think this is a big deal. It sounds like Google will be enforcing proper server validation for 802.1X-secured networks, based on what Trent sent originally. I believe Apple already has been enforcing this for a bit.

If my guess is correct (I'll try to find a link) then what it means is - after this update, you can't tell the endpoint to ignore or bypass the server certificate for 802.1X (any EAP method).

The impact of this is...

* If your organization has any endpoints that have been configured to use a secured network but are ignoring the server's certificate - then that will STOP working suddenly at the update.
* This setting (ignore/don't validate server cert) is not ideal but it's prevalent especially for things like BYOD or HED device onboarding, testing, etc. It should be fixed but this is one of those things that could have a huge widespread impact if the endpoints/networks aren't configured properly now.
* Typically proper settings for secured 1X networks are pushed through GPO, MDM, or an onboarding process through vendor tools (can be a server-based tool or a client-based config assist tool). If that wasn't done then the endpoints may not have the server certificate installed and trusted, and if that's the case they will just cease to work after the device upgrade.

Tim it's not referencing a wildcard cert; they're still using the specific FQDN for the COMMON NAME. The article references the connect to domains as a different field which is not the certificate CN.. ?

Yeah, here are some links...

* A reddit article I hope is accurate b/c I only skimmed it
  https://www.reddit.com/r/networking/comments/j7ero1/psa_android_11s_december_security_update_will/
  "The security patch for Android 11 (QPR1) will remove the "Do not validate" option under "CA certificate" for EAP server certificate validation to prevent misconfiguration resulting in credential leaks. This is very good news from a security standpoint!"
* Secure W2 article with the setting in reference to WPA3 (which removes several less-secure options for configs)
  https://www.securew2.com/blog/android-11-server-certificate-validation-error-solution/

_______
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.

From: Hurt,Trenton W.
Sent: Monday, February 1, 2021 4:54 PM
Subject: Re: android 11 upcoming changes Feb 15th 2021

Ok thanks as always for clarification as I've been seeing android 11 on campus and they work with our current eap tls onboard workflow. I wasn't sure if something else was coming on Feb 15th that would cause some issue with this setup.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Tim Cappalli
Sent: Monday, February 1, 2021 4:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

This is a bit misleading IMO. There are no further changes in Android 11 after the December update. Seems like this is specific to Secure W2's product.

As a general best practice, you should be using a single EAP server certificate, signed using a PKI in your control, across all your RADIUS servers. It is very poor practice to use a wildcard for EAP subject name matching. I'm very disappointed to see vendors making that recommendation.

tim

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Hurt,Trenton W.
Sent: Monday, February 1, 2021 16:46
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

FYI I just received the following from securew2 about some additional security changes coming to android 11.

This action will need to take place before the upcoming Android application update that is planned for February 15th, 2021. As you may already be aware, Google mandates server validation to be properly configured for WiFi from Android version 11. This means that any 802.1X WiFi configuration without the following two settings will fail to connect.

1. Server Validation
2. Connect to these server names

For more information about these configurations, please read below. What is Server
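The two settings named in the forwarded notice, a trusted CA for server validation and an expected server name, have direct counterparts in a wpa_supplicant network block (`ca_cert`/`ca_path` and `domain_suffix_match`/`domain_match`/`altsubject_match`). The following is an added example, not from the thread or from any vendor's tooling, that audits a config for 802.1X networks missing either one; the SSIDs, identities and file paths are constructed sample values.

```python
# Added example: audit wpa_supplicant network blocks for EAP server validation.
# All SSIDs, identities and paths in SAMPLE_CONF are constructed sample values.

EAP_KEY_MGMT = {"WPA-EAP", "WPA-EAP-SHA256", "FT-EAP", "IEEE8021X"}
# Options that pin the RADIUS server certificate to an expected DNS name.
NAME_PINS = ("domain_suffix_match", "domain_match", "altsubject_match")

SAMPLE_CONF = '''
# constructed sample, not taken from any real deployment
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    ca_cert="/etc/ssl/certs/example-campus-ca.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student@example.edu"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="lab-eap"
    key_mgmt=WPA-EAP
    eap=TTLS
    ca_cert="/etc/ssl/certs/example-campus-ca.pem"
    subject_match="example.edu"
}
network={
    ssid="guest-psk"
    key_mgmt=WPA-PSK
    psk="constructed-passphrase"
}
'''


def parse_networks(conf_text):
    """Return one dict of option -> value for each network={...} block."""
    networks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def is_eap_network(net):
    """True when the block uses 802.1X/EAP rather than PSK or open auth."""
    key_mgmt = set(net.get("key_mgmt", "").split())
    return "eap" in net or bool(key_mgmt & EAP_KEY_MGMT)


def audit_network(net):
    """Return finding codes for one EAP network block."""
    findings = []
    # No CA configured: the supplicant accepts any server certificate,
    # which is what the removed "Do not validate" option amounted to.
    if not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("NO_CA")
    if not any(net.get(option) for option in NAME_PINS):
        if net.get("subject_match"):
            # subject_match is a substring test on the subject DN, so it
            # cannot safely stand in for a server-name check.
            findings.append("SUBSTRING_MATCH_ONLY")
        else:
            # Any certificate issued by the trusted CA would be accepted.
            findings.append("NO_SERVER_NAME")
    return findings


def audit_config(conf_text):
    """Map SSID -> finding codes for every 802.1X network in the config."""
    return {
        net.get("ssid", "<no ssid>"): audit_network(net)
        for net in parse_networks(conf_text)
        if is_eap_network(net)
    }


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        print(f"{ssid}: {', '.join(findings) or 'server validation configured'}")
```
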
RE: WIRELESS-LAN Digest - 31 Jan 2021 to 1 Feb 2021 (#2021-21)
Ya know... at least for now, if you have the cable drops and ports to support it, (you already know this but sharing for everyone else) you can convert an Aruba campus AP to Instant mode and manage it locally and/or with Airwave without using a controller license. For Airwave of course you'd still need an AW license but if you were just going to have a few to move around as-needed that would be low overhead. As long as they're not servicing clients and they're just being used to scan-only that should work fine.

And like Frank said, if you're looking for basic specan, then as long as it has 2.4 and 5 radios you're good. I'd just make sure you're keeping it under software support to keep the code up to date to update capabilities and keep security vulns patched. Or, put them on a different network not routed to production assets and not even worry about that if they go out of support.

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of WIRELESS-LAN automatic digest system
Sent: Monday, February 1, 2021 5:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: WIRELESS-LAN Digest - 31 Jan 2021 to 1 Feb 2021 (#2021-21)

Table of contents:
* Wireless Segmentation and NAC
* Dedicated IDS/IPS monitors (2)
* [EXT] Re: [WIRELESS-LAN] Dedicated IDS/IPS monitors
* android 11 upcoming changes Feb 15th 2021 (3)

1. Wireless Segmentation and NAC
   * Re: Wireless Segmentation and NAC (01/31) From: "Curtis, Bruce"
2. Dedicated IDS/IPS monitors
   * Re: Dedicated IDS/IPS monitors (02/01) From: Jennifer Minella
   * Re: Dedicated IDS/IPS monitors (02/01) From: "Miller, Keith C"
3. [EXT] Re: [WIRELESS-LAN] Dedicated IDS/IPS monitors
   * Re: [EXT] Re: [WIRELESS-LAN] Dedicated IDS/IPS monitors (02/01) From: "Sweetser, Frank E."
4. android 11 upcoming changes Feb 15th 2021
   * android 11 upcoming changes Feb 15th 2021 (02/01) From: "Hurt,Trenton W."
   * Re: android 11 upcoming changes Feb 15th 2021 (02/01) From: Tim Cappalli
   * Re: android 11 upcoming changes Feb 15th 2021 (02/01) From: "Hurt,Trenton W."

Visit https://cadinc.com/blog for tech articles and news.

** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
RE: Dedicated IDS/IPS monitors
Keith,

I'm curious to hear what everyone is doing. I can tell you what our experience has been and that is, in the last several years, all purpose-built overlay WIPS systems have become basically extinct. There are a few purpose-built, broad-spectrum wireless sensor/monitoring systems targeted for DoD and highly regulated environments and they're focused not only on WiFi but other non-802.11 wireless. Aside from that all of the standard WIPS overlays have really gone away.

A few thoughts/bullets on that in case it helps...

* Dedicated WIPS were popular for organizations that needed to meet requirements for PCI compliance and other regulations which effectively said "if you're using WiFi, you have to prove it's in scope and secured" and "if you're not using WiFi in these areas/for this purpose you have to prove there is no WiFi there". Those expectations have changed over the years and even now in federal (civ) that language is virtually non-existent. Sometimes they'll say there needs to be occasional validation of no WiFi in specific areas but they can use other tools, handheld devices, and/or free laptop software for that audit.
* Most (probably all?) manufacturers have pretty mature spectrum monitoring at least in the WiFi spectrum space.
* Although current radios can't both service clients and do containment, as you pointed out containment has been less of an issue especially in HED environments. The type of containment WIPS was good at was malicious source containment, but even then that is limited to managing a subset of RF-based attacks. The rest of the more common containment features/needs can be managed via endpoint and/or infrastructure settings. (e.g. keep managed devices off the guest network, etc.) Of course other containment like those associated with rogue APs has become a bit tricky due to FCC rulings about the ownership (or lack of) of airspace.
* As you already mentioned the cost and complexity of managing *anything* overlaid is expensive. And if you're looking at controller-based APs (regardless of the mfr) it gets way more messy.
* If someone were going to deploy an overlay (even though I don't think it's recommended in 95% of cases), it's probably less expensive and easier to use a cloud-managed solution that can be easily moved, deployed, and managed. I have heard of orgs deploying things like Mist to use a dedicated scanning radio for this purpose in limited areas. There are also 3rd party monitoring devices that also look at SLAs for applications - specifically I'm thinking about tools like 7Signal and Aruba's UXI (whatever they call it- it used to be Cape Sensor).

Just food for thought....

-jj
_______
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.

From: Miller, Keith C
Sent: Saturday, January 30, 2021 8:22 AM
Subject: Dedicated IDS/IPS monitors

Hello all,

I know IDS/IPS has been discussed a couple of times over the past few years, so I apologize if this has been asked and answered in the past, but I wanted to see what folks were doing across the larger EDU landscape, especially those using Aruba as a Wi-Fi vendor. Despite some recent blog posts and webinars from Extreme Networks and David Coleman, IDS/IPS doesn't seem to be a popular topic; almost as if it's not worth the investment to deploy dedicated IDS/IPS especially since you typically cannot take action through mechanisms like containment.

Anyway, we lifecycle our APs on a fairly regular schedule here at UNC Chapel Hill and last night it hit me that perhaps we could reuse some of the older generation APs as dedicated air monitors (AM) or spectrum monitors (SM). It seemed like a no brainer at first, but the more I thought about it the more I realized this is not a decision to take lightly. To do something like this, we'd have to run more cables, burn additional switch ports, provide more power from our switches' power budgets, and manage and troubleshoot additional hardware should something go wrong. That's more money and time investments, but for how much gain? In addition, adding additional APs that aren't servicing clients in an environment with 10,000 APs already seems a bit ridiculous for alerts that we might not even have the time to fully monitor and/or pursue due to lack of resources.

So what are you doing if anything? Are all of your APs in AP mode? How about hybrid-mode? Hybrid-mode provides home channel scanning, but there could be some performance degradation for clients during off-channel scanning. Aruba recommends 1 dedicated AM per 4 APs which would likely not happen here, but deploying some strategically around campus that could be used as AMs or converted to SMs when needed might not be
RE: Issues with Zoom in Res Halls
Charles,

I doubt this is the issue but I'm just sharing because we had another edu customer with this issue in the last 2 weeks. Students returned to the campus and/but were still taking instruction via Zoom (even when on campus and sitting in a classroom). They don't use proxies and the added bandwidth (latency-sensitive audio and video streams going in/out) were simply tanking their Internet connection and well - more specifically - not overloading the Internet bandwidth but overloading what their firewall/gateway security tools could handle.

Not as likely in your situation but sharing anyway.

-jj
___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.

-----Original Message-----
From: Charles Rumford
Sent: Friday, January 22, 2021 10:22 PM
Subject: Issues with Zoom in Res Halls

Hey -

We have started getting reports of issues with Zoom calls in our Res Halls. Most of the complaints have been around multiple drops during calls or lagging calls. Our res halls are currently only at 40-50% capacity if that.

I was curious if anyone else has been seeing any issues with an increase of Zoom calls from on campus students.

--
Charles Rumford (he/his/him)
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
RE: [External] Re: [WIRELESS-LAN] Wireless Segmentation and NAC
Joey,

If you are interested in the differences between the various NAC/AAA solutions I can answer that privately including/especially Bradford/FortiNAC and ClearPass. They do not do the same things and the things they _do_ do that are similar, they do in very different ways.

The TL;DR version is that 90% of the time, we integrate both together and use ClearPass for Wi-Fi and FortiNAC for Wired (specifically for non-RADIUS based enforcement). ClearPass’s built in RADIUS and TACACS+ services are amazing so if you’re doing AAA-only (vs non-RADIUS based auth) that is perfect. If you’re talking wired then that’s a different (longer) story. FortiNAC historically (as Bradford) did not have a RADIUS server built-in but that is changing with the next major release.

P.S. The Aruba Instant mode can currently operate with hundreds of APs in a local cluster (not 25). A cluster of Instant (when not managed with something) is determined by L2 adjacency. This will grow with the AOS 10 and can be extended even further with on-prem gateways (a tunnel aggregator/terminator not a controller).

-jj
___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.

From: Rodolfo Nunez
Sent: Monday, January 25, 2021 10:42 AM
Subject: Re: [External] Re: [WIRELESS-LAN] Wireless Segmentation and NAC

Hi Joey,

All those are really good questions and I think most of the answers really depend on your architecture guidelines, needs, expertise, and risk management.

As a data point, this is how we are doing wireless:

* We are an Aruba shop, we have on prem controllers. I would rather be controller-less but the Aruba technical team advised against it for an institution of our size (1000 employees, 2600 students).
* More than 1300 WAPs (this is growing since we are replacing a different wireless technology in three buildings)
* We have 3 SSIDs: Secure, EduRoam and Guest
* We have two vlans: The first vlan is for Secure that behaves like being on the wired network, the second vlan is for EduRoam and Guest and has very limited access to administrative resources.
* Flat networks (it sounded more work than gain for us to split by buildings, not everyone is happy with this choice. Glad that the overhead and complexity has not been needed.). This also helps with IP management (used to use public IP addresses years ago currently we NAT) but MAC capturing is easier this way. Roaming seems to work better.
* We use radius on prem (then again, we would rather do cloud radius but we have not investigated this option with our SSO cloud provider)
* BYOD, IoT, gaming, all are around, it cannot be stopped. We provide best effort support (unless it is an IT managed device), they connect to the Guest network.
* No NAC

Hope this helps.

Rodolfo

--
Rodolfo Nunez
pronouns: he/him/his
Director, IT Infrastructure
Barnard College, Columbia University
212-854-1319
rnu...@barnard.edu
www.barnard.edu/bcit

On Sun, Jan 24, 2021 at 8:58 PM Ricardo Stella wrote:

Aruba + Clearpass + Eduroam

On Fri, Jan 22, 2021 at 1:31 PM Martin MacLeod-Brown wrote:

We are a controller based network trying Aruba Central for the first time. It shows promise and I'm sure it is going to improve with every release but (for us) it is not production ready yet.

Things we have to deal with include config conflicts, or valid config that refuses to push to the controller, or the sheer delay between the config and the push to the controller.. For instance we were setting up site to site VPN’s today and some config went over instantly, other config took 40mins before it synced across.

It seems to be a work in progress still…

Martin Macleod-Brown | Network Infrastructure Engineer | Information Technology

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of John Pertalion
Sent: 22 January 2021 16:45
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Wireless Segmentation and NAC

Aruba Instant can manage 25 access points per network. Aruba Central can handle thousands of access points. Moody would be best served by Central, if they wanted to go controllerless.

On Fri, Jan 22, 2021 at 11:31 AM Enfield, Chuck wrote:

Just curious, but for the respondents recommending Aruba, would that be the controller-based flavor or the Instant/Central flavor? We have over 80K simultaneous clients in the normal times (I think. The normal times seem so very long ago.) so we still need controllers for traf
RE: Wi-Fi 6E Branding Rant
LOL. You’re not wrong… it’s a tough challenge. It *is* still WiFi 6 (802.11ax) so WiFi 7 would be confusing.

I think the best way I’ve seen it consistently used with non-Wi-Fi pros is to call it “WiFi 6- Extended” meaning it’s extended in to other RF spectrum. That’s not official but I think even Chuck uses that moniker for it. The more common confusion we run in to is people thinking the “6” in WiFi 6E means 6GHz.

I’m sure other folks here have some additional ideas for keeping it straight for non-WiFi peeps. As for us, we just constantly re-iterate what 6E is (and isn’t) pretty much every time the phrase comes out of our mouths, even if that means multiple times in a webinar, Tech Talk, or client meeting.

You’re in good company with your frustration though

-jj
___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.

From: Green, William C
Sent: Monday, January 18, 2021 6:52 PM
Subject: Wi-Fi 6E Branding Rant

"Wi-Fi 6E” is not a good branding for what 6GHz provides, in my personal opinion. I hope the Wi-Fi Alliance reconsiders.

I've been discussing Wi-Fi 6E in my organization for over a year-- and nobody can keep that “E” in their heads. They constantly confuse "Wi-Fi 6" as the same as "Wi-Fi 6E" in meetings, products, and strategies. The whole point of the Alliance branding was to make things more understandable to non-technical audiences right? Doesn’t 6 vs 6E fly in the face of that? I’m not good at naming things, so am used to recognizing branding failures like this.

I understand most of the underlying technology is the same-- other than 6GHz capability. Most people don't care about the underlying technology unless it accomplishes something they need. 6GHz is a once in a generation differentiator that will enable far more than the changes from 802.11ac to 802.11ax, which was deserving of a new number. Not having that capability reflected in a more differentiated branding is causing and will continue to cause unneeded confusion.

I understand the Alliance has already placed a lot into marketing of the term "Wi-Fi 6E", but that's sunk cost. Pick a new branding. Perhaps, Wi-Fi 7. You can leave all 6E materials and just say it's the same thing as Wi-Fi 7. Have everything in the futures pipeline do a +1 on their PowerPoints. Will the Alliance incur some ridicule, yes, but less than continuing with 6E in my personal opinion.

Do I think this rant will change anything? No. But naming a frustration is sometimes useful for dealing with it. I’m moving on.

--
William Green, Director of Networking and Telecommunications
The University of Texas at Austin | ITS | 512-475-9295 | gr...@austin.utexas.edu
RE: ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?
We have a few customers on 8.6.0.6 (and similar) code and have seen some issues that sound similar to what you're describing below.

One college case has been open for 2 months now, with the issue being some weirdness with a config that was applied to MM but didn't get pushed down correctly to the controllers; it caused a mismatch between controllers. The result has been issues ranging from controllers crashing every time a commit change is performed to HA failover not working (for obvious reasons). I believe we're in the final stages of getting that resolved but it's been painful.

The other major issue at a healthcare customer has been resolved, and I think those are the only 2 major issues we've seen on the 8.5/8.6 so far. TAC is unable to determine root cause and with the customers' resources limited and the fact that we're doing the work/assist for free, we've all agreed to just get it working and move on vs try to identify root cause; which is not my preferred choice but no one can afford the time to keep hammering at it.

As for the 'rare' bug it sounds similar to the original 8-code issue with some of the older 100-series; the bootrom version didn't support the upgrade code and they had to be dealt with differently. Once we knew what was going on the resolution was quick from Aruba, but it took us weeks to figure out the issue because even though there was a known bug, the manufacturer decided that notice should only be distributed internally for some reason. Somehow neither the field team nor TAC knew about it until we (jointly, our team with much help/time from the customer team) figured out what it was and sent it to product management to which they replied "oh yeah, we know - here's the (internal) bug notice."

Keith, with that issue, I'll have to look back at my notes but I feel like Aruba was able to give us some incremental Bootrom update we could push without touching the APs and then do the firmware upgrade.

-jj
___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.

From: Miller, Keith C
Sent: Thursday, December 17, 2020 9:04 PM
Subject: Re: ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

Hi Christopher,

We just went to 8.5.0.11 from 8.5.0.8 and .9 this week and I'll be honest, I'm not thrilled with it. I've run into a handful of issues, some minor, some cosmetic, but we've also hit a couple of bugs that leave you scratching your head:

1. 2 controllers in the same cluster ended up acting as VRRP master, even though communication was seemingly okay with L2 connected status across all controllers. One of those controllers had higher priority configured to control which controller should be master so I'm still unsure how this happened. I'm still having problems getting logs to TAC because we can't see the files from the web UI and SCP/TFTP fails from the CLI on the interesting controller. I'm going to have to have someone get in front of it and resort to copying the logs to USB.
2. We hit a "rare" bug that's only affected a small number of 515s worldwide where the AP gets stuck in a boot/image upgrade loop and you must physically console into the AP to fix it and boot from the upgraded partition.

I have no idea what the 8.6 train is like so I can't help you there, but buyer beware with 8.5. The penalties of trying to be proactive I suppose.

Regards,
Keith
M: (803) 464-2397
O: (919) 962-6564
Sent from my mobile device so please excuse any typos.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Johnson, Christopher
Sent: Thursday, December 17, 2020 3:49:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] ArubaOS 8.5.0.11 or 8.6.0.6 Experiences?

We're considering doing some pre-emptive maintenance before winter-break ends to resolve a couple issues, and was curious if anyone is running ArubaOS 8.5.0.11 or 8.6.0.6 (200/220 and 270 Series APs) and what their experiences have been?

Christopher Johnson
Wireless Network Engineer
Office of Technology Solutions | Illinois State University
(309) 438-8444
RE: Fast transition roaming
Eric,

Admittedly I'm skimming here, but wanted to just throw in the note that ultimately it's up to whether the client supports the various roaming protocols. Not all do, and there's no (IMO) intuitive line there, no pattern or specific date, etc. at which point you can easily say "this client would support xyz".

I'm not cool enough to remember all the details of what all clients support. There's some info at https://clients.mikealbano.com/ I refer to regularly - if you pop that out it has the 11v protocol but it doesn't look like it lists 11k or 11r unfortunately. Someone else here may have another resource that's better for roaming info.

+1 on CTS (Clear to Send) podcast links Jethro sent, great peeps and info!

Hope that helps a tiny bit!

-jj
___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.

-----Original Message-----
From: Jethro R Binks
Sent: Thursday, December 3, 2020 5:08 AM
Subject: Re: Fast transition roaming

Clear To Send podcast had several episodes/posts covering these (and v):

https://www.cleartosend.net/802-11k-802-11v/
https://www.cleartosend.net/cts-206-a-look-into-802-11k/
https://www.cleartosend.net/cts-211-a-look-into-802-11v/
https://www.cleartosend.net/fast-bss-transition-802-11r/

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks, Network Manager, Information Services Directorate, University Of Strathclyde, Glasgow, UK
The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.

On Wed, 2 Dec 2020, Glinsky, Eric wrote:

> Hi everyone,
>
> We are reviewing our WLAN-level settings and are curious about what other
> institutions are doing for fast transition.
>
> 1. Do you use 802.11r?
> 2. How about .11k?
> 3. If you do, did you notice improvements in device roaming, whether
>    they are stationary or moving?
> 4. Were there any implementation pains?
> 5. Would you mind sharing exactly which settings you use; in Cisco
>    terms, Fast Transition enabled or adaptive; over the DS checked or not; FT
>    802.1x/FT psk or no; 11k neighbor list enabled or not
> 6. If you do not use 802.11k and/or 802.11r, why not?
>
> We don't have 802.11r or 802.11k enabled at this point and are leery of
> enabling it due to potential compatibility issues, though it could certainly
> improve the client experience if it works.
> I looked through the archives and this hasn't been discussed for at least a
> couple years, and it seemed like more of a Cisco code issue at that time, so
> looking forward to hearing about your experiences now with the last code,
> drivers, devices, etc.
>
> I found an interesting blog on various FT settings with Cisco, which leads me
> to believe that if we were to enable 802.11r on our Cisco controller, we
> would set it to Enabled, and check off both 802.1x and FT 802.1x for
> compatibility. Interestingly, the Adaptive setting is specific to Cisco-Apple.
>
> https://mac-wifi.com/ciscos-802-11r-ft-settings-adaptive-mode-explained/
>
> Also the Cisco Best Practices for iOS Devices guide has a couple sections on
> 802.11r and Adaptive 802.11r. One takeaway from that is it's best for
> high-density, enterprise environments to use over-the-air FT (i.e. over the
> over-the-distribution system unchecked).
> https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/technotes/8-6/Enterprise_Best_Practices_for_iOS_devices_and_Mac_computers_on_Cisco_Wireless_LAN.pdf#%5B%7B%22num%22%3A40%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C105%2C570%2C0%5D
>
> Thanks,
> Eric Glinsky
> Network Administrator
> University of Connecticut
> ITS - Network Operations
> Temporary Administration Building
> 25 Gampel Service Drive | Storrs, CT 06269-1138
> (860) 486-9199
> e...@uconn.edu
RE: Weak Security
+1 on removing TKIP as an option and staying with AES as a minimum. TKIP has been deprecated for years and even in a BYOD/high ed environment, it is exceptionally unlikely any devices won’t support the AES/CCMP suite; if they *don’t* support it, you may not want them on that network anyway. With the new Wi-Fi security standards out, including WPA3 (in addition to Open Enhanced/OWE), even our current AES will be at the low end of the security totem pole (down the road).

___
Jennifer Minella, CISSP, HP MASE VP of Engineering & Security Carolina Advanced Digital, Inc. www.cadinc.com j...@cadinc.com 919.460.1313 Main Office 919.539.2726 Mobile/text

From: Entwistle, Bruce
Sent: Tuesday, December 1, 2020 7:14 PM
Subject: Weak Security

Apple devices that are updating to IOS 14 are now reporting that wireless security is weak. We are currently using a combination of WPA/TKIP and WPA2/AES for security, but are considering the move to WPA2/AES only. I was looking to see what others have done and what challenges you faced in making these changes.

https://discussions.apple.com/thread/251805737

Thank you
Bruce Entwistle
Network Manager
University of Redlands
[WIRELESS-LAN] Heads-up possible Apple update prevents WiFi Internet from working
Arrival-Date: Tue, 10 Nov 2020 13:56:36 -0500

Hi everyone, we think we just hit this issue with a client. With all the 'quirks' of Apple on Wi-Fi, it took a while to uncover/search (thanks to a team member of mine for digging this up pretty quickly). Sharing in case someone notices similar issues. I don't have feedback yet on whether any of these recommended solutions solves the problem, still just getting this info to the customer tech onsite.

Reported issue: Apple devices were connecting to Wi-Fi, getting IP address, etc. but then not able to access any Internet resources.

https://www.ikream.com/no-internet-access-on-wifi-iphone-40598
Fix iPhone Connected To WiFi But No Internet Access After iOS 13.3 Update
Last Updated on: November 3, 2020

___
Jennifer Minella, CISSP, HP MASE VP of Engineering & Security Carolina Advanced Digital, Inc. www.cadinc.com j...@cadinc.com 919.460.1313 Main Office 919.539.2726 Mobile/text
RE: Wireless Device Policy Questions
I've seen a range from "no lifeguard on duty" aka "good luck" with a basic low-security Internet-only network to managing specific device registrations tied to the user; typically the personal device registrations are going to be MAC-based, and I've seen several unis with home-grown MAC registration systems tied to user accounts and of course as Tim and Mike mentioned, ClearPass also does this. There are some caveats (or specific requirements) with ClearPass though, if you want it (the MAC-registered device) tied to the user's account then you need to be using a user-based authentication at the SSID profile level; meaning, last I saw in POCs, there wasn't a way to have a self-registration portal within CPPM that allowed a user to enter those credentials on something like the portal, then tie a MAC-registration to it. Other products like FortiNAC do meet that specific use case, as possibly other products as well. Most schools we've worked with do have some type of limit for devices that can be registered but those do all have some type of self-service portal so the students can add/remove their devices. The allowed number of devices ranges.

_______
Jennifer Minella, CISSP, HP MASE VP of Engineering & Security Carolina Advanced Digital, Inc. www.cadinc.com j...@cadinc.com 919.460.1313 Main Office 919.539.2726 Mobile/text

From: Michael Dickson
Sent: Friday, September 25, 2020 10:29 AM
Subject: Re: Wireless Device Policy Questions

We use Clearpass for user MAC reg portal and for device fingerprinting. We have a special bit set in LDAP (AD) that we check for when a device seeks to auth onto a wireless network. If we need to prevent all user devices from getting connected we disable the bit. A relatively short reauth interval will prevent reauths.
Mike

Michael Dickson Network Engineer Information Technology University of Massachusetts Amherst 413-545-9639 michael.dick...@umass.edu PGP: 0x16777D39

On 9/25/20 10:25 AM, Tim Cappalli wrote:

If you're using Aruba ClearPass, you can add an account check during authorization.

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Tristan Gulyas <004c763654fc-dmarc-requ...@listserv.educause.edu>
Sent: Thursday, September 24, 2020 20:34
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Device Policy Questions

Hi,

We're considering this approach, however we need a way to tie this in with AD account status/expiry which needs to be near-instant, i.e. if an AD account/identity for a user is disabled, we need to immediately deregister or suspend ALL devices they have registered to their identity, otherwise things get ugly from an infosec perspective. I'm assuming freeradius+web-based front end for registration? How do you perform the device fingerprinting? That's a very cool solution!

Cheers,
Tristan

--
TRISTAN GULYAS Senior Network Engineer Technology Services, eSolutions Monash University 738 Blackburn Road Clayton 3168 Australia E: tristan.gul...@monash.edu monash.edu

On 25 Sep 2020, at 3:11 am, Michael Dickson <mdick...@nic.umass.edu> wrote:

We created a PSK SSID with MAC auth registration for devices. We limit device types to essentially the "consumer grade entertainment devices" genre.
We use device fingerprinting to accomplish this. We started from a "deny all then allow" paradigm. Only game consoles during pilot. Then added video streaming devices then AppleTV, Echo, SmartTVs, etc. Easier to add device types than take away. 802.1x capable devices get denied. We also limit number of devices a user can register. All helps to mitigate the flood of industrial IT devices coming in from campus wide vendors, some of which may fall into the life-safety genre. Vendors get stuck and end up asking how they can add "a lot" of sensors (e.g. HVAC) to our wireless. We have a discussion, give it a thumbs up or down, and create rules/policies/networks as needed. Good but not perfect. But starting off closed then letting out the line has helped. Having a PSK network also solves the issue of devices that can't connect to open SSIDs. And if we end up just allowing all on the devices network at least we have a sp
Free Wi-Fi conference next week - CWNP Wireless Technology Forum
Hi everyone,

Next week is CWNP's (Certified Wireless Network Professional) annual conference, formerly WiFi Trek, now named Wireless Technology Forum (or aptly for 2020 "WTF"). CWNP is a vendor-neutral wireless technology training and certification organization. They've recently expanded from just Wi-Fi (802.11 wireless) to IoT-based wireless technologies. I worked with a team for the content curation for the main conference sessions and so it's with some bias that I say there's an *amazing* lineup of speakers and the conference is FREE. I'll send this to the COMMTECH crew too.

Bootcamps: These are 3-day classes Sunday-Tuesday, two are on WiFi topics - CWNA (Admin) and CWDP (Design) and two are for IoT- CWICP (IoT Connectivity) and CWIIP (IoT Integration) https://wtf20.com/our-schedule/

Conference: FREE! And there are some heavy hitting speakers including Chuck Lukaszewski (of IEEE WG and Aruba's CTO office) speaking on WiFi 6e; Stephen Orr (of WiFi Alliance and Cisco Distinguished Architect) speaking on the new WPA3 security protocols. Dave Wright (of the CBRS Alliance) speaking on CBRS and Private LTE, and the list goes on. Yes, I'm also speaking on security. You can register free here- https://www.accelevents.com/e/WTF20

___
Jennifer Minella, CISSP, HP MASE VP of Engineering & Security Carolina Advanced Digital, Inc. www.cadinc.com j...@cadinc.com 919.460.1313 Main Office 919.539.2726 Mobile/text
Concealed enclosures > Re: [WIRELESS-LAN]
Jeff & co,

Several manufacturers offer a variety of “aesthetics” and concealment enclosures to disguise APs in what look like lights and other more visually pleasing/accepted fixtures. Ventev even has an omni antenna designed to go in existing light fixtures. Other manufacturers have enclosures that are smooth edge or disguised as something else, and many can be painted (with non-metallic paint of course) to blend in to the surroundings. I don’t have all the links at my fingertips, but here’s one of the Ventev options and some Oberon links.

Ventev's 2.4/5 GHz 6 dBi Omnidirectional Wi-Fi Antenna for LED Light Globes transforms outdoor light globes into Wi-Fi hot spots. This unique antenna installs inside outdoor lighting globes to ensure concealed, high-performance Wi-Fi.
https://ventevinfra.com/products/antennas/wi-fi/dual-band/concealed-dual-band/page/2/

Other bollards are low and green and can be hidden in landscaping
https://ventevinfra.com/products/enclosures/concealed-bollards/

Here’s an Oberon bollard and some less obvious outdoor enclosures
https://oberoninc.com/solution-finder/?fwp_products_series=3032
https://oberoninc.com/products/1020-c-rab/
https://oberoninc.com/products/3001-00/

___
Jennifer Minella, CISSP, HP MASE VP of Engineering & Security Carolina Advanced Digital, Inc. www.cadinc.com j...@cadinc.com 919.460.1313 Main Office 919.539.2726 Mobile/text

From: Kushner, Jeff
Sent: Tuesday, September 1, 2020 9:44 AM
Subject: Re: [EXTERNAL] Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 28 Aug 2020 to 29 Aug 2020 (#2020-156)

Ricardo, That is an interesting solution. Our university is very concerned about aesthetics. Just getting APs on the light poles is a battle. Could you send a picture of how and where the batteries are located?
Thanks
Jeff

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Ricardo Stella
Sent: Monday, August 31, 2020 10:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 28 Aug 2020 to 29 Aug 2020 (#2020-156)

*Message sent from a system outside of UConn.*

I think we are in the 5th year and so far we haven’t had to replace the batteries. But they seem to be standard 12v type. I’ll take a look tomorrow since once those go, they go..

--- °(((=((===°°°(((===

On Aug 31, 2020, at 9:25 PM, Glinsky, Eric <e...@uconn.edu> wrote:

Ricardo, have you had to replace the batteries in those yet? Are they similar in lifecycle, type, and cost of replacement to those in a typical small UPS?

Eric Glinsky Network Administrator University of Connecticut ITS – Network Operations Temporary Administration Building 25 Gampel Service Drive | Storrs, CT 06269-1138 (860) 486-9199 e...@uconn.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Ricardo Stella <ste...@rider.edu>
Sent: Monday, August 31, 2020 6:21:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 28 Aug 2020 to 29 Aug 2020 (#2020-156)

*Message sent from a system outside of UConn.*

A few years ago we had to "light up" a couple of parking lots. The light poles there are on timers, so there is no power during the day. Trenching was cost prohibitive as well. We ended up setting up a mesh from a nearby building to send data to these two APs. And for power, we used continuous power bridges from Solis Energy.
At night, the light circuit provides power (which is 240v) to the bridge, which in turn provides power to the access point while at the same time charging up a battery. Once power is disconnected, the battery kicks in and powers the AP during the day. Only issue we had when they were configured was they gave us 802.11af injectors instead of 802.11at ones, which was required for the AP to work.

https://solisenergy.com/product/continuous-power-bridge/

On Mon, Aug 31, 2020 at 4:17 PM Brian Helman <bhel...@salemstate.edu> wrote:

I wasn’t planning on powering the AP’s from the poles. I assumed the lights on the poles were locally switched though, so pre-switch should be possible. It’s something to verify though. The
RE: WIRELESS-LAN Digest - 28 Aug 2020 to 29 Aug 2020 (#2020-156)
Brian,

This isn't exactly what you were asking but most enclosure manufacturers (like Ventev) make AP concealment / aesthetics products for both indoor and outdoor. As an example, these bollards are popular with several of our university clients. Note, I just skimmed the question/responses and apologize if someone already mentioned these.

https://ventevinfra.com/?s=mini+bollard

___
Jennifer Minella, CISSP, HP MASE VP of Engineering & Security Carolina Advanced Digital, Inc. www.cadinc.com j...@cadinc.com 919.460.1313 Main Office 919.539.2726 Mobile/text

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of WIRELESS-LAN automatic digest system
Sent: Saturday, August 29, 2020 5:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: WIRELESS-LAN Digest - 28 Aug 2020 to 29 Aug 2020 (#2020-156)
Re: IoT and Wireless
Ooh I just won $5 thanks Lee #sawthatcoming

___
Jennifer Minella, CISSP VP of Engineering & Security Carolina Advanced Digital, Inc. www.cadinc.com j...@cadinc.com 919.460.1313 x0 Main Office 919.539.2726 Mobile/text
RE: High DNS Lookup Time - Aruba Sensor
Hi Aaron (and Lee!)!

1. Where is the new wildcard cert, specifically?
2. RE: Switches, we have completed several upgrades of legacy Provision (Aruba OS) to Aruba CX, totaling ~ 300+ switches for several clients and haven't seen any DNS latency issues. That doesn't mean there's not some relation but we haven't hit it with customers or in our lab to date.
3. Lee- yes the UXI is the rebranding of Cape Sensors, although they've added some stuff now, have new form factors, integrated it with other Aruba-stuffs, etc.

___
Jennifer Minella, CISSP, HP MASE VP of Engineering & Security Carolina Advanced Digital, Inc. www.cadinc.com j...@cadinc.com 919.460.1313 Main Office 919.539.2726 Mobile/text

From: Letts, Richard J
Sent: Friday, July 24, 2020 10:53 AM
Subject: Re: High DNS Lookup Time - Aruba Sensor

I had experience of an aruba product flagging high DHCP response times, and it was somewhat frustrating because there was no evidence in the DHCP server logs that anything was amiss: every received packet had a subsecond response time, there were no drops on any of the network interfaces statistics, but the alerts continued to accumulate. After much digging it turned out that the Linux kernel did not have a large enough internal buffer for received UDP packets and was dropping them after receipt, but before the DHCP server

Check to see if you have drops recorded in /proc/net/udp [the statistics are reset when processes restart. The kernel uses more than the data received size to buffer and the limit for all received UDP packets is by default only 131071 bytes, so a relatively small number of packets could overload the buffer]. I'm going to suggest on linux-based DNS and DHCP servers this limit probably wants to be a LOT larger. I've not run DHCP on Windows.

Next, you might want to check what the actual DNS lookup is being performed.
The default DNS UDP packet size is 512 bytes, so if the queries have a reply larger than that the client MAY switch to TCP, which will cause a redo of the lookups, and latency. I see this in places with AD-connected DNS servers where the DNS server role is added to all of the AD servers or you've a lot of TXT records associated with a domain. [the 'ANY' reply for purdue.edu for example is over 1600 bytes]

Hope these pointers provide some help to someone.

Richard Letts Director, Networking and Telecommunications Purdue University rle...@purdue.edu O: 765-496-1663 C: 206-790-5837

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Ian Lyons
Sent: Friday, July 24, 2020 9:18 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] High DNS Lookup Time - Aruba Sensor

I too have a lot of False positives with "high dns". However, don't throw the baby out with the bathwater I have found 3 problems with flapping circuits or errors of configuration as a result of having these sensors on premise. Mostly in my student vlans-where during the summer I have no users and it is also when I make changes... So helpful big brother.
Ian

Cheers
Ian J Lyons Senior Network Engineer - Rollins College 401.413.1661 Cell 407.628.6396 Desk

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Lee H Badman <00db5b77bd95-dmarc-requ...@listserv.educause.edu>
Sent: Friday, July 24, 2020 8:47
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] High DNS Lookup Time - Aruba Sensor

* External Email *

Aaron,

If the UX sensors are evolved from Aruba's Cape acquisition, I can tell you that I had a lot, as in A LOT, of false positives on High DNS lookup times that absolutely could not be replicated by any other sensor or manual attempt when I was evaluating them. See attached- my inbox would fill with these, and again, there were no corroborating data points. It didn't matter where I put the sensors on multiple networks, this alert to many target endpoints that were doing just fine were a fact of life. The sensors were awesome in many other ways, but in this regard became one more thing to ignore, FWIW. Again, I'm assuming that Cape is the underlying technology here. If not, then disregard.

Lee Badman | Network Architect (CWNE#200) Information Technology Services (NDD Group) 206 Machinery Hall 120 Smith Drive Syracuse, New York 13244 t 315.443.3003 e lhbad...@syr.edu w its.syr.edu Campus Wireless Policy: https://answers.syr.edu/display/network/Wireless+Net
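
The /proc/net/udp check Richard describes in this thread, as an added example (not code from the thread or from any poster): a small parser that lists UDP sockets whose `drops` counter is non-zero, worst first. The sample table is constructed for illustration, and the address decoding assumes IPv4 sockets on a little-endian Linux host.

```python
"""List UDP sockets with receive-buffer drops, from /proc/net/udp text."""
import socket
import struct
from pathlib import Path

# Constructed sample in the /proc/net/udp layout (not captured from a real host):
# a DNS listener on 0.0.0.0:53 with drops, a DHCP listener on 10.1.2.3:67 with a
# receive backlog and drops, and an idle NTP socket on 127.0.0.1:123.
SAMPLE = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20001 2 0000000000000000 1842
  102: 0302010A:0043 00000000:0000 07 00000000:0001F400 00:00000000 00000000     0        0 20002 2 0000000000000000 57
  103: 0100007F:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20003 2 0000000000000000 0
"""


def decode_endpoint(field):
    """'0302010A:0043' -> ('10.1.2.3', 67); the kernel prints the address as a
    host-order hex integer, so this assumes a little-endian machine."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_udp_table(text):
    """Parse every socket row; rows without a drops column are skipped."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 13 or len(f[1].split(":")[0]) != 8:
            continue                            # short row, or not IPv4
        ip, port = decode_endpoint(f[1])
        rx_hex = f[4].split(":")[1]             # field is tx_queue:rx_queue
        rows.append({
            "local_ip": ip,
            "local_port": port,
            "rx_queue": int(rx_hex, 16),        # bytes waiting in the socket buffer
            "inode": int(f[9]),                 # maps back to the owning process
            "drops": int(f[-1]),                # datagrams discarded for this socket
        })
    return rows


def sockets_with_drops(text):
    """Sockets that have dropped datagrams, highest drop count first."""
    hits = [r for r in parse_udp_table(text) if r["drops"] > 0]
    return sorted(hits, key=lambda r: r["drops"], reverse=True)


def report(text):
    return [
        f"{r['local_ip']}:{r['local_port']} drops={r['drops']} "
        f"rx_queue={r['rx_queue']}B inode={r['inode']}"
        for r in sockets_with_drops(text)
    ]


if __name__ == "__main__":
    live = Path("/proc/net/udp")
    text = live.read_text() if live.exists() else SAMPLE
    for line in report(text) or ["no UDP sockets with drops"]:
        print(line)
    rmem = Path("/proc/sys/net/core/rmem_max")
    if rmem.exists():                           # current receive-buffer ceiling
        print("net.core.rmem_max =", rmem.read_text().strip())
```

Run it twice a few minutes apart on the DNS or DHCP server: a drop count that keeps climbing on the service's port points at the socket buffer rather than at the network path.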
RE: Device visibility in Aruba AirGroup + ClearPass
Hi Craig,

AirGroups can function with CPPM I think two primary ways (that I know of).

1. Location-based, which is just what it sounds like. I don’t remember the exact boundary definition of the location (e.g. single AP, or group, etc) but it’s based on where the things are.
2. User-based, with ClearPass you can enable user-based Airgroups, this does require the users register devices while authenticated via 802.1X-secured network with something identifying the user (vs just the machine).

Hope that helps!

-jj
___
Jennifer Minella, CISSP, HP MASE VP of Engineering & Security Carolina Advanced Digital, Inc. www.cadinc.com j...@cadinc.com 919.460.1313 Main Office 919.539.2726 Mobile/text

From: Yahya M. Jaber
Sent: Thursday, March 5, 2020 12:11 AM
Subject: Re: Device visibility in Aruba AirGroup + ClearPass

Hi,

We were in similar position to provide home like access to the students here. The way to solve this was to use Cisco 1815 series AP’s as OEAP, this will give the user an option to access the AP GUI and create his own SSID “and other options” while still being managed by the WLC “having the campus SSID’s also”. We have looked into many vendors, only Cisco provides this functionality.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_Cisco_OfficeExtend_Access_Point_/b_Cisco_OfficeExtend_Access_Point__chapter_01100.html

Yahya Jaber. Sr.
Wireless Engineer IT Network & Communications – Engineering Building 14, Level 3, Rm 308-WS07 KAUST 23955-6900 Thuwal, KSA Email yahya.ja...@kaust.edu.sa Office +966 (0) 12 8081237 Mobile +966 (0) 558697555 On Call Rotation Mobile: +966 54 470 1177

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Craig D Rice
Sent: Wednesday, March 4, 2020 18:19
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Device visibility in Aruba AirGroup + ClearPass

We are an Aruba shop and are evaluating AirGroup + ClearPass to provide students a more home-like experience in their residence halls. That is, we would like students to be able to register and see only their registered devices. If a user registers a device in ClearPass, is that device visible to non-registered devices (or devices registered to another user) -- even if the devices are associated with the same AP? We have received conflicting answers from our Aruba SEs, account exec, and TAC, so we are hoping to learn how to limit device visibility from others who are using ClearPass. Thanks for your advice!

Craig

--
Craig D. Rice Director of Enterprise Infrastructure | IT Office: +1-507-786-3631 1510 St. Olaf Avenue Northfield, MN 55057-1097 USA stolaf.edu
RE: Wi-Fi in the Elevator Car
Stephen,

I'm curious as to yours and others' experience because in working with healthcare (specifically hospitals with VoWiFI nurse paging systems) in every state we've worked, the safety regulations for elevators have specifically precluded/prohibited installation of such devices within the shaft or attached to the car.

-jj
___
Jennifer Minella, CISSP, HP MASE VP of Engineering & Security Carolina Advanced Digital, Inc. www.cadinc.com j...@cadinc.com 919.460.1313 Main Office 919.539.2726 Mobile/text

-----Original Message-----
From: Stephen Belcher
Sent: Wednesday, November 6, 2019 08:58
Subject: Re: Wi-Fi in the Elevator Car

We use Fluidmesh to create a wireless bridge between a base unit at the top of the shaft and a mobile unit on top of the car. This setup is used for security cameras with no issue. We have tested Wi-Fi and it also works although we don't have any in production at the moment. It's fairly inexpensive to install so you can run a pilot without a ton of spend.

Steve

-----Original Message-----
From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Curtis K. Larsen
Sent: Tuesday, November 5, 2019 1:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wi-Fi in the Elevator Car

Hello,

Has anyone designed Wi-Fi specifically to work in the elevator car itself? Willing to share your experience?

Thanks,

--
Curtis K. Larsen Senior Wi-Fi Network Engineer University of Utah Network Services CWNA, CWDP, CWSP, CWAP Office 801-587-1313
Re: [EXT] Re: [WIRELESS-LAN] Aruba Wi-Gi 6 APs
I don't believe ClearPass Device Insight shows driver details - I just skimmed through endpoint details page and attributes and don't see it.

At the risk of asking a dumb question, is there a reason not to simply deploy the 500-series with backwards compatibility enabled? That would allow you to offer a seamless experience for clients in a mixed-PHY-standard environment and support current clients on n/ac and even a/b/g etc.

Cheers!
-jj
___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Michael Davis <da...@udel.edu>
Sent: Wednesday, October 9, 2019 7:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXT] Re: [WIRELESS-LAN] Aruba Wi-Gi 6 APs

We currently have the Wi-Fi 6 extensions disabled because of the Intel Driver issues (https://www.intel.com/content/www/us/en/support/articles/54799/network-and-i-o/wireless-networking.html)

We've been notifying clients and were updating drivers until instructed to just turn off Wi-Fi 6. This begs the question of trying to identify the problematic machines and seek them out, or just announce a future date to turn on Wi-Fi 6 and go back to dealing with updating drivers as they come up. We'll have a mix (currently ~15% Wi-Fi 6) of AP models for a while, so the issues won't all show right away.

Anyone looked into identifying the machines needing updated through fingerprinting (Aruba Insight or Airwave or ClearPass)?

From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of WIRELESS-LAN automatic digest system
Sent: Wednesday, October 9, 2019 15:00
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: WIRELESS-LAN Digest - 8 Oct 2019 to 9 Oct 2019 (#2019-167)