Re: [WIRELESS-LAN] Cisco WLC code recommendations

2017-03-13 Thread Ken LeCompte
We are currently running a handful of 5508s with 8.0.133.0 and have been stable 
for some time with around 400 APs and upwards of 1.5k clients. We also run a 
half dozen 5520s with 8.2.141.0 and they have been running solid with around 1k 
APs each and upwards of 10k clients. We do not however run anything but 2600, 
3600, 2700 and 3700 APs.

The only issue I have seen that I don’t understand well yet is related to some 
APs losing their minds during network interruptions. The APs will appear up from 
CDP neighbor information, but will have lost their name and will not connect to 
their configured primary or secondary controllers. A power cycle will often 
recover the AP, but not always. I believe that issue started with 8.2.

Thank you.

Ken

--
Ken LeCompte - Consulting Telecommunications Analyst
Telecommunications Division
Office of Information Technology
Rutgers, The State University of New Jersey
Office ~ (848) 445-4823

On Mar 10, 2017, at 1:52 PM, Entwistle, Bruce 
<bruce_entwis...@redlands.edu> wrote:

We are currently running version 8.0.133.0 on our Cisco 5508 controllers, as 
our current access points are primarily 3500s and 3600s. However we have 
recently purchased a batch of 2802i access points whose minimum supported 
version is 8.2.110.0.  I was looking to the group for their recommendations on 
a stable version of code which will support our new 2802i access points.

Thank you
Bruce Entwistle
Network Manager
University of Redlands

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.





Re: [WIRELESS-LAN] Ruckus has purchased Cloudpath

2015-10-27 Thread Ken LeCompte
Philippe,

I am confused by your statement about Apple dropping support for EAP-TTLS. Do 
you have something official stating this? iOS9 clearly supports EAP-TTLS-PAP 
and my understanding is that MacOS 10.11 is essentially the same as iOS9 in 
terms of 802.1x.

Thank you.

Ken

-- 
Ken LeCompte - Consulting Telecommunications Analyst
Telecommunications Division
Office of Information Technology
Rutgers, The State University of New Jersey
Office ~ (848) 445-4823

On Oct 22, 2015, at 11:40 AM, Philippe Hanset  wrote:

> Just to clarify, CAT (cat.eduroam.org) is mostly designed for PEAP and 
> EAP-TTLS. 
> You could use it for EAP-TLS but it doesn’t tie to a PKI (that part of the 
> code is missing)
> 
> Support for EAP-TTLS for Windows XP-VISTA-7 was interrupted this year after 
> SecureW2 asked CAT to stop using its code.
> 
> But new versions of MacOS do not support EAP-TTLS, so it seems that EAP-TTLS 
> might really disappear anyway!
> (if you want to support PEAP in a non Microsoft environment, you can read 
> this: https://www.eduroam.us/node/97)
> 
> Philippe
> 
> Philippe Hanset
> www.eduroam.us
> 
> 
>> On Oct 22, 2015, at 11:14 AM, Philippe Hanset  wrote:
>> 
>> Or if you only care about 802.1X automatic configuration (and not about all 
>> the features of device management that come with Cloudpath and others)
>> you can use the free configuration tool from cat.eduroam.org (definitely not 
>> as good as Cloudpath, but good enough for many of us ..and it does support 
>> your local SSID in addition to eduroam)
>> 
>> Philippe
>> 
>> Philippe Hanset
>> www.eduroam.us
>> 
>>> On Oct 22, 2015, at 11:02 AM, Coehoorn, Joel  wrote:
>>> 
>>> Best case scenario: Ruckus' awesome Dynamic PSK feature gets rolled into 
>>> Cloudpath for the rest of us and the pricing comes down in an effort to use 
>>> CloudPath to eventually sway customers towards Ruckus hardware. Worst case: 
>>> Cloudpath effectively goes Ruckus-only, leaving us to move to either 
>>> Secure-W2, Cisco ISE, or Aruba ClearPass.
>>> 
>>> 
>>> 
>>> 
>>> Joel Coehoorn
>>> Director of Information Technology
>>> 402.363.5603
>>> jcoeho...@york.edu
>>> 
>>> 
>>> The mission of York College is to transform lives through Christ-centered 
>>> education and to equip students for lifelong service to God, family, and 
>>> society
>>> 
>>> On Thu, Oct 22, 2015 at 9:58 AM, Frank Sweetser  wrote:
>>> Well that's... interesting.
>>> 
>>> Anyone heard any rumors about what their roadmap might be?  These 
>>> acquisitions of an independent service by a larger portfolio company rarely 
>>> seem to well for customers of the independent service if you're not also a 
>>> customer of the large one.
>>> 
>>> Frank Sweetser fs at wpi.edu    |  For every problem, there is a solution that
>>> Manager of Network Operations   |  is simple, elegant, and wrong.
>>> Worcester Polytechnic Institute |   - HL Mencken
>>> 
>>> On 10/22/2015 10:43 AM, Lee H Badman wrote:
>>> FYI.
>>> *Lee Badman*| Network Architect
>>> Information Technology Services
>>> 206 Machinery Hall
>>> 120 Smith Drive
>>> Syracuse, New York 13244
>>> *t* 315.443.3003 *f* 315.443.4325 *e* _lhbadman@syr.edu_
>>> <mailto:lhbad...@syr.edu> *w* its.syr.edu
>>> *SYRACUSE UNIVERSITY
>>> *syr.edu
>>> ** Participation and subscription information for this EDUCAUSE
>>> Constituent Group discussion list can be found at
>>> http://www.educause.edu/groups/.
>>> 



Re: [WIRELESS-LAN] List abuse? SecureW2

2014-03-06 Thread Ken LeCompte
I am not sure I would consider the mention of an email thread from a public 
listserv as "marketing material". Regardless, I am a happy customer of SecureW2 
and have provided references to that effect, so I am not offended if they see 
some benefit in mentioning that to a prospective customer.

-- 
Ken LeCompte - Manager of Information Technology
Telecommunications Division
Office of Information Technology
Rutgers, The State University of New Jersey
Office ~ (848) 445-4823
Facebook: http://fb.me/RUWireless



On Mar 5, 2014, at 12:02 PM, Jeffrey Sessler  wrote:

> I'd be interested in knowing if other members on the list who are Cloudpath 
> customers have recently been contacted by SecureW2?
>  
> I received an unsolicited marketing email from them today touting their 
> product, including the fact that "quite a few" former XpressConnect customers 
> have switched to them. As proof, the marketing email links back to a Jan 16th 
> discussion on this list where someone from Rutgers posted about their 
> experience.
>  
> I suspect they collected my email from the list thus why I'm interested in 
> knowing if other Cloudpath customers on the list got a similar email.
> Do the educause list rules allow use of posts in marketing?
> For Rutgers, are you aware Securew2 is using you in their marketing material?
>  
> best,
> Jeff


Re: [WIRELESS-LAN] Cisco WLC and SecureW2

2014-01-16 Thread Ken LeCompte
At Rutgers we have used SecureW2's MS Windows supplicant for years. In the past 
we used it in conjunction with Cloudpath XpressConnect, which many schools did. 
The major problem arose when Apple discontinued default support for Java, which 
XpressConnect was programmed in. We had also been struggling to afford the cost 
of the product, which I understand became somewhat more affordable after we 
discontinued our contract. We rolled our own solution for a year and then were 
thrilled to find out SecureW2 were working on their own solution. We have been 
using it now for about six months and have been very happy with its features 
and flexibility. I have also found the product far more affordable than 
Cloudpath without the loss of function or support. We are also a Cisco WLC shop 
but as was previously mentioned there is not considerable difference here among 
wireless vendors.

Thank you.

Ken

-- 
Ken LeCompte - Manager of Information Technology
Central Systems and Services
Office of Information Technology
Rutgers, The State University of New Jersey
Office ~ (732) 445-4823
Facebook: http://fb.me/RUWireless

- Original Message -
From: "Joe Roth" 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, January 16, 2014 8:57:34 AM
Subject: Re: [WIRELESS-LAN] Cisco WLC and SecureW2

Sapna,

We use Cisco WiSM2's, presently running 7.4.110.0 and we just finished
evaluating SecureW2 JoinNow and we are going to implement in production by
the end of this week. It has worked well for us. We use Entrust for our
certs.


On Thu, Jan 16, 2014 at 5:32 AM, Scharloo, Gertjan wrote:

>  Hi Sapna,
>
>
>
> We have been using SecureW2 on boarding technology for years successfully
> with Cisco WLC 7.2.110.10. (We are now running WLC 7.6.100.0 and WLC
> 7.4.121.0 also without problems).   This type of solution is used widely in
> various types of WLCs, not limited to Cisco  WLCs and the configurations
> are not really specific to SecureW2 but across onboarding solutions. In our
> case we have an unauthenticated open SSID, our "UvAguests or HvAguests"
> SSID, and use the captive portal *external* web redirect functionality of
> the WLC to redirect the associated clients  to our internal web server
>
> (https://wifiportal.uva.nl / https://wifiportal.hva.nl ) hosting the
> JoinNow package and Cisco NAC/ISE guests functionally (only internal) .
> Users who have an existing internet connection that try to access this URL
> are redirected to the package hosted in the cloud to configure their
> devices. We like having the flexibility of both the cloud and locally
> hosted options.
>
>
>
>
>
>
>
> Kind regards,
>
>
>
> *Technical Support*
>
> IC – Informatiseringscentrum
>
>
>
> *Gertjan Scharloo*
>
>
>
> Gebouw Leeuwenburg
>
> Weesperzijde 190 | 1097 DZ Amsterdam | room A 9.36
>
> *T:  *(020) 525 4885
>
> *E:*  g.schar...@uva.nl
>
> *Present:* | Tue | Wed | Thu | Fri |
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Misra, Sapna
> *Sent:* Tuesday, 14 January 2014 22:06
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Cisco WLC and SecureW2
>
>
>
> We have Cisco Wireless controllers (WiSM2, 5508s and 8510s) and we are
> looking for an “onboarding solution”. We are getting ready to evaluate
> SecureW2 and were wondering if anyone in this group  with Cisco Wireless
> Controllers is using SecureW2.
>
>
>
> Thanks ,
>
>
>
>
>
>
> *Sapna Misra | Network Engineer II | Information Technology | Vanderbilt
> University *sapna.tripa...@vanderbilt.edu | phone 615-483-5371|
> it.vanderbilt.edu
>
>
>


-- 
Joe Roth
Network Manager
Binghamton University
Ph. 607-777-7528
Fax 607-777-4009



Re: [WIRELESS-LAN] 802.1x vs web-portal

2013-11-19 Thread Ken LeCompte
One major consideration is that the use of https for more and more webpages is 
resulting in more confused users not getting redirected to captive portal login 
pages. There is also the more obvious issue that client data is not encrypted 
over the air, although you could argue that more and more applications are 
using TLS/SSL. I do think that you are correct that captive portal robustness 
has been dramatically increased with products like the 5508, which handles a 
great deal more simultaneous connections than other products before it. I also 
feel like captive portal security is kinder to backend authentication servers 
since the authentication is typically done once with a decent length session 
timeout, whereas many supplicants do tons of reauths.

Thanks.

Ken
 
-- 
Ken LeCompte - Manager of Information Technology
Central Systems and Services
Office of Information Technology
Rutgers, The State University of New Jersey
Office ~ (848) 445-4823
Facebook: http://fb.me/RUWireless

On Nov 19, 2013, at 3:28 PM, "Ashfield, Matt (NBCC)"  
wrote:

> Just wondering what people’s thoughts are here regarding using the Web Portal 
> authentication vs 802.1x auth in your wifi networks. Obviously one big “pro” 
> for 802.1x is dynamic vlan assignment based on the user’s credentials, but 
> certainly for web-portal the big “pro” is simplicity for the user.
> 
> We currently use ExpressConnect to configure student devices for our 802.1x 
> wifi network using cert-based authentication, and while it works great 90% of 
> the time, we have 10% where it’s tough to get the user on for a variety of 
> reasons on student owned devices. Since we provide guest access via a portal 
> authentication, we inevitably get the question as to why don’t we do all wifi 
> auth with that?
>  
> I know when I first started out, there were limitations with the # of users a 
> portal auth system could support, but I don’t think that’s a major concern 
> anymore (we are using Cisco 5508 controllers here).  Just wondering what the 
> thoughts are on this list. Always good input.
> 
> Thanks
>  
>  
>  
> Matt


Anybody Using SecureW2 JoinNow MultiOS?

2012-12-18 Thread Ken LeCompte
I am curious if anybody out there is using SecureW2 Join MultiOS for BYOD 
on-boarding. They are a competitor to XpressConnect Cloudpath. I just finished 
a dog and pony show with them and was quite impressed. Since they already 
provide our TTLS Windows supplicant, I was very interested to see their BYOD 
offering as it is being offered as a free add on to the Enterprise client 
license.

Thank you.

Ken

-- 
Ken LeCompte - Manager of Information Technology
Central Systems and Services
Office of Information Technology
Rutgers, The State University of New Jersey
Office ~ (848) 445-4823
Facebook: http://fb.me/RUWireless



Re: [WIRELESS-LAN] DHCP losing its mind….

2012-08-27 Thread Ken LeCompte
Phillip,

This is a bit outside my area of systems expertise, but I can tell you that we 
designed our ISC DHCP servers from the beginning to keep their leases, config 
and log files in a ramdisk because we found that while the system may not be 
I/O bound, the single threaded nature of ISC dhcp caused it to be I/O bound. We 
went from something on the order of 16 clients per second to 1000 clients per 
second with that fundamental change.

Thanks.

Ken

On Aug 27, 2012, at 2:19 PM, Hanset, Philippe C wrote:

> All,
> 
> (trying to help our systems group by asking this list)
> 
> Have any of you experienced DHCP issues due to too many machines requesting 
> leases?
> 
> We run two ISC DHCP servers (in Active-Active mode) with 30 minutes lease time
> Running on SUN V440, no unusual I/O load, no unusual CPU load and ethernet is 
> fine.
> 
> DHCP is literally not responding to lease requests, on wired and on wireless.
> 
> We were fine during the summer (with 5000 concurrent users), but we are not 
> now with 14,000 concurrent users.
> 
> Thanks,
> 
> Philippe 
> 
> Philippe Hanset
> University of Tennessee, Knoxville
> www.eduroamus.org



-- 
Ken LeCompte - Manager of Information Technology
Rutgers University Office of Information Technology
Campus Computing Services - Central Systems and Services
Office ~ (732) 445-4823



Re: [WIRELESS-LAN] Filter-ID passing from FreeRadius v2 to controller

2012-04-04 Thread Ken LeCompte
Just one thing to be careful of when running FreeRADIUS is debug mode (radiusd 
-X). It will run single threaded and produce very verbose output, READ: 
performance will be terrible, so run this only during a very slow time or only 
on a test server.

Ken
-- 
Ken LeCompte - Manager of Information Technology
Rutgers University Office of Information Technology
Campus Computing Services - Central Systems and Services
Office ~ (732) 445-4823





On Apr 3, 2012, at 4:45 PM, Christopher Wieringa wrote:

> It is hard to say exactly why it isn't adding it in without seeing some 
> actual configuration or server debugging text, but there are a few areas you 
> can check.  
> 
> First, make sure that you have the dictionary with that radius attribute 
> loaded.   It should be loaded by default, but it doesn't hurt to check that 
> the dictionaries are being loaded.  With a quick search it looks like the 
> attribute you want is in the file "dictionary.rfc2865" named "Filter-Id".  I 
> don't have a copy of FreeRadius 1.x's dictionaries around, but the attribute 
> name might have changed slightly in the 2.x series - make sure you are 
> referring to it correctly.
> 
> Next, make sure that you are populating Filter-Id as a reply attribute - are 
> you setting it through a LDAP attribute map, from SQL's radreply or 
> radgroupreply tables, or some other method?  If you think you are, then I 
> would suggest running your radius server in debug mode (./radiusd -X) and 
> watching an authentication and see why or why not it is being added to the 
> radius reply.
> 
> If that still doesn't work, for testing, you can add the following lines into 
> your post-auth section of the server config to add the attribute to all 
> completed and accepted requests.
> 
> update reply {
>  Filter-Id := "student"
> }
> 
> You also might try the FreeRadius listserv for support as well (make sure to 
> include configuration snippets and debugging output), or email me direct with 
> the same.
> 
> Chris Wieringa
> 
> 
>>>> On 4/3/2012 at 2:42 PM, "Wright, Don"  wrote:
>> We have been testing with the latest version 2.x of FreeRadius and are
>> having trouble passing the Filter-ID information back to our Aruba
>> controllers.  Note the packet traces below show the missing Filter-ID in
>> the 2.x version, and where it is present on our functioning version 1.x
>> FreeRadius servers.  My systems people have tried different configuration
>> settings on the server based on the documentation they are looking at, but
>> without any positive results so far.
>> Does anyone have an idea of what setting might resolve this, or can
>> point us to documentation that shows how this works?  Thanks in advance for
>> any help.
>> 
>> Don Wright
>> Brown University
>> 
>> From Version 1.x server:
>> 
>> 16:04:51.121056 IP (tos 0x0, ttl  64, id 0, offset 0, flags
>> [DF], proto: UDP (17), length: 207) 10.4.28.15.1645 >
>> 128.148.10.104.32797: RADIUS, length: 179
>> *Access Accept (2)*, id: 0xaa, Authenticator:
>> c85628210672caeedf2c8e3ade84cdfa
>>   *Filter ID Attribute (11), length: 9, Value: student*
>>  Vendor Specific Attribute (26), length: 58, Value: Vendor:
>> Microsoft (311) [|radius] [|radius]
>> 
>> 
>> From Version 2.x server:
>> 
>> 15:39:34.337535 IP (tos 0x0, ttl  64, id 59206, offset 0, flags
>> [none], proto: UDP (17), length: 197) 10.4.28.12.1645 >
>> 128.148.10.104.33828: RADIUS, length: 169
>>   *Access Accept (2)*, id: 0xbf,
>> Authenticator: 85c2f9f515ee8ff6a8bee1d88cae243c
>>   Vendor Specific Attribute (26), length: 58, Value: Vendor:
>> Microsoft (311) [|radius] [|radius]
>> 
> 
> 
> 
> -- 
> --
> Chris Wieringa
> cwier...@calvin.edu
> Sr. Systems Engineer
> Calvin Information Technology 
> 
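The two traces in this thread differ in whether attribute 11 (Filter-Id) is present in the Access-Accept. As an added example (not code from any of the posters or from FreeRADIUS), the following Python parser walks the RADIUS attribute list and reports the Filter-Id values, so the same check can be run on captured reply payloads. The sample packets are constructed: the authenticator is zeroed and the Microsoft VSA body is placeholder bytes; `build_packet`, `parse_packet` and `filter_ids` are names chosen for this example.

```python
import struct

# Codes and attribute types from RFC 2865; they match the numbers in the traces.
ACCESS_ACCEPT = 2
FILTER_ID = 11
VENDOR_SPECIFIC = 26
MICROSOFT_VENDOR_ID = 311


def build_packet(code, ident, attributes):
    """Assemble a RADIUS packet from (type, value) pairs with a zeroed authenticator.

    Helper for the constructed samples below; it does not sign anything.
    """
    body = b"".join(bytes([atype, len(value) + 2]) + value
                    for atype, value in attributes)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_packet(data):
    """Return (code, identifier, [(type, value), ...]); ValueError if malformed."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        # alen counts the type and length octets too, so 2 is the minimum.
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def filter_ids(data):
    """Filter-Id values in an Access-Accept; None when the packet is another code."""
    code, _ident, attrs = parse_packet(data)
    if code != ACCESS_ACCEPT:
        return None
    return [value.decode("utf-8", "replace")
            for atype, value in attrs if atype == FILTER_ID]


# Constructed samples shaped like the two traces: a 58-byte Microsoft VSA
# (4-byte vendor id + 52 placeholder bytes), with and without Filter-Id "student".
_MS_VSA = (VENDOR_SPECIFIC, struct.pack("!I", MICROSOFT_VENDOR_ID) + bytes(52))
V1_ACCEPT = build_packet(ACCESS_ACCEPT, 0xAA, [(FILTER_ID, b"student"), _MS_VSA])
V2_ACCEPT = build_packet(ACCESS_ACCEPT, 0xBF, [_MS_VSA])

if __name__ == "__main__":
    for name, pkt in (("1.x-style", V1_ACCEPT), ("2.x-style", V2_ACCEPT)):
        print(name, "Filter-Id:", filter_ids(pkt) or "MISSING")
```
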


Re: [WIRELESS-LAN] WPA2 vulnerability found

2010-07-29 Thread Ken LeCompte
This is good news to at least one vendor. Meru Network's Virtual Cell feature 
creates a unique BSSID for each associated station, thereby rendering the whole 
vulnerability a non-issue.

-- 
Ken LeCompte - Telecommunications Analyst
Rutgers University Office of Information Technology
Campus Computing Services - Central Systems and Services
Office ~ (732) 445-4823

On Jul 26, 2010, at 5:59 PM, Chris Hart wrote:

> This is not good - It does not mention anything about keys that are 
> rotated. 
>  
> http://www.networkworld.com/newsletters/wireless/2010/072610wireless1.html
>  
>  
>  


Re: [WIRELESS-LAN] Private IP space for wireless users- anyone?

2009-12-17 Thread Ken LeCompte

Jamie,

We have a Bluesocket/Meru implementation. Both companies perform  
broadcast suppression by using proxy ARP at the access points. Meru  
also converts a lot of broadcast frames into unicast at the access  
point for the same reason. In any event, I was apprehensive about the  
move initially, but the claims seem accurate as the broadcast traffic  
seems quite limited at individual clients.


Thanks.

Ken
--
Ken LeCompte - Telecommunications Analyst
Rutgers University Office of Information Technology
Campus Computing Services - Central Systems and Services
Office ~ (732) 445-4823

On Dec 16, 2009, at 10:04 AM, Jamie Savage wrote:


Ken,
  /20 subnets?...I've always been concerned about such
a large broadcast domain...ie...we've not gone larger than /22.
Have you done any special tweaking to facilitate the /20s or have
they just worked fine as is?

...thx...J

James Savage                     York University
Senior Communications Tech.      108 Steacie Building
jsav...@yorku.ca                 4700 Keele Street
ph: 416-736-2100 ext. 22605      Toronto, Ontario
fax: 416-736-5830                M3J 1P3, CANADA



From:    Ken LeCompte
To:      WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date:    12/16/2009 08:11 AM
Subject: Re: [WIRELESS-LAN] Private IP space for wireless users- anyone?
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv




We are doing NAT/PAT at the edge with a firewall module in a 6500 for
our 5000 peak logged in users. We use four /20's to break up those
users across our wireless controllers. The wireless users are also not
the only ones being NATed at that firewall module. All of the dorm
wired users are NATed there too.

Thanks.

Ken

--
Ken LeCompte - Telecommunications Analyst
Rutgers University Office of Information Technology
Campus Computing Services - Central Systems and Services
Office ~ (732) 445-4823

On Dec 15, 2009, at 6:36 AM, Lee H Badman wrote:

> Thanks for all of the responses- I wonder if anyone with a peak
> usage like ours is doing NAT- almost 6500 clients?
>
> -Lee
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [wireless-...@listserv.educause.edu] On Behalf Of Jason Appah [jason.ap...@oit.edu]
> Sent: Monday, December 14, 2009 11:03 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Private IP space for wireless users-
> anyone?
>
> Yes, that is what we do. I just wondered how big of a bear it would be
> to track pat in a university wireless environment.
>
> In a second related note, we recently changed our NAT timeout from 3
> to 2 hours as we were beginning to run out of 1 to 1 NAT ranges
>
> Sent from my iPhone
>
> Jason Appah
> Systems Administrator
> Oregon Tech
>
> On Dec 14, 2009, at 6:33 PM, "Phil Trivilino" wrote:
>
>> We do 1to1 dynamic NAT on the ASA firewall and log all the
>> translations to a syslog server.  Easy to get the private ip from
>> the log given the time and global ip.  It is all we've seen the need
>> for to this point.
>> Phil
>>
>> On Dec 14, 2009, at 8:55 PM, Lee H Badman wrote:
>>
>>> Wondering how many other schools are using private IP space for
>>> wireless users, how you accomplish the NAT, and what mechanisms you
>>> use for user tracking for the private-public mappings for forensic/
>>> investigatory purposes.
>>>
>>> Thanks-
>>>
>>> Lee


Re: [WIRELESS-LAN] Private IP space for wireless users- anyone?

2009-12-16 Thread Ken LeCompte
We are doing NAT/PAT at the edge with a firewall module in a 6500 for  
our 5000 peak logged in users. We use four /20's to break up those  
users across our wireless controllers. The wireless users are also not  
the only ones being NATed at that firewall module. All of the dorm  
wired users are NATed there too.


Thanks.

Ken

--
Ken LeCompte - Telecommunications Analyst
Rutgers University Office of Information Technology
Campus Computing Services - Central Systems and Services
Office ~ (732) 445-4823

On Dec 15, 2009, at 6:36 AM, Lee H Badman wrote:

Thanks for all of the responses- I wonder if anyone with a peak  
usage like ours is doing NAT- almost 6500 clients?


-Lee

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[wireless-...@listserv.educause.edu] On Behalf Of Jason Appah [jason.ap...@oit.edu]

Sent: Monday, December 14, 2009 11:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Private IP space for wireless users-  
anyone?


Yes, that is what we do. I just wondered how big of a bear it would be
to track pat in a university wireless environment.

In a second related note, we recently changed our NAT timeout from 3
to 2 hours as we were beginning to run out of 1 to 1 NAT ranges

Sent from my iPhone

Jason Appah
Systems Administrator
Oregon Tech

On Dec 14, 2009, at 6:33 PM, "Phil Trivilino"  wrote:


We do 1to1 dynamic NAT on the ASA firewall and log all the
translations to a syslog server.  Easy to get the private ip from
the log given the time and global ip.  It is all we've seen the need
for to this point.
Phil

On Dec 14, 2009, at 8:55 PM, Lee H Badman wrote:


Wondering how many other schools are using private IP space for
wireless users, how you accomplish the NAT, and what mechanisms you
use for user tracking for the private-public mappings for forensic/
investigatory purposes.

Thanks-

Lee
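The lookup described in this thread and in the 2009-12-17 follow-up (private IP from the translation log, given the time and the global IP) can be written as an interval search. This is an added example, not code from any poster: it covers 1-to-1 dynamic NAT only (PAT would also need the port in the key), the log layout and sample lines are constructed rather than real ASA syslog, and it assumes the log timestamps and the time in the abuse report share one clock and timezone. `build_index` and `private_ip_at` are names chosen for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simplified "timestamp event private global" layout.
# This is NOT real firewall output; adapt the parsing to the device's format.
SAMPLE_LOG = """\
2009-12-14T18:00:05 BUILT 10.20.3.7 192.0.2.41
2009-12-14T18:02:11 BUILT 10.20.9.14 192.0.2.42
2009-12-14T20:00:05 TEARDOWN 10.20.3.7 192.0.2.41
2009-12-14T20:01:30 BUILT 10.21.0.88 192.0.2.41
2009-12-14T20:40:00 unrelated message that the parser skips
"""


def build_index(log_text):
    """Map each global IP to a time-ordered list of [start, end, private_ip].

    end stays None while no teardown has been seen for that translation.
    """
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("BUILT", "TEARDOWN"):
            continue  # not a translation record
        try:
            stamp = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp
        events.append((stamp, parts[1], parts[2], parts[3]))
    events.sort(key=lambda e: e[0])  # tolerate out-of-order syslog delivery

    index = defaultdict(list)
    for stamp, event, private_ip, global_ip in events:
        intervals = index[global_ip]
        still_open = bool(intervals) and intervals[-1][1] is None
        if event == "BUILT":
            if still_open:
                # The teardown record was lost: close the old entry at the
                # moment the global address was handed to the next client.
                intervals[-1][1] = stamp
            intervals.append([stamp, None, private_ip])
        elif still_open and intervals[-1][2] == private_ip:
            intervals[-1][1] = stamp
    return index


def private_ip_at(index, global_ip, when):
    """Private IP that held global_ip at `when` (start <= when < end), else None."""
    for start, end, private_ip in index.get(global_ip, []):
        if start <= when and (end is None or when < end):
            return private_ip
    return None


if __name__ == "__main__":
    idx = build_index(SAMPLE_LOG)
    for hhmm in ("19:00:00", "20:00:30", "20:05:00"):
        when = datetime.fromisoformat("2009-12-14T" + hhmm)
        print(hhmm, "192.0.2.41 ->", private_ip_at(idx, "192.0.2.41", when))
```

The same global address maps to two different clients within minutes here, which is why the timestamp in a report has to be precise; shortening the NAT timeout, as mentioned in the thread, makes such reuse more frequent.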


Re: [WIRELESS-LAN] Large numbers of clients in one room

2009-08-19 Thread Ken LeCompte
First, I don't think 50 users in a room is much to worry about for any  
pair of modern access points. Unless the users are all going to be  
high throughput users. For large open lecture halls being setup with  
the highest throughput in mind my recommendation regardless of  
equipment would be:


1. 3 channel(1,6,11) layout only with 2.4Ghz radios NO 4 channel(1,4,8,11)
   layout in open spaces
2. Ceiling mount antennas and use directional patch antennas NOT
   omni-directional antennas
3. Turn power down and don't be too worried about RF absorption, since it
   will actually help focus your client radios onto the best access point.


--
Ken LeCompte - Telecommunications Analyst
Rutgers University Office of Information Technology
Campus Computing Services - Central Systems and Services
Office ~ (732) 445-4823




On Aug 11, 2009, at 11:05 AM, John York wrote:


Hi
We have a small installation with about 40 Cisco lwap's (b/g) running on
a Cisco 4402. I've just gotten a request from a group that wants to run
50+ clients in one room.  The last time we tried that about 4 years ago,
it was a disaster.  We had fat AP's at the time.  There were a lot of
Mac's, and they kept grabbing each other instead of the AP's.  Ugh.  How
do folks handle this now?  With my current system can I just throw a
couple more AP's in the room and let them have at it?
Thanks
John

John York
Blue Ridge Community College, VA



Re: [WIRELESS-LAN] University of Chicago Removes Wireless From Classroom

2008-04-24 Thread Ken LeCompte
Harvard Medical School at one point used a scheduling database to determine 
what students should be in what location. They then gave professors the ability 
to opt in or out of allowing wireless access during their classes. They used 
Bluesocket to put the whole thing together, which is by far the easy part. The 
neat thing about the system was that a student was only blocked from using the 
wireless in the location that the professor had 'jurisdiction' over. I am not 
sure if they are still using the system.

Ken

-- 
Ken LeCompte - Telecommunications Analyst
Rutgers University Office of Information Technology
Campus Computing Services - Central Systems and Services
Office ~ (732) 445-4823

On Apr 24, 2008, at 2:42 PM, Steely, John wrote:

I believe that you are playing with fire when you start offering that type of 
control. What if one faculty member wants it, but another, who shares the same 
classroom, does not? Even if you remove APs in one building with classrooms, 
there's no guarantee that an adjacent admin or residential building won't bleed 
in. Do you then turn those buildings down, and wait for the cries of poor 
coverage to start?

Dangerous waters, IMHO.

John Steely
Associate Director
Infrastructure Systems Department
Library and Information Services
Dickinson College
P.O. Box 1773
Carlisle, PA 17013
717-245-1613 (Voice)
717-245-1690 (Fax)
[EMAIL PROTECTED]


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL 
PROTECTED] On Behalf Of Zeller, Tom S
Sent: Thursday, April 24, 2008 2:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] University of Chicago Removes Wireless From 
Classroom

My personal opinion is that it is not a good or even reasonable strategy to 
attempt  to control WiFi in the classroom.   For one thing, it's unlikely that 
an AP serves only a single classroom and no adjacent areas.  Secondly, we can't 
control the cellular signal, so really there's not much benefit from a cheating 
standpoint.

Tom Zeller
Indiana University

On 4/24/08 2:18 PM, "Lee H Badman" <[EMAIL PROTECTED]> wrote:

http://news.uchicago.edu/news.php?asset_id=1329

Are any other schools up against anything of this magnitude? Has anyone come up 
with a mechanism to let faculty have some control over wireless in classrooms?

-Lee


Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003
