Re: [WIRELESS-LAN] Limit on Airplay?
I'm not sure if it's the same problem, but we couldn't get more than 16 Apple TVs to show up on a 21 TV / 21 iPad room until we enabled AirTunes on the mDNS profile. They were all on the network, they just wouldn't show up in the list. This is on 5508s running 7.6.120.

On Fri, Aug 22, 2014 at 3:11 PM, Eric T. Barnett ebarn...@astate.edu wrote:

Has anyone run into a limit on the Airplay connection menu? We are running Cisco 5508s and just ran into a hard limit of 64 devices in the menu on our phones. Any ideas on how to get around that would be fantastic.

Regards, Eric Barnett Wireless Administrator Information and Technology Services Arkansas State University 870 680 4243

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] account lockouts when changing passwords
We use ManageEngine ADAudit for this. It's reasonably priced and a lot easier than searching event IDs in the AD logs.

On Mon, Apr 14, 2014 at 4:03 PM, Danny Eaton dannyea...@rice.edu wrote:

I had this problem due to a VM trying to connect to a shared network drive using cached credentials and locking out the account. I'll pass this info on to my AD folks - thanks!

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jeffrey Sessler *Sent:* Monday, April 14, 2014 4:00 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] account lockouts when changing passwords

If you're using AD as your authentication source, look at implementing Password history check (N-2).

With Password history check (N-2), as long as the password being used is one of the last two in the history file, the bad password count is not incremented... thus, no account lockout when using an old, but valid password. That is, while the user can't authenticate using the old password (it still fails as an incorrect password), account lockout doesn't occur.

It works around the problem where a user changes their password on say their desktop, and then their mobile device instantly locks their account as it attempts to auth on WPA.

Jeff
Re: [WIRELESS-LAN] List abuse? SecureW2
I received enough junk mail from vendors before I joined the educause lists that I can't blame it on that, but the vendors definitely actively monitor the lists. Just say something negative and wait for your phone to start ringing (I'm looking at you Cisco and Fortinet). I don't particularly mind, but it did catch me off guard the first time.

On Wed, Mar 5, 2014 at 11:28 AM, Peter P Morrissey ppmor...@syr.edu wrote:

I'm sure that happens even more than we realize. Anyone can join the list, and harvest data from it. What vendor wouldn't want such a source of targeted customers? I have often thought that it would be great to have a listserv without vendors. The other challenge to having vendors on the list is that I sense that a lot of people are fearful of having candid discussions regarding their experiences with the vendors present. The result is that we as consumers are left at a severe disadvantage in obtaining data to make informed decisions.

Pete Morrissey

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jeffrey Sessler *Sent:* Wednesday, March 05, 2014 12:03 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* [WIRELESS-LAN] List abuse? SecureW2

I'd be interested in knowing if other members on the list who are Cloudpath customers have recently been contacted by SecureW2? I received an unsolicited marketing email from them today touting their product, including the fact that quite a few former XpressConnect customers have switched to them. As proof, the marketing email links back to a Jan 16th discussion on this list where someone from Rutgers posted about their experience. I suspect they collected my email from the list thus why I'm interested in knowing if other Cloudpath customers on the list got a similar email.

Do the educause list rules allow use of posts in marketing? For Rutgers, are you aware SecureW2 is using you in their marketing material?
best, Jeff
Re: [WIRELESS-LAN] Arduino
We created a PSK wlan that allows p2p for student projects and left it in the same dmz as our guest wlan.

On Friday, January 31, 2014, Matt Williams mcw...@bucknell.edu wrote:

We are seeing a huge influx of Arduino based projects from our Engineering college. Two years ago, there was a single senior project, now there are four courses using the devices and a desire to incorporate them even more. Naturally, these devices don't use 802.1X authentication and require special attention to provide network access. Right now our model is to statically assign them IPs on our guest wireless network. The issue with this becomes, We want to be able to communicate with everything, and we restrict p2p on our guest network for obvious reasons. I was wondering if any of you have ran into these types of devices/projects and if you have, what kinds of solutions have to come up for them?

Respectfully, Matthew Will Williams Assistant Director, Networking Bucknell University 570.577.1491
RE: [WIRELESS-LAN] Experience with Meru
Thanks everyone for the response. Stability and support issues seem very common, but there are some who are happy overall with the product. I was really hoping to hear how great they were, as some of the things their product promises could resolve some of our nagging issues. *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Randy Ethridge *Sent:* Tuesday, September 24, 2013 7:53 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Experience with Meru We have Meru in our dorms. We had no issues for the first year and a half where we only had a single type of AP. We added wireless to more dorms using another model of AP and now the controller has bounced twice without explanation from Meru TAC. I agree that we are seeing a better effort put forth in keeping us up to date and support was quick to respond (even if we had to request the 'unknown' issue be pushed up the ladder). From what I've heard from other Meru customers mixing AP models can result in issues. Randy Ethridge Network Engineer V Information Services Eastern Illinois University rlethri...@eiu.edu Office Ph. 217-581-7640 Proud to say I am EIU EIU THINKS GREEN: Before printing this e-mail think if it is necessary -- *From: *Walter Reynolds wa...@umich.edu *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Sent: *Tuesday, September 24, 2013 7:25:26 AM *Subject: *Re: [WIRELESS-LAN] Experience with Meru I will second the bumpy ride. While I can not say we specifically had problems in dense areas, I think overall stability of controller/AP/Radio's is still problematic. They have made changes and are trying to fix things, but it is a slow go. Walter Reynolds Principal Systems Security Development Engineer Information and Technology Services University of Michigan (734) 615-9438 On Mon, Sep 23, 2013 at 12:14 PM, Gonzalo Cervantes gcervan...@barnard.edu wrote: Hi John, Barnard College has been a Meru shop since 2007. 
I came on board two years ago and it has been a bumpy ride. We often had controller reboots (sometimes twice in a 24 hour period) and getting answers of the root cause took a long time (if ever found). We have a couple of event rooms that have a high density deployment and have not heard of any issues there. I wish I had some metrics (head bowed in shame and frustration) for you but their reporting tool is not good. I opted not to renew and hold back on trying to do a POC for their latest EzRF Network Manager (reporting tool). They are going back to their secret sauce, virtual cell (for clean hand off between APs), which was neglected because they had to turn their focus on stabilizing their System Director OS and AP hardware. The new APs have a new chip set with new features but we don't have those on our campus. It seems that this will not be a problem for you but if you have two different AP models with the two different chip sets, they will ask you to completely isolate them and create new ESS profiles for them. Their support is average but improving. For what it's worth, in the last year they have also gone through some organizational changes at the top. I have seen some significant outreach to us since. If you have some specific questions feel free to email me.

Thanks, Gonzalo --- Gonzalo Cervantes Associate Director Network Services Barnard College, Columbia University gcervan...@barnard.edu 212-854-8795 barnard.edu/bcit

On Wed, Sep 18, 2013 at 12:30 PM, John McMillan jmcmil...@southalabama.edu wrote:

Hello all, Has anyone here worked with Meru Networks gear? We’ve got some client density issues (primarily in auditorium spaces) that our Cisco gear doesn’t support very well and we’re investigating alternative solutions for those areas. We met briefly with Meru and the technology looks interesting, but I’m curious to hear if it lives up to the hype.
Thanks, John McMillan University of South Alabama Computer Services Center
Experience with Meru
Hello all, Has anyone here worked with Meru Networks gear? We’ve got some client density issues (primarily in auditorium spaces) that our Cisco gear doesn’t support very well and we’re investigating alternative solutions for those areas. We met briefly with Meru and the technology looks interesting, but I’m curious to hear if it lives up to the hype. Thanks, John McMillan University of South Alabama Computer Services Center
RE: [WIRELESS-LAN] What Cisco WLAN controller code are you running?
We’ve got about 70 3602i’s running on 7.4.110.0 for about a month with no reported issues.

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jeff Obrizok *Sent:* Wednesday, September 04, 2013 2:42 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] What Cisco WLAN controller code are you running?

Has anyone else that installed 3602i/e’s experienced similar issues where wireless clients are having difficulty maintaining a wireless connection?

Thanks, Jeff

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Paul Sedy rps...@masters.edu *Sent:* Wednesday, September 04, 2013 1:42 PM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] What Cisco WLAN controller code are you running?

We are currently running 7.4.100.60 on a 5508. Over the summer, we actually introduced some new 3602i APs into our environment as well. Everything was working well until our students returned and placed a more significant load on system. At that point, many windows clients seemed to have difficulty maintaining a connection. After further investigation, and tinkering around with a few settings as well as a couple of TAC calls, we decided to remove the 3602i APs and swap them out for 3502i APs to see what impact it would have. As soon as we did so, the client issues were resolved. I would be interested to hear how other folks are doing on 7.5.

Paul Sedy The Master's College Director of IT Operations 21726 Placerita Canyon Rd, Santa Clarita, CA 91321 661.362.2340 | rps...@masters.edu

-Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Eric T.
Barnett Sent: Wednesday, September 04, 2013 8:06 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] What Cisco WLAN controller code are you running?

We're running 7.5 and so far it's the most stable of any code I've run in ages. I've had problems with my 5508 rebooting spontaneously for a long time on several different code versions. I've been running for 28 days now which is longer than I've seen in a while. No major bugs that I'm aware of currently short of the new mDNS discovery by the APs, but I'm working with the engineers on that one.

Regards, Eric Barnett Senior Network Engineer/Wireless Administrator Information and Technology Services Arkansas State University (870) 680-4243 http://wireless.astate.edu

-Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tristan Gulyas Sent: Thursday, August 29, 2013 7:25 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] What Cisco WLAN controller code are you running?

Hi, We're running an engineering variant of 7.2.113.0 to resolve some issues we were having with AP stability. We're looking into 7.5 for 802.11ac support. Is anyone running 7.5 out there or should we wait?

Tristan

On 30/08/2013, at 4:19 AM, Philip Theruvakattil ptheruvakat...@andover.edu wrote:

We upgraded our 5508 controllers to 7.4.110.0 code a couple of weeks ago, primarily to take advantage of the mDNS features. No reported problems so far but the real test will be when students get back. Had issues with mDNS/bonjour. From the iPads could see the AppleTVs but not from iPhones. From iPads could not mirror to any AppleTV. Opened a TAC case and issue was resolved by adding AirTunes as a service name - see attached screenshot. We have about 25+ AppleTV (wired) and all can now be mirrored to, from two different WLANs.
Phil

-Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Rick Coloccia, Jr. Sent: Thursday, August 29, 2013 1:42 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] What Cisco WLAN controller code are you running?

On 7.4.100.60, we can get most bonjour/mDNS traffic from wireless sources to wireless clients. On 7.4.110.0, very little seems to get through. Nothing is reliable. We can make airplay work from appletvs to ios devices but not phones on 7.4.100.60 but not on 7.4.110.0. We can't get anything shared on a wire to pass through to wireless clients on 7.4.110.0. I agree entirely - it worked pretty good on 7.4.100.60 but not so well on 110.0. We are using an app called papercut to manage printing, we have it installed on an osx server, its role is to share queues that the apple ios devices should see. We can't seem to make that work reliably, either - but there I am beginning to suspect the
RE: [WIRELESS-LAN] [Off-Topic] Computer Labs
Our labs are run by departmental staff, and several of them have moved to the zero client / VDI model (with the vmware deployment centrally managed) in the last 12 – 18 months. I only know of one department that tried to get rid of their labs and just provide network power connections. They ran like that for several years and were one of the first VDI lab deployments we put in. So far everyone seems pretty happy with it. The departmental guys are just happy they don’t have to ghost their labs at the end of every semester. *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Mike King *Sent:* Friday, August 23, 2013 10:10 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] [Off-Topic] Computer Labs On the same vein, Has anyone tried zero clients and VDI infrastructure instead of computers in a renovation? On Fri, Aug 23, 2013 at 11:03 AM, Eric T. Barnett ebarn...@astate.edu wrote: This is great! Please keep up with the information! To sum up, it looks like the idea of no computer labs at all is a bit ahead of its time still. Thanks for the information. Eric Barnett Senior Network Engineer/Wireless Administrator Information and Technology Services Arkansas State University (870) 680-4243 http://wireless.astate.edu *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Coehoorn, Joel *Sent:* Friday, August 23, 2013 9:21 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] [Off-Topic] Computer Labs Labs aren't going away entirely, but the last time we renovated a lab space we didn't put in any computers. We added tables with power modules in the surface for kids to plug in their own laptops, and printers connected via a PaperCut page where students can upload documents to print. The students absolutely love this. 
I'm hoping to add a terminal services install to set up a virtual lab that will allow students using these spaces to have access to college-specific applications. I see us adding more spaces like this in the future. Joel Coehoorn Director of Information Technology York College, Nebraska 402.363.5603 jcoeho...@york.edu *The mission of York College is to transform lives through Christ-centered education and to equip students for lifelong service to God, family, and society* On Fri, Aug 23, 2013 at 8:04 AM, Hall, Rand ha...@merrimack.edu wrote: In a day when all students have a computer, we're still providing plenty of labs. Students want them because, we know the college computers will work when we need to write a paper. It's almost like they treat their PCs like disposable burners or something :-) Rand Rand P. Hall Director, Network Services askIT! Merrimack College 978-837-3532 rand.h...@merrimack.edu If I had an hour to save the world, I would spend 59 minutes defining the problem and one minute finding solutions. – Einstein On Wed, Aug 21, 2013 at 4:56 PM, Eric T. Barnett ebarn...@astate.edu wrote: We have a new Liberal Arts building that is currently in construction. The floor plans aren't quite nailed down yet but there was something on the current plans that made me wonder. There's no less than six computer labs in the building. Seeing that we make all of our Freshmen buy iPads and that laptops are super cheap nowadays, I was wondering just how useful computer labs are now/will be in the next two years or so. Getting rid of most or all of those labs would cut down on costs considerably. I've heard of some colleges dumping computer labs as they seem to be needed less and less as users have more and more tech available cheaply. What's your take? 
Regards, Eric Barnett Senior Network Engineer/Wireless Administrator Information and Technology Services Arkansas State University (870) 680-4243 http://wireless.astate.edu
RE: [WIRELESS-LAN] Verifying or Validating Server Certificate when using WPA/WPA2 and 8021x WLAN
We use a public CA, but the default configuration for PEAP on windows is to verify the certificate and not trust any CA. As part of our client configuration guide we have them scroll through the CA list and select it as trusted. Our Apple clients have to click through to accept the certificate. *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Scott Stapleton *Sent:* Wednesday, April 17, 2013 4:15 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Verifying or Validating Server Certificate when using WPA/WPA2 and 8021x WLAN Assuming PEAPv0 is used, this is expected behavior when you're using a private PKI (Microsoft CA for example) as the client won't trust the private CA unless you've used a method to get the private PKI root certificate to the client. In enterprise environments you've got group policy to do this for you (by default no less). In education if you don't have clients on the domain I can't see why you wouldn't purchase a server-side certificate from a public PKI CA. Your clients *should* trust this CA already and shouldn't be prompted. You would want to verify that the bulk of the clients types you support do in fact contain the root CA certificate of whichever CA you purchase from; some CA's are pretty crap in this regard. On 17/04/13 9:13 AM, Jason Cook wrote: Vote 2 for cloudpath, we have found the software to be extremely helpful in configuring, updating and troubleshooting clients. As already stated this is expected behaviour. Like most IT Security “pains” the best approach is good communication documentation to set user expectations and educate why it is important. One day it will feel normal like locking the doors of your house to protect assets. 
-- Jason Cook Technology Services The University of Adelaide, AUSTRALIA 5005 Ph: +61 8 8313 4800

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Williams, Mr. Michael *Sent:* Wednesday, 17 April 2013 4:11 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Verifying or Validating Server Certificate when using WPA/WPA2 and 8021x WLAN

Thanks Lee. I am going to take a look at Cloudpath.

mike

*Michael M. Williams* Network Systems Analyst Information Technology Services Tarleton State University 201st St. Felix Str. Box T-0220 Stephenville, TX 76402 Tel: (254) 968-1850 Fax: (254) 968-9393 mmwilli...@tarleton.edu

*Information Technology Services staff will never ask for your password in an email. Don't ever email your password to anyone or share confidential information in emails.*

*Confidentiality Notice: This electronic message, including any attachments, is for the sole use of the intended recipients(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.*

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Lee H Badman *Sent:* Tuesday, April 16, 2013 8:38 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Verifying or Validating Server Certificate when using WPA/WPA2 and 8021x WLAN

We found Cloudpath ExpressConnect to be wonderful at setting things like approved certs for the client- if you can get them to use it. We have a great mechanism with a Help SSID that allows for initial self-config, then self-remediation if you ever find your client not behaving. Works so sweet...
except that new OS X and Win 7 machines also want to self-configure and onboard clients with just credentials needed (like for MS-CHAP v2/PEAP) and so our help tool gets unused. Expressconnect also lets you do things like disable IPv6, clear out extra profiles that accumulate, and other nice tweaks along with elegant cert handling.

*Lee H. Badman* Network Architect/Wireless TME ITS, Syracuse University 315.443.3003

-- *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Tim Cappalli [cappa...@brandeis.edu] *Sent:* Tuesday, April 16, 2013 9:12 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Verifying or Validating Server Certificate when using WPA/WPA2 and 8021x WLAN

This is definitely normal behavior. The only way to get around this would be to configure the client to not verify the server certificate which is a security risk and is not best practice. The idea is that if someone threw up a rogue AP with the same SSID and your users associated to it, they would receive a different certificate prompt which should throw a red flag
RE: [WIRELESS-LAN] Verifying or Validating Server Certificate when using WPA/WPA2 and 8021x WLAN
I hadn’t heard of those, I’ll have to take a look. We’ve only recently had real demand for Apple on the secured network, it’s mostly been personal iPhones and iPads on the guest wireless, but that’s really changing.

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Ian McDonald *Sent:* Wednesday, April 17, 2013 9:13 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Verifying or Validating Server Certificate when using WPA/WPA2 and 8021x WLAN

Don’t you use a .mobileconfig file?

-- ian

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *John McMillan *Sent:* 17 April 2013 14:54 *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Verifying or Validating Server Certificate when using WPA/WPA2 and 8021x WLAN

We use a public CA, but the default configuration for PEAP on windows is to verify the certificate and not trust any CA. As part of our client configuration guide we have them scroll through the CA list and select it as trusted. Our Apple clients have to click through to accept the certificate.

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Scott Stapleton *Sent:* Wednesday, April 17, 2013 4:15 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Verifying or Validating Server Certificate when using WPA/WPA2 and 8021x WLAN

Assuming PEAPv0 is used, this is expected behavior when you're using a private PKI (Microsoft CA for example) as the client won't trust the private CA unless you've used a method to get the private PKI root certificate to the client. In enterprise environments you've got group policy to do this for you (by default no less).
In education if you don't have clients on the domain I can't see why you wouldn't purchase a server-side certificate from a public PKI CA. Your clients *should* trust this CA already and shouldn't be prompted. You would want to verify that the bulk of the clients types you support do in fact contain the root CA certificate of whichever CA you purchase from; some CA's are pretty crap in this regard. On 17/04/13 9:13 AM, Jason Cook wrote: Vote 2 for cloudpath, we have found the software to be extremely helpful in configuring, updating and troubleshooting clients. As already stated this is expected behaviour. Like most IT Security “pains” the best approach is good communication documentation to set user expectations and educate why it is important. One day it will feel normal like locking the doors of your house to protect assets. -- Jason Cook Technology Services The University of Adelaide, AUSTRALIA 5005 Ph: +61 8 8313 4800 *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [ mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUWIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Williams, Mr. Michael *Sent:* Wednesday, 17 April 2013 4:11 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Verifying or Validating Server Certificate when using WPA/WPA2 and 8021x WLAN Thanks Lee. I am going to take a look at Cloudpath. mike *Michael M. Williams* Network Systems Analyst Information Technology Services Tarleton State University 201st St. Felix Str. Box T-0220 Stephenville, TX 76402 Tel: (254) 968-1850 Fax: (254) 968-9393 mmwilli...@tarleton.edu *Information Technology Services staff will never ask for your password in an email. Don't ever email your password to anyone or share confidential information in emails.* * * *Confidentiality Notice: This electronic message, including any attachments, is for the sole use of the intended recipients(s) and may contain confidential and privileged information. 
Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.*

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Lee H Badman *Sent:* Tuesday, April 16, 2013 8:38 AM *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU *Subject:* Re: [WIRELESS-LAN] Verifying or Validating Server Certificate when using WPA/WPA2 and 8021x WLAN

We found Cloudpath ExpressConnect to be wonderful at setting things like approved certs for the client- if you can get them to use it. We have a great mechanism with a Help SSID that allows for initial self-config, then self-remediation if you ever find your client not behaving. Works so sweet... except that new OS X and Win 7 machines also want to self-configure and onboard clients with just credentials needed (like for MS-CHAP v2/PEAP) and so our help tool gets unused. Expressconnect also lets you do things
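The client-side settings discussed in the two certificate-validation messages above (verify the server certificate, select the trusted CA, avoid the click-through prompt) can be checked in an exported Windows WLAN profile. The following is an added example, not code from any poster on the list; the profile XML is constructed and trimmed to the PEAP fields the check reads, and the SSID, server name and thumbprint are placeholders.

```python
"""Audit an exported Windows WLAN profile for PEAP server-certificate validation."""
import xml.etree.ElementTree as ET

# Constructed placeholder thumbprint (20 bytes); not a real CA certificate.
FAKE_ROOT_THUMBPRINT = " ".join(f"{i:02x}" for i in range(20))

FINDINGS = {
    "NO_SERVER_VALIDATION": "server certificate validation is switched off",
    "NO_TRUSTED_ROOT": "no root CA is selected in the profile",
    "NO_SERVER_NAME": "no expected RADIUS server name is set",
    "USER_PROMPT_ALLOWED": "the user can be prompted to accept an unknown server",
}


def _flag(value):
    return "true" if value else "false"


def sample_profile(validate, root_ca="", server_names="", no_prompt=False):
    """Constructed sample: a WLAN profile cut down to the PEAP settings."""
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CampusSecure</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
    <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
      <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>25</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
          <ServerValidation>
            <DisableUserPromptForServerValidation>{_flag(no_prompt)}</DisableUserPromptForServerValidation>
            <ServerNames>{server_names}</ServerNames>
            <TrustedRootCA>{root_ca}</TrustedRootCA>
          </ServerValidation>
          <PeapExtensions>
            <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{_flag(validate)}</PerformServerValidation>
          </PeapExtensions>
        </EapType>
      </Eap></Config>
    </EapHostConfig></EAPConfig>
  </OneX></security></MSM>
</WLANProfile>"""


def _values(root, name):
    """Lower-cased text of every element with this local name, any namespace."""
    return [(el.text or "").strip().lower() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == name]


def audit_profile(xml_text):
    """Return finding codes for one profile; an empty list means nothing flagged."""
    # Profiles are local exports here; parse untrusted XML with defusedxml instead.
    root = ET.fromstring(xml_text)
    if "25" not in _values(root, "Type"):          # EAP type 25 is PEAP
        return []
    findings = []
    # Assumption of this checker: anything not explicitly "true" counts as off.
    if "true" not in _values(root, "PerformServerValidation"):
        findings.append("NO_SERVER_VALIDATION")
    if not any(_values(root, "TrustedRootCA")):
        findings.append("NO_TRUSTED_ROOT")
    if not any(_values(root, "ServerNames")):
        findings.append("NO_SERVER_NAME")
    if "true" not in _values(root, "DisableUserPromptForServerValidation"):
        findings.append("USER_PROMPT_ALLOWED")
    return findings


if __name__ == "__main__":
    cases = {
        "validation disabled": sample_profile(validate=False),
        "validate, no CA chosen": sample_profile(validate=True),
        "CA and server name set": sample_profile(
            True, FAKE_ROOT_THUMBPRINT, "radius.example.edu", no_prompt=True),
    }
    for label, xml_text in cases.items():
        codes = audit_profile(xml_text)
        print(f"{label}: {', '.join(codes) if codes else 'OK'}")
        for code in codes:
            print(f"    {code}: {FINDINGS[code]}")
```

Real profiles can be written out with `netsh wlan export profile` and their contents passed to `audit_profile` as text.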