Re: [WIRELESS-LAN] netflix question
Dual networks. The premise is that the students pay a fee for connectivity and should get to enjoy the same level of service they would get off campus. Ideally the two networks could use each other's unused bandwidth but I never looked into that.

Since Netflix appears to be the biggest issue, you might want to review how to get Netflix closer to your residences. See https://openconnect.itp.netflix.com/ When you talk to them, classify yourself as an ISP for Resnet (which you are).

Fortunately, no residences at my current campus so it's not something I have to deal with :-)

Jonn Martell
Director of Technical Operations
FDU Vancouver Campus

On Thu, Mar 19, 2015 at 8:46 AM, Alexander, David alexa...@ohio.edu wrote:

I wanted to know if Netflix has been a problem for other schools, specifically those with large residential campuses. We’ve seen usage on our campus grow a lot over the past few years, and our response has been to implement a bandwidth cap on Netflix from 8 am to 10 pm. This pretty much makes Netflix unusable during the day. When we lift the bandwidth cap at night, Netflix takes up around 40% of our total traffic. I’m curious if other schools are dealing with Netflix bandwidth issues and what solutions you have implemented that allow students to enjoy Netflix without impacting the usability of the network.

Thanks,
Dave

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] CWNP acquired by Certitrek?
Interesting. You can still go to http://www.cwnp.com/ but CWNP was in fact acquired by the new company in August 2012. Other co-founders exited before then (I won't get into details but it was interesting). The new company appears to be keeping the CWNP brand but the stuff on the CWNP site seems dated.

Although I have been a CWNA, CWSP, CWNE, CWNT etc. for some time, I have always known that certifications are as good as the organisation (and people) behind them. The CWNP organisation was a private company that is now part of another private organisation. How good is Certitrek? I don't know, never heard of them.

All these private certification organisations highlight the fact that I missed my calling! I should have founded a certification company! I remember looking at PMI for my PMP certification and asking "who are these guys?".

I stopped being too interested in CWNP certifications when they started to ask for yearly fees to maintain certifications (and/or requiring CWNEs to work for free to maintain theirs!). Right, I'll use my time to review your curriculum and certifications so I can maintain my CWNE or CWNT? The private, for-profit, commercial aspect of the relationship became intolerable. I was a CWNT but since I don't pay the yearly fee I am no longer officially certified to teach the wireless certification courses?

I'm not that in love with the curriculum; it misses the mark for the general audience and without input from its members, there is no way that one or two guys can keep up. The specialized certifications are good depending on the target audience. For my general classes, I just expand on the wireless portion of my network (Network+) courses to cover the important wireless LAN topics that are relevant for most.

I would actually love to see an Educause (type) Wireless Certification, specializing in large organisation networks such as the ones found in Universities and other large and diverse organisations. How many of the Fortune 2000 need to deal with AirPlay and other countless consumer wireless devices on their networks? How many EDUs? What's the trend? :-) Build a course from the extensive amount of knowledge on this mailing list!

What we need is a true non-profit, open approach to IT certification. Otherwise, certifications are just another product being sold by a commercial entity to generate revenues.

Jonn Martell, CWTS, CWNA, CWAP, CWSP, CWNE (CWNT-ex), PMP
Instructor, Networking and Wireless, UBC and FDU
Director of Technical Operations, FDU Vancouver
(note, I normally don't list my certs but felt it was relevant in this case :-)

On Fri, Jan 30, 2015 at 5:14 AM, Hinson, Matthew P matthew.hin...@vikings.berry.edu wrote:

It’s very possible it’s been this way for some time, but I noticed this morning on the CWNP homepage that the logo had changed to include another company’s name. Apparently, Certitrek has acquired CWNP. That, or it’s been this way for a while and they’re just getting around to changing the logo. http://www.certitrek.com/

-Matthew
Re: [WIRELESS-LAN] Trying to get the Wi-Fi Alliance's Attention
Hi Lee,

The WiFi Alliance has never, ever, really cared about end user input from Enterprises. Years ago, when I was leading a very large WLAN deployment, I was able to attend as many IEEE sessions as I wanted. I attended mostly to see what was coming (to plan accordingly) and to provide enterprise feedback. Quite the humbling experience to sit in a ballroom full of the brightest engineering minds in networking.

But I only ever managed to attend a WiFi Alliance conference once and that was because I was invited to speak as a keynote speaker discussing our large deployment (which was leading edge at the time). I then used the opportunity to sit in (quietly) on the various sessions to see how the Alliance did its work. It was very interesting and showed me that the IEEE conferences were really engineering-based while the WiFi Alliance discussions were much more market driven (i.e., they are vendors, they want to sell stuff and not get returns).

The root problem with the WiFi Alliance is that it's only made up of manufacturers who have to pony up a large sum of money to be part of the Alliance. So they don't hear from enterprise users directly - they only hear it second hand from the vendors' marketing teams representing enterprise customers. And as we know, some vendors don't care much about enterprises so enterprises are left without a voice in these areas.

I think the WiFi Alliance will continue to get it wrong because they lack the right level of enterprise scale input. So integrating these consumer based products into the enterprise will continue to be a challenge. What the Alliance needs is an enterprise certification and input from that market segment, and EDUs should be represented. We are not.

Having said that, I like the article and I hope it's a step in the right direction! ...

Jonn Martell

On Thu, Jan 22, 2015 at 11:47 AM, Lee H Badman lhbad...@syr.edu wrote:

I know self-promotion is in poor taste, but wanted to share this http://www.networkcomputing.com/wireless-infrastructure/the-case-for-wlan-interoperability/a/d-id/1318718? and encourage anyone of like (or opposing) mind to add comments. I'm told that the Alliance is at least reading along, FWIW.

-Lee

Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003
Re: [WIRELESS-LAN] requests for open, unauthenticated, no portal WiFi
This is an interesting topic. It seems to be all over the map.

If the coffee shop can provide open access, then what is the argument against a University having an SSID "coffee-shop" that is back-ended to a standard cable modem? Yes, the argument against having an open SSID on your main EDU network is valid if you carry unauthenticated traffic on your backbone but some EDUs appear to do it. UBC in town has an open unauthenticated network these days.

If you need to balance providing access or not, I always try to make the network accessible. Closing it off is too much; it is really a denial of service created against good users because of a very small number of bad users. I see a lot of inadvertent denial of service under the security umbrella...

If it was my decision, I would make a network open but back-ended to a speed limited, commodity cable network ISP type of connection. If it goes down or gets taken down, it only impacts that link, not the whole campus.

Jonn Martell (not speaking on behalf of my EDU).
Director of Technical Operations
Vancouver Campus

On Thu, May 15, 2014 at 4:16 PM, Steve Bohrer skboh...@simons-rock.edu wrote:

On May 15, 2014, at 4:54 PM, Hugh Flemington hugh.fleming...@queensu.ca wrote:

I’m curious about the freedom of coffee shops and airports to have open internet access. Don’t they have to meet the same sorts of standards as we do?

In terms of CALEA at least, a college campus looks a lot more like an ISP than a typical coffee shop with a wifi router does. In the coffee shop case, presumably any CALEA requests would go to their upstream provider, who I assume could capture all the packets to or from that customer’s modem. Conversely, many campuses don’t have a simple single “upstream”, and the total volume of campus traffic may be Gigabits rather than the few tens of Megabits.

Educause provided a general document when CALEA was new, with suggestions for how a campus might be classified as exempt or not. I found it on the Educause CALEA summary page ( http://www.educause.edu/library/calea ) in the main paragraph, which links to “Thinking Through the CALEA Exempt/Non-Exempt Issue”: http://www.educause.edu/ir/library/pdf/CSD4607.pdf

Based on the above, any local coffee shops I’ve encountered would be exempt, as they merely have a “commercial” cable or DSL account. A big airport with centrally provided open enterprise-class wireless might be a harder call, but it seems dependent on the details of their connection to their upstream, e.g. who owns the electronics at each end of their link.

Steve Bohrer
ITS, Bard College at Simon's Rock
413-528-7645
Re: [WIRELESS-LAN] School blocks Wi-Fi access to smartphones to address IP usage issues
I agree, the school newspaper only shows it from a user's perspective. "The smartphones are shutting down the network" while it's more that the network has run out of public address space and the use of private address space on this network is ___

We all know the major flaw in using private address space is logging and tracking but there are solutions to this. Shutting down access (by MAC block ID?) would not be one of mine.

Jonn Martell, speaking as a network instructor and Director but not on behalf of the Universities I work at

On Thu, Feb 2, 2012 at 8:00 AM, Frank Bulk frnk...@iname.com wrote:

http://www.vsuspectator.com/2012/02/02/outage-linked-to-usage/

Looks like VSU had to make some hard choices and is blocking Wi-Fi access by smartphones. Not sure why they couldn't add another RFC 1918 block, but I'm sure there's more going on than the school paper shared.

Frank
Re: [WIRELESS-LAN] High client density WiFi?
Absolutely possible to have a huge number of active clients in a single room.

When I attended the IEEE plenary and interim meetings between 2001 and 2004, there were 500-800+ engineering types *all* with active laptops, all downloading the latest versions of working group drafts. Back then, we started on 802.11b (DSSS) without the benefit of OFDM and some of the newer technology in 802.11n (that's the technology they were crafting up! :) It all worked even if the people installing the APs were an outside firm that did the site surveys when the rooms were empty! ;-) I was shocked to be at IEEE 802.11 engineering meetings and seeing APs on the floor. :) They fixed that in subsequent meetings but even with the APs on the floor and a room full of humans, the stuff still worked!

Now, when everyone downloaded these huge documents simultaneously ("the latest draft of TGi is up on the server...") when announced, the speed would drop but it still downloaded fairly fast considering the number of people and temporary deployment of these meetings. No special sauce needed, these were autonomous Cisco APs with standard omni-directional antennas. There's a lot more you can do these days to optimize your setup.

I wish we were allowed to take pictures! 700+ laptops all lined up and active on a ballroom floor is quite the scene! All I could do was stand at the back with a big smile on my face: This stuff is amazing! ...

Jonn Martell

On Thu, Apr 21, 2011 at 8:11 AM, Palmer J.D.F. j.d.f.pal...@swansea.ac.uk wrote:

Hello,

I've been posed a tricky question by someone on a planning committee for a new campus building. ...is it actually feasible for 500 simultaneous WiFi connections in a lecture room? I was hoping that there would be someone that might have experience of answering (or providing a solution to) such a question who could offer some input as to whether this is possible, or how close to the figure of 500 could we realistically achieve with the technology currently available? We are a Cisco site so ideally any solution would need to be one Cisco is capable of delivering, but if there are other vendors that are proven to be able to provide this kind of coverage to good effect, then I'd be glad to hear of your experiences.

All the best,
Jezz Palmer.

Jezz Palmer
Library Information Services
Swansea University
Singleton Park
Swansea SA2 8PP
Re: [WIRELESS-LAN] High client density WiFi?
Hi John,

I knew I should have broken the rules and taken a few pictures! ;-)

If I remember right, they stayed with 1,6,11 (!). Although there was a time where the 4 channels worked (for 802.11b only). They just had huge overlapping cells. It's important to note that during many of the meetings, the huge ballrooms are closed off with large partitions so the actual working groups end up sharing smaller RF space. So it's not always that crazy and each one of these partitions adds a 3dB loss, but during the opening/closing, there is work being done and the partitions are all open. Worth the price of admission if there is an IEEE meeting in your area (although I don't think the meetings are as well attended because there's nothing really pressing to fix these days but I could be wrong ;-)

With 6 APs to service 90 people - you should be ok but it all depends on the applications. I should add that the bulk of the work being done was email, VPN, and file sharing to a server. Nothing fancy like time sensitive VOIP apps or video conference. That's when you would possibly see it break down in that environment. I still remember some vendors recommending a max of 7 VOIP clients per AP (!). Anything that doesn't tolerate retries would have a hard time in such a congested environment but for most apps, it just works (just more slowly but not an issue for most users).

PS: As a rule of thumb, I'm a big fan of not playing around too much with AP power unless you can do the same on the client-side... Why let your client scream louder than your infrastructure? ...

Jonn Martell

On Thu, Apr 21, 2011 at 4:29 PM, John Kaftan jkaf...@utica.edu wrote:

That is a crazy story. How did they do it, just with managing cell size and channels? I mean back in those days they only had 2.4 GHz. I have heard of folks cranking down the power in tight big rooms and going with a 4 channel plan. We have an event next weekend where we are going to have 90 people in a 50' x 50' room and I am freaking out about that. Maybe I shouldn't be. I was planning on putting in 6 APs and having only 3 radios going on 2.4 to avoid co-channel interference.

John
Re: [WIRELESS-LAN] Wireless to the Rescue...
Philip,

A better idea is to *attract* students to class, not punish them for not being there.

After extensive research and development, Universities in Canada have created a consortium to create a Facebook robot which will initially assist professors but will ultimately replace them. The legacy type of instructors are too boring according to our research and students prefer Facebook to food so this was a no brainer. Of course the robot will be connected using WiFi and will feature some neat Canadian technology such as the Ballard Hydrogen Fuel cell. The official press release is due out later today I think ...

On Fri, Apr 1, 2011 at 9:22 AM, Hanset, Philippe C phan...@utk.edu wrote:

All,

University of Tennessee has had some class attendance issues lately, especially with Sophomores. We came up with a location based wireless solution that could fix this issue. We have built a database of rooms surrounding Access-Points that we correlate with a class roster. Basically if a student is supposed to be in room x at time y, our filtering only allows the student access to a set of access points surrounding that room during that time. No wireless elsewhere. Dormitories are included in the algorithm. If you are doing something similar, we would like to know some of the caveats.

Thanks,
Philippe Hanset
University of TN
(Constituent Group Leader of Wireless-LAN@educause)
(what's the date?)
Re: [WIRELESS-LAN] Observed Signal Strength On Encrypted Wireless
Hi David,

One of the unfortunate things about wireless LANs is the standards never really address what parameters a vendor should use for a client to decide when to roam and when to stay on the previously associated AP. The algorithms are generally based on RSSI (relative signal strength indicator) which is a value that each manufacturer determines. All proprietary algorithms that are generally not advertised. Other things that vendors *might* use to decide when to roam vs staying on the AP include the number of retries and the SNR.

A vendor for example might have messed up: their roaming algorithms might be fine for Open but not so good for WPA2. They won't advertise it - they will just release an updated driver which the users generally don't upgrade unless told to. So roaming is all over the map for different client stations. So for one manufacturer, they might have a higher threshold and remain on a previously associated AP longer. That could be the cause of a lower perceived signal strength.

With WPA2, the addition of encryption and keys does add a layer of complexity and possible variables to this. Do some vendors include other variables relating to WPA2 in their proprietary roaming algorithms? I'm not sure but I would not be surprised to see that some have... There's a bunch of stuff in 802.11i that is optional in the WPA2 certification. The re-authentication adds some time but I don't think that's the case here because unless you do very time sensitive work (like VOIP), most users won't see the 802.1x/EAP re-auth latency. The whole PKC-Fast Roaming 802.11i thing will help in this area but although it's supported in WPA2, I don't think it's mandatory.

I'm guessing that if you ask your help desk to record the usernames and MAC addresses, you might find a pattern for poorly implemented client drivers and supplicants? That's where I might start to focus my attention. If you can, get driver versions as well.

To determine if sticky roaming is the issue, I would also get the helpdesk to work with users to disassociate when they have an issue and re-associate, seeing if they end up using a stronger AP (with stronger signal strength). That can help determine if it's a roaming issue or not to help you narrow the problem. If it's not a roaming issue, then you should check your stats when the client is associated.

If the client runs CCX (the Cisco extensions), you can also get a bunch of info from the controller using:

show client roam-history client-MAC

You can also run show and debug on l2roam.

My guess is that it's a client issue. If you called Tier 1 support from vendors they would advise: Upgrade the drivers and try again :)

Hope that helps. ...

Jonn Martell, speaking as a CWNE/CWNT instructor ;)

On Fri, Nov 5, 2010 at 1:12 PM, David Blahut dabla...@vassar.edu wrote:

Hello All,

We are a Cisco CAPWAP shop and recently switched from non-encrypted web portal authenticated wireless to WPA2/802.1X/AES encrypted wireless with RADIUS and LDAP in the back end. I have received several help desk tickets with reports along the lines that “now that we are using the encrypted wireless the signal is weaker or unusable”. Anyone else experience this phenomenon? I can’t believe it’s the wireless network, same radios after all. I could see the client interpreting the signal level differently or the client associating to a more distant access point because the closer one is more heavily taxed due to the encryption. I could even see that the encrypted wireless is more sensitive to RF interference. Anyway, any thoughts or ideas are welcomed.

Thanks,
David
Re: [WIRELESS-LAN] WCS Error
Hi Chris,

MIC (message integrity check) was really a patch for TKIP to prevent replay attacks. I happened to be in the IEEE TGi working group when this feature was heavily discussed. Many felt that the countermeasures were more harmful than beneficial. I still remember the notion passing after the argument was made that TKIP will be short lived and this will be a non-issue. This is another reason to move from TKIP (WPA) to AES (WPA2).

My understanding is that the countermeasures impact any new connection for 60 seconds. So effectively one trigger creates a DOS for all new users! I would consider reducing or turning off the countermeasure. On WLC (4.1 or greater):

config wlan security tkip hold-down X wlan id

Where X is the number of seconds to deny access to your WLAN on a MIC trigger. Use 0 to disable MIC.

Jonn Martell, Director of Technical Operations, FDU Vancouver

On Fri, Oct 22, 2010 at 1:26 PM, Chris Wandell cwand...@binghamton.edu wrote:

Hello All,

We have been seeing a lot of MIC errors on WCS this semester:

The AP 'xx' received a WPA MIC error on protocol '0' from Station 'xx.xx.xx.xx.xx.xx'. Counter measures have been activated and traffic has been suspended for 60 seconds.

What I have read is that this may be a problem with the MAC addresses for the iPad, as well as out of date device drivers for other wireless card vendors. I have also found you can turn the reporting of these errors off, but am a little wary of that. Has anyone run into this and what would be the downside to disabling this? The upside I would think would be that the AP wouldn't be suspending traffic for 60 seconds at a clip when this error occurs.

Thanks for any input
Chris Wandell
Binghamton University
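An added example, not code from the thread: a small Python parser for the WCS alert text Chris quoted, which counts MIC errors per station (a handful of repeat offenders usually points at a driver or device problem rather than an attack) and merges the 60-second hold-downs per AP so you can measure how long each AP actually refused new clients before deciding whether to lower the hold-down. The timestamps, AP names and MAC addresses are constructed.

```python
"""Aggregate Cisco WCS 'WPA MIC error' alerts: which stations trigger TKIP
countermeasures, and how much wall-clock time each AP spends in hold-down.
Added example; the alert lines below are constructed, not real WCS output."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, modelled on the message text quoted in the thread.
# The last line is deliberately not a MIC alert, to show the parser skipping it.
SAMPLE_ALERTS = """\
2010-10-22 13:01:05 The AP 'AP-LIB-2F-03' received a WPA MIC error on protocol '0' from Station '00:11:22:33:44:55'. Counter measures have been activated and traffic has been suspended for 60 seconds.
2010-10-22 13:01:40 The AP 'AP-LIB-2F-03' received a WPA MIC error on protocol '0' from Station '00:11:22:33:44:55'. Counter measures have been activated and traffic has been suspended for 60 seconds.
2010-10-22 13:05:10 The AP 'AP-DORM-1F-01' received a WPA MIC error on protocol '0' from Station '66.77.88.99.aa.bb'. Counter measures have been activated and traffic has been suspended for 60 seconds.
2010-10-22 13:20:00 The AP 'AP-LIB-2F-03' received a WPA MIC error on protocol '0' from Station '00:11:22:33:44:55'. Counter measures have been activated and traffic has been suspended for 60 seconds.
2010-10-22 13:21:30 Some unrelated WCS alert that the parser must skip.
"""

# MACs are accepted with ':' or '.' separators (the quoted alert used dots).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"The AP '(?P<ap>[^']+)' received a WPA MIC error on protocol '(?P<proto>\d+)' "
    r"from Station '(?P<sta>[0-9a-fA-F]{2}(?:[:.][0-9a-fA-F]{2}){5})'\. "
    r"Counter measures have been activated and traffic has been suspended "
    r"for (?P<secs>\d+) seconds\.$"
)


def parse_alerts(text):
    """Return a list of (timestamp, ap, station_mac, hold_down_seconds) tuples."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not a MIC countermeasure alert
        mac = m["sta"].lower().replace(".", ":")  # normalise separator
        events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       m["ap"], mac, int(m["secs"])))
    return events


def errors_per_station(events):
    """Count MIC errors per client MAC; the same MAC over and over is a driver/device issue."""
    return Counter(sta for _, _, sta, _ in events)


def suspended_seconds_per_ap(events):
    """Seconds each AP spent refusing new associations, merging overlapping hold-downs
    so a second trigger inside an active 60 s window is not double counted."""
    per_ap = defaultdict(list)
    for ts, ap, _, secs in events:
        per_ap[ap].append((ts, ts + timedelta(seconds=secs)))
    result = {}
    for ap, intervals in per_ap.items():
        intervals.sort()
        total = 0.0
        cur_start, cur_end = intervals[0]
        for start, end in intervals[1:]:
            if start <= cur_end:          # overlaps the current hold-down: extend it
                cur_end = max(cur_end, end)
            else:                         # gap: close out the current window
                total += (cur_end - cur_start).total_seconds()
                cur_start, cur_end = start, end
        total += (cur_end - cur_start).total_seconds()
        result[ap] = int(total)
    return result


def repeat_offenders(events, threshold=2):
    """Stations that tripped countermeasures at least `threshold` times, sorted."""
    return sorted(sta for sta, n in errors_per_station(events).items() if n >= threshold)


if __name__ == "__main__":
    ev = parse_alerts(SAMPLE_ALERTS)
    print("errors per station:", dict(errors_per_station(ev)))
    print("seconds suspended per AP:", suspended_seconds_per_ap(ev))
    print("repeat offenders:", repeat_offenders(ev))
```

Feed it an export of the WCS alert log instead of SAMPLE_ALERTS; if one or two MACs account for nearly all the errors, chasing those clients' drivers fixes more than lowering the hold-down for everyone.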
Re: [WIRELESS-LAN] List Guidelines reminder
Vendors are nuts to auto-subscribe people from the postings on this list. I'm always leery of unsolicited communications (regardless of the medium). It's good to know that it's happening to watch for it - we can pick off the bad ones and selectively ignore the rest :)

The world currently can read all our list ramblings at http://www.mail-archive.com/wireless-lan@listserv.educause.edu/ I'm not sure the list should be *that* public?

I'd say that vendors have always been part of our community. You have to know Devin to understand that fundamentally, his posting wasn't really commercial. He was the wireless god techie at CWNP (wireless courseware vendor) before his new employment with a hardware vendor. This list is (and should remain) very non-commercial - he probably didn't really understand this (until now :). I hope he stays on the list - from discussions off-line, it looks like he got a good lashing on this one and likely feels he received mixed messages...

Devin lives, breathes and is fully immersed in Wireless LANs. My only beef with him is that he invented terminology when he was with CWNP. Personally, the inventors of the technology should be the ones naming it! :) He probably agrees with me now. :) He is a wireless LAN encyclopedia, hope he stays...

Personally, I wish I had a Devin-type contact for all the companies I deal with! Most of these very knowledgeable people get locked up and aren't allowed to talk to anyone :-) It's one of the reasons I attended the IEEE 802 meetings when I was wireless-LAN centric years ago - I was able to get to the key wireless engineers at companies like Microsoft and others. I received very early confirmation that Microsoft would never support EAP-TTLS (even if they should! :-)

Communicating with vendors on this list is great: if you have a problem with product X and Y working together, and you can't get help via the regular channels, post it here and there are good chances that vendors will follow up on it. For really difficult problems, it's much better than entering at Tier 1 or 2 of a call-center tech support or escalating via sales (which is the second best way to get a serious issue resolved if your account manager knows your name...). I remember a few serious Cisco/Centrino issues years ago that received a lot of deep internal reviews at both Cisco and Intel because of postings on this list. It's a delicate balance because you want to get help without enraging companies but it's a great way to escalate.

This is a great list for vendors as well (as already mentioned) - no other list can give them an insight into large scale wireless deployments (typical in EDUs).

PS If my previous post sounded as if I was against startups, I am not. They drive a lot of the innovation that gets acquired by established players. We need them, especially in the early days. But most seasoned IT decision makers will generally go with an established vendor/solution first and then look for new/startup solutions if there is nothing (or nothing good) available. Colubris and Bluesocket are good examples of two startups that provided very valuable products in the early days of wireless LANs. Good to see Colubris technology surviving with HP.

I agree that the discussions should be started and/or focussed on EDUs (regardless of the domain name used as part of someone's email address). Vendors have to be very careful in how they post or use postings... I'd say this is a good clarification of the list culture for all of the many vendors on the list!

Jonn Martell

On Thu, Aug 12, 2010 at 4:26 PM, Jeffrey Sessler j...@scrippscollege.edu wrote:

What I'm tired of is being subscribed to vendor communications shortly after I post here. I'll unsubscribe, and then after a new post/reply, I'm suddenly added to their marketing lists again. It tells me that while vendors may not be posting here, they are mining the lists for email contacts.

Jeff

Peter P Morrissey 08/12/10 9:57 AM

Thank you Philippe!

I'm surprised we even let vendors on the list. Have we ever considered limiting it to .edu's?

Pete M.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Philippe Hanset
Sent: Thursday, August 12, 2010 12:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] List Guidelines reminder

All,

Having education affiliated people asking questions about vendors on the list is part of the purpose of this medium. Having vendors doing the same is not. Please read the guidelines of the listserv at: http://www.educause.edu/Community/ConstituentandDiscussionGroups/ConstituentandDiscussionGroupP/892

Thank you for your understanding.

Regards,
Philippe Hanset
Wireless-LAN Constituent Group leader
Re: [WIRELESS-LAN] Aerohive?
they will be in business in X years.

PS2 For a small deployment with smaller exposure, I would consider Aerohive, Xirrus and other smaller players with neat technology; the only challenge there is you can't buy these things through CDW, Tigerdirect and other distributors smaller orgs would use. So I'd say, focus on your distribution channel and fix your "how to buy" page on your website!! :-)

Jonn Martell, Director of Technical Operations with an EDU (but not speaking on behalf of this EDU, just based on my experience with various large scale wireless LANs)
j...@martell.ca

On Thu, Aug 12, 2010 at 9:26 AM, Devin Akin de...@aerohive.com wrote:

I've been pleasantly surprised at all of the pro/con discussions on various vendors on this list. I think it's wonderful for everyone to be sharing their experiences (both positive and negative) about each vendor. That kind of open honesty helps everyone in the end.

To that end, I would love to pose a completely open-ended question to this group. What has everyone's experience been with Aerohive? Please feel free to do the pro/con thing, the "my experience" thing (for better or worse), and any other 'things' that might come to mind. I've learned quite a bit by reading everyone's posts, and I appreciate the openness... you just don't see that much anywhere else.

I'm in large part responsible for Aerohive's customer advocacy, and so in order to do my job well, I need to know the goods, bads, and uglies of how we're doing, even if it means asking for people to air our dirty laundry in public. I'm sure I'll get a good talking to by the powers-that-be soon enough, but sometimes it's easier to get forgiveness than permission. ;)

If you just can't bring yourself to say something publicly, my contact info is below, and I'd love to hear from you... even if it's just to yell at me. :P Feel free to use the email alias unha...@aerohive.com which drops right in my inbox.

Thanks for any positive or negative feedback. Your time is very much appreciated.

Devin K. Akin
Chief Wi-Fi Architect
Aerohive Networks
E: de...@aerohive.com
C: +1.404.483.2681
O: +1.770.854.8554
W: www.Aerohive.com
Update: Cisco APs and Smartnet
In a previous post, I referred to Smartnet on APs as being silly. I was informed by someone at Cisco that effective March/April 2010, you no longer need to get Smartnet on newer APs - they have a limited lifetime warranty (5 years after EOS).

They still get you on the controller if you run in LAP mode... :-)

...
Jonn Martell
Re: [WIRELESS-LAN] Density and Cisco LWAPP
Hi Chip,

I'm curious why you would not be using 802.11n on a new deployment? Are you planning to purchase the APs new? I imagine a great pre-owned market for abg only APs. I can think of one site that would love to be able to sell their 1132s to migrate to the new 1142s (assuming appropriate discounts from Cisco because the price is currently a little high). There are tons of features on the newer APs that prepare them for the future (including multiple streams, beamforming etc). What's your technology cycling timeframe? At this point, I'd be tempted to say that the pendulum has swung toward the 1142 as the prime standard AP (from the 1132).

It seems you are focusing on the 5 GHz range, which is good on a dense deployment. About 20 non-overlapping channels on a standard 20MHz and 9 using 40 MHz (double-wide) channels. Dense deployment on 2.4GHz is difficult with the 3 non-overlapping 20MHz channels.

Newer products in the 5GHz range support TPC (transmit power control), which I think is essential in a dense environment. This is an important technology because although people think it helps tuning down the transmit power on the AP, that doesn't really solve the problem unless you can do the same on the client. That's where TPC comes in handy.

...
Jonn Martell, CWNE
Director of Technical Operations with a multinational EDU

On Tue, Feb 17, 2009 at 7:23 AM, Greene, Chip cgree...@richmond.edu wrote:

We are currently looking to go totally wireless in two of our classrooms on campus. The rooms are back to back and we anticipate 90 users in each classroom, simultaneously. We are a totally Cisco shop and will not be using N for this deployment. The initial design plan calls for 5 APs in each classroom. 3 APs will be A only and 2 will be G only. The G requirement is the only requirement we have for student laptops at this time. I am seeking feedback from anyone with experience in this type of deployment for large classrooms, specifically with Cisco products. Suggestions and recommendations would be appreciated.

Thanks in advance.

___
Chip Greene
Senior Network Specialist, CCSP
Jepson Hall G-12
28 Westhampton Way
Richmond, VA 23173
Re: [WIRELESS-LAN] Wireless Upgrade Approach (phased vs. overhaul)
Hi Ryan,

When we deployed at the first EDU, we installed two cable drops per location to facilitate an inlay of another technology (at that time b was deployable and we knew that 5GHz was just a matter of time). We also added additional drops to plan for 5GHz (about 40% more which didn't have APs) for the 2.4GHz deployment. The second cable per drop was strategically important as leverage with vendor #1, since they knew we could easily overlay a competitor or competing/complementary technology.

At the latest EDU I work for, I strongly recommended doing it, but it was a much smaller scale and it was designed for 5GHz, high capacity from the start. So we decided to just deploy high capacity from the start, and we didn't have leverage with the small scale.

I would budget for an overhaul (because that's really the best end goal) but phase it in one building at a time. I would start with the locations that need the extra capacity as a pilot. With 5GHz, your range isn't as far, so in your pilot you'll likely find that you'll need additional cable drops to provide good 5GHz coverage.

If you go out to the market with an RFP to overhaul a strong vendor, you might get newer vendors wanting to be part of this migration, so that might be an important factor for you on the pricing/budget side.

Jonn Martell, [EMAIL PROTECTED] www.martell.ca
Director of Technical Operations with EDU #2
Wireless LAN Technology instructor (and ex-PM) with EDU #1
CWNE, CWNT

On Thu, Nov 20, 2008 at 7:15 AM, Ryan Lininger [EMAIL PROTECTED] wrote:

Good Day Everyone,

I'm currently looking into a wireless infrastructure upgrade and was wondering how others have approached this challenge. I'm interested in the phased vs overhaul debate. We currently have a campus wide mixed vendor 802.11b/g environment and would like to go to a controller based 802.11b/g/n environment. How did you implement, or how do you plan to implement, this change on your campus? What method did you choose (multi-year phased deployment or single year/summer overhaul) and why?

Thanks for the help.

Ryan.
--
Ryan Lininger
Network Systems Engineer
Denison University
Re: [WIRELESS-LAN] Wireless coverage for bus riders
Hi Lee,

I would not even dare to do it with WLAN if the plan is to get connectivity to a moving bus from outside the bus. If the goal is to get users connectivity in a non-moving bus, not sure how significant that would be for users (how long do buses stay stationary?).

To make it of real use, I would use licensed stuff (3G and 4G) to the moving bus and have an AP inside the bus for end-user connectivity. Not sure why the transportation and transit systems haven't gone that route (no pun intended!).

...
Jonn Martell, [EMAIL PROTECTED] www.martell.ca

On Wed, Nov 19, 2008 at 12:26 PM, Lee H Badman [EMAIL PROTECTED] wrote:

In the name of "what if", wondering if any school has installed infrastructure specifically intended to provide WLAN to bus riders on campus? I'm talking strictly outside-in coverage, no radio magic on the bus itself. If so, how's it working for you and just as important, do you get the sense that anyone appreciates it?

Regards-
Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003
Re: [WIRELESS-LAN] Wireless coverage for bus riders
Hi Lee,

The reason why I'm not optimistic about WLAN outside-in for this use is because it was never designed to provide roaming at anything more than walking speeds. I'm sure that some vendors are better than others using proprietary ways, but in my vehicular tests on campus, the roaming capability didn't prove to be a success. Even bicycle speeds might be too much.

For a modern day WLAN network to be a success (IMHO), they would have to implement Enterprise WPA2, and if you think we have re-authentication fun on a campus mobile level, I can just imagine doing this at a XX AP per second level while moving on a bus.

I'd advocate that a per-bus Wi-Fi AP is the best architecture. The outside-to-outside (WWAN) + inside-to-inside (WLAN) wireless seems to be the best architecture, especially in regards to user experience, frequency reuse and power management.

...
Jonn Martell, [EMAIL PROTECTED] www.martell.ca

On Wed, Nov 19, 2008 at 5:56 PM, Lee H Badman [EMAIL PROTECTED] wrote:

Hi Jonn-

Actually some busses have gone the route you describe. Here's one in San Francisco: http://thecityfix.com/the-wireless-on-the-bus-makes-the-wheels-go-round-and-round/ and a bus line in Singapore does it as well, for examples.

But back to my notion of outside-in coverage... If you think about the classic activity of war-driving, you're typically trying to find wireless networks from within a vehicle, which is largely a rolling Faraday cage- just like a bus. I have external antennas, but rarely bother with them during my often very successful, shall we say, explorations in this area. So perhaps another somewhat simplistic way of looking at the idea of outside-in coverage for rolling busses is that you're setting up a really good war-driving target for passengers (as casual users) to be able to find and use. Seems like even a less-than-optimal WiFi corridor along a 30 MPH or less bus route *may* provide throughputs as good as a cellular-based access point that's at one end of a bus full of signal-attenuating people. Maybe.

Not really trying to prove a point- just free wheelin' here :)

-Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003
Re: [WIRELESS-LAN] WPA Cracked (Sorta)
Thanks for the note. Some questions I would have before panicking.

At the low end, the common wisdom has been to use WPA-PSK (TKIP) with a very long passphrase. I'm not sure this attack works with a long passphrase, but if it's not a dictionary attack, maybe it does? WPA-PSK (with a long passphrase) is very valuable for devices that only support it and for Home/SOHO environments.

The other question I would have is: does it impact WPA-Enterprise (TKIP encryption with rotating keys)? Yes, WPA2 with AES is great, but it's slower and takes up more processing (meaning less battery life on handheld devices).

I get a sense that all some people are interested in saying is "wireless security is futile, we told you!", which is a little annoying and counterproductive. OK, the motive is to publish papers and fill conference seats, but it's still annoying for wireless LAN architects, sysadmins and instructors. Half the secret to a successful deployment is understanding where the flaws really are. In Infosec (the other stuff I teach), risk assessment is a huge portion of information security. Where exactly are the risks here? I guess we'll only find out after the full house presentation at PacSec? ;-) You can't buy this type of advertising! :-)

Jonn Martell, CWNE #47
[EMAIL PROTECTED] (not speaking on behalf of my EDU).

On Thu, Nov 6, 2008 at 6:14 AM, Mike King [EMAIL PROTECTED] wrote:

Just saw this on one of my RSS feeds: http://www.pcworld.com/businesscenter/article/153396/once_thought_safe_wpa_wifi_encryption_is_cracked.html

The short list of points:

1. Only affects WPA (NOT WPA2)
2. Only affects TKIP (NOT AES)
3. Only affects traffic from router to PC (NOT PC to router). Can also be used to send bogus info from router to PC
4. Takes approx 12-15 minutes to crack key
5. Some of the code used to demonstrate this was added to Aircrack-ng two weeks ago.

Authors state this is not the dictionary attack that has been around for awhile, but a new way to trick the router into sending the attacker large amounts of data, and a new cryptographic attack that decodes the WPA TKIP key.
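The risk questions Jonn raises above (does a long passphrase help, is WPA-Enterprise with TKIP affected) can be written down as an audit rule set and run over a site's SSID profiles. This is an added example, not code from the thread or from any vendor; the WlanProfile fields and the sample SSIDs are constructed, and the 120-second rekey stopgap is an assumption taken from the attack authors' published countermeasure advice rather than from this thread.

```python
"""Audit WLAN security profiles against the WPA/TKIP attack summarised in the thread.

Added example with constructed sample data; the profile fields below are not any
vendor's configuration schema.
"""
from dataclasses import dataclass

# Facts encoded from the thread: the attack is TKIP-only (AES/CCMP is unaffected),
# it recovers and forges AP-to-client traffic, it takes roughly 12-15 minutes, and
# it is not a dictionary attack, so passphrase length does not help.
ATTACK_MINUTES = 15
# Assumption (not from the thread): rekeying well inside the attack window limits
# how long a recovered per-packet key stays useful; 120 s is the stopgap the
# attack's authors suggested.
STOPGAP_REKEY_SECONDS = 120


@dataclass(frozen=True)
class WlanProfile:
    ssid: str
    version: str             # "WPA" or "WPA2"
    ciphers: tuple           # pairwise ciphers the SSID accepts, e.g. ("TKIP", "CCMP")
    auth: str                # "PSK" or "Enterprise"
    rekey_seconds: int       # group/pairwise rekey interval; 0 means never
    passphrase_len: int = 0  # only meaningful for PSK


def group_cipher(profile: WlanProfile) -> str:
    """Broadcast/multicast frames use the weakest cipher the SSID admits, so a WPA2
    SSID that still accepts TKIP clients protects its group traffic with TKIP."""
    return "TKIP" if "TKIP" in profile.ciphers else "CCMP"


def assess(profile: WlanProfile) -> dict:
    """Return a severity ("none", "medium", "high") plus the reasoning and fixes."""
    if "TKIP" not in profile.ciphers:
        return {"ssid": profile.ssid, "severity": "none",
                "findings": ["CCMP-only: not affected by the TKIP attack"], "fixes": []}

    findings = ["TKIP accepted: AP-to-client frames can be decrypted and forged"]
    fixes = []
    if "CCMP" in profile.ciphers and group_cipher(profile) == "TKIP":
        findings.append("mixed mode: the group key is TKIP even for CCMP clients")
    if profile.auth == "PSK":
        findings.append(f"a {profile.passphrase_len}-character passphrase does not "
                        "help: the attack is not a dictionary attack")
    else:
        findings.append("802.1X/Enterprise does not help by itself: per-packet TKIP "
                        "protection is what is attacked, not the master key")

    # A rekey interval shorter than the attack window is a stopgap, not a fix.
    if 0 < profile.rekey_seconds <= STOPGAP_REKEY_SECONDS:
        findings.append(f"rekey every {profile.rekey_seconds}s is shorter than the "
                        f"~{ATTACK_MINUTES} min attack window (stopgap only)")
        severity = "medium"
    else:
        findings.append("rekey interval does not bound the attack window")
        severity = "high"
        fixes.append(f"set the rekey interval to <= {STOPGAP_REKEY_SECONDS}s as a stopgap")
    fixes.insert(0, "move this SSID to WPA2 with CCMP (AES) only")
    if "CCMP" in profile.ciphers:
        fixes.append("put devices that truly need TKIP on a separate, isolated legacy SSID")
    return {"ssid": profile.ssid, "severity": severity, "findings": findings, "fixes": fixes}


# Constructed sample profiles of the kinds the thread discusses.
SAMPLE_PROFILES = [
    WlanProfile("home-soho", "WPA", ("TKIP",), "PSK", 3600, passphrase_len=40),
    WlanProfile("campus-legacy", "WPA2", ("TKIP", "CCMP"), "Enterprise", 0),
    WlanProfile("campus-secure", "WPA2", ("CCMP",), "Enterprise", 3600),
    WlanProfile("handhelds", "WPA", ("TKIP",), "PSK", 120, passphrase_len=20),
]


def audit(profiles=SAMPLE_PROFILES) -> dict:
    """Map each SSID to its assessment."""
    return {p.ssid: assess(p) for p in profiles}


def worst_severity(report: dict) -> str:
    """The severity a risk review would carry forward for the whole site."""
    rank = {"none": 0, "medium": 1, "high": 2}
    return max((r["severity"] for r in report.values()), key=rank.__getitem__)


if __name__ == "__main__":
    report = audit()
    for ssid, result in report.items():
        print(f"{ssid}: {result['severity']}")
        for line in result["findings"] + ["fix: " + f for f in result["fixes"]]:
            print("  -", line)
    print("site severity:", worst_severity(report))
```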
Re: [WIRELESS-LAN] 802.11n
I won't speak for Bret, but considering the cost differential of 11xx and 12xx models in Cisco, I'm not sure there is a cost/benefit value of deploying the 1250 at this point?

Fundamentally, the biggest hurdle I see for Cisco's 802.11n strategy is the fact that you can't use installed 802.3af (POE) infrastructure! That means that the thousands of ports installed in some environments can't be used to power the new Cisco 802.11n dual radio APs. Fine, the new installation can install the new POE Plus (to be?) standard, but at what cost? It seems that some vendors are supporting bonding multiple POE ports to provide the POE Plus output required for the dual radio support, but it seems that Cisco has decided not to go this route (at least for now until they hear from the installed base! :-)

Also wonder what type of mid-span POE 802.3af to 802.3at devices will exist in the coming year to address this shortfall. Hope there aren't any patent issues on what should be commodity devices based on standards.

...
Jonn Martell (wearing a consultant hat)
CWNE
martell.ca

The cost/benefit

On 1/14/08, Frank Bulk [EMAIL PROTECTED] wrote:

Bret:

What do you perceive the risks to be? There's no doubt that the price is higher, though the price/Mbps is lower. The standard is already viable, there's no question in my mind regarding that, though 2008 won't be the year that 802.11n APs match the price of enterprise 802.11b/g APs today.

Frank

-----Original Message-----
From: Bret Jones [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 14, 2008 5:50 AM
To: [EMAIL PROTECTED]; WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: RE: [WIRELESS-LAN] 802.11n

1. The technology is very new in the enterprise market and when rolling out thousands of AP's is just too risky at this point.
2. The cost is much higher for now.

I do expect the standard and cost will become much more viable over the next year and will consider this again in 2009.

Thanks
Bret

Bret Jones
Managing Director
Technology Operations and Engineering
The George Washington University
801 22nd Street NW, Suite B148
Washington, DC 20052
Phone: (202)994-5548
Fax: (202)994-0730
Email: [EMAIL PROTECTED]

-----Original Message-----
From: Frank Bulk - iNAME [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 12, 2008 1:02 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.11n

Can I ask why you've decided to skip 802.11n at this time? Do you have plans to do a round of hardware replacements in 3 years, and take advantage of lower 802.11b/g AP pricing?

Frank

-----Original Message-----
From: Bret Jones [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 12, 2008 4:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.11n

We are doing a large AP rollout in 2008 (1500 AP's). We are going with Cisco, but not with n. We will not be putting the AP's under smartnet because it is expensive and much more cost effective to just replace AP's when they fail. The failure rate for us has been very low, I think 3 out of 1000 in the last 2 years. We will have smartnet on the other components, i.e. controllers and location appliances.

Thanks
Bret

Bret Jones
Managing Director
Technology Operations and Engineering
The George Washington University
801 22nd Street NW, Suite B148
Washington, DC 20052
Phone: (202)994-5548
Fax: (202)994-0730
Email: [EMAIL PROTECTED]

-----Original Message-----
From: Jonn Martell [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 11, 2008 5:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.11n

This is where size and your relationship to your Cisco AM is important. I don't think that you should have to put all your APs on Smartnet if you do local sparing. At one of my last EDUs, we had 2000+ APs deployed and only a handful on Smartnet (required to call TAC). If your Cisco AM doesn't understand this, that's when competition starts to look really interesting! Forcing maintenance on the small stuff is ridiculous, especially for thin APs that are controlled by the controllers (these APs aren't autonomous anymore).

If you want to stay with Cisco, then waiting for the WiFi 802.11n compliance certification is likely your best bet.

...
Jonn Martell

On 1/11/08, Lee H Badman [EMAIL PROTECTED] wrote:

Hi Lee-

Where I find fault with this is the requirement to keep APs under maintenance. Our model has always been that the APs are cheap enough and reliable enough that it's more cost effective to keep a dozen spares on hand than to keep 1600 APs on maintenance... so in my opinion, Smartnet isn't the right silver bullet for protection against changes to the standard- but I do concede that every environment has their own circumstances.

Lee

From: Lee Weers [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 11, 2008 11:46 AM
To: WIRELESS-LAN
Re: [WIRELESS-LAN] 802.11n
This is where size and your relationship to your Cisco AM is important. I don't think that you should have to put all your APs on Smartnet if you do local sparing. At one of my last EDUs, we had 2000+ APs deployed and only a handful on Smartnet (required to call TAC). If your Cisco AM doesn't understand this, that's when competition starts to look really interesting! Forcing maintenance on the small stuff is ridiculous, especially for thin APs that are controlled by the controllers (these APs aren't autonomous anymore).

If you want to stay with Cisco, then waiting for the WiFi 802.11n compliance certification is likely your best bet.

...
Jonn Martell

On 1/11/08, Lee H Badman [EMAIL PROTECTED] wrote:

Hi Lee-

Where I find fault with this is the requirement to keep APs under maintenance. Our model has always been that the APs are cheap enough and reliable enough that it's more cost effective to keep a dozen spares on hand than to keep 1600 APs on maintenance… so in my opinion, Smartnet isn't the right silver bullet for protection against changes to the standard- but I do concede that every environment has their own circumstances.

Lee

From: Lee Weers [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 11, 2008 11:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.11n

We have a campus wide wireless project just starting that we are going to do 802.11n everywhere we can place a Cisco 1252. We couldn't get a guarantee from Cisco that there won't be a hardware change. Just that if the AP is under smartnet they will then do the upgrade for free. I have also heard the same thing from Xirrus with their AP arrays. If they are under maintenance then they will send you the 802.11n radios to swap out.

From: Lee H Badman [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 11, 2008 9:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.11n

Wondering who is taking the early plunge on 802.11n, whose system you are going with (beyond small pilots), and if you are requiring commitment from the manufacturer that if the standard does change in ways that make pre-standard hardware incompatible, free replacements would be provided? On list or off is OK- just trying to gather data for our own 11n research.

Kind regards-

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003
Re: [WIRELESS-LAN] Authentication method comparison
Hi Donald,

You don't need to have AD to support PEAP. Your RADIUS/LDAP infrastructure does need to support MSCHAPv2 (aka native NT users and domains). Look at how RADIATOR does it for a good off-the-shelf solution to supporting PEAP on a non-Microsoft backend.

...
Jonn Martell, CWNE

On 10/23/07, Wright, Donald [EMAIL PROTECTED] wrote:

We currently have a WPA wlan using TTLS as the auth method and SecureW2 for the PC client software. We occasionally receive trouble calls from users having issues with SecureW2, and are now being asked if there is a more user-friendly auth method we could move to. I know the short list of other reasonable possibilities comes down to TLS and PEAP. Since we don't have our users' credentials stored in AD, and we don't currently have a PKI, neither of those would seem to be a possibility for us right now.

I am wondering about others' experiences with using any of the above auth methods, in particular from the user perspective. Are there still client issues with TLS or PEAP? Are those configurations scriptable for the client? How well do these other methods work with Macintoshes? Is anyone else having significant user issues with SecureW2? Has anyone had success with the supported third-party TTLS clients, Odyssey, etc?

Don Wright
Network Technology Group
Brown University
Re: [WIRELESS-LAN] Restricting Students Wireless Access Based on In Class Roles
When we were asked about this at my previous EDU, we said it couldn't be done. There are simply too many loopholes, and doing it with technology would result in students finding a creative way around it (WiMAX, EVDO, HSDPA, peer mesh...). It would also create account sharing: "tell me when you don't need your account (when back in the residences for example) and I'll share mine when you need it."

As stated, it has to be with the instructor setting the rules and providing a dynamic enough class for students to follow. If a student is absent, he's absent.

...
Jonn Martell, [EMAIL PROTECTED] www.martell.ca

On 7/21/07, Ryan Lininger [EMAIL PROTECTED] wrote:

We haven't tried any technical solutions to tackle this problem. Our take on wifi use in class is that it is a policy issue that the professor should take care of. It should be dealt with in the same way as cell phones... The professor should tell them to turn it off. As simple as that.

Our faculty are interested in a solution like this but the ROI just doesn't seem to be there. All a professor has to do is tell the students to put their laptops and phones away, while a technical solution has to worry about so many other issues. Take, for example, non class members trying to use an AP that has been disabled by a class, the student that is skipping a class to work on research for their next class that gets booted because they are on the first class's roster, etc.

Just my take,
Ryan

On Jul 20, 2007, at 3:57 PM, Ringgold, Clint [EMAIL PROTECTED] wrote:

I'm also interested in what everyone has to say about this because we had a pilot. We set up a website to allow the professors to turn on or off the wireless network for their class. This would look in RADIUS and find all students for that professor and change their access to "professor denied". Then all students from his class would not be able to login. At the end of class the RADIUS would change back to "access normal".

The problem is that for the students that come in early you must do a manual sweep of the network the professor is in, thus you need to know exactly what location. This becomes very delicate when you have to scan to turn off or kick out 500 students in one auditorium class. Be sure you have enough capacity to perform API functions (scanning for users already logged in) and service clients.

On another note, it became an issue of: are you going to provide a technical issue to an instructional problem? If you have a math class and you don't want calculators, do you frisk all students to make sure they don't have a calculator or do you just make sure they are put away?

It ran for a full semester. I do not have the feedback from all involved yet, and I have no idea if we are going to continue this or not. Because of this I'm interested to hear if anyone else is going to try this or if they think it isn't necessary; what does your faculty think?

Thank you for the information.

From: Gary Moore [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 20, 2007 12:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Restricting Students Wireless Access Based on In Class Roles

My apologies ahead of time if this thread subject has been posted before. We are looking to shut off wireless access of students based on a scheduled system of when they are in class. We are using the Bradford networks security system and are looking to implement roles for each class taught at the school. However, at this moment, it looks like we have to manually add the students to each class/role until we have our university implemented switchover to Windows/Active Directory from Novell, which will not be for at least another year (we are using SCT Banner for our campus integrated system). I was wondering if there is anyone out there that has done this and how they accomplished it. Greatly appreciate any responses to this. Thanks.

Gary Moore
Assistant Dean for Information Systems
Hofstra University School of Law
[EMAIL PROTECTED]
(516) 463-6067
Re: [WIRELESS-LAN] 802.1x and iPhone
This brings up a good argument to maintain a lowest common denominator BSSID/VLAN that is captive portal protected. It's too soon to be 1x only IMHO... If you don't also provide a common network, people will criticize you for making your network more complicated than the average hotspot at the airport or coffee shop, and you effectively create a denial of service condition. :-) Include the name "insecure" in the SSID just in case the device doesn't warn users.

...
Jonn Martell

On 7/11/07, Peter Morrissey [EMAIL PROTECTED] wrote:

It looks like the iPhone doesn't support 1x. We plan to be all 1x by next semester. We are also apparently already getting calls about wireless support for the iPhone and anticipate that a lot of students will come in with them. Does anyone know if Apple has any plans to support 802.1x?

Pete Morrissey
Re: [WIRELESS-LAN] The strategic importance of 802.11a
802.11a is very strategic; the question is not an if, but a when. The regulatory bodies released new spectrum in the 5.35 to 5.475 GHz range with better power capabilities than what was seen in the fledgling UNII-1 (5.15 to 5.25). So, if you throw away UNII-1, add the four non-overlap channels in UNII-2 (5.25-5.35) to the four channels in the 5.8 GHz range and add the 11 new channels, you magically get a *lot* of real estate not available in the 2.4 GHz range.

It's the best way to support a high number of users and applications such as VoWLAN, and the reason why pico cells will win out in the long term (IMHO).

With the new spectrum comes the requirement to use dynamic frequency selection (DFS) and Transmit Power Control (TPC), which means better battery life, less interference and generally a better RF environment. Not sure if there is a Wi-Fi certification for the new 802.11a products but there should be.

I'd be very careful to deploy products that can't support the new frequencies in the 5 GHz range; if you do, make sure it's at throw away pricing...

..
Jonn Martell, Martell Consulting
CWNT, CWNE, CWSP, CWAP, Wireless#
[EMAIL PROTECTED] www.martell.ca

On 6/17/07, Tom Zeller [EMAIL PROTECTED] wrote:

In considering a major wireless overhaul, we're having a serious discussion about the real importance of 802.11a in upcoming dual-mode cellular/WiFi devices. Our current WLAN is b/g. 802.11a seems to be in about 10% of our laptops, judging from an experimental AP we put in one of our busiest sites. I understand it is now part of the Centrino set, so I would expect that to increase over time. The real question seems to be the role of dual-mode phones and the support of voice over WiFi.

1) Is support of voice over WiFi really strategic and why? One could argue that cell phones are sufficient in most locations. Getting free voice over WiFi vs cell minutes doesn't seem to be worth the cost alone. Of course, WiFi adds coverage for such devices in the interiors of buildings. Does that justify a rather large additional cost for infrastructure?

2) If the answer to the above question is yes, is installation of 802.11a going to be important for mobile voice devices, especially dual-modes? There seem to be very few 802.11a dual mode devices on the market now, though I read there will be at least 80 more certified this year. For many vendors, the additional cost of adding 11a to the mix is substantial. The cost of denser deployment (we currently have what I think of as edge-to-edge coverage, with little overlap) is also non-trivial.

I would be interested to hear others' opinions on these questions.

Tom Zeller
Indiana University
[EMAIL PROTECTED]
812-855-6214

--
...
Jonn Martell, BSc, PMP
Director of Technical Operations
Fairleigh Dickinson University – Vancouver
[EMAIL PROTECTED]
877-338-8002
604-802-2022 (cell)
Re: [WIRELESS-LAN] First-time rollout of 802.1x, opening of Fall semester madness
Hi Lee,

1. Based on my experience at UBC, the captive portal lowest common denominator network will continue to be the best way to bootstrap users for 802.1x/WPA/WPA2 (until MS and Apple build something better). It's interesting to see that the corporate world is catching up by adding captive portal functionality for guest access (and possibly to bootstrap their own users).

2. The users at EDUs (students) are the self-service generation; they are the first to adopt things like Yahoo, MySpace, YouTube etc. and their culture is to get up and running without anyone's intervention, help or special software. If it's too hard to use, dissatisfaction rises and adoption drops and you might not hear about it directly.

3. Installing *any* software on machines is difficult in my opinion unless that machine is totally managed (something rare at EDUs). Even with this, it's easy for a user to say "the thing you had me install has completely messed up my machine...fix it". I'm probably biased here because of my early days in PC support... All my deployments for student machines avoid having to install anything that wasn't provided and supported by someone else (ideally the vendor of the OS). The world is going the other direction, moving away from having to install and support things on individual machines. Google Apps (AJAX) is a good example of what users will expect to see in the future.

... Jonn Martell, PMP, CWNE, CWNT [EMAIL PROTECTED] [EMAIL PROTECTED]

On 3/15/07, Lee Badman [EMAIL PROTECTED] wrote: Here at Syracuse University, we are feeling pretty good about 802.1x and will be transitioning to it (for the wireless network only) before the Fall semester. Our topologies are defined, our building blocks are in place, and our WLAN skills in general are quite solid. One issue we are wrestling with though, is how to effectively get a large number of user machines ready for 802.1x from a client configuration perspective. We are piloting self-developed utilities based on keyboard macros and the tool that Aruba was kind enough to float to many of us on this list, along with an Apple-scripted configurator for the Mac folks. We are loosely playing with a home-grown framework that is akin to part of what Identity Engines does in their product set, and are also mildly considering a commercial solution just for supplicant configuration. I also know that many schools forego the automation of client configuration and rely on detailed how-to pages provided on paper and the web. My questions after all this- for those who have recently moved to 802.1x in conjunction with the usual rigors of the start of a new academic year- how did you transition users over to 802.1x? What worked, what failed? Was there a tidal wave of support calls? Did a supplicant configuration tool prove to be essential, or were instructions on manually configuring the native Windows and Mac supplicants sufficient? We are envisioning that once the 802.1x culture is created on our campus, we'll be fine- it's the getting over the hump, so to speak, where we fully expect to see challenges- and so would love to glom on to the wisdom gained from the experience of others for this rollout. Regards- Lee Badman

Lee Badman Network/Wireless Engineer Syracuse University 315 443-3003
Re: [WIRELESS-LAN] Upgrade 1200 to lwapp
Good thread. The number one worry about autonomous mode (IOS) APs from Cisco is that they no longer seem to have any effort in developing it. Yes, they will support it but that's not where the R&D is. If you read the various information from the Web site, they migrated WLSE (autonomous NMS) to WCS (LWAPP NMS). Which means you no longer have a Cisco management platform for them. You need to touch every AP or use a 3rd party tool to manage them. And 3rd party tools are at the mercy of the autonomous/IOS firmware and features (which likely won't evolve much on Cisco IOS APs except for fixes). Unlike wired devices that you can typically install and forget, the wireless environment causes the most problems because of the dynamic nature of things both on the RF side and introduction of new features. I've lost track of the challenges of our massive deployment (1700 APs) but I can tell you that at that scale, you want something that will manage the network in an automated way. I'm currently deploying a small location (12 APs) but I don't feel comfortable going down the autonomous mode way because of the lack of development from Cisco and the high level of interference that we'll be seeing in this downtown location. The client needs something fairly automatic and is a 100% Cisco shop. In that case, I'm not sure I have a choice (except the type of controller :-) ? If I was deploying autonomous APs, I'd likely see what the 3rd party tools support the best (especially in terms of RF management) and seriously consider that platform.

... Jonn Martell

On 3/1/07, Lee Badman [EMAIL PROTECTED] wrote: Any IT system ends up being a series of trade-offs; these new wireless systems are no different... I would argue that a lot of what is gained is also balanced by a lot that is given up, depending on what system is bought. Whatever you plan on buying- talk at length with customers that have already gone down the road that you're interested in, and know that there is much, much more to ferret out than all the promises of reduced burden. Regards- Lee

Lee Badman Network/Wireless Engineer Syracuse University 315 443-3003

Earl Barfield [EMAIL PROTECTED] 3/1/2007 9:54 AM From: Simon Kissler [EMAIL PROTECTED] Okay, so I've been trying to figure this out and figured I may as well ask. Where is the cost benefit of using the controllers and LWAPPs? The controllers aren't cheap and the APs don't get cheaper even though they are light? I assume there are some management benefits in this kind of solution, but have you found them to be worth the money? Are there other benefits that aren't as obvious to me that are? I like the idea of making management easier and just like any technologist like shiny new toys, but in the context of overall funding priorities with aging network equipment in places and other challenges find it hard to justify since our APs mostly just work and require little touching beyond initial config and occasional firmware upgrades. What about this am I missing? -Simon

Management is much easier, especially if you have multiple SSIDs on multiple VLANs. With thick APs, you have to trunk each VLAN to each AP which can be a daunting and error-prone task. If one of the VLANs is discontiguous between your core and a single AP, there's no easy way to tell unless a user complains and can tell you which AP he was associated to when he lost connectivity. With the Wireless LAN Controllers, you only have to trunk the multiple client-traffic VLANs to the controllers.

-- Earl Barfield -- Academic Research Tech / Information Technology Georgia Institute of Technology, Atlanta Georgia, 30332 Internet: [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: [WIRELESS-LAN] wireless guest access
What we did at UBC was to allow any faculty and staff to sponsor guests. Much like a faculty member can grant a visiting faculty member the use of their office, meeting room etc., we felt it made sense to allow them to do this for network access. The faculty/staff member is effectively responsible for properly identifying the user by providing all the details and ultimately, the sponsors are responsible since they granted them access. Since I left IT last year, I won't comment on things that aren't public. For non-affiliated commercial users, the two options available were to create a commercial/hotspot service to validate users based on billing information or just partner with a commercial Hotspot provider. Last summer, the decision was made to partner with a private sector operator for a one year pilot/trial. So UBC students, staff and faculty have free roaming to Fatport locations in exchange for Fatport selling commercial services on campus via a dedicated SSID/BSSID which they are responsible for on the AUP side of things. Not a bad approach if you have the size to attract the commercial provider(s). I can't provide any information except what is in the public domain; please refer to the URLs below for more specific info and contact information. http://www.it.ubc.ca/internet/wireless/fatport.html http://fatport.com/aboutus/press_releases/press58.php It should be interesting to see if the trial agreement turns into a long term one.

.. Jonn Martell, PMP, CWNE, CWNT Martell Consulting, www.martell.ca [EMAIL PROTECTED] Tech instructor - UBC [EMAIL PROTECTED]

On 2/26/07, Landau, Gary [EMAIL PROTECTED] wrote: At LMU we have a guest/visitor account that a faculty/staff member can request the password to and we change the password periodically. This is akin to what Ken Connell indicated they're doing at Ryerson Univ. Our library also provides paid admittance to the Library for people in the community and they give out the password when that is done. This was initially a concern, but we learned that libraries are exempt from CALEA. -Gary

Gary Landau, CISSP, CCNP Director | Network Services - Loyola Marymount University Information Technology One LMU Drive | Los Angeles, CA 90045 p.310.338.4434 f.310.338.2326 [EMAIL PROTECTED] | http://its.lmu.edu - LMU|LA IT: We Deliver!

From: Scholz, Greg [mailto:[EMAIL PROTECTED] Sent: Monday, February 26, 2007 10:16 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] wireless guest access

Very timely. I am about to launch a project called public port security and guest access that will attempt to define exactly this. I would like to hear all other responses as well. (I suggest if you are considering Wireless guests, you should be considering wired as well)
· Currently we have NO guest access on wireless.
· We recently changed all our public lab computers to use AD authentication (e.g. no more public/guest access)
· We use CCA in reshalls and enable the guest button JUST FOR THE SUMMER (for all the conferences/camps we have during that time) so effectively no guest access except for summer
· The ONLY real guest access we have right now is any network port in a publicly accessible location can be used by anyone without any type of check. (These are the public ports referred to in my project title above). INCLUDING if someone unplugs a lab/office/kiosk computer and plugs in their own.
· We will attempt to balance the tremendous desire for wireless/wired guest access, CALEA, security and manageability. I am thinking we may wind up with a 1x solution to determine appropriate port settings (security/vlan/etc) based on recognition of user, computer, or both and then computer health for non-campus managed computers.

Thank you, Gregory R. Scholz Director of Telecommunications Information Technology Group Keene State College (603)358-2070 --Lead, follow, or get out of the way. (author unknown)

-Original Message- From: Lee Badman [mailto:[EMAIL PROTECTED] Sent: Monday, February 26, 2007 1:04 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] wireless guest access Would like to expand on Kevin's question- what of wireless access for guests, and for the non-affiliated folks (anonymous) that might end up on campus? Anybody rethinking any of their sponsored guest/open access policies because of CALEA concerns? Regards- Lee Badman Network/Wireless Engineer Syracuse University 315 443-3003

Kevin Lanning [EMAIL PROTECTED] 2/26/2007 12:46:48 PM Wondering what academic institutions are doing these days regarding wireless access for guests? -- -- Kevin Lanning lanning at unc.edu
Re: [WIRELESS-LAN] VISTA, Broadcast and Infrastructure
Hi Philippe, The only elegant way is to broadcast any SSID that is widely used (and to reduce the number of SSIDs to the minimum). You probably have a ton of users walking around today with wireless laptops (XP) that don't connect because they can't see it. A faculty member that doesn't read your documentation might buy a cheap AP and broadcast the SSID because you aren't there (not visibly there...). And yes, to support multiple SSIDs you need the equivalent number of BSSIDs. You cannot have true virtual APs without it. What equipment do you have that doesn't support multiple BSSIDs? I hope it's not a modern vendor? We could likely start another thread on this: What is the life cycle of your wireless LAN infrastructure? When I was at UBC IT, it was 3 years. That's what I use to refresh the equipment in my wireless labs when I teach and what I recommend to clients in a wireless-centric environment.

... Jonn Martell, PMP, CWNE

On 2/20/07, Philippe Hanset [EMAIL PROTECTED] wrote: We have not explored any hacks yet. I would rather find an elegant solution first (hacks take time and are not user friendly). Maybe lobby Microsoft if necessary! Philippe

Philippe: Have you tried using the zwlancfg program to hack it in? Frank

-Original Message- From: Philippe Hanset [mailto:[EMAIL PROTECTED] Sent: Tuesday, February 20, 2007 8:27 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] VISTA, Broadcast and Infrastructure All, Our Customer Service folks were informed by Microsoft that Vista Home Basic doesn't let you add an SSID. Only broadcasted SSIDs could make it through the system. Also, there is no option anymore to select infrastructure only, which we used extensively to defend ourselves from ad-hoc networks. University of Tennessee Knoxville doesn't broadcast SSIDs mostly because of XP not being able to join a non-broadcasted SSID when a broadcasted SSID is present. We use 3 SSIDs in our design (one for 802.1x, one for Web-Auth, and one for Visitors). Is there a fix to this besides writing in big on our Wireless website that VISTA Home Basic is not supported on our campus Wireless, have us buy another AP vendor that lets you create multiple BC SSIDs, or have everyone switch to MAC OS? Has anyone faced this great feature yet? (XP fighting VISTA!) Philippe Hanset University of TN
Re: [WIRELESS-LAN] Desire for Windows native TTLSv0
Having TTLS support in Windows would be great. It would make so much sense for implementers. It would be a miracle really! I'm all for it. Call me skeptical but I don't see it happening. I participated in the IEEE working groups a few years back and had the opportunity to ask that specific question to some of the key Microsoft engineers working on the stacks. At that time, it was an *absolute* NO - if that has changed, great but I see no indication of Microsoft doing it. As of December 2006, the official word from http://www.microsoft.com/technet/network/ias/iasfaq.mspx is "Microsoft does not plan to support Tunneled TTLS." In my opinion, the only way it would appear in Windows is if they saw market share loss to another desktop OS because of lack of EAP-TTLS support. Last time I visited the local computer stores a few days ago, I found it hard to find a laptop that had Windows XP, let alone other types of OS - they are all Vista! I admire our friends in Europe and their support for TTLS and cross-edu roaming with eduroam. But having years of experience supporting clients, the last thing I would advise an EDU client to do is support a 3rd party client on Microsoft. One patch can ruin your day and users would blame your 3rd party app. Not that I don't trust Microsoft... In an environment as diverse as EDUs, it's a little scary to support 3rd party apps. So far, I've been a supporter of doing the work on the back end to support PEAP (MS-CHAPv2). As for supporting PEAP - there is always a way to do it but it's not always pretty :-) I call it being a Microsoft compatible backend. :-) As for inventing and supporting other EAP types - oh goodness - no... I think we already have a good collection to do almost all the things we need to do :-)

... Jonn Martell, Martell Consulting, [EMAIL PROTECTED] www.martell.ca

On 2/8/07, Walt Reynolds [EMAIL PROTECTED] wrote: In a conversation I had with Microsoft, it was implied that if there is a demand for it, Microsoft would add TTLSv0 into the native Vista OS. Since there is a lot of talk on the EAP types today, I thought I would post my own question. How many of you out there would like to have TTLSv0 native within Windows? Many out there will of course be using PEAP. But for those out there that don't, or can't, please let me know. As a secondary question, who would be interested if there was some sort of Kerberos EAP (not TTLS with PAP)? Thanks.

-- Walt Reynolds Principal Systems Security Development Engineer Information Technology Central Services University of Michigan (734) 615-9438
Farewell from Jonn Martell - UBC
Hi everyone, Over the years, I've had the opportunity to develop relationships with a number of you. I'd like to take this opportunity to inform you that I am moving from the public sector to the private sector. Managing UBC's very large wireless deployment was a valuable experience and I want to thank the many Universities that had forged the way with large scale wireless LAN deployments. Learning from your installations was instrumental in deploying the best possible network for our campus. This is the real value of peer mailing lists like this one. I hope that UBC's contribution back to the list and directly back to individuals on this list helped with your installations. On behalf of the many talented team members that made up the UBC Wireless team, I want to thank you! I plan to continue in the area of Project Management for new technology projects so I'll certainly be following the discussions on this very valuable EDU list. My new contact information is [EMAIL PROTECTED] or www.martell.ca Thank you again!

... Jonn Martell [EMAIL PROTECTED]
Re: [WIRELESS-LAN] BSOD on Wireless Network
Hello fellow wireless EDUs; A while ago, we experienced BSOD (blue screen of death) on Intel Centrino laptops when we were testing new (beta) code on our Cisco Wireless IOS based wireless network. It surprised everyone! How could an infrastructure change impact the ability for laptops to boot or get crash-free connectivity? With that particular instance, the problem was reproducible; Centrino laptops with XP would bluescreen on *bootup* if the Centrino wireless card was active when connecting to a beta AP. We had to turn off the Centrino wireless cards in the BIOS (or hardware switch) to boot Centrino based laptops (Panasonics, Toshibas, IBMs etc); we also reverted back to production code on the APs and became a little more conservative on AP upgrades. It was an interesting event and clearly showed that wireless networking was different than wired networking (we've never seen a wired network card BSOD a computer based on the firmware installed on a switch!). It's odd that XP would fault protection on a device driver; it brings back memories of Windows 9x! But considering how complex the whole wireless client-AP interaction is, it's not that surprising.

In our latest upgrades, from production IOS to production LWAPP code, we are encountering these obscure XP crashes but they are impossible to reproduce (which is the most difficult type of problem to work with!). We haven't seen a pattern except in one case where it occurred when trying to log in to a Colubris captive portal (in one building but not in another!). In other cases, they are highly random. The problem is compounded by the fact that most end users who experience a BSOD would not assume it's an infrastructure issue. End users would likely ask themselves "what have I added or changed to my computer" or "am I infected by a worm or virus". Most end users would not report a BSOD especially if it's random and not reproducible. With over 2 unique users on our UBC wireless network, it's difficult/impossible to pro-actively tell all Centrino users to update in order for us to prepare for an infrastructure upgrade. We've also seen this issue on different versions of the Intel Centrino drivers so at this point, we don't even know what version of Intel drivers to upgrade/downgrade to (and whether to use manufacturer versions or Intel generic ones). Needless to say, our main technical network leads feel very uncomfortable and frustrated with this type of problem because it's impossible to reproduce. It's also creating great uncertainty with our planned and ongoing migration from IOS to LWAPP; it's difficult to continue without some understanding of root cause. There is great reluctance in creating a Cisco TAC case without being able to reproduce the problem (and rightly so to some extent because the TAC folks want to be able to reproduce the problem in order to be able to fix it).

Since the Intel Centrino is the most common client card and the Cisco wireless APs are the most popular enterprise APs, I'm hoping we can continue this Educause BSOD thread to determine exactly the extent of this problem in the community. How common is this problem? Intel and Cisco appear to be working closely together on the CCX side of things but that doesn't help for environments like EDUs that tend to use the native wireless XP clients (for simplicity and consistency). Has anyone made any progress on this mystery? Since we operate a fairly standard network (except for early migration of IOS based APs to LWAPP), and these BSOD threads seem to indicate that we aren't the only ones experiencing odd problems specific to Centrino/XP crashes. Hoping others can provide additional experiences and insights. Does anyone have any good contacts with the Intel Centrino folks who might be able to shed some light on these continuing Centrino/XP driver issues? Thanks everyone and have a Merry Christmas and Happy New Year!

... Jonn Martell, Manager UBC Wireless, [EMAIL PROTECTED], 604-822-9449

On 12/14/2005 8:32 AM Ken Fischer said the following: I have also seen this on occasion with Dell D600s connecting to Cisco 1231 access points. Updating the network card drivers to the most current has been effective in resolving the issue. -- Ken Fischer Manager, Technology Engineering - Enterprise Networks Information Systems and Services The George Washington University [EMAIL PROTECTED] (202) 994-0378

-Original Message- From: King, Michael [mailto:[EMAIL PROTECTED] Sent: Wednesday, December 14, 2005 11:24 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] BSOD on Wireless Network This points to the network card driver. Has the network driver been updated recently? Driver_IRQL_Not_Less_or_Equal Tech Info: NDIS.SYS
Re: [WIRELESS-LAN] [SCFN] offtopic VoIP eavesdropping (fwd)
Agreed. There are a couple of important components. The first is 802.1x but as important is fast roaming (secure handoffs between APs). IEEE 802.11r is still a work in progress. PMK-caching is the way to facilitate secure fast roaming in current generation products but it's likely not going to appear for WPA devices (not sure exactly why?). It appears the handset vendors will have to support WPA2. We're seeing a number of interesting handsets which are starting to just now support WPA but not WPA2. In many cases WPA2 will require brand new handsets which have yet to see the light of day. Needless to say, we aren't buying a lot of expensive VOIP wireless handsets right now but we are testing several... :-) Our VOIP over Wireless pilot uses WPA-PSK and we won't release devices that expose the PSK. I think that's the best way to deploy secure VOIP over wireless in the short term. Not ideal; as Frank says, vendors aren't very far along. My prediction is that secure VOIP (at the application layer) will open the floodgates on all VOIP (including VOIP over wireless)... We're already starting to see this with Skype... The days for insecure VOIP are numbered IMHO.

... Jonn Martell, Manager UBC Wireless (Wireless and VOIP Project Manager)

On 11/29/2005 1:41 PM Frank Bulk said the following: Hear-hear, but the Wi-Fi handset vendors are by far and large not that far along in the thought process. Frank

-Original Message- From: Michael Griego [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 29, 2005 2:33 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] [SCFN] offtopic VoIP eavesdropping (fwd) This highlights the exact reasons that VoFi systems *should* use 802.1x authentication with per-station keys. That way, each handset has its own key to encrypt its traffic over the air with, stopping the easy sniffing of traffic passing through the air. This, of course, does nothing for beyond-the-AP sniffing, but it is presumed that is handled by other security measures in the environment. --Mike --- Michael Griego Wireless LAN Project Manager The University of Texas at Dallas

Lee Barken wrote: Any comments? (Originally sent to socalfreenet.org) -- Forwarded message -- Date: Tue, 29 Nov 2005 09:20:11 -0800 (PST) From: Lee Barken [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: [SCFN] offtopic VoIP eavesdropping This is somewhat offtopic for a wireless list-- but kinda relevant considering our plans to implement VoIP in our wireless clouds. VoIP, in essence, uses CLEARTEXT protocols... making passive capture trivial in a wireless environment. (?) What is the risk that somebody will capture unauthorized recordings of voice communication? Is there a legal precedent for prohibiting wiretapping in a digital environment? http://oreka.sourceforge.net/ The open source, cross-platform audio stream recording and retrieval system. Oreka is a modular and cross-platform system for recording and retrieval of audio streams. The project currently supports VoIP and sound device based capture. Recordings metadata can be stored in any mainstream database. Retrieval of captured sessions is web based. Record VoIP RTP sessions by passively listening to network packets. Both sides of a conversation are mixed together and each call is logged as a separate audio file. When SIP or Cisco Skinny (SCCP) signalling is detected, the associated metadata is also extracted. Take it easy, -Lee ___ SoCalFreeNet.org General Discussion List To unsubscribe, please visit: http://socalfreenet.org/mailman/listinfo/discuss_socalfreenet.org
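The thread above contrasts a shared WPA-PSK (Jonn's pilot, where the worry is devices that expose the PSK) with 802.1x per-station keys (Mike's point). The following is an added example, not code from any post in the thread, that shows concretely why a leaked PSK is a per-handset key leak: it implements the IEEE 802.11i derivations (PMK = PBKDF2-HMAC-SHA1 over passphrase and SSID, PTK = PRF-512 over the PMK, both MAC addresses and both nonces) and then plays the passive eavesdropper who, holding the PSK, turns a captured 4-way handshake into the station's temporal key and confirms it against the EAPOL-Key MIC. The MAC addresses, nonces and EAPOL-Key frame are constructed sample values; the passphrase/SSID pair "password"/"IEEE" is the 802.11i Annex H test-vector input.

```python
"""WPA/WPA2-PSK key derivation, and what a holder of the PSK can do with a
captured 4-way handshake. Added example; not from the mailing-list thread.
MACs, nonces and the EAPOL-Key frame below are constructed, not captured.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i Annex H: the PSK *is* the PMK, derived only from passphrase + SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_handshake(pmk: bytes, mac_a: bytes, mac_b: bytes,
                       nonce_a: bytes, nonce_b: bytes) -> dict:
    """PTK from the PMK plus the addresses and nonces visible in messages 1 and 2.
    The min/max ordering makes the result independent of which side is the AP."""
    data = (min(mac_a, mac_b) + max(mac_a, mac_b)
            + min(nonce_a, nonce_b) + max(nonce_a, nonce_b))
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)  # CCMP uses 48 bytes, TKIP 64
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


# EAPOL-Key layout: 4-byte EAPOL header, then descriptor type(1), key info(2),
# key length(2), replay counter(8), nonce(32), IV(16), RSC(8), ID(8), MIC(16), key data len(2).
NONCE_OFF, MIC_OFF = 17, 81


def eapol_key_mic(kck: bytes, frame: bytes, aes: bool = True) -> bytes:
    """Key MIC over the whole EAPOL frame with the MIC field zeroed:
    HMAC-SHA1 truncated to 16 bytes for WPA2/AES, HMAC-MD5 for WPA/TKIP."""
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_OFF + 16:]
    if aes:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    return hmac.new(kck, zeroed, hashlib.md5).digest()


def build_msg2(kck: bytes, snonce: bytes) -> bytes:
    """Constructed message 2 (station -> AP): carries SNonce and a MIC under the KCK."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 7 + b"\x01" + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    return frame[:MIC_OFF] + eapol_key_mic(kck, frame) + frame[MIC_OFF + 16:]


def recover_tk(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, msg2: bytes):
    """The eavesdropper: given the PSK and a passively captured handshake (ANonce
    from message 1, message 2 from the station), derive the station's PTK and
    confirm it via the MIC. Returns the per-station temporal key, or None."""
    snonce = msg2[NONCE_OFF:NONCE_OFF + 32]
    keys = ptk_from_handshake(pmk_from_passphrase(passphrase, ssid),
                              ap_mac, sta_mac, anonce, snonce)
    if hmac.compare_digest(eapol_key_mic(keys["kck"], msg2), msg2[MIC_OFF:MIC_OFF + 16]):
        return keys["tk"]
    return None


# Constructed sample handshake (not captured data): a handset joining a PSK SSID.
SSID, PASSPHRASE = "IEEE", "password"        # 802.11i Annex H.4 test-vector inputs
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(100, 132))


def demo() -> dict:
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    station_keys = ptk_from_handshake(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    msg2 = build_msg2(station_keys["kck"], SNONCE)        # what crosses the air
    return {
        "pmk": pmk,
        "station_tk": station_keys["tk"],
        "eavesdropper_tk": recover_tk(PASSPHRASE, SSID, AP_MAC, STA_MAC, ANONCE, msg2),
        "wrong_psk_tk": recover_tk("not-the-psk", SSID, AP_MAC, STA_MAC, ANONCE, msg2),
    }


if __name__ == "__main__":
    r = demo()
    print("PMK:", r["pmk"].hex())
    print("eavesdropper recovered the station's TK:", r["station_tk"] == r["eavesdropper_tk"])
```

Nothing in the derivation is secret except the passphrase, so every handset on a PSK SSID is one handshake capture away from having its voice traffic decrypted by anyone who holds that passphrase; with 802.1x the PMK comes out of each station's own EAP exchange instead, which is what makes the keys per-station. The same PMK is also what PMK caching reuses across roams, so the caching that makes fast secure handoff possible does not change this picture either way.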
Re: [WIRELESS-LAN] 802.1x rollout
UBC rolled out our WPA network this summer on 802.1x PEAP. Our next milestone is fast-roaming support by caching the PMKs - not too sure if we really have to wait for WPA2 or not. We expect 2 unique users this year... We are actively encouraging users to move from the standard campus wireless network to the WPA network. With the WPA network, we can start sending back various VLAN assignments which is the best way to continue to scale.
1. Not using Kerberos
2. Not using Active Directory (it's used mostly for Exchange Admin email)
3. Using native supplicants at all cost :-). Maintaining 3rd party software on Windows works on a small scale but can be a disaster on a large scale. All that's required is a new service pack from Microsoft (not that Microsoft would actively try to break other supplicants; it's just not a priority for them).
The trick to supporting PEAP is to store the MSCHAPv2 hashes in your backend. Using RADIATOR as it provides a commercially supported source option (best of both worlds). It would have been better to see native support for TTLS but Microsoft IEEE 802.11 members confirmed that MS had no plans for it (surprise, surprise). With students bringing all types of laptops on campus, starting to support a network client brings us back to the late 80's-early 90's. Been there done that... Good way to kill your HelpDesk :-) We see no problems with PEAP MSCHAPv2 with long passwords. We implemented it to prepare for native Windows 802.1x support and to support PPTP VPN (also native). This was very beneficial for the Version 1 wireless network because PPTP ended up being supported on most non-Windows platforms as a native VPN client (Mac, Linux, Palms etc). Although we support both IPSec (for higher security) and PPTP (for simplicity), most people felt ok with PPTP.

... Jonn Martell, Manager - UBC Wireless

On 9/15/2005 11:46 AM Wyman Miles said the following: We're about to pilot an 802.1x project for one of the larger departments on campus and I had a few questions for the universities who've gone before:
- is anyone using Kerberos as an authentication resource for your wireless clients. Any pitfalls? Did you have to distribute a 3rd party supplicant for the Windows clients?
- is anyone using ActiveDirectory as an authentication resource?
- who's using native 802.1x supplicants versus who is distributing additional software? Of the latter group, any recommendations? (my personal leanings are Funk's 802.1x supplicant mated with the Open.com Radiator RADIUS server).
Thanks for the feedback! Wyman Miles Senior Security Engineer Cornell University, Ithaca, NY (607) 255-8421
Re: [WIRELESS-LAN] Cisco WLSM Recommendations
Hi Frank,

It's not my network :-) It's UBC's wireless network which was really put together by a great wireless team (which includes Sheldon Epp and Peter Vido as the two wireless technical leads). I'm just involved in the architecture and management (which is relatively minor work :)

I'm not sure we can comment on this because we are still working through it. What I can say is that Cisco is serious about wireless because of both the Airespace and WLSM/WLSE investments. We're confident that they will be delivering and protecting our investment. They appear to be serious on delivering a solution for both small, medium and large wireless networks. And if that is not the case, you'll hear about it because we have a huge investment in the platform. I think they have seen market erosion by Meru and Aruba, so they have no choice but to get a fully working solution to address competition from these relatively small players. The final solution remains to be seen.

Specifically on WLSM, the 300 limit was just a recommendation (soft limit); we pushed it a lot more than that; we purchased 3 blades to support the network (500-750 APs/blade). The limit has to do more with the number of roams than APs. But as you note, there are other issues that have to be addressed including the number of blades/chassis and redundancy. The other big issue is the PMK caching for things like WPA-PEAP (critical for time sensitive applications like secure VOIP over wireless). Our initial VOIP over wireless implementation uses PSK which dramatically limits the distribution and support channels. Our big focus in the past months has been deploying a new WPA SSID (which is critical to handle the high adoption rate we have seen with wireless) so we've put the WLSM implementation on hold for now.

Here is Peter's feedback from the Networkers Wireless session this year which might help provide some insight:

'At Networkers, the wireless business unit was adamant that SWAN will not be killed. Cisco will run with parallel SWAN and Airespace tracks for the foreseeable future. During a general wireless session (an open forum on any wireless topic) I asked if any organizations were using WLSM and thinking of changing. There were many colleges and several financial corporations that use WLSM. [...] Most of the groups have only a few hundred APs. A few asked about deploying WLSM, everyone discouraged it. The Cisco moderator had no comment. Generally, WLSE was used for config/firmware mgmt only. Peter V.'

Hope that helps!

... Jonn Martell, Manager, UBC Wireless and VOIP

Original Message
Subject: Re: [WIRELESS-LAN] Cisco WLSM Recommendations
Date: Thu, 30 Jun 2005 14:36:18 -0500
From: Frank Bulk [EMAIL PROTECTED]
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Chris: I looked at this solution in great detail during a review last fall: http://www.nwc.com/showitem.jhtml?articleID=59301907pgno=5 To answer your specific questions, there are no advanced roaming capabilities between the WLSMs, just as Chip described. In our tests we didn't try inter-WLSM roaming, but we had two 6503's that were configured in 1:1 redundancy. It took several minutes for the APs to rehome and for the wireless client to reconnect. The last time we spoke to Cisco about this there were plans to enhance the redundancy either intra-chassis or inter-chassis, but with the acquisition of Airespace plans might have changed drastically. As for more than 300 APs per blade, I would recommend that you talk to Jon Martell of UBC and see if any progress has been made on that front in his 1,500+ AP network. Kind regards, Frank

-Original Message-
From: Chris Hart [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 30, 2005 12:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco WLSM Recommendations

At 03:43 PM 5/11/2005, you wrote: We have begun the final phase of our wireless rollout at the University of Richmond, and have decided to implement Layer Three Roaming with the Cisco WLSM. The demo WLSM has been installed in one of our 6500 chassis and we have been successful at configuring it to work in our test lab. If anyone is willing to share their experiences in design, configurations, limitations or dynamic VLAN uses with a current installation, we would greatly appreciate the feedback. Thank you in advance. Sincerely, Chip Greene, Network Specialist, University of Richmond, Jepson Hall - G12, University of Richmond, VA (804) 287-6056 [EMAIL PROTECTED]

Was wondering how this rollout went? (or any others) We are again looking at the WLSM blade for the 6509. The questions/issues I have relate to a limit of 300 APs per blade and not being able to have multiple blades in a chassis. How does roaming work from an AP managed by WLSM/6509-1 when the user roams to an AP managed by WLSM/6509-2? Even if you plan the division of APs per WLSM geographically
Re: [WIRELESS-LAN] Peap info
Hi Chris,

At UBC, we have rolled out PEAP (MS PEAP). We looked at TTLS but since we already have MSChap support cooked into our single sign-on system to support VPN PPTP, PEAP support was relatively easy. TTLS was considered but it wasn't well supported when we made the decision and Microsoft has no plans to support TTLS, which means that an XP Service Pack could potentially break thousands of client machines overnight. We can control the backend but we can't control end-user machines (especially student machines). We also felt that PEAP would have more chances to take off as the primary EAP method since it's built-in to the Windows client and Windows backends.

Our implementation is Radiator for RADIUS and Sun Directory for LDAP (non-Windows). We use mutual authentication to avoid the man-in-the-middle attacks. With mutual authentication, the conversation is safe from client-side attacks from what we can tell. I keep challenging anyone to hack into PPTPv2 (with MSChapv2) but nobody has yet shown me a working solution, so we feel very confident with PEAP. Lots of old hacks on poorly implemented systems but nothing working on the latest systems when properly implemented. So my feeling is that it's very secure when properly implemented (I'm even willing to send anyone the MSCHAP hash that we store in our database to see if it's crackable; it's certainly not stored in plain text...:-)

My ideal solution would be to have an easy PKI platform that allows users to obtain wireless certs via a one time secure web login and use the client-side certs to then authenticate over wireless but that's just a dream I think. PEAP or TTLS appear to be the two EAP contenders with no clear winner... Too bad that MS didn't bundle TTLS in their supplicant; if they had, that would have been our choice. We feel the safest is to support Microsoft natively at the client-side even though our backend platform is not...

In the meantime, feel free to look at our documentation at www.wireless.ubc.ca/wpa/ It has info on native PEAP support on Windows XP, 2000, Pocket PC and Mac OS. I'll have to check on the various flavors of Unixes but that type of user is normally capable of self-support.

... Jonn Martell, UBC IT

on 6/23/2005 12:33 PM Chris Hart said the following:
At Northwestern University we are looking to move away from using VPN for Authentication and Encryption for our wireless users. We do not want to have to use 3rd party supplicants because of end user support issues. We are currently using Funk Steel Belted Radius and have tested using 802.1X with PEAP on Windows and Mac so far in small numbers with success. TTLS does not have a built in supplicant for Windows XP and TLS requires a per client certificate so these are not good options. This leaves PEAP or using an appliance of some sort to provide an IPSEC tunnel or a Secure desktop SSL connection. So my questions are:
1. Am I missing other options?
2. Is PEAP a good solution - is it secure, client issues?
thanks Chris
Chris Hart (847) 467-7747 IT-TNS Northwestern University, Evanston [EMAIL PROTECTED]
Re: [WIRELESS-LAN] Wireless lan equipment for instruction
The RF policy is an interesting one. If the federal laws allow the speed limit to be 55 MPH, or your city has a limit of 25 MPH, does that mean that your institution won't restrict speed to something lower on campus? It seems to me that imposing something outside the institution would be difficult but land owners tend to have a higher ability to be more restrictive. Wish us luck, we have such a policy in front of our legal counsel.

... Jonn Martell, UBC Wireless, [EMAIL PROTECTED]

Ruiz, Mike wrote:
We have chosen Meru Networks as our wireless vendor. That provides us with the ability to keep our production network all on one channel. Combining that with the ability to suppress rogue APs and do access control at the wired ports using our Enterasys Secure Network technology, we don't have much of an issue with Faculty teaching labs. They are generally quite willing to work with us to make sure any impacts are minimal. The concern we have is faculty setting up rogue APs in areas where we don't yet provide wireless. Interestingly enough, when we were drafting our AUP I suggested including language to keep IT in control of RF on campus but legal counsel shot that down. They informed us that while we can tell students they cannot connect wireless to our network we cannot restrict them from using federally open bands.
Mike
-- Michael Ruiz, Network and Enterprise Systems Engineer, Hobart and William Smith Colleges, Information Technology, P 315-781-3711 F 315-781-3409
- HWS Faculty, Staff, Students and Alums can purchase technology online and with an HWS DISCOUNT! http://www.cdwg.com/hws

-Original Message-
From: 802.11 wireless issues listserv [mailto:[EMAIL PROTECTED] On Behalf Of Paul Grieggs
Sent: Friday, March 04, 2005 10:18 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless lan equipment for instruction

Our campus wireless policy reserves the 2.4GHz bands for our production wireless network. In situations where our professors want to teach about wireless networks, we have been using 802.11a equipment to isolate the wireless teaching labs. With the dual-band chip sets, it is getting hard to find 802.11a only equipment. Most new equipment that supports 802.11a can also do 802.11g. Currently, we cannot find 802.11a only PCI cards. We expect we will not be able to find 802.11a only Access Points and PC Cards in the near future. Short of building RF shielded labs, how are others supporting instruction about wireless networks without damaging production wireless networks?
== Paul Grieggs, Technical Services Manager, Indiana University of PA [EMAIL PROTECTED]
Re: [WIRELESS-LAN] Wireless Staffing
We added Project staff to get our 1400 APs up and running as a single system but only added a single Network Analyst for operational support. We likely have another FTE equivalent in various groups (RADIUS, networking etc). A considerable amount of effort was taken to make sure the systems were as homogeneous as possible. Supporting 1400 is not really more difficult than supporting 200 because when you reach the high numbers, you need to develop the management and scripting tools. We also expect to have a partial help desk person focus on proactive network client testing so we don't drown in end-user problems. When you reach the high AP numbers, limiting the number of AP models that one needs to deal with helps provide a more advanced network while keeping support costs to a minimum.

... Jonn Martell, Wireless Project Manager, www.wireless.ubc.ca

Caruso, Holly wrote:
We are in the process of developing a plan to cover the campus with wireless and I am looking for statistics from other colleges about how they are staffed. We currently have about 11,000 wired network ports, have added about 100 APs and are expecting to add about 500 additional. Has anyone done any research into what an appropriate staff to AP ratio would be for wireless LAN connectivity? If you added wireless lately was your regular network staff able to handle the additional effort or have you put on additional staff? I have checked the archive and didn't find any previous discussion. Any help would be appreciated. Thanks Holly
Holly Caruso, Manager of Network Services, University of Richmond, Jepson Hall G-12, University of Richmond, VA 23173, Phone: (804)287-6401 Fax: (804)289-8988
Re: [WIRELESS-LAN] linux 802.1x client
Unfortunately no, but we would be very interested in getting this WPA-PEAP going on Linux. On a related note, has anyone found a good 802.11g Linux compatible WLAN NIC? It's amazing that vendors are making it this difficult!

Jonn Martell, UBC

Anton Royce wrote:
Hi, I'm trying to connect to a 802.1x authenticated wireless LAN using the linux open1x xsupplicant client. The server is using PEAP-MSCHAP-V2 for the authentication. When I attempt to connect to the server the log shows a failure with an incorrect username or password, both of which are correct (I can connect to the same server in Windows with no trouble). The log is as follows:

User tcol036 was denied access.
Fully-Qualified-User-Name = ad.ec.auckland.ac.nz/ec_users/tcol036
NAS-IP-Address = 130.216.93.239
NAS-Identifier = wap-409-g18
Called-Station-Identifier = 000e.8325.1d20
Calling-Station-Identifier = 0004.235d.4e52
Client-Friendly-Name = City Access Points
Client-IP-Address = 130.216.93.239
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 510
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = undetermined
Policy-Name = Authenticate to EC AD
Authentication-Type = PEAP
EAP-Type = undetermined
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.

The client logs show a failure just after sending the client identity details to the server. In particular the server log seems to not have the correct EAP-Type set, although this is specified correctly in the client config file. Has anyone had experience (and success) getting PEAP-MSCHAP-V2 going with a linux client? Are there any alternative open source linux clients to the open1x xsupplicant?
Thanks, Anton K. Royce Ph:(09) 373 7599 Ext: 82953 Mob: 021 533 418 Email: [EMAIL PROTECTED]
Re: [WIRELESS-LAN] Flavors of RADIUS
Martin Jr., D. Michael wrote:
I am interested in what specific types of RADIUS servers are being used by individuals out there in the higher education community for wireless applications? Are people using Unix-based, Linux-based, or Windows-based RADIUS systems?

Unix/Linux. We run on Linux but might migrate to Solaris. (The project staff was more familiar with Linux while the operational staff is more Solaris.)

Are people using OpenSource or Commercial?

Our first version for wireless was OpenSource FreeRADIUS with custom hooks to Oracle. Support is an issue with OpenSource (using up internal staff time is not free). It supported dial-in, VPN, IAP (internet access ports) and Colubris (Web wireless login). Our RADIUS guy was happy to work with FreeRADIUS to migrate the dial-in (which is still used!) so we could have Oracle-based usage accounting. Our final version for wireless is now using Radiator because of its support for 802.1x EAP types (PEAP in particular) and our ability to add the custom code needed to check the MSCHAP hash stored in our LDAP directory. We were able to feed some of our code back to them and it will hopefully make it into the main distribution (I see that they have added some of the functionality). We prefer not to have custom code and have it supported commercially via well-planned annual maintenance costs. With Radiator, you get the benefit of having supported open code.

What RADIUS systems have been the easiest to configure?

Depends on the skillsets and requirements. We needed to be able to have custom hooks into LDAP (at least when we started 2 years ago). Only a few provided this; that is why we started with FreeRADIUS and migrated to Radiator. With Perl support, you can take any smart programmer and they can learn Perl very easily; the only concern is scalability but we are testing this on our deployment :-)

What RADIUS systems have been the biggest headaches?

The problem with both IAS (MS) and ACS (Cisco) is the lack of custom hook ability. If it does what you want out of the box, great; if not, then you are in trouble. Funk was fairly good and had a good front end for configuration. We tested Funk and Interlink but based on cost, we selected the others.

.. Jonn Martell, Wireless Network Project and Service Manager, University of BC - ITServices, Vancouver, Canada (604)822-9449 [EMAIL PROTECTED] www.wireless.ubc.ca
Re: [WIRELESS-LAN] RADIUS authentication
I agree with Philippe but I would say RADIUS *has already become* the core of any large wireless network. Version 1.0 of our network was FreeRADIUS and we had to do some custom work to get it to work with Oracle. We are now using RADIATOR with a MSCHAP to LDAP EAP check to support native MS PEAP. We are almost there from what I can see. Cisco can't advertise the WPA network and Microsoft doesn't like non-broadcast SSIDs. We need more voices telling MS to allow users to use non-broadcast networks with the same level of preference as broadcast SSIDs.

... Jonn Martell, UBC

Philippe Hanset wrote:
Martin, RADIUS will become a very predominant piece of Wireless LANs as it is required by 802.1x (and 802.11i) as you mentioned. (you don't have to use RADIUS for 802.1x...) You might want to consider other cheap options like: freeradius (supports all kinds of EAP-types like TLS, TTLS etc...) Microsoft is big on EAP-PEAP but you might restrict yourself by using a RADIUS server from Microsoft for future deployments.
Philippe Hanset, University of Tennessee

On Thu, 19 Feb 2004, Martin Jr., D. Michael wrote:
Is anyone out there using Microsoft Internet Authentication Service (IAS) for RADIUS authentication with their wireless access points? (We use Cisco 802.11b/g radios...Aironet 340s, 350s, 1100s) IAS is free and included with Microsoft Windows 2000 Server and we have needed to get into using RADIUS authentication with our wireless implementation. Using PEAP, EAP, etc.. and 802.1x is not out of the question (at least long term) but I have many applications where MAC authentication is the only recourse (wireless printers, bridges, etc...). Any advice (or help) would be greatly appreciated. Thanks,
D. Michael Martin, Jr., Network Administrator, University of Montevallo
Re: [WIRELESS-LAN] Wireless Networking in Large Classrooms
I used to be very worried about high density until I started to attend the IEEE meetings a few years ago where there are close to 800 engineers with laptops downloading PDFs, PPTs and DOCs. Quite the sight! I wish there was a way to take pictures but these aren't allowed at IEEE meetings. Worth the trip to one of their conferences as an observer if you want to increase your comfort level on high density deployments. Every wireless engineer has a laptop and they are all in the same ballroom at the beginning and end of the conference. During the conference, all the attendees are in close proximity as the large conference hall gets broken up into a dozen smaller large meeting rooms.

I'm not convinced that tuning the radios below the power of most clients is a good idea and our RF research group has found that power control in its current state is really inadequate (as a result, we aren't focusing on power tuning in our deployment). To do load balancing, the trick I think at this point is to make sure that you turn off support for the lower speeds to force roaming to the other stronger APs. There is no standards-based way of doing load balancing. What the IEEE is doing with IEEE 802.11k is an attempt to provide standards-based resource management information so that radios can help tune down the power of clients (as it's done in the cell phone industry) so that clients don't keep blasting away if they don't have to. So this problem is getting fixed because the market needs it. I'm not too sure if the problem is going to be fully fixed with 802.11k but Cisco, with its Cisco Compatible CCX program, is doing the same today. They are just ahead of the slower moving standards bodies but now have several vendors supporting CCX (this list was empty last year at this time).
http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html

Until this is widely available, directional antennas at the APs for these special circumstances make a lot of sense. For large theaters, we deployed a single AP for now but we have three AP drops (each AP drop has 2 cables/circuits) so we can scale to 6 APs if we need to. I predict the ultimate answer for high density in large rooms will be the next generation of 802.11a possibly combined with standards-based client radio management. In the 5 GHz WLAN spectrum there is 200 MHz of available spectrum versus just 83 MHz in the 2.4 GHz range. IEEE 802.11a is just not there today...

... Jonn Martell, UBC Wireless, www.wireless.ubc.ca

Sean Che wrote:
High density is a big challenge to wireless deployment. We are currently facing the same issue. In one of our wireless projects, we were told that there might be up to 250 simultaneous users (Even worse: Did I mention they are all Pocket PCs with wireless cards?) in one large lecture hall for class. In this kind of noisy crowded environment, not only will the APs interfere with each other, the client radio cards will also join the choral society.. What a nightmare! We are thinking of using directional antennas to help distribute the clients evenly and tuning the transmitting power to minimum. The problem is we couldn't really get a feeling for how it works before we really install it and those 250 students really start using it (and maybe complain about it.)
Sean

Arnold Hassen wrote:
We are designing two new 200 seat classrooms that will be adjacent to one another. Discussion is focussing on whether we should hardwire or go wireless. Functionally we must be capable of simultaneous networking which means 400+ simultaneous links. Is this doable with wireless? Thanks for any help
Arnie Hassen, West Virginia School of Osteopathic Medicine

-- Sean Che, Network Engineer, Network Services, Wayne State University, Voice: (313)577-1922 Pager: (313)990-5403 Email: [EMAIL PROTECTED]
Re: [WIRELESS-LAN] Detecting clients.
This is a good topic. AP management tools should be able to tell you which AP a client is connected to but I do not think there are any AP management platforms that can triangulate on clients (yet). Finding the AP for a client is also possible via the syslogs (we also have a web interface to a syslog so we can easily track IPs and MACs to APs.) Cisco's WLSE can triangulate on rogue APs with some success. I assume that Cisco might be able to add client triangulation via RF (we have been asking for triangulation on non-AP interference). But this is the type of feature that only makes it in if there are enough customers requesting it. So all you Cisco sites... please call your SE and AM :-)

Without some form of triangulation (over time), manually finding a client once you have the AP is very difficult. RF bounces and it can be difficult to pinpoint any source, especially if it's not chatty. We started some testing with a portable spectrum analyser but that only works for general RF, not for a specific client (at least not right now). Our short term plan is to test Airmagnet handheld sw on iPaqs with directional antennas; we just have to find a combination that works and is highly portable (directional antennas don't seem to be compact). If anyone has a good solution, let us know.

... Jonn Martell, wireless.ubc.ca

Date: Mon, 5 Jan 2004 22:23:59 -0500
From: Cal Frye [EMAIL PROTECTED]
Subject: Detecting clients.

looking for recommendations... We just spent a couple of hours trying to locate a machine misconfigured for interface bridging. The wireless interface was the bad boy, and all the address we had. I walked around a while with Netstumbler, but only found my access points, not the client I was looking for. Does anyone know of a device or software package (perhaps for the iPaq) that shows reliable signal strength and preferably MAC address at a minimum for ALL 802.11 devices in the vicinity?
-- Cal Frye, Network Administrator, Oberlin College www.ouuf.org, www.calfrye.com MCSE - Minesweeper Consultant and Solitaire Expert
Re: [WIRELESS-LAN] Wireless enclosures
If it's the same tile mounted enclosure that our local Cisco office has, it's from American Access Technologies aatk.com. They have enclosures for the 350, 1100 and 1200. Now distributed via http://www.chatsworth.com/main.asp?id=143 Not a bad unit although fire resistant plastic would be more RF friendly than metal. On the downward and horizontal planes, they do have holes for the standard Cisco antennas. A little on the expensive side but quite professional looking and it is lockable. If anyone finds UL rated enclosures in plastic that are similar, we do need to include them in the specs for our new buildings under construction. In the meantime, we'll likely go with the AAT-CAP-12 (AP1200 version).

... Jonn Martell, UBC Wireless

Charles R. Bartel wrote:
Todd: We visited Cisco at the Akron wireless HQ. They had some enclosures mounted as panels in a drop ceiling. I'm not sure of the manufacturer, but they can likely get you the info. Best regards, Chuck Bartel, Carnegie Mellon University

-Original Message-
From: 802.11 wireless issues listserv [mailto:[EMAIL PROTECTED] On Behalf Of Joyce, Todd N
Sent: Tuesday, December 23, 2003 10:50 AM
To: [EMAIL PROTECTED]
Subject: [WIRELESS-LAN] Wireless enclosures

We are in the process of deploying wireless campus wide with Cisco 1200s. Our concern is theft from plain sight view locations. We would like to find out what enclosures others are using? Are they lockable? Do they have integrated antennas? Any other suggestions? Thanks todd
Todd Joyce, Network Services, Radford University [EMAIL PROTECTED] (540) 831-
Re: [WIRELESS-LAN] Wireless enclosures
When we started a few years ago, we searched and found few options. American Access makes a few units but they are expensive and metal. We did a review recently with not much success; we continue with our custom ABS/plastic boxes. We worked with a local contractor to come up with custom boxes that cost about $100 each. At that price range we could afford to secure the APs. Half of them are surface mount with enclosures and the other half are just above the false ceilings. Ironically, out of the 1300 units deployed, the only one that went missing was a surface mount one; they took the entire enclosure off the wall (!) Hopefully the cost of a power supply for the unit will discourage them from striking again. A few dozen are mounted external to buildings (dorms); we use Hoffman metal enclosures with external antennas (Superpass) but plastic is a much better material for wireless enclosures.

... Jonn Martell, UBC Wireless

Joyce, Todd N wrote:
We are in the process of deploying wireless campus wide with Cisco 1200s. Our concern is theft from plain sight view locations. We would like to find out what enclosures others are using? Are they lockable? Do they have integrated antennas? Any other suggestions? Thanks todd
Todd Joyce, Network Services, Radford University [EMAIL PROTECTED] (540) 831-
Re: [WIRELESS-LAN] Dorm utilization
Twenty potential users per AP is exactly what we have for our largest ResWireless location although we could infill with a second AP, dropping this to 10 students per AP. This complex is 700 students and we have 35 APs (with a potential of 70 total). Since this is a wireless only location (because cabling was too expensive), I wouldn't go much higher than that for the students per AP ratio. Two other locations have about 8 users per AP because of the type of building. It wasn't cost effective for us to look at special solutions like Vivato for these locations. We decided to follow the same model (and equipment) as the main campus wireless network (for now). We do not allow servers on ResWireless (but will tolerate them if they do not impact other users).

... Jonn Martell, Manager, UBC Wireless

John Hofmann wrote:
One obvious (to me) rule of thumb is to try to have no more than about 20 connections per access point.

-Original Message-
From: 802.11 wireless issues listserv [mailto:[EMAIL PROTECTED] On Behalf Of Larry Press
Sent: Monday, November 24, 2003 1:59 PM
To: [EMAIL PROTECTED]
Subject: [WIRELESS-LAN] Dorm utilization

As mentioned in a previous posting, we are planning to connect a 500 student dorm complex on our campus (see http://som.csudh.edu/fac/lpress/471/hout/dorm/dormdescription.htm). Have you any rules of thumb as to the bandwidth we would need to provide to give a DSL like quality of service? Have you had trouble with students running server farms, and, if so, how have you coped with them?
Larry Press
Re: [WIRELESS-LAN] wireless funding models
Hi Scott,

We were lucky in having the capital wireless deployment for all education and research space covered as part of a campus-wide network upgrade. The approach that we are using to sustain the wireless network funding is:

1. Try to minimize the cost of operations (zero cost goal) by standardizing and automating tasks.
2. Fund the network centrally (for education and research).
3. Mandate that all new buildings under construction include wireless deployment as part of the initial building budget (like they include lights, power outlets etc.).
4. Charge a per-port (or per-person) fee for each Ethernet port and use part of this to fund wireless operations.

The non-academic research space at UBC is covered by a mix of funding models: the tenants can pay more per month/user if they don't contribute to the initial investment, or can pay for the infrastructure and get wireless operations at cost. At cost includes operational and capital replacement (3 years for APs and wireless items, 5 years for the more stable switches and core). In any case, wireless is free to UBC Faculty, Staff and Students. We will be coming out with a cost per user after a full school year of campus-wide operation and using this fee to charge non-UBC entities using the network. Commercial operations on campus might be paying a higher fee which is still very competitive. We are up over 4700 unique users per month, so we'll be able to reach some fairly impressive economies of scale. My prediction is that we'll have over 7000 unique users after Christmas.

We also don't have to worry about the whole accounting side in terms of cost recovery per user since any revenues are collected by the building contacts for non-UBC tenants (these include the student residences and affiliate colleges). We also have a hotspot model cooking for non-UBC visitors but I'm a little reluctant to start collecting money over the network.

The number of external users is actually very low when you exclude visitors that can be sponsored for free by Faculty or Staff. The problem you might face if you get departments to pay for equipment is they might not see the benefit of paying for the enterprise type of equipment when, for their purpose, cheap SOHO equipment might do the job. The only problem with this is when you calculate the TCO on a campus-wide network.

Hope that helps.

... Jonn Martell, Wireless Manager, wireless.ubc.ca

Scott Genung wrote:

All, I'm assuming that many of you are in my shoes when it comes to determining what type of funding model is needed to support the deployment of wireless coverage areas throughout your campus. We are looking at a cost recovery approach based upon the deployment of coverage areas that have been requested for non-public spaces. We are picking up the costs of deploying wireless in public spaces ourselves. So, how many of you are looking at internal fund sources to pay for the deployment of your wireless coverage areas? What are they? Who is looking at external fund sources such as grants? What opportunities are available? Thank you in advance for your responses.

Scott Genung
Manager of Networking Systems
Telecommunications and Network Support Services
124 Julian Hall
Illinois State University
(309)438-8731
http://www.tnss.ilstu.edu
Re: [WIRELESS-LAN] Printing....
We are looking at the PrintMe solution from EFI. My vision is to have any printer on campus participate in a large print-serving type of system in which jobs can be released from wireless laptops. The vision is to have wireless printers all over campus! :-)

There are some missing components in the base design. The main one is how to get page accounting back from network printers (to get stored in some standard accounting system like a RADIUS server (AAA)). With Windows 2000 and XP supporting TCP/IP printing natively, the options are much better than before. Add high-speed network printers/copiers and it's a matter of time before a great solution appears. If anyone is interested in sharing information on getting page accounting from network printers, please let me know.

The cheap way of doing this (already used by many on campus) is to use a mechanical system that plugs a debit card reader into the printers with a local print release station, but I would prefer to do everything online if possible.

Jonn Martell, Wireless Network Project and Service Manager
University of British Columbia - ITServices
420 - 6356 Agricultural Road, Vancouver, Canada, V6T 1Z2
(604)822-9449 [EMAIL PROTECTED] http://www.wireless.ubc.ca

Bradford B. Saul wrote:

Morning everyone, I have a question for the list. How are people handling printing on their WLANs? In particular, how would a user in the Library print to a local public printer? Any solutions that do not require the user to install drivers, etc.? Maybe an e-dropbox or something. Thanks, Brad

---
Bradford B. Saul
Lead Network Engineer
IT - Network Engineering
Hoffman Hall Room 10, MSC 1401
James Madison University
Harrisonburg, VA 22807
V: (540) 568-2379 F: (540) 568-1696 M: (540) 435-3079
[EMAIL PROTECTED]
Re: [WIRELESS-LAN] Wireless Survey
wireless.ubc.ca

1. No static WEP (doesn't scale past the workgroup). Plan to use WPA/802.11i, which uses dynamic WEP/TKIP (and ultimately AES).
2. We use captive portals (Colubris CN3500), which use a secure Web page to authenticate back to RADIUS (FreeRADIUS), which is then connected to our back-end LDAP/Oracle user repository. We also run a parallel VPN service (until 802.11i/WPA matures, although we still have to worry about our users connecting from insecure remote sites), also connected via RADIUS. We support both PPTPv2 and IPSec (although VPN is a pain to support).
3. We use open DHCP, with planned filtering at the AP to prevent DHCP spoofing. There is extensive logging.
4. No fee for Faculty/Staff/Student. Will be charging for guests not associated in some way with the University.
5. We use Cisco AP1200 and AP1100s.
6. Suggestions: Get a large-scale pilot going first; this will flush out important (and sometimes controversial) network design issues. Don't assume that people will understand/use security. You need to balance usability with security. Set (and reset) expectations at every level. If you don't make the system simple to use, you won't get large-scale adoption.

More info on our implementation: www.wireless.ubc.ca

Jonn Martell, Wireless Network Project Manager
University of British Columbia - University Networking Program
2011 West Mall, Vancouver, Canada, V6T 1Z2
[EMAIL PROTECTED] http://www.wireless.ubc.ca

-Original Message-
From: Daniel, Colin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 21, 2002 1:37 PM
To: [EMAIL PROTECTED]
Subject: [WIRELESS-LAN] Wireless Survey

All: After monitoring this list for quite a while, the time has come to start rolling out (on a small scale) wireless here at Montana State University. I have a few questions that I could use your (the voice of experience) help with. I'll try and keep this brief, and thanks in advance for your time.

Do you use WEP and if so what level of encryption?
Do you use a RADIUS server or another means of authentication?
Do you use DHCP and if so is it open or reserved?
Do you charge a fee for wireless access and if so how much?
Which vendor did you select for your wireless infrastructure?
If you have any additional information/suggestions/warnings I would greatly appreciate the advice.

Thanks,
Colin Daniel
Network Analyst
Montana State University
[EMAIL PROTECTED]
(406)994-4981
Re: [WIRELESS-LAN] Wireless Network Hubs Article Washington Post.
Hi Dewitt,

We are in the process of evaluating WAN wireless equipment. Have you had a chance to look at the Wi-LAN equipment (Ultima3)? I would be interested in your opinion on how it compares with Canopy.

Jonn Martell, Wireless Network Project Manager
University of British Columbia - University Networking Program
2011 West Mall, Vancouver, Canada, V6T 1Z2
(604)822-9449 [EMAIL PROTECTED] http://www.wireless.ubc.ca

On Thu, 10 Oct 2002, Dewitt Latimer wrote:

Date: Thu, 10 Oct 2002 09:59:59 -0500
From: Dewitt Latimer [EMAIL PROTECTED]
Reply-To: 802.11 wireless issues listserv [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [WIRELESS-LAN] Wireless Network Hubs Article Washington Post.

Not to steal John's corporate thunder, but... I have a test environment of Motorola's new Canopy technology stood up here in South Bend. See http://www.motorola.com/canopy/ The base station is mounted about 220 ft up a local tower. We're covering about a 4 mile radius with line of sight to the tower at speeds up to 6 meg (lower speeds at up to 10 miles but we haven't tested it). We have a 74 meg point-2-point link back to the campus to provide ND employees campus connectivity and act as their ISP. Canopy uses TDMA technology (you know... the battle that Motorola lost with Qualcomm) and uses the unlicensed U-NII mid and upper bands. Cost model projects delivering the package at less than DSL and/or cable. Pretty slick in an area sparse with DSL and cable modems.

-d
-
Dewitt Latimer, Ph.D.
Deputy CIO and Chief Technology Officer
The University of Notre Dame
[EMAIL PROTECTED]

- Original Message -
From: MacKinnon, John [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 10, 2002 9:26 AM
Subject: [WIRELESS-LAN] Wireless Network Hubs Article Washington Post.

FYI article from today's Washington Post on Wireless Networking Hubs and a graphic testing the latest providers: http://www.washingtonpost.com/wp-dyn/articles/A3773-2002Oct9.html

'til then. Carpe Diem. Make it a Great Day.

--John

Teligent provides a fixed-wireless alternative to 802.11B, connecting buildings via our own spectrum without the same security or interference issues. Fully funded and debt free, Teligent maintains spectrum in 74 markets nationwide and over 2,000 radios in stock to create a custom solution at mass prices.