Re: [WIRELESS-LAN] Cisco WLC5508

2016-03-25 Thread Julian Y Koh
On Fri Mar 25 2016 06:40:48 CDT, Lee H Badman  wrote:
> 
> It's pretty sad these questions even have to be asked, isn't it? The code 
> culture has become one where bugs are guaranteed and if we get mediocrity out 
> of the vendor, we celebrate it. 

I don't know if I've quite lost hope to that point.  :)

Our SEs with our various vendors are pretty good at working with us when 
planning an upgrade to do at least a high level examination of bugs to see if 
they are things that might impact our environment.  Some vendors also have 
designations for how "safe" they think a given release might be for general 
deployments.  i.e., unless you don't need the specific bug fix or feature 
that's in version X.Y right now, it's safer to hold off until X.Y.Z or until 
X.Y has been out in field for a while when it will be designated as "General 
Availability" or something similar.  


-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Re: [WIRELESS-LAN] Who wifi vendors does everyone use?

2016-03-30 Thread Julian Y Koh
On Wed Mar 30 2016 10:20:03 CDT, Jeremy Gibbs  wrote:
> 
> Utica College - We use Extreme Networks for WiFi, formerly known as Enterasys 
> IdentiFi Wireless.
> 

In the interest of not having a zillion replies, might I suggest some kind of 
web-based poll to gather and aggregate this information?  :)



-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] Who wifi vendors does everyone use?

2016-03-31 Thread Julian Y Koh
On Thu Mar 31 2016 21:31:37 CDT, "Whelan, Robert"  wrote:
> 
> Northeastern is Aruba with over 3700 APs.

Oh fine, I can't resist after that.

Northwestern is Aruba with a little over 5000 APs.  :) :)


-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] Aruba Controller code recommendations

2016-06-16 Thread Julian Y Koh
On Mon Jun 13 2016 12:52:09 CDT, "Entwistle, Bruce" wrote:
> 
> We are looking to upgrade our Aruba 7210 controllers which are currently 
> running software version 6.4.2.4.  Looking at the versions currently 
> available on the web site I see the latest GA version is 6.4.3.9 and the 
> latest ED version is 6.4.4.8.  

We're running 6.4.3.3.


-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] Aruba and Bradford

2016-07-19 Thread Julian Y Koh
On Tue Jul 19 2016 16:09:34 CDT, Brian Helman  wrote:
> 
> If you are an Aruba AND Bradford shop, what was your reason for using Bradford 
> vs Clearpass?  Our primary interest in NAC is onboarding and guest networks 
> (wired and wireless).  We are currently a Bradford shop.

Back when we were making our initial NAC decision to replace an old open source 
system for residence hall wired ports, it came down to Avenda vs. Bradford.  At 
the time, Avenda (dangit autocorrect keeps trying to change that to Agenda!) 
was pretty much brand new, and although we preferred the overall architecture, 
the end user experience was pretty raw.  So we ended up going with Bradford.  

Later on after Aruba bought Avenda and Amigopod and lumped all that together 
into ClearPass, we bought into that to replace our old Steel Belted RADIUS 
servers for authentication purposes and later on used the Amigopod 
functionality to service our guest wireless network captive portal (we had 
liked Amigopod from the beginning but gave Bradford a shot at that function 
first since we already owned that, and Amigopod was a little pricey).  

Now we use Bradford for device registration on the wired ports in the residence 
halls and public areas of the library.  We also use it to implement quarantine 
functionality on all wired ports across the institution.  Works fine for these 
purposes.  

ClearPass is used for central RADIUS authentication for wireless and various 
other services, guest registration, and quarantining for wireless.  Also works 
fine for those purposes.  


-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] Disabling LEDs on APs

2016-09-06 Thread Julian Y Koh
On Tue Sep 06 2016 08:57:08 CDT, Lee H Badman  wrote:
> 
> First-world problems… Curious if others have gone down this road in Residence 
> Halls. We’re not really being asked to, but are considering wholesale 
> disabling LEDs on our Cisco APs in the dorms as a quality of life step. Has 
> this caused anyone any pain when it comes to not being able to see the colors 
> on the AP as status indication? Have you actually had requests to disable the 
> LEDs? Overall experience with accommodating or denying the request?
>  

I can't remember the exact sequence of how all the conversations went, but when 
we did a redesign to start moving the APs into the residence hall rooms, we 
turned off the lights on those units.  I think we got a couple of reports where 
residents were wondering if the APs were working, but overall not a big deal.  


-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>









Re: [WIRELESS-LAN] Disabling LEDs on APs

2016-09-08 Thread Julian Y Koh
Heh.

<http://www.networkworld.com/article/3117216/mobile-wireless/lights-out-why-it-shops-are-disabling-wireless-ap-leds.html>


-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] Educause Conference

2016-09-16 Thread Julian Y Koh
On Fri Sep 16 2016 19:24:14 CDT, "Norton, Thomas (Network Services)" wrote:
> 
> Awesome! That’s good to hear.
> 

Kind of mean to celebrate another man's burning of hamburger..... :):)


-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<https://bt.ittns.northwestern.edu/julian/pgppubkey.html>










Re: [WIRELESS-LAN] College Sports Venue Wireless- In-House vs 3rd Party

2016-11-08 Thread Julian Y Koh
On Tue Nov 08 2016 11:03:51 CST, Norman Elton  wrote:
> 
> Just following up on this, were there any additional responses?

We've actually started these conversations with our Athletics department as 
well.  One of our facilities will be undergoing significant renovation over the 
next couple of years, and there is a huge focus on technology for enhancing the 
fan experience.  In general we are looking to have a model where Athletics and 
a vendor are responsible for real time support for the infrastructure and 
systems that are reliant on it, but nothing's been finalized.  


-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<https://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] on-boarding of personal wireless devices

2016-11-17 Thread Julian Y Koh
On Thu Nov 17 2016 12:55:37 CST, "Urrea, Nick"  wrote:
> 
> We at UC Hastings would like to create/deploy an automated on-boarding 
> solution for wireless personal devices such as Xbox, Roku, Apple TV, 
> Chromecast, etc.
> Any advice would be greatly appreciated.

The wireless network team here used the ClearPass system this fall to roll out 
a new SSID for these types of devices for our students. 

<http://www.it.northwestern.edu/oncampus/device-northwestern/>

Basically students can register their devices via self service portal.  

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<https://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] WiFi simple (but useful) tools

2016-11-29 Thread Julian Y Koh
Mac equivalents: 

1.) option-click on the Airport icon in the menu bar to see instantaneous 
detailed information on the current connection.

2.) Another command-line Mac tool is available at:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport

This will give you all sorts of other info.  Exploring the options is left as 
an exercise to the reader.  :)

> On Nov 29, 2016, at 09:13 , Hector J Rios  wrote:
> 
> The first thing I do when I notice WiFi issues on my Windows laptop is to 
> bring up the WiFi Status window on my wireless adapter. This tells me the 
> signal quality, the speed, and the SSID I'm connected to. If I select details 
> (Network Connection Details) I then get more info like IP address and my MAC 
> address. 
> 
> But sometimes we need to know more, right? For that I use the netsh commands. 
> If I open up my command prompt and type "netsh WLAN show interfaces", I now 
> have more pieces of information to work with. Of special importance is the 
> BSSID. This is the MAC address of the WAP I'm connected to. I also get Radio 
> Type, which indicates which 802.11 protocol my adapter is using for the 
> current connection. 
> 
> If you like this command and want to take it an extra step, you can write the 
> following script into your favorite text editor:
> 
> :loop
> netsh WLAN show interfaces
> timeout /t 5
> goto loop
> 
> Save this file as a .bat. When you run it, a command prompt will pop up and 
> the command will run and refresh every 5 seconds. Now you have a pretty cool 
> and useful tool to monitor your WLAN adapter. 
> 
> Regards, 
> 
> Hector
> 



-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<https://bt.ittns.northwestern.edu/julian/pgppubkey.html>
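
The polling loop in the quoted message, taken one step further: an added Python example (not code from the thread) that parses the text `netsh wlan show interfaces` prints and reports roams, radio-type changes, signal drops and associations to a BSSID missing from an AP inventory. The sample text, the SSID, the BSSIDs and the `known_bssids` inventory are constructed for illustration.

```python
# Added example (not from the thread): parse the text printed by
# "netsh wlan show interfaces" and report what changed between two polls.

FIELDS = ("State", "SSID", "BSSID", "Radio type", "Channel", "Signal")


def parse_interface(text):
    """Extract the fields of interest from one interface block."""
    info = {}
    for line in text.splitlines():
        # Values such as the BSSID contain ':' themselves, so split once on
        # the padded " : " separator instead of on every colon.
        key, sep, value = line.partition(" : ")
        key = key.strip()
        if sep and key in FIELDS:
            info[key] = value.strip()
    if "BSSID" in info:
        info["BSSID"] = info["BSSID"].lower()
    if "Signal" in info:
        info["Signal"] = int(info["Signal"].rstrip("%"))
    return info


def compare(prev, cur, known_bssids, drop_threshold=20):
    """Return (kind, detail) events describing the change from prev to cur."""
    if cur.get("State") != "connected":
        return [("disconnected", cur.get("State", "unknown"))]
    events = []
    if prev.get("SSID") != cur.get("SSID"):
        events.append(("ssid-change", f"{prev.get('SSID')} -> {cur.get('SSID')}"))
    elif prev.get("BSSID") != cur.get("BSSID"):
        events.append(("roam", f"{prev.get('BSSID')} -> {cur.get('BSSID')}"))
    if prev.get("Radio type") != cur.get("Radio type"):
        events.append(
            ("radio-change", f"{prev.get('Radio type')} -> {cur.get('Radio type')}")
        )
    # Assumption: the site keeps a list of its own AP radios' BSSIDs.
    if cur.get("BSSID") not in known_bssids:
        events.append(("unknown-bssid", cur.get("BSSID")))
    drop = prev.get("Signal", 0) - cur.get("Signal", 0)
    if drop >= drop_threshold:
        events.append(("signal-drop", f"{drop} points"))
    return events


def sample(bssid, radio, signal):
    """Build a constructed sample in netsh's layout (not captured output)."""
    return (
        "There is 1 interface on the system:\n\n"
        "    Name                   : Wi-Fi\n"
        "    State                  : connected\n"
        "    SSID                   : ExampleCampus\n"
        f"    BSSID                  : {bssid}\n"
        f"    Radio type             : {radio}\n"
        "    Channel                : 36\n"
        f"    Signal                 : {signal}%\n"
    )


# Constructed inventory and polls, five seconds apart in the batch loop.
KNOWN_BSSIDS = {"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"}
POLLS = [
    sample("02:00:00:aa:bb:01", "802.11ac", 82),
    sample("02:00:00:AA:BB:02", "802.11n", 55),
    sample("02:00:00:ff:ff:99", "802.11n", 60),
]


def timeline(polls, known_bssids):
    """Compare each poll with the one before it."""
    parsed = [parse_interface(p) for p in polls]
    return [compare(a, b, known_bssids) for a, b in zip(parsed, parsed[1:])]


if __name__ == "__main__":
    for step, events in enumerate(timeline(POLLS, KNOWN_BSSIDS), start=1):
        for kind, detail in events:
            print(f"poll {step}: {kind}: {detail}")
```
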


Re: [WIRELESS-LAN] Prime Infrastructure Validated Alternatives

2017-01-11 Thread Julian Y Koh
> On Jan 11, 2017, at 07:31, Lee H Badman  wrote:
> 
> I was a fan of WLSE, actually.
> 

We used it and WLSM quite successfully here as well for our first generation 
wireless network deployments.  It was one of those deals where just about 
everyone else was complaining constantly about it and we seemed to be just 
incredibly lucky to not have any of those problems.  I have no idea what we 
were doing differently, but I’ll take it.  :)

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.



Re: [WIRELESS-LAN] SSID names

2017-02-21 Thread Julian Y Koh
> On Feb 21, 2017, at 14:36, Jim Stasik  wrote:
> 
>  I am curious how others are naming and separating the SSIDs in their 
> environment? 

Northwestern - 802.1X authenticated/encrypted
Guest-Northwestern - Public guest access
eduroam - self-explanatory
Device-Northwestern - MAC registration for devices that can’t do 802.1X 
authentication

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] SSID names

2017-02-21 Thread Julian Y Koh
> On Feb 21, 2017, at 14:45, Cappalli, Tim (Aruba)  wrote:
> 
> Have you considered using eduroam as your primary 802.1X SSID?

Yep, it’s been talked about, and we know that a number of schools are doing 
this quite successfully.  Not highest on the priority list though at this point 
in time.

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Disney's Free Wi-Fi

2017-03-03 Thread Julian Y Koh
> On Mar 3, 2017, at 13:22, Bob Brown  wrote:
> 
> According to a wireless engineer at Disney, the WLAN infrastructure in 
> Orlando consists of about 3,500 Cisco and Aruba APs across resorts, 4 theme 
> parks etc. 

That seems like a low number to me, considering the AP counts I’ve seen us 
throw around here on the list for our campuses.

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Disney's Free Wi-Fi

2017-03-03 Thread Julian Y Koh
> On Mar 3, 2017, at 15:01, Thomas Carter  wrote:
> 
> But density and usage patterns are much different. Someone in a Disney park 
> is much less likely to be streaming Netflix in HD compared to someone on a 
> college campus, for example. Additionally they are covering lots of open 
> spaces without as many pesky walls to block signals. I suspect their average 
> bandwidth usage per guest is much lower than the average bandwidth usage per 
> student.

I’m not doubting the design or the results.  It just surprised me.  The outdoor 
numbers I’ll definitely believe are very different from our regular indoor 
usage patterns, but I would think all the hotel rooms have to be kind of 
similar to our residence halls.  

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Wireless Door lock systems

2017-03-12 Thread Julian Y Koh
> On Mar 11, 2017, at 05:58, Brian David  wrote:
> 
> I was wondering what other Universities experience with wireless door locks?
> 
> How have the door locks been working? Is there a lot of maintenance with your 
> systems?

We started using the Assa Abloy locks this academic year in a few renovated 
residence halls, so we haven’t hit a battery change cycle yet.  Overall they 
seem to be working well.  They can do 802.1X auth/encryption.  I’m not aware of 
any major issues that have bubbled up to the networking team here after initial 
rollout.

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Wireless Lighting Controls - impact on Wi-Fi or Wi-Fi's impact?

2017-03-23 Thread Julian Y Koh
> On Mar 23, 2017, at 09:06, Williams, Jess  wrote:
> 
> Our campus Facilities department is looking at a wireless lighting control 
> system that uses a "Zigbee based" 2.4GHz wireless protocol.

We’ve been getting some similar requests for things like thermostats and the 
like.  I’m thinking that the opportunity exists for conversations that go 
beyond just frequency band usage and interference avoidance and talking about 
what possibilities exist to move these devices to the 802.11 network itself.  
Obviously that’s not going to work for every situation but I think we at least 
need to try to get ahead of this so that we can be involved in purchasing 
decisions/discussions.

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>



macOS Sierra and 802.1X certificate storage/validation

2017-03-28 Thread Julian Y Koh
Hey all,

My Google-fu is weak today.  Can anyone tell me where macOS Sierra (10.12.x) 
stores the certificate used for wireless 802.1X EAP-PEAP connections?  In older 
versions of the OS, these were stored nicely in the Keychain, but they don’t 
seem to be there anymore.

We’re in the process of renewing the certificate on our RADIUS server, and our 
fuzzy 3-year old memories are telling us that the Macs used to prompt people 
again to accept the new certificate, but that doesn’t seem to be happening now 
either.  So all in all I’m a little confused.  :)

Thanks in advance!

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] IPTV deployment

2017-04-27 Thread Julian Y Koh
> On Apr 26, 2017, at 10:17, Baugh, Craig  wrote:
> 
> I am looking for any advice from colleges that have implemented IPTV services.
> 

For many years we had a multicast Haivision/Video Furnace system.  We never 
made the move to get that on wireless, and a few years back we implemented the 
Comcast Xfinity On Campus service.  

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] Aruba AP Models - 315 vs 325

2017-05-02 Thread Julian Y Koh
> On May 2, 2017, at 08:32, McClintic, Thomas wrote:
> 
> Sorry, this was mentioned previously. I should have read bottom up instead of 
> top down :)
> 

Insert regular tilting at windmills rant about top posting here… :) :) :)

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] macOS Sierra and 802.1X certificate storage/validation

2017-05-16 Thread Julian Y Koh
All fixed in 10.12.5, thanks to Tim for filing the bug report with Apple! 

<https://support.apple.com/en-us/HT207797>:

===
> 802.1X
> Available for: macOS Sierra 10.12.4
> Impact: A malicious network with 802.1X authentication may be able to capture 
> user network credentials
> Description: A certificate validation issue existed in EAP-TLS when a 
> certificate changed. This issue was addressed through improved certificate 
> validation.
> CVE-2017-6988: Tim Cappalli of Aruba, a Hewlett Packard Enterprise company
======


-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>



> On Mar 28, 2017, at 14:35, Cappalli, Tim (Aruba)  wrote:
> 
> As of 10.12.3, it does not seem to be prompting users to store the 
> certificate anymore. Still trying to track down what changed.
> 
> 
> 
> On 3/28/17, 3:27 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
> on behalf of Julian Y Koh"  kohs...@northwestern.edu> wrote:
> 
>Hey all,
> 
>My Google-fu is weak today.  Can anyone tell me where macOS Sierra 
> (10.12.x) stores the certificate used for wireless 802.1X EAP-PEAP 
> connections?  In older versions of the OS, these were stored nicely in the 
> Keychain, but they don’t seem to be there anymore.
> 
>We’re in the process of renewing the certificate on our RADIUS server, and 
> our fuzzy 3-year old memories are telling us that the Macs used to prompt 
> people again to accept the new certificate, but that doesn’t seem to be 
> happening now either.  So all in all I’m a little confused.  :)
> 
>Thanks in advance!
> 
>-- 
>Julian Y. Koh
>Associate Director, Telecommunications and Network Services
>Northwestern Information Technology
> 
>2001 Sheridan Road #G-166
>Evanston, IL 60208
>+1-847-467-5780
>Northwestern IT Web Site: <http://www.it.northwestern.edu/>
>PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>
> 
> 
> 




Re: [WIRELESS-LAN] 802.1x expired certificate (Eduroam)

2017-07-04 Thread Julian Y Koh
> On Jul 3, 2017, at 17:38, Marcelo Maraboli  wrote:
> 
> What happens on the supplicant side of the 802.1x (User) when the
> Radius certificate expires ?
> 
> I am interested in what the user will face and HAVE to do.
> 
> We have found 2 possibilities:
> a) The user is prompted to "trust" the new certificate and that's it.

This has been our experience.  Some clients behave differently here and there 
due to bugs and/or config differences, but generally the worst that happens is 
that people need to trust the new certificate.

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>
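
Why some clients prompt after a RADIUS certificate renewal and others do not, and why a changed certificate must never be accepted silently (the concern in the Apple advisory quoted in the 2017-05-16 message): an added Python example that models the supplicant's trust decision, not code from the thread or from any vendor. The `ServerCert` and `Profile` types, the server and CA names, the fingerprints and the dates are constructed, and rejecting an expired certificate outright is a modelling choice, since real clients differ.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class ServerCert:
    """The fields of a RADIUS server certificate that the decision uses."""
    name: str            # server name carried in the certificate
    issuer: str          # stands in for the issuing CA's identity
    fingerprint: str     # stands in for the hash of this exact certificate
    not_before: datetime
    not_after: datetime


@dataclass
class Profile:
    """Per-SSID trust settings on the client (hypothetical model)."""
    trusted_issuers: frozenset = frozenset()   # CAs provisioned for the SSID
    trusted_names: frozenset = frozenset()     # expected RADIUS server names
    pinned_leaf: Optional[str] = None          # certificate the user accepted


def decide(profile, cert, now):
    """Return 'accept', 'prompt' or 'reject' before any credentials are sent."""
    if not (cert.not_before <= now <= cert.not_after):
        return "reject"
    if profile.trusted_issuers:
        # Provisioned profile: CA and server name must both match. A renewed
        # certificate from the same CA passes silently; nothing else does,
        # and the user is never asked to make an exception.
        ok = (cert.issuer in profile.trusted_issuers
              and cert.name in profile.trusted_names)
        return "accept" if ok else "reject"
    # No anchors configured: trust-on-first-use. Only the exact certificate
    # the user accepted earlier is taken without asking again.
    if profile.pinned_leaf == cert.fingerprint:
        return "accept"
    return "prompt"


def user_trusts(profile, cert):
    """Record that the user clicked 'trust' for this certificate."""
    profile.pinned_leaf = cert.fingerprint


# Constructed certificates: the expiring one, its renewal from the same CA,
# and one with the same server name issued by a CA the site never configured.
OLD = ServerCert("radius.example.edu", "Example CA", "leaf-2014",
                 datetime(2014, 4, 1), datetime(2017, 4, 1))
RENEWED = ServerCert("radius.example.edu", "Example CA", "leaf-2017",
                     datetime(2017, 3, 15), datetime(2020, 3, 15))
UNTRUSTED = ServerCert("radius.example.edu", "Other CA", "leaf-x",
                       datetime(2017, 1, 1), datetime(2018, 1, 1))


def scenarios():
    """Run the renewal and expiry cases for both kinds of profile."""
    during = datetime(2017, 3, 28)   # old and renewed certificates both valid
    after = datetime(2017, 7, 4)     # old certificate has expired
    provisioned = Profile(frozenset({"Example CA"}),
                          frozenset({"radius.example.edu"}))
    tofu = Profile()
    out = {"tofu first contact": decide(tofu, OLD, during)}
    user_trusts(tofu, OLD)
    out["tofu same cert"] = decide(tofu, OLD, during)
    out["tofu renewed"] = decide(tofu, RENEWED, during)
    out["tofu untrusted issuer"] = decide(tofu, UNTRUSTED, during)
    out["tofu expired"] = decide(tofu, OLD, after)
    out["provisioned renewed"] = decide(provisioned, RENEWED, during)
    out["provisioned untrusted issuer"] = decide(provisioned, UNTRUSTED, during)
    out["provisioned expired"] = decide(provisioned, OLD, after)
    return out


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:30s} {verdict}")
```
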


Re: [WIRELESS-LAN] Backup power

2017-07-20 Thread Julian Y Koh
> On Jul 20, 2017, at 10:02, Sandra Bury  wrote:
> 
> I would be interested to know how many of you include UPS purchases for 
> switches in each network closet in your campus deployments.

We put our switches on UPS.  When a larger building UPS is available from 
facilities, we use that instead of small closet UPS units.  

> If you do not build in backup power, do you put your switches on a 
> maintenance contract, or do you pay to replace them when they fail outside of 
> warranty?
> 

We self-insure on switches and access points.  

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] Campus Wireless in Married or Family Student housing

2017-09-15 Thread Julian Y Koh
> On Sep 15, 2017, at 06:41, Michael Davis  wrote:
> 
> I was wondering if anyone had policies or thoughts on wireless service in
> Married/Family student housing? 

We have 2 buildings that provide family housing.  We offer the same services 
there as all the other residence halls.  

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] Offline/Spare Gear Inventory Size

2018-02-27 Thread Julian Y Koh
> On Feb 26, 2018, at 12:20, Trinklein, Jason R  wrote:
> 
> 
> I’m curious to know the size of your spare gear inventories. Do you keep a 
> percentage of each model of AP in inventory, and what is your reasoning? 
> Storms? Last minute/emergency wireless coverage needs?

In addition to what’s already been mentioned, there are places where it can be 
advantageous to buy, say, your entire year’s supply of something so that you 
get a bigger purchasing discount.

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Atmosphere Conference next week - higher education gathering

2018-03-22 Thread Julian Y Koh
> On Mar 22, 2018, at 16:09, Brian Helman  wrote:
> 
> More generically speaking, as many of us go to conferences that may not be 
> Higher Education-specific, make sure you introduce yourselves to our peers, 
> and make sure they are aware of the Educause Constituency Groups (especially 
> this one and the NETMAN group).
>  

I’ll be there Sunday-Wednesday.

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-03 Thread Julian Y Koh
> On Apr 2, 2018, at 16:47, Trinklein, Jason R  wrote:
> 
> We are considering clearpass for our guest network captive portal. We have a 
> case of sticker shock, however…at a cost of nearly $50K, it seems expensive 
> for a captive portal.

As others have said, talk to your account rep - there may be ways to reduce the 
pricing.  

ClearPass is expensive, especially if you’re getting it just for a single 
function.  The value IMO comes about when you are able to leverage multiple 
capabilities, since again purely IMO Aruba has done a pretty good job of 
integrating disparate/acquired products into a cohesive whole.  



-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key: <https://bt.ittns.northwestern.edu/julian/pgppubkey.html>





Re: [WIRELESS-LAN] Wireless network names

2009-03-31 Thread Julian Y. Koh

At 15:11 -0400 3/31/2009, Nathan Hay wrote:
>Would anyone mind sharing their SSID names and a brief description of
>their target audience of devices/users?

Our first campuswide (non-trial) SSID name was "nuwlan".  When we set up a
new one for 802.1X/WPA2 authentication, we named it "Northwestern".  nuwlan
is actually still active, just not broadcasted.

Aside from those, we have a few little localized ones for specialty
audiences and locations.



-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Re: [WIRELESS-LAN] Wireless-only in residence halls

2009-04-24 Thread Julian Y. Koh

At 12:57 -0400 4/24/2009, Kellogg, Brian D. wrote:
>We are seeing the same usage stats on wired ports here as well.  The
>last time we checked it was actually around 92% of ports not being used.

I think students are mainly only still hooking up to the wired ports in the
rooms to watch our TV service, which is delivered via IP multicast.  And
even that usage is down quite a bit since we don't have on-demand streaming
or DVR-type functionality, so most of the kids end up using Hulu or other
similar services to watch the shows they want.

Plus the great majority of the wired ports were installed in ~1993-1994, so
they're all Cat3 wiring and limited to 10Mbps.



-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] configuration script

2009-06-03 Thread Julian Y. Koh

At 15:19 -0700 6/2/2009, Entwistle, Bruce wrote:
>We are looking at implementing WPA security for our wireless network and
>need a simple method of configuring the client computers.

At NU, our technical support department wrote one.  You can get it from
<http://www.it.northwestern.edu/oncampus/wireless/> and
<http://www.it.northwestern.edu/oncampus/wireless/wireless-connections/> if
you want to look at it.


-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] anyone still using TKIP

2009-09-30 Thread Julian Y. Koh

At 11:06 -0300 9/30/2009, Matt Ashfield wrote:
>In light of this article I'm wondering if anyone is still sticking with
>TKIP (for legacy system issues I would guess) as opposed to using AES
>solely?
>

When we rolled out 802.1X and WPA2, we specifically decided to go with
AES-CCMP exclusively as opposed to running both TKIP and AES-CCMP
concurrently.  The primary reason was reducing complexity and helping with
troubleshooting, but we're definitely happy we made the decision now.  :)



-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Encryption and Authentication

2009-12-23 Thread Julian Y. Koh

At 2:24 PM -0500 12/23/09, David Blahut wrote:
>We are beginning to deploy encrypted wireless and I am looking for some
>words of wisdom.  Mainly what method you used and what reasons as to why
>you chose said method or any reason you wish you had not.

We went with EAP-PEAPv0 (MS-CHAPv2) for authentication because that's what
was supported by the built-in Windows supplicant.  Our tech support
organization has always had a strong preference for using built-in
solutions as opposed to having to support the installation of 3rd-party
software.

We chose WPA2 encryption, supporting AES/CCMP only, no TKIP.  We made this
conscious decision because we wanted to reduce complexity and not support
legacy hardware.

Overall things have worked out well.


-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Automating WPA Setup

2010-03-09 Thread Julian Y. Koh

At 10:38 AM -0600 3/9/10, Williams, Mr. Michael wrote:
>We have tutorials available for our users, but our helpdesk folks still
>have to spend a lot of time manually configuring the wireless supplicant
>for some of our less tech savvy users.  Does anyone have a solution to
>this problem?

Here at NU, our Technology Support Services coded up a Windows utility that
we use for this purpose.

<http://www.it.northwestern.edu/oncampus/wireless/wireless-connections/>



-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] WPA2 vulnerability found

2010-07-29 Thread Julian Y. Koh

At 8:11 AM -0400 7/27/10, Peter P Morrissey wrote:
>Makes me wonder if it really matters that much anymore. Are there any
>applications that don't already do their own encryption?

The problem is that this attack (basically an ARP spoofing attack) ends up
having the victims forward their traffic through the attacker's host, so
other man in the middle attacks are possible (challenging as always, but
still possible).

For those of you who have access to Burton/Gartner materials, there was a
special session added at the Catalyst conference yesterday about this
issue.  The slides there do a very good job (IMO) of explaining the issue
without the sensationalism you'll see in the press stories.

Has anyone heard back from any vendors on specific mitigation techniques?



-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
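
An added example, not part of the original post and not any vendor's tooling: one way to spot the ARP spoofing described in the message above is to compare observed ARP replies against a trusted IP-to-MAC table, the same idea that ARP-inspection features on switches and controllers apply. The addresses, log format and function names are constructed for illustration.

```python
"""Flag ARP replies that contradict a trusted IP-to-MAC binding table."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed bindings, e.g. exported from a DHCP server or snooping table.
TRUSTED_BINDINGS = {
    "10.20.0.1": "00:11:22:33:44:01",   # default gateway
    "10.20.0.57": "a4:5e:60:aa:bb:01",
    "10.20.0.88": "a4:5e:60:aa:bb:02",
}
GATEWAY_IP = "10.20.0.1"

# Constructed ARP observations: "epoch op sender_ip sender_mac target_ip"
SAMPLE_ARP_LOG = """\
1280400000 reply 10.20.0.1 00:11:22:33:44:01 10.20.0.57
1280400004 reply 10.20.0.57 a4:5e:60:aa:bb:01 10.20.0.1
1280400010 reply 10.20.0.1 a4:5e:60:aa:bb:02 10.20.0.57
1280400011 reply 10.20.0.57 A4-5E-60-AA-BB-02 10.20.0.1
1280400015 reply 10.20.0.99 a4:5e:60:aa:bb:09 10.20.0.1
malformed line
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass(frozen=True)
class Alert:
    ts: int
    kind: str                    # gateway-impersonation | binding-mismatch | unknown-binding
    ip: str
    claimed_mac: str
    expected_mac: Optional[str]


def normalize_mac(raw):
    """Lower-case and colon-separate a MAC; return None if it is not valid."""
    mac = raw.strip().lower().replace("-", ":")
    return mac if MAC_RE.match(mac) else None


def parse_line(line):
    """Return (ts, sender_ip, sender_mac) for an ARP reply line, else None."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "reply" or not parts[0].isdigit():
        return None
    mac = normalize_mac(parts[3])
    if mac is None:
        return None
    return int(parts[0]), parts[2], mac


def find_violations(log_text, bindings, gateway_ip):
    """Compare every ARP reply's sender IP/MAC pair with the trusted table."""
    trusted = {ip: normalize_mac(mac) for ip, mac in bindings.items()}
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip requests and unparsable lines
        ts, ip, mac = rec
        expected = trusted.get(ip)
        if expected is None:
            alerts.append(Alert(ts, "unknown-binding", ip, mac, None))
        elif mac != expected:
            kind = "gateway-impersonation" if ip == gateway_ip else "binding-mismatch"
            alerts.append(Alert(ts, kind, ip, mac, expected))
    return alerts


def suspect_hosts(alerts, gateway_ip):
    """MACs that claim the gateway's IP and at least one other bound IP.

    Answering for both ends of a conversation is what lets a host relay
    traffic between a client and its gateway.
    """
    claimed = defaultdict(set)
    for a in alerts:
        if a.kind != "unknown-binding":
            claimed[a.claimed_mac].add(a.ip)
    return sorted(m for m, ips in claimed.items() if gateway_ip in ips and len(ips) > 1)


if __name__ == "__main__":
    found = find_violations(SAMPLE_ARP_LOG, TRUSTED_BINDINGS, GATEWAY_IP)
    for a in found:
        print(a.ts, a.kind, a.ip, "claimed by", a.claimed_mac, "expected", a.expected_mac)
    print("hosts answering for both gateway and client:", suspect_hosts(found, GATEWAY_IP))
```
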



Re: [WIRELESS-LAN] DAS; are you happy with the DAS installation?

2010-11-18 Thread Julian Y. Koh

We have a DAS for a number of buildings, but we paid for it.  It's really
expensive, but it works.  There are a number of carriers and vendors who
are working in this space, often they may be coupled with plans to improve
your Wi-Fi coverage as well (which only helps the carriers offload data
traffic from their cellular networks).  Institutions need to balance the
costs against the service improvements against how much independence they
can maintain with the various arrangements.



-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] DAS; are you happy with the DAS installation?

2010-11-18 Thread Julian Y. Koh

At 8:24 AM -0500 11/18/10, Lee H Badman wrote:
>What generation of Wi-Fi do you use with your DAS (11a/g/n)?

Our DAS isn't used for Wi-Fi, only cellular telephone.


-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] WiFi blockers in classrooms

2010-11-18 Thread Julian Y. Koh

At 1:30 PM -0600 11/18/10, Luis Fernando Valverde wrote:
>Can somebody tell me which is the best and cheaper solution (something so
>easy as turn a switch on/off)?

The best solution that is always presented here is that this is a classroom
control issue, not a technology issue.  :)



-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] WiFi blockers in classrooms

2010-11-19 Thread Julian Y. Koh

At 10:56 AM -0600 11/19/10, heath.barnhart wrote:
>Shouldn't be too
>hard, just throwing out some what-ifs.

The first one that pops into my mind is what if the student is not in class
and expecting to get wireless access elsewhere?  Perhaps even in the room
next door that's serviced by the same AP?



-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Apple netbooks

2011-01-21 Thread Julian Y. Koh

At 5:38 PM -0700 1/20/11, Terry Kirkvold wrote:
>We are experiencing issues with a subset of Apple netbooks running OSX
>10.6.5+ , it seems that they will produce a kernel panic when attaching to
>certain wireless network configurations.

I've seen occasional kernel panics on my own MacBook Pro here, but I don't
believe we've gotten any kind of regular complaints.  The problem seems to
arise in certain locations where I have a marginal signal and the eapol
client gets stuck in a loop of authenticating over and over again.  Haven't
taken the time to fully characterize it.



-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] PEAP/MSCHAPv2 using Juniper SBR + AD

2011-03-22 Thread Julian Y. Koh

At 3:09 PM -0400 3/22/11, Holland, Ryan C. wrote:
>Is anyone out there using 802.1X w/ PEAP/MSCHAPv2, leveraging Juniper's
>Steel-belted radius pointed to Microsoft Active Directory?

Yep, that's how we've been doing our 802.1X authentication since day 1.



-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Apple Support

2011-04-12 Thread Julian Y. Koh

At 11:40 AM -0700 4/12/11, Jeffrey Sessler wrote:
>engaging Cisco at certain levels can assist you with gaining access to
>Apple WiFi development people.

Definitely get Cisco involved.  I haven't had to deal with this kind of
problem on the wireless side, but I had a bug filed with Apple for _years_
about a problem with their L2TP/IPSec VPN client connecting to a Cisco VPN
concentrator through a NAT device beginning with Mac OS X 10.3 (or whenever
Apple introduced the L2TP/IPSec capability).  It didn't get fixed until OS
X 10.6.4, and that was after regularly asking Apple after every update why
it wasn't fixed yet.  The thing that finally got traction at Apple was
getting the Cisco product managers to reach out to their contacts at Apple.




-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] iOS devices on wireless

2011-06-28 Thread Julian Y Koh

On Mon Jun 27 18:46:25 2011 Central Time, Michael Balasko 
 wrote:
> 
> We used to call it IPX:)

Or AppleTalk.  :)

-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] WPA2 / PEAP / EAP-TTLS / etc - valid 3rd party certificates?

2011-07-21 Thread Julian Y Koh

On Thu Jul 21 14:37:48 2011 Central Time, Jeff Kell  wrote:
> 
> Has anyone been there/done that with a 3rd party certificate / non-IAS/NPS 
> solution?

We've used Verisign and now InCommon/Comodo certs with Steel Belted RADIUS 
running on Windows Server and authenticating to Active Directory (which is a 
mirror of our master LDAP directory).

We use EAP-PEAPv0 (MS-CHAPv2), not EAP-TTLS.

-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] Wifi Support Staff

2011-07-26 Thread Julian Y Koh

On Tue Jul 26 00:33:17 2011 Central Time, Brian Deem Williams 
 wrote:
> 
> I’m curious as to the number of staff members dedicated to supporting the 
> wifi (both from an engineering standpoint and from a helpdesk point of view) 
> that other educational facilities have deemed necessary.  Any input would be 
> greatly appreciated!
>  

When you say "dedicated," you mean Full Time Employee equivalents?  We have 2 
engineers who are tasked with being our wireless subject matter experts, but 
that's by no means their only job.  :)  We have a little under 2100 APs total.  
As others have said that's just within our engineering group - first and second 
level tech support is done by another department.

-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] Guest portal vendor recommendations

2011-07-29 Thread Julian Y Koh

On Fri Jul 29 10:00:00 2011 Central Time, "Fleming, Tony"  
wrote:
> 
> However, we are interested portals that provide advanced functionality.

We would also be very interested.  In addition to Tony's list of features, 
we're looking for:

A portal that could potentially be used with our new Aruba wireless 
APs/controllers as well as our older Cisco APs/WLSM

Easy revocation of user credentials and disconnection of offending hosts

Delegated credential creation with limits (for example, only allow 
faculty/staff to create X number of guest credentials per day/week/whatever)

NAC integration

-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] Public IP to nat/pat

2011-08-22 Thread Julian Y Koh

On Mon Aug 22 21:40:49 2011 Central Time, Jeff Kell  wrote:
> 
> (5) IPv6 fans and IPv4 purists will snicker behind your back :)

So will those who were lucky enough to grab a bunch of IPv4 /16's when the 
getting was easy... :)



-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] Disappointing numbers of 5ghz clients

2011-09-27 Thread Julian Y Koh

On Mon Sep 26 18:41:25 2011 Central Time, Craig Simons  
wrote:
> 
> My stats also tell me that 60% of all our associated users this week had an 
> Apple OUI, which presumably means dual band capable (iPhone 3gs and up/iPad 
> are dual band as well as recent MacBook Pros).

Most MacBook Pros are 5GHz-capable, not just the recent ones.  

All iPhones are 2.4GHz only, and only the iPhone 4 is 802.11n-capable.  

<http://www.apple.com/iphone/specs.html>
<http://support.apple.com/kb/SP565>

iPads are 5GHz-capable.

<http://www.apple.com/ipad/specs/>

-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


iOS 5 Wireless Sync

2011-10-17 Thread Julian Y Koh

Does anyone have some definitive information on what the detailed technical 
requirements are for syncing an iOS 5 device with iTunes via Wi-Fi?  The only 
thing in the user guide is:

===
After you configure Wi-Fi Sync, iPhone syncs with iTunes automatically, once a 
day, when it’s connected to a power source and: 
- iPhone and your computer are both connected to the same Wi-Fi network. 
- iTunes on your computer is running.
===

I'm assuming that Rendezvous/Bonjour is involved in some way, but do the 
devices both need to be on the same subnet/VLAN?  What other gotchas are there 
for this type of syncing in our enterprise environments?

-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] RADIUS Server preference for 10K+ Client Environments?

2011-11-01 Thread Julian Y Koh

On Tue Nov 01 2011 13:25:20 Central Time, Lee H Badman wrote:
> 
> For those of you with large (10,000 + users) RADIUS deployments, what servers 
> are you using and what are your points of pain and/or appreciation?

We're currently using Steel Belted Radius, and have been since 2000 or so when 
we rolled out VPN services.  Overall it works, but end of life is in sight, and 
the replacement products from Juniper apparently won't have all of the same 
capabilities.  We'll be looking for something else in the coming year or so.  

-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] RADIUS Server preference for 10K+ Client Environments?

2011-11-02 Thread Julian Y Koh

On Wed Nov 02 2011 08:09:21 Central Time, Lee H Badman wrote:
> 
> Out of curiosity, can you describe what Juniper's replacement for SBR is 
> missing?

Biggest thing was IP pools, since we assign IP addresses to our traditional VPN 
clients via RADIUS.

-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] Logos

2011-11-02 Thread Julian Y Koh

On Wed Nov 02 2011 08:34:05 Central Time, "Voll, Toivo" wrote:
> 
> Poor Lee. We got one too, very recently :-)
> 

We've been using the one at <http://www.it.northwestern.edu/oncampus/wireless/> 
forever.  I can't decide if I really like it or just kind of like it - depends 
on my mood.  All I know is that it's better than anything I would have come up 
with on my own. :)

-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] WPA2-Enterprise - account lockouts and password changes

2011-11-07 Thread Julian Y Koh

On Mon Nov 07 2011 16:19:54 Central Time, "Fleming, Tony" wrote:
> 
> How do you guys handle Account lockouts?

We don't automatically lock accounts.

> Do your students interpret these issues as WiFi trouble?
> If so, how are you changing that perception?
> Have any of you abandoned 802.1x (PEAP) because of this issue?
> Do you see the same trouble with OSX and WPA2?
> 

In general, the OS X (and iOS) machines have been some of the more trouble-free 
devices to set up for 802.1X (EAP-PEAP-MS-CHAP here).  

-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Guest Network Sizing

2011-11-19 Thread Julian Y Koh

Random poll: for those of you who have implemented guest networks with IP 
addressing separate from your regular wireless networks, what sizing did you 
use, and what kind of utilization levels are you seeing relative to your 
regular networks?

Thanks!

-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] Very high number of wireless devices returning from break

2012-01-26 Thread Julian Y Koh

We have not seen a huge increase in our wireless usage since the winter break 
(right around 10K devices max).  Maybe all of our users already loaded up on 
their devices over the summer?  

-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


Re: [WIRELESS-LAN] SSIDs, devices and guests

2012-01-27 Thread Julian Y Koh

On Fri Jan 27 2012 09:54:40 Central Time, Peter P Morrissey wrote:
> 
> I've seen this come up a couple of times. So I hope you don't mind me asking, 
> what would be the advantage of providing "very low total bandwidth" for your 
> guests? 

One line of reasoning would be that you want to differentiate the guest network 
from your regular user network in terms of service level.  Your typical user 
isn't going to readily appreciate the advantages that a regular WPA2 Enterprise 
SSID has in terms of encryption and centralized authentication, and in general 
you don't want the guest network to be an attractive option for your regular 
users.  Also, depending on how your bandwidth is provisioned, you might want to 
prioritize/reserve traffic for your regular users over guest traffic anyway.  
Finally (at least from what I can think of quickly :)), depending on your 
physical proximity to non-University spaces, you might not want your guest 
network to be an attractive access option for people who are just next to your 
campus and could leech off your resources without being actual guests.

-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

2012-02-21 Thread Julian Y Koh

On Fri Dec 16 2011 11:16:43 Central Time, "Johnson, Neil M" wrote:
> 
> We have a request to support Airplay/Apple TV's on our enterprise network
> so that instructors can mirror presentations from their iPad's to
> classroom and meeting room projectors.

This is only going to get more prevalent now that Mountain Lion will support 
Airplay mirroring from OS X machines.

<http://www.apple.com/macosx/mountain-lion/features.html#airplay>

Gonna be fun

-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

2012-02-21 Thread Julian Y Koh

On Tue Feb 21 2012 16:21:24 Central Time, "Kellogg, Brian D." wrote:
> 
> Had an Apple rep in recently and he stated Apple (Bonjour) has come a long 
> way since Appletalk on their network protocols. 

Well, to be fair, AppleTalk got a bad rep from people who didn't know how to 
set up zones and network number ranges correctly.  :)  Indeed, there are still 
things that AppleTalk could do in terms of easy and logical groupings of 
services and devices that you can't do with ZeroBonRendezJourConfVous.

-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

2012-02-22 Thread Julian Y Koh

On Wed Feb 22 2012 09:24:46 Central Time, Jeff Kell wrote:
> 
> Yes, "routing" breaks traditional AT, IPX, NetBEUI, etc.

AppleTalk and IPX at least are totally routable protocols.  :)

-- 
Julian Y. Koh <mailto:kohs...@northwestern.edu>
Manager, Network Transport 
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Location Based Printing

2012-05-31 Thread Julian Y Koh

On Thu May 31 2012 08:05:20 Central Time, "Cappalli, Tim G @ LSC-OIT" wrote:
> 
> You don’t have to use CPPM if you are setting up static printers and media 
> devices. There will be AirGroup functionality in the base code. 

Details on that are sparse at best at this point.  We've been asking exactly 
what features will require ClearPass and which ones won't, and the answers have 
been very vague so far.  The product is obviously still in alpha or maybe even 
beta, but it would be nice to get some clear direction.

-- 
Julian Y. Koh
Manager, Network Transport, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>





Re: [WIRELESS-LAN] Cisco IPSEC VPN Client for Android

2012-07-12 Thread Julian Y Koh
On Jul 12, 2012, at 13:12 , Curtis K. Larsen wrote:
> 
> Curious to know what others are doing for Cisco VPN Access from their Android 
> Devices:

With the ASAs, we were able to get L2TP/IPSec working from Android devices that 
support it.  I can't remember exactly which version of Android started using 
that offhand.


-- 
Julian Y. Koh
Manager, Network Transport, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>






Re: [WIRELESS-LAN] High Number of Disconnections - Mac 10.5 and up

2012-09-19 Thread Julian Y Koh
On Sep 19, 2012, at 15:35 , James JJ Hooper wrote:
> 
> Mac OS has pretty extensive Wi-Fi debugging facilities. You can use the
> command:
> 
> sudo
> /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport
> 
> with various parameters to enable logging, which either comes out in the
> Terminal window when you run the command, or into system.log (use "Console"
> to watch system.log easily), depending on what you debug.

On Lion and Mountain Lion systems, there's a GUI front end application (Wi-Fi 
Diagnostics.app) to this in /System/Library/CoreServices.


-- 
Julian Y. Koh
Manager, Network Transport, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] High Number of Disconnections - Mac 10.5 and up

2012-09-20 Thread Julian Y Koh
On Sep 20, 2012, at 00:41 , Stefan Kronawithleitner wrote:
> 
> … or just Option-Click on the Wi-Fi-Symbol and choose "Open Wi-Fi 
> Diagnostics…" :-)

Ah yes, but that's only on Mountain Lion.  :)


-- 
Julian Y. Koh
Manager, Network Transport, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Cisco 7.3 Code and ISC DHCP

2012-10-17 Thread Julian Y Koh
On Oct 16, 2012, at 19:49 , Jason Murray  wrote:
> 
> This is not completely related, but we just upgraded one of our Cisco 
> routers, after the upgrade dhcp stopped working because one dhcp option was 
> blank.  'Debug IP dhcp server' was the only way we would have noticed this 
> problem.  The router was silently discarding the replies.


Can you share router model and software versions?

-- 
Julian Y. Koh
Manager, Network Transport, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] wireless printers in dorms

2012-10-30 Thread Julian Y Koh
On Oct 30, 2012, at 13:53 , Tom O'Donnell wrote:
> 
> I was wondering how other schools handle wireless printers in the
> dorms.  This seems to be the year everyone showed up with one, and
> they're causing connectivity problems in our 2.4GHz space.

How well do the printers work anyway wirelessly?  Depending on the service 
advertisement protocols and printing protocols used, the client types, your 
authentication requirements (since most printers don't do 
WPA2-Enterprise/802.1X) and your subnetting/address assignment scheme, I wonder 
how successful people are at actually getting these things to work anyway.


-- 
Julian Y. Koh
Manager, Network Transport, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



eduroam question(s)

2012-11-12 Thread Julian Y Koh
So we're looking at an eduroam deployment here, and one question that has come 
up is one of credentials.  Here at NU, we have 2 identifiers - the NetID and 
the alias.  All of the directories and the like are keyed off of the NetID, 
which does not have to be the same as the alias.  Top-level email addresses 
take the form @northwestern.edu.  

Under a basic default eduroam deployment, a user would use 
@northwestern.edu as his/her username to authenticate to the wireless 
network.  This is not 100% ideal from an end user point of view, though, since 
that could potentially lead to some confusion since at least here, netid rarely 
is the same as alias.  Obviously, at some schools, netid = alias, so this is a 
moot point, but have other schools encountered support/documentation issues 
because of this?  

As an alternative, has anyone looked into using a subdomain for the realm?  
i.e., @eduroam.northwestern.edu?

I tried going through the FAQs and documentation at 
<http://www.eduroamus.org/>, and there is some mention of avoiding subdomains 
at <http://www.eduroamus.org/node/29>.  

Personally, I think with good enough documentation we should be able to do the 
standard @northwestern.edu without a lot of trouble, but we also need to 
do due diligence and explore these options.  :)

Thanks!!

-- 
Julian Y. Koh
Manager, Network Transport, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] eduroam question(s)

2012-11-13 Thread Julian Y Koh
On Nov 12, 2012, at 18:34 , "Hanset, Philippe C"  wrote:
> 
> To answer the sub-domain question: we pass to your University everything in 
> the form @*.university.edu
> So you decide what to do.

But that's still not recommended as per the eduroam best practices?

Is there a requirement that the university.edu match what we actually use?  
i.e., could we do something like nu-eduroam.edu instead of northwestern.edu?  
(note: I'm not saying that would be a good idea, just trying to understand 
what's possible :) )


-- 
Julian Y. Koh
Manager, Network Transport, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] eduroam question(s)

2012-11-14 Thread Julian Y Koh
On Nov 13, 2012, at 09:11 , "Hanset, Philippe C"  wrote:
> 
> For sanity, we will only pass to you *.northwestern.edu or other domains that 
> you own and would like to be resolved e.g. northwestern-1.edu

Are there any stats available as to how many institutions are using a different 
eduroam domain than their regular top-level DNS domain?

I'm thinking about tossing together a quick surveymonkey survey to collect some 
of this info if it's not available.


-- 
Julian Y. Koh
Manager, Network Transport, Telecommunications and Network Services
Northwestern University Information Technology (NUIT)
2001 Sheridan Road #G-166
Evanston, IL 60208
847-467-5780
NUIT Web Site: <http://www.it.northwestern.edu/>
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
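
The realm rule quoted in this thread (requests of the form @*.university.edu, or for another domain the institution owns, are passed to the home institution) is modelled below as an added example; it is not code from any poster or from eduroam's own software. The function names, the result labels, the owned-domain list and the sample usernames are constructed assumptions.

```python
import re

# Constructed for illustration: domains an institution has registered with its
# federation operator. Not taken from any real eduroam configuration.
OWNED_DOMAINS = ("northwestern.edu", "northwestern-1.edu")

# One DNS label: letters, digits, inner hyphens, 1 to 63 characters.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def extract_realm(user_name):
    """Return the lower-cased realm of a RADIUS User-Name, or None if malformed.

    An empty local part is allowed because anonymous outer identities
    ("@realm") are common with PEAP and TTLS.
    """
    if user_name.count("@") != 1:
        return None  # no realm at all, or an ambiguous "a@b@c"
    realm = user_name.split("@", 1)[1].lower()
    labels = realm.split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(label) for label in labels):
        return None  # single label, empty label (trailing dot), bad characters
    return realm


def matching_domain(realm, owned=OWNED_DOMAINS):
    """Return the owned domain that realm equals or is a subdomain of, else None.

    The comparison is made on a label boundary ("." + domain), so a realm such
    as "notnorthwestern.edu" does not match "northwestern.edu".
    """
    for domain in owned:
        if realm == domain or realm.endswith("." + domain):
            return domain
    return None


def route(user_name, owned=OWNED_DOMAINS):
    """Classify a User-Name as (decision, realm).

    decision is one of these hypothetical labels:
      "reject"          malformed or missing realm
      "home"            realm is exactly an owned domain
      "home-subdomain"  realm is a subdomain of an owned domain
      "foreign"         well-formed realm that belongs to someone else
    """
    realm = extract_realm(user_name)
    if realm is None:
        return ("reject", None)
    domain = matching_domain(realm, owned)
    if domain is None:
        return ("foreign", realm)
    return ("home" if realm == domain else "home-subdomain", realm)


# Constructed sample identities covering the cases raised in the thread.
SAMPLE_USERNAMES = [
    "abc123@northwestern.edu",              # standard realm
    "abc123@eduroam.northwestern.edu",      # subdomain realm
    "abc123@northwestern-1.edu",            # second owned domain
    "@northwestern.edu",                    # anonymous outer identity
    "abc123@NORTHWESTERN.EDU",              # case differences
    "abc123@notnorthwestern.edu",           # suffix look-alike
    "abc123@northwestern.edu.example.org",  # owned name used as a prefix
    "abc123",                               # no realm
    "abc123@northwestern.edu.",             # trailing dot
]

if __name__ == "__main__":
    for name in SAMPLE_USERNAMES:
        decision, realm = route(name)
        print(f"{name:40} -> {decision:15} {realm or ''}")
```
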



Re: [WIRELESS-LAN] Wireless Survey

2002-11-26 Thread Julian Y. Koh

At 09:17 -0500 11/26/2002, Art Ripley wrote:
>My feeling was that using switches was a
>way to eliminate sniffing as a practical method of snooping

Until your students discover dsniff, ettercap, etc...



--
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://charlotte.at.northwestern.edu/julian/pgppubkey.html>

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/memdir/cg/.



Re: [WIRELESS-LAN] Peap info

2005-07-05 Thread Julian Y. Koh

At 16:18 -0500 06/23/2005, Michael Griego wrote:
>One quick warning here.  Be very careful about running Steel Belted
>RADIUS on Windows doing domain authentication or IAS in an environment
>where the machines authenticating via 802.1x are *not* domain member
>machines with users logging in via domain accounts.  The builtin WinXP
>supplicant refuses to reprompt the user for his new password if his
>domain password is changed.  It keeps trying to auth with the old
>password, resulting in an eventual account lockout.  You have to
>actually remove the registry key that contains the cached network
>credentials to get the machine to stop attempting to auth with the bad
>credentials.  The only ways to get around this are to a) make sure all
>machines are domain members and the users are logging in with their
>domain accounts or b) don't use IAS or SBR.  We use FreeRADIUS, and we
>don't have this problem with our student laptops.

So your FreeRADIUS box authenticates directly to Active Directory?  This
isn't a problem with MS-CHAPv2, is it?  We know we can't have FreeRADIUS
authenticate to LDAP with MS-CHAPv2 because our passwords are encrypted on
the LDAP server.

Thanks!!



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Apple Airport 4.2 software

2005-07-14 Thread Julian Y. Koh

Apple released version 4.2 of their Airport software today.  Most notably,
it adds WPA2 support.

However, after applying the update to my Mac OS X 10.3.9 laptop, I can no
longer get it to trust the test certificates that we generated for testing
out 802.1X and EAP-PEAP.  Earlier today with the Airport 4.1.1 software,
everything was fine after I imported the test root certificate and accepted
the server cert.  I can get connected now with the 4.2 software, but the
computer asks me every time to verify the server certificate, claiming that
the root certificate is untrusted



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



stupid autoreplies

2005-07-14 Thread Julian Y. Koh

Can we start a Wall of Shame for people who don't know how to configure
email servers and clients to not autoreply to mailing list mail?  Here are
my first 2 candidates.

:)

At 14:49 -0700 07/14/2005, McConathy, Sandra wrote:
>I'll be away from the office until August 1.  I will have limited access
>to email.  If you are in need of immediate assistance please contact John
>Wright, [EMAIL PROTECTED]


At 14:49 -0700 07/14/2005, Loiacono, Angela wrote:
>I am out of the office on vacation from 7/11 through 7/15. I will return
>to the office on Monday 7/18. Please contact Lee Ann Torigian with any
>issues that requ

Re: [WIRELESS-LAN] WinXP 802.1x and password changes

2005-07-21 Thread Julian Y. Koh

At 17:07 -0400 07/19/2005, King, Michael wrote:
>Can everyone that's using Funk SBR, and is Concerned with the password
>expiration on the Microsoft 802.1x client please Mail me off list.
>
>The Funk Bug ID is 5429, and Funk has stated that we are the only people
>to ever experience this problem.
>
>The Product Manager of SBR has asked me to have people contact him.

We opened a case with Funk referencing your bug ID.  We were told that the
bug is slated to be fixed with the 5.3 release of SBR.  Beta is scheduled
for the end of August, general release in September/October timeframe.



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Windows and Mac native IPSec clients/Nortel VPN

2006-02-20 Thread Julian Y. Koh

At 11:57 -0500 02/15/2006, Lee Badman wrote:
>Has anybody found a way to leverage the built-in clients (L2TP IPSec)in both
>Windows and Macintosh for use with the Nortel Contivity VPN routers?

This isn't totally helpful for you since we use Cisco 3000 concentrators, but
the built-in L2TP/IPSec clients on Windows and Mac OS X work fine with those
devices.  The only caveat is that the Mac OS X L2TP/IPSec client doesn't work
through NAT with Cisco 3000s unless you update your client to Mac OS X
10.4.5.  I've been asking for this compatibility for well over a year from
both Cisco and Apple.  It was the last stumbling block in our effort to get
rid of PPTP.



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Windows and Mac native IPSec clients/Nortel VPN

2006-02-22 Thread Julian Y. Koh

At 08:00 -0600 02/20/2006, Julian Y. Koh wrote:
>This isn't totally helpful for you since we use Cisco 3000 concentrators,
>but the built-in L2TP/IPSec clients on Windows and Mac OS X work fine with
>those devices.  The only caveat is that the Mac OS X L2TP/IPSec client
>doesn't work through NAT with Cisco 3000s unless you update your client to
>Mac OS X
>10.4.5.  I've been asking for this compatibility for well over a year from
>both Cisco and Apple.  It was the last stumbling block in our effort to get
>rid of PPTP.

A bunch of people have asked for more details about our Cisco concentrator
and client setup.

Our Windows users have been doing L2TP/IPSec since the summer. Instructions
are at
<http://www.it.northwestern.edu/oncampus/vpn/native/native-config-win.html>.


Here are the old instructions that I wrote up for Mac OS X 10.3.x; they
should still be mostly valid. It looks like 10.4.x has some new options for
"VPN on demand", so that it will only bring up the VPN connection when you
connect to certain hosts. Probably more complex than we want to make things
for our users, but it might be fun to play around with on an individual basis
to see how it works.


>
>1.) Mac OS X 10.3.x
>
>   Open Internet Connect
>   Select "New VPN Connection" under the File menu.
>   In the window that appears, select "L2TP over IPSec", click Continue.
>   From the Configuration pop-up menu, select "Edit Configurations..."
>   Enter whatever you want for "Description"
>   Enter  for "Server Address"
>   Enter your netid for "Account Name:"
>   Select "Use Password" for "Authentication", and enter your netid
>   password if you want it saved in your Keychain.
>   Enter  for "Shared Secret"
>   Click OK; you should be back at the main Internet Connect screen.
>   Click "Connect" to attempt a connection.
>   If you have a Connection Log window open, you should see something like
>this:
>
>
>Mon Apr 11 17:25:31 2005 : L2TP:  starting racoon...
>Mon Apr 11 17:25:34 2005 : L2TP connecting to server ...
>Mon Apr 11 17:25:38 2005 : L2TP connection established.
>Mon Apr 11 17:25:38 2005 : Using interface ppp0
>Mon Apr 11 17:25:38 2005 : Connect: ppp0 <--> socket[34:18]
>Mon Apr 11 17:25:41 2005 : acsp resetci called
>Mon Apr 11 17:25:44 2005 : local  IP address 
>Mon Apr 11 17:25:44 2005 : remote IP address 
>Mon Apr 11 17:25:44 2005 : primary   DNS address 
>Mon Apr 11 17:25:44 2005 : secondary DNS address 
>Mon Apr 11 17:25:48 2005 : Terminating on signal 15.
>Mon Apr 11 17:25:48 2005 : Connection terminated.
>Mon Apr 11 17:25:48 2005 : Connect time 0.2 minutes.
>Mon Apr 11 17:25:48 2005 : Sent 901 bytes, received 1645 bytes.
>Mon Apr 11 17:25:48 2005 : L2TP disconnecting...
>Mon Apr 11 17:25:49 2005 : L2TP disconnected
>===

As far as the concentrator config is concerned, I don't know if I'll hit all
the necessary points, but here goes.  We're using RADIUS authentication, with
an Active Directory backend, IP addresses assigned by the RADIUS server.
Concentrator software version 4.1.7.H.

Configuration->User Management->Base Group->General Tab
Check box for L2TP over IPSec in Tunneling Protocols

Configuration->User Management->Base Group->IPSec Tab
IPSec SA = ESP-L2TP-TRANSPORT (see below)
Tunnel Type = Remote Access
Default Preshared Key = 

Configuration->User Management->Base Group->Client Config Tab
Check box for IPSec over UDP
IPSec over UDP Port = 1

Configuration->User Management->Base Group->PPTP/L2TP Tab
L2TP Authentication Protocols = MSCHAPv2
Uncheck all boxes for L2TP Encryption and Compression

Configuration->Policy Management->Traffic Management->SAs
Modify/create IPSec SA named ESP-L2TP-TRANSPORT
Inheritance: From Rule
Authentication Algorithm: ESP/MD5/HMAC-128
Encryption Algorithm: 3DES-168
Encapsulation Mode: Transport
Perfect Forward Secrecy: Disabled
Lifetime Measurement: Time
Data Lifetime: 1
Time Lifetime: 3600
IKE Peer: 0.0.0.0
Negotiation Mode: Main
Digital Certificate: None (Use Preshared Keys)
Certificate Transmission: Identity Certificate only
IKE Proposal: CiscoVPNClient-3DES-MD5

Configuration->Tunneling and Security->L2TP
Everything here should just be default, but:
Check box for "Enabled"
Max Tunnel Idle Time: 60 seconds
Control Window Size: 4 packets
Control Retransmit Interval: 1 second
Control Retransmit Limit: 4
Max Tunnels: 0
Max Sessions/Tunnel: 0
Hello Interval: 60 seconds

Configuration->Tunneling and Security->IPSec->IKE Proposals
Modify/Create/Activate IKE Proposal named CISCOVPNClient-

Re: [WIRELESS-LAN] Windows and Mac native IPSec clients/Nortel VPN

2006-02-22 Thread Julian Y. Koh

At 16:11 -0600 02/22/2006, Scott Smith wrote:
>I would be interested in knowing what configuration you needed to do on
>the VPN 3000's as well.

I believe that I included that information.  :)

You even included it in your top-posted reply.  :)



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Re: [WIRELESS-LAN] 802.11a

2006-02-24 Thread Julian Y. Koh

At 09:06 -0600 02/24/2006, Nolan Banks wrote:
>(note this applies to windows only since apple does not support A yet)

There were rumblings that the new Intel-based Macs support a/b/g.  Any truth
to those rumors?



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] WPA2 and 802.1x on Mac OS-X?

2006-02-27 Thread Julian Y. Koh

At 11:12 -0500 02/27/2006, Landry, Michael wrote:
>Can anyone share any info they might have on using WPA2 and 802.1x on a
>Mac running OS/X? We don't officially support them, and I don't have one
>here for testing, but I'm being told it can't be done/doesn't work. If
>anyone has some info I could use to get started, I'd appreciate it!

Oh, it works great.  The consensus seems to be that it's easier to set up
than on a Windows box.



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Obtaining MAC of associated AP in XP, OS-X within the OS?

2006-02-27 Thread Julian Y. Koh

At 16:40 -0500 02/27/2006, Michael Dickson wrote:
>Is there any trick to determine the radio MAC address of the associated
>AP on an XP or MacOS-X client *without* using a 3rd party application
>like NetStumbler?

On Mac OS X, the Internet Connect application does that no problem.  The
information is also in /var/log/system.log.



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] WIRELESS-LAN Digest [Another RADIUS Question (802.1x)]

2006-03-27 Thread Julian Y. Koh

At 17:24 -0700 03/24/2006, Chris Hessing wrote:
>A bit more info on the MacBook issue.  The chipset that is used in the
>MacBooks is an Atheros a/b/g chipset.

Can you actually make the MacBook Pro connect to an 802.11a network?



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] WinXP 802.1x and password changes

2006-04-10 Thread Julian Y. Koh

At 07:37 -0500 10/11/2005, Chris Hart wrote:
>Has anyone confirmed that Funk update  has resolved the issue with the
>password change?

Reviving this old thread.

To review, the problem is as explained by Michael King concerning cached
credentials with the XP 802.1X PEAP supplicant:

At 09:07 -0400 06/24/2005, King, Michael wrote:
>FreeRadius -
>When a password is bad (fail MS-CHAPv2), the FreeRadius server will send
>an EAP-Failure inside the EAP-PEAP tunnel, then send a second payload of
>an EAP-Failure
>
>Steel-Belted Radius -
>When a password is bad (fail MS-CHAPv2), the SBR server will ONLY send
>an EAP-Failure, it will not send the EAP-Failure inside the EAP-PEAP
>tunnel, basically, it skips a step.
>
>Apparently, the EAP-Failure inside the EAP-PEAP tunnel is what triggers
>the XP client that the password is wrong and it should reprompt.

Michael filed bug 5429 w/ Funk and reported that a test build would be
available back in the August timeframe to fix this problem.

We actually obtained the test build, but we never got around to trying it
because we were told that the test build would require a complete rebuild of
our config, which we didn't have the time to do.

The final 5.3 release was supposed to incorporate this fix.  We just upgraded
this Sunday to SBR 5.30.2009, and I've got basic PEAP going with MS-CHAPv2.
At least the Mac client works fine, as always, but the Windows XP supplicant
still doesn't work when the AD password on the back end is changed.  Windows
prompts for a new password, but it doesn't work to let the user on the
network, just prompts again.  As always, deleting the EAPOL registry settings
fixes things, at least until the AD password is changed again.

According to Funk (now Juniper), the way to turn on the feature is to edit
winauth.aut to change the following line:

;RetryFailedAuthentications = no

to

RetryFailedAuthentications = yes

Again, though, this did not work for us.

Has anyone got this working?

Thanks!!



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] WinXP 802.1x and password changes

2006-04-11 Thread Julian Y. Koh

At 22:00 -0400 04/10/2006, King, Michael wrote:
>After extensive packet captures, and comparisons, Funk/Juniper has
>identified and fixed the problem.  Microsoft didn't follow their own
>Spec when they made their own client.
>
>Unfortunately, they only fixed it last week.  So it's not in any public
>build yet.

Funk/Juniper says that they're going to try to get us the new build.
Hopefully we can just replace the executable and not go through a whole
installation process.



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] WinXP 802.1x and password changes

2006-04-12 Thread Julian Y. Koh

OK, we've got things working with SBR.  Funk/Juniper got us the test 5.3
build.  In addition to the config changes already mentioned
(RetryFailedAuthentications = yes in winauth.aut), you also have to set the
following in the Configuration section of radius.ini:

WZCCompatibility=1

After that, all appears to be working for us.  More extensive testing will
follow.  I'm still waiting to hear if the 5.4 train has this fix in it.



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] WinXP 802.1x and password changes

2006-04-13 Thread Julian Y. Koh

At 17:11 -0500 04/12/2006, Julian Y. Koh wrote:
> I'm still waiting to hear if the 5.4 train has this fix in it.

No release build of 5.3.x or 5.4.x currently has the fix.  Funk/Juniper may
be releasing a maintenance build of 5.4.x in "a few weeks".

In short, if you're experiencing this problem, contact your support rep.



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



RADIUS accounting through WLSM

2006-04-18 Thread Julian Y. Koh

So we're making real progress on our 802.1X testing and rollout.  Thanks
again to everyone who's helped us over the months.

Our next issue involves RADIUS accounting records.  We've got the WLSM
product from Cisco, and that's great as far as RADIUS authentication is
concerned.  Our ~700 APs send the authentication requests up to the WLSM
through the GRE tunnels, and the WLSM handles relaying them to the RADIUS
server.  Piece of cake.

Unfortunately, it looks like WLCCP doesn't work like that for accounting
records, so we're facing having to configure 700 entries into our RADIUS
server.  Obviously, anything can be done with the right scripts, but overall
it seems like a bit of a management nightmare.  It would be much better to be
able to have all the accounting records tunneled just like they are with
authentication requests.

The TAC said to report this to our SE as a feature request, but like all
feature requests, they only come to fruition if enough people really ask and
can show Cisco that there's a business case for it.

So I thought I'd toss this out here and see what people think.



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] RADIUS accounting through WLSM

2006-04-19 Thread Julian Y. Koh

At 09:13 -0400 04/19/2006, King, Michael wrote:
>In most RADIUS servers (and for example, I know Funk and FreeRADIUS
>can do this) you can configure a "default" entry, or "wildcard" entry.
>It will allow you to collect the statistics while you configure your
>APs.

Yeah, that's true.  But that seems to start the security alert meter pinging.
 :)  I guess you still have to know the configured shared secret key (that
sounds like an oxymoron.. :)), so it's not so bad, and we'd have to open up
the router access list rules to allow communication with the APs anyway.



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



802.1X accounting, PEAP outer identity

2006-06-01 Thread Julian Y. Koh

How are people handling accounting records for your 802.1X wireless networks?
 We're in the process of rolling out EAP-PEAP, and everything is fine in
terms of our RADIUS accounting records from the APs as long as the users
leave the "Outer Identity" field blank - we end up with their real usernames
in the accounting records.  However, as soon as they fill in anything for
"Outer Identity" (Mac OS X) or "Roaming Identity" (Intel Wireless utility),
that text is what ends up in our accounting records.  Obviously this is
suboptimal in terms of relying on our accounting records for true accounting
of who was where on our network.  Is there any way around this?

FWIW, we're using Cisco 1200 APs with a WLSM/WLSE combo, Steel Belted RADIUS
talking to an Active Directory back end.

Thanks in advance!



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] 802.1X accounting, PEAP outer identity

2006-06-01 Thread Julian Y. Koh

At 15:34 -0700 06/01/2006, David Morton wrote:
>Unfortunately it is the design of PEAP (and TTLS) to offer separate
>inner and outer identities.

A little Googling seems to reveal that Radiator has a hook that requires the
inner and outer identities to be identical.  Steel Belted RADIUS has a
section in the manual called "Tunneled Accounting", which sounds very
promising.  We'll look into this and report anything back to the list.


>Tunneled accounting allows Steel-Belted Radius to pass user identity
>information to accounting processes without exposing user identities to a
>RAS or AP that should not see them. When tunneled accounting is enabled,
>RADIUS attributes are encrypted and encapsulated in a Class attribute. If
>the information for a Class attribute exceeds the attribute payload size
>(253 octets), Steel-Belted Radius returns more than one Class attribute for a
>user.

>The tunneled accounting transaction sequence is:

>1. The Steel-Belted Radius server acting as the tunnel endpoint for EAP/TTLS
>   or EAP/PEAP encrypts a user's inner User-Name and Class attributes when it
>   authenticates the user.
>2. The server returns the encrypted information to the RAS or AP
>   encapsulated in a Class attribute in the outer Access-Accept message. The
>   RAS or AP associates this encapsulated identity attribute with the user,
>   and echoes the encapsulated identity attribute whenever it generates an
>   accounting request for the user.
>3. When Steel-Belted Radius receives an accounting request from a RAS or
>   Access Point, it scans the request for an encapsulated identity attribute.
>4. If Steel-Belted Radius finds an encapsulated identity attribute, it
>   de-encapsulates and decrypts the attributes to reconstitute the original
>   inner User-Name and Class attributes.
>5. Steel-Belted Radius substitutes the decrypted attributes for the ones
>   returned from the RAS or AP.
>6. Steel-Belted Radius processes the accounting request locally or forwards
>   the accounting request through the proxy to its intended target.

>To implement tunneled accounting, you must configure the classmap.ini file
>to specify how attributes should be presented, and you must configure the
>spi.ini file to specify the keys that are used to encrypt and decrypt
>users' identity information. The classmap.ini file and the file are
>described in the Steel-Belted Radius Reference Guide.

-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



RE: [WIRELESS-LAN] 802.1X accounting, PEAP outer identity

2006-06-02 Thread Julian Y. Koh

Well, I talked to Funk/Juniper today.  They said that this inner/outer
identity thing will be fixed in a build of 5.4 (we're running an interim
build of 5.3 that has the fix for the Windows password change issue).  We
should get the build in the next couple of weeks, just in time for our
planned rollout.  I was told that SBR will always record the inner identity
in its accounting records and ignore whatever's in the outer identity.

On a side note, there's another issue where if you have SBR sending
accounting to an SQL database, the timestamps are 30 days in the past.  That
will also be fixed in this future build of 5.4.

So, the build they deliver will definitely have those 2 fixes in it.  I'll
let everyone know how it goes after we install the upgrade.



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] 802.1X accounting, PEAP outer identity

2006-07-14 Thread Julian Y. Koh

At 20:15 -0500 06/02/2006, Julian Y. Koh wrote:
>They said that this inner/outer
>identity thing will be fixed in a build of 5.4 (we're running an interim
>build of 5.3 that has the fix for the Windows password change issue).  We
>should get the build in the next couple of weeks, just in time for our
>planned rollout.  I was told that SBR will always record the inner identity
>in its accounting records and ignore whatever's in the outer identity.
>
>On a side note, there's another issue where if you have SBR sending
>accounting to an SQL database, the timestamps are 30 days in the past.  That
>will also be fixed in this future build of 5.4.
>
>So, the build they deliver will definitely have those 2 fixes in it.  I'll
>let everyone know how it goes after we install the upgrade.

Going back again to this old thread...figured an update would be appropriate
at this point in time.

We got the new 5.4 build from Funk/Juniper and tried to install it on 6/18.
The 3 bugs that were supposed to have been fixed, just for review, were:

1.) inner/outer identity logging in accounting records
2.) timestamps in SQL accounting records
3.) another crashing bug

The problem with 5.4 as opposed to 5.3 is that 5.4 removes the "NT Domain"
login method, leaving us only with the "Windows Domain" method.
Unfortunately, this broke logins from our VPN using the Cisco IPSec client,
since that's a PAP login as opposed to MS-CHAPv2.  PAP logins get directed to
the NT Domain login method, whereas MS-CHAPv2 logins go through the Windows
Domain method.  Apologies in advance - this is all rather convoluted.  SBR is
running on an Active Directory Domain Controller, since this was a
requirement for MS-CHAP compatibility back in the version 3 and 4 days.
Apparently now that's no longer a requirement, but if you want to process
those PAP logins, you need to grant the users the right to log in locally on
the server that you're running SBR.  Obviously this is not cool for a domain
controller, and we haven't had time to play around with demoting the server
from a domain controller to a domain member server.

So I went back to the test build of 5.3 that we had before and tried using
the new sqlacct.dll file that I had been given, so at least we fixed the
timestamps on the SQL accounting records.  But we're still stuck with the
problem of inner/outer identity logging.

Now we find out from Funk that their fix in 5.4 still isn't working like they
wanted, with a final fix scheduled for Q4 2006.  This is obviously totally
not cool, and will probably force us to jumpstart our freeradius efforts.
The pain in the butt is that we just did our official rollout of the
802.1X/WPA2 wireless this week, and all the docs point to verifying the cert
of the SBR server.  Not an insurmountable deal to fix, but it looks bad if we
have to switch.  OTOH, switching now will be the best time to do it before we
get a lot of people using the service, and it would be better than having
people masquerade as other users in the accounting records.



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



more fun with RADIUS

2006-09-18 Thread Julian Y. Koh

So those of you who have been following our RADIUS saga will be happy to know
that with the latest 5.41 build of Steel Belted RADIUS from Funk/Juniper, all
of our outstanding issues have gone away.  Well, mostly, but the remaining
one does not appear to be an SBR problem.  Hopefully someone can tell us if
we're on the right track.

We have 650+ Cisco IOS APs that all tunnel back to a WLSM.  Now, due to a
deficiency in the IOS and/or WLSM code, all 802.1X/WPA2 authentication
requests are tunneled up from the APs through the WLSM to the RADIUS server,
so as far as SBR is concerned, all authentication requests come from the
WLSM, but the APs don't send accounting records up through the WLSM, so they
send accounting records directly to SBR themselves.

The last issue that we were trying to resolve with SBR was that accounting
records only logged the outer identity for EAP-PEAP (and probably EAP-TTLS as
well, but we're running PEAP), not the inner identity.  SBR 5.41 includes a
"FullName" attribute in accounting records, though, that has the inner
identity.

The problem manifests itself in that we are getting a ton of accounting
records that have "Unknown" in the FullName field.  I haven't done a
conclusive correlation, but those records appear to be generated when a
client roams from one AP to another.  I am not exhaustively familiar with the
802.11 spec, but based on my knowledge of how things work, it seems to me
that under the WLSM arrangement that we have, the inner identity will only be
known on first authentication.  When I roam to another AP, I don't have to go
through a full reauthentication because again as far as SBR is concerned, my
authentication came from the WLSM, not the AP.  So the AP that I roam to is
only going to send an accounting packet that SBR isn't going to know to
associate with my inner identity, and thus "Unknown" gets logged in the
accounting packet for the inner identity.  The outer identity gets properly
logged because the AP can see that just fine.

Does it sound like I'm on the right track here?

What we're planning on doing is starting to log both the FullName (inner) and
User-Name (outer) attributes.  At least in this case we have a chance of
tracing a MAC address back to an accounting record that has an actual valid
username associated with it.

We're only seeing these unknown records from a little over 10% of our APs,
and some of them are generating thousands of the records, so longer-term, of
course, we need to exercise some better RF management so that users don't
roam as often.  But that's another exercise for another day.  For now, I
just need to see if my reasoning is sound.

Thanks!!!



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
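
The correlation proposed in the post above (log both FullName and User-Name, then trace a MAC address back to a record that carries a valid username) can be sketched as follows. This is an added example, not part of the original post and not Funk/Juniper tooling; the CSV export layout, the use of Calling-Station-Id for the client MAC, the sample rows and the 12-hour window are assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export. The column layout is an assumption; User-Name is
# the outer identity and FullName the inner identity, as named in the thread.
SAMPLE_CSV = """\
Timestamp,NAS-IP-Address,Calling-Station-Id,Acct-Status-Type,User-Name,FullName
2006-09-18T09:00:05,192.0.2.11,00-11-22-33-44-55,Start,anonymous,jdoe
2006-09-18T09:04:40,192.0.2.12,0011.2233.4455,Start,anonymous,Unknown
2006-09-18T09:05:10,192.0.2.11,00:11:22:33:44:55,Start,anonymous,Unknown
2006-09-18T09:10:00,192.0.2.12,00-AA-BB-CC-DD-EE,Start,asmith,asmith
2006-09-18T09:30:00,192.0.2.13,00-DE-AD-BE-EF-01,Start,asmith,Unknown
2006-09-19T10:00:00,192.0.2.12,00-AA-BB-CC-DD-EE,Start,asmith,Unknown
"""

UNKNOWN = ("", "Unknown")


def normalize_mac(raw):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def load_records(text):
    """Parse the export and return records sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.fromisoformat(row["Timestamp"]),
            "nas": row["NAS-IP-Address"],
            "mac": normalize_mac(row["Calling-Station-Id"]),
            "outer": row["User-Name"],
            "inner": row["FullName"],
        })
    return sorted(rows, key=lambda r: r["time"])


def resolve_identities(rows, max_age=timedelta(hours=12)):
    """Attach an accountable identity to every record.

    A record with a real FullName is trusted as logged. A record with an
    unknown FullName borrows the most recent inner identity seen for the same
    MAC, but only within max_age. The outer identity is never used as a
    fallback, because the user types it in and it proves nothing.
    """
    last_known = {}  # mac -> (inner identity, time it was logged)
    resolved = []
    for r in rows:
        if r["inner"] not in UNKNOWN:
            last_known[r["mac"]] = (r["inner"], r["time"])
            identity, how = r["inner"], "logged"
        else:
            prior = last_known.get(r["mac"])
            if prior and r["time"] - prior[1] <= max_age:
                identity, how = prior[0], "correlated"
            else:
                identity, how = None, "unresolved"
        resolved.append({
            **r,
            "identity": identity,
            "how": how,
            # True when the user-supplied outer name is not the real account.
            "outer_differs": identity is not None and identity != r["outer"],
        })
    return resolved


def unknown_by_nas(rows):
    """Count unknown-FullName records per AP, to find the roaming hot spots."""
    return Counter(r["nas"] for r in rows if r["inner"] in UNKNOWN)


if __name__ == "__main__":
    result = resolve_identities(load_records(SAMPLE_CSV))
    for r in result:
        print(r["time"], r["nas"], r["mac"], r["outer"], r["identity"], r["how"])
    print(unknown_by_nas(result).most_common())
```

Records that stay unresolved are the ones worth reviewing by hand: the MAC was never seen with a real inner identity inside the window, so only the user-supplied outer name is available.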



Re: [WIRELESS-LAN] Implementing PEAP/ Using NAT

2006-09-22 Thread Julian Y. Koh

At 12:04 -0400 09/22/2006, Stephen Holland wrote:
>I have two questions for the list
>
>1) We are looking into implementing PEAP and I would be interested to know
>how others have implemented it, issues that came up, number of users, and
>any other insights you might have.

We've done it here at NU this past year.  The problems/issues have mainly
been RADIUS-related.  I think most of them have been aired on this list.  :)

Things are working, though - not 100% sure about the user counts just yet,
but any additional person that moves off of our VPN-restricted SSID and moves
to the 802.1X/WPA2/EAP-PEAP network is a gift.  :)

>2)  We have some address space issues and the use of NAT has been proposed.
>I am of the opinion that NAT is not the optimal solution in the EDU
>environment because somebody always develops an application that breaks
>it.  However, I would be interested to know what other folks on the list
>think about the use of NAT.

I usually vote against NAT, but obviously it has its uses.  We're not
constrained for address space (yet), so luckily we're not forced into using
NAT when we don't want to.



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Implementing PEAP/ Using NAT

2006-09-22 Thread Julian Y. Koh

At 14:19 -0400 09/22/2006, Stan Brooks wrote:
>The only issue we've had is that even with Verisign signed
>cert on each RADIUS server, we still have to manually accept the cert
>(only once) the first time the client authenticates.

I think this is a good security measure.  If a rogue AP & RADIUS server come
up with a valid CA-signed cert, you wouldn't want the computers to accept it
without any kind of chance to inspect it.

Now, granted, in practical terms, the users will probably accept any cert
that's presented, but we try to make an effort in our documentation to
tell them to check the cert.



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] WPA or VPN

2006-09-25 Thread Julian Y. Koh

At 17:04 -0400 09/24/2006, Zeller, Tom S wrote:
>I have seen improvement with the built-in Macintosh client with the
>ASA, having stayed connected over a wired connection for over 24 hrs.

Have you tried it when the client is behind a NAT device?  When connecting a
Mac OS X box via L2TP/IPSec to a VPN 3000 through NAT, the connection drops
after 45 minutes.  And it wasn't until 10.4.5 that L2TP/IPSec worked at all
to a VPN 3000 through NAT.

Given that the ASA is supposed to be built with VPN 3000 technology, I would
be interested to see if these limitations are still in place.



-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Frequent reassociations/reauthentications in 802.1x WLAN

2006-09-27 Thread Julian Y. Koh

At 4:15 PM -0400 9/27/06, Shumon Huque wrote:
>A large number of users seem to be repeatedly authenticating,
>some of them as frequently as every 30 seconds or every few
>minutes. Some debugging revealed that these users are frequently
>oscillating their associations between a number of different
>access points. A smaller number of users keep reassociating with
>the same access point.

This is exactly the problem that I referred to in my recent post of 9/18
("More fun with RADIUS").  We are working on adjusting the power levels and
channel assignments of the various APs in the problem areas to cut down the
frequency of these roaming events.  Our reauth times don't appear to take
that long at all, probably because all of our APs tunnel back up to a WLSM,
so all the authentications appear to come from there as far as the RADIUS
server is concerned.

-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
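
The reauthentication pattern discussed in this message (clients oscillating between several access points versus clients repeatedly reassociating with one) can be separated out of authentication logs. The following is an added example, not part of the original post; the three-field log format, the sample lines, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <username> <access point>" per successful auth.
SAMPLE_LOG = """\
2006-09-27T16:00:00 alice ap-lib-1
2006-09-27T16:00:30 alice ap-lib-2
2006-09-27T16:01:00 alice ap-lib-1
2006-09-27T16:01:30 alice ap-lib-3
2006-09-27T16:00:10 bob ap-hall-7
2006-09-27T16:02:10 bob ap-hall-7
2006-09-27T16:04:00 bob ap-hall-7
2006-09-27T16:04:50 bob ap-hall-7
2006-09-27T16:00:05 carol ap-lab-2
2006-09-27T17:30:00 carol ap-lab-4
"""

def parse_events(text):
    """Group (time, ap) events per user, sorted by time; skip malformed lines."""
    by_user = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, user, ap = parts
        by_user[user].append((datetime.fromisoformat(ts), ap))
    for events in by_user.values():
        events.sort()
    return by_user

def find_reauth_churn(by_user, window=timedelta(minutes=5), min_auths=4):
    """Flag users with >= min_auths authentications inside any sliding window.

    Returns {user: (kind, aps)}: kind is "oscillating" when the burst spans
    several APs (an RF power/channel tuning problem) and "same-ap" when the
    client keeps reassociating with one AP.
    """
    findings = {}
    for user, events in by_user.items():
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it fits the time span.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= min_auths:
                aps = {ap for _, ap in events[start:end + 1]}
                kind = "oscillating" if len(aps) > 1 else "same-ap"
                findings[user] = (kind, sorted(aps))
                break
    return findings

if __name__ == "__main__":
    for user, (kind, aps) in find_reauth_churn(parse_events(SAMPLE_LOG)).items():
        print(user, kind, aps)
```
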



Re: [WIRELESS-LAN] 802.1X and Mac Supplicant

2006-10-11 Thread Julian Y. Koh

At 11:07 -0400 10/11/2006, Walter Reynolds wrote:
>Is this preventing anyone from deploying 802.1X?  Has someone found a
>solution?  Has anyone reported this to Apple?

I know that others have reported this to Apple, but more feedback never
hurts.

We went ahead with our 802.1X/WPA2/EAP-PEAP deployment anyway, with specific
instructions in our documentation on how to validate the certificate that's
presented by the RADIUS server.  It's not ideal, but it's better than
nothing.


-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Dynamic WEP: caution

2006-10-12 Thread Julian Y. Koh

At 16:34 -0400 10/11/2006, Philippe Hanset wrote:
>http://www.ja.net/development/wireless/wag/wep-strongly-deprecated.pdf

What implications are there for TKIP and WPA1?


-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] 802.1X and Mac Supplicant

2006-10-12 Thread Julian Y. Koh
Heh.  Timely article today on ZDNet.

<http://news.zdnet.com/2100-1009_22-6125213.html>


-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] Dynamic WEP transition to WPA

2006-10-27 Thread Julian Y. Koh

At 12:19 -0400 10/27/2006, Keith Moores wrote:
>3) Deploy a new SSID/VLAN, announce a cutover period, after which
>shut down the old one.
>
>Pros: Gives people a chance to reconfigure on their own schedule
>Cons: A LOT more back-end work, I'll miss our current ssid, go
>(cavalier)s!

This is the most user-friendly way to go.  That's what we are doing with our
migration from open SSID+VPN required --> WPA2.


-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>



Re: [WIRELESS-LAN] securew2 client

2006-11-08 Thread Julian Y. Koh

At 11:45 -0400 11/08/2006, Matt Ashfield wrote:
>I was just wondering if anyone out there is using the secureW2 client for
>802.1x access? If so, I'm wondering how you deal with non-Windows clients.

This depends on what EAP type you're using.  In general, Mac OS X supports
all the major EAP types in use today (TTLS, TLS, EAP-FAST, LEAP, PEAP, MD5).
There are a couple supplicants like Open1X for Linux and other flavors of
*nix.


-- 
Julian Y. Koh <mailto:[EMAIL PROTECTED]>
Network Engineer   
Telecommunications and Network Services Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>


