RE: [WIRELESS-LAN] idEngines AAA server

2007-11-16 Thread King, Michael
The short answer (I'm a little pressed for time this morning)

The Ignition server (The radius server) has a lot of policy features,
that are very well laid out.  We're slowly implementing policy based
wireless networking using the policy features.  Immediate plans are to
have our Staff and Students on separate VLANS. (This is determined via
group membership in Active directory)

We are using the Guest Manager, and the Autoconnect Product.  We have an
Open broadcasted SSID out there, that resolves back to a splash page.
The splash page has two buttons.  The top button launches Autoconnect,
which will configure all the 802.1x settings for our Staff/Students
(anyone with a BSC account).

The bottom button launches the guest manager application, which allows
the user to create a time limited account. (We have a bunch of other
restrictions on it like bandwidth, and access to college resources).
After the account is created, it then launches the Autoconnect to
configure their wireless settings.

We are also using the above mentioned Policy features, so our Guest
users are on the same SSID, but they are on a third VLAN.

From your use requirements, it sounds like the Provisioner feature is
right up your alley.  As the Guest Manager Admin, you can create
Provisioners.
Each Provisioner account can be configured for the max amount of time
they are allowed to create accounts, what access zones, and network
rights are allowed (This all ties back to the policy features.)
Provisioner can be configured to:
1.  Not be able to see or edit password.
2.  Edit but not see password (Reset it)
3.  See and edit password.

Please don't hesitate to ask more questions.

Mike

-Original Message-
From: Hector J Rios [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 15, 2007 4:02 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] idEngines AAA server

Mike, 

We demoed the product last week and we were very impressed. In fact, the
amount of features and things you can do with it were actually
overwhelming. I'm interested to hear how you are using it and exactly
what features you've found helpful that other products don't have. In
particular, I liked the guest manager because it allows you to provide
an interface to your users to be able to create guest accounts and also
manage them. We currently have an application that we wrote in-house
where our staff and faculty can go to to create guest accounts for up to
seven days. The challenge is that among our staff and faculty, there are
those that have special needs and need to be able to create accounts for
longer than 7 days, change passwords, that kind of thing. I know this is
not available now, but I was told that with guest manager you will be
able to provide this type of access. In our case, we authenticate users
via AD. So if and when this feature becomes available, we should be able
to create an AD group where we can add the users with special needs.

The other reason why we are interested in idEngines is because if you
create guest accounts using Cisco's Lobby Ambassador (if you are
familiar with WCS), those accounts are only valid for WLANs with
WebAuth.  We've been having to pull all kinds of tricks to be able to
create accounts for our secure PEAP WLAN, our guest WebAuth WLAN, and
our wired LAN. It would be nice to have one interface that does it all.

Thanks,

-Hector


-Original Message-
From: King, Michael [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 15, 2007 8:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] idEngines AAA server

We have it here.  You may contact me on or off list.  (We also have the
Autoconnect product, and the Guest Manager)

Mike

-Original Message-
From: Hector J Rios [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 15, 2007 9:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] idEngines AAA server

This is for those of you that are familiar with idEngines' AAA server,
Ignition Server. We are considering this product to replace our Cisco
ACS servers. From what I've seen so far, the Ignition Server seems much
more granular and feature-rich. One of the features that we liked the
most is their Guest manager. Is there anybody that is currently using
this product? I'd be interested to hear what you think about it.

Thanks

Hector Rios
Telecommunications Analyst, NI
LSU Information Technology Services

**
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.


RE: [WIRELESS-LAN] idEngines AAA server

2007-11-15 Thread King, Michael
We have it here.  You may contact me on or off list.  (We also have the
Autoconnect product, and the Guest Manager)

Mike

-Original Message-
From: Hector J Rios [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 15, 2007 9:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] idEngines AAA server

This is for those of you that are familiar with idEngines' AAA server,
Ignition Server. We are considering this product to replace our Cisco
ACS servers. From what I've seen so far, the Ignition Server seems much
more granular and feature-rich. One of the features that we liked the
most is their Guest manager. Is there anybody that is currently using
this product? I'd be interested to hear what you think about it.

Thanks

Hector Rios
Telecommunications Analyst, NI
LSU Information Technology Services



RE: [WIRELESS-LAN] 802.11n Draft 2.0

2007-11-13 Thread King, Michael
True, you are correct about the gig port.

 

However, it's something to be aware of.  I can think of a few locations
where I've designed networks, and they are at the design capacity.  (And
we didn't expect it to happen that fast.  We designed for about 16 users
per AP Max load)

 

From: Frank Bulk [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 13, 2007 4:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.11n Draft 2.0

 

Michael:

 

I would argue that 802.11n APs don't require gigabit Ethernet ports,
though it would help with the occasional burst of traffic.  Schools who
can't afford an edge switch and wireless upgrade in one year could
easily get away with doing 802.11n draft gear this year, and edge
switching the next.  

 

In regards to power, almost all the vendors have some kind of solution
or workaround.  Some use a second Ethernet port, others power down a
radio chain.  Cisco is using CDP to negotiate more power out of select
models of their switch - see this article for more details:

http://www.networkcomputing.com/immersion/802.11n/showArticle.jhtml?articleID=201804302

 

Good point about the certification for GigE mid-span PoE.  I'm not sure
if the IEEE 802.3af standard ever addressed mid-span for GigE, but it is
addressed in 802.3at.

 

Regards,

 

Frank

 

From: King, Michael [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 13, 2007 2:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.11n Draft 2.0

 

Great question..

 

Two points you need to know.

 

1252's require gigabit Ethernet ports.  (Any 802.11n is going to need
gigabit Ethernet ports.  The actual throughput is over 100Mbs)

 

You'll need extra power.  Not many (if any) 802.11n AP's with dual
radios can run on standard POE.  Cisco is supposed to be releasing a
firmware for their 3750's that will allow it to power the 1252's, but
otherwise you'll be relegated to power injectors, or third party
mid-span devices. (That are gig certified)

 

Mike

 

From: Lee Weers [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 13, 2007 3:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.11n Draft 2.0

 

We are looking at a campus wide wireless deployment, and my supervisor
is pushing for a complete Cisco 1252 with N draft 2.0 capability.  We
would have about a total of 250 to 300 AP's in full deployment.  Our
wired infrastructure is currently 100% Procurve with about 90% of it
being 10/100 switched.  I'd like to know what other schools are doing
with 802.11n.

Thank you, 
  
Lee Weers 
Assistant Director for Network Services 
Central College IT Services 
(641) 628-7675 



RE: [WIRELESS-LAN] 802.11n Draft 2.0

2007-11-13 Thread King, Michael
Great question..

 

Two points you need to know.

 

 

1252's require gigabit Ethernet ports.  (Any 802.11n is going to need
gigabit Ethernet ports.  The actual throughput is over 100Mbs)

You'll need extra power.  Not many (if any) 802.11n AP's with dual
radios can run on standard POE.  Cisco is supposed to be releasing a
firmware for their 3750's that will allow it to power the 1252's, but
otherwise you'll be relegated to power injectors, or third party
mid-span devices. (That are gig certified)

 

Mike

 

From: Lee Weers [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 13, 2007 3:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.11n Draft 2.0

 

We are looking at a campus wide wireless deployment, and my supervisor
is pushing for a complete Cisco 1252 with N draft 2.0 capability.  We
would have about a total of 250 to 300 AP's in full deployment.  Our
wired infrastructure is currently 100% Procurve with about 90% of it
being 10/100 switched.  I'd like to know what other schools are doing
with 802.11n.

Thank you, 
  
Lee Weers 
Assistant Director for Network Services 
Central College IT Services 
(641) 628-7675 



RE: [WIRELESS-LAN] WCS 4.2

2007-11-07 Thread King, Michael
Doug,

Every release that you put on a Controller loads new software onto the
AP's.  There is always downtime with an upgrade.

Also, they upped the limit in the 4.0.206 to 10 APs at a time.

-Original Message-
Also the 4.2.62 has new code for the access points, so each will need to
download the new code.  Remember this takes about 4 minutes per access
point and each WLC can only upgrade 4 at a time, so 8 per WiSM.  If you
have a large installed wireless network plan on this downtime. 



RE: [WIRELESS-LAN] Authentication method comparison

2007-10-23 Thread King, Michael
Hi Don,

 

You could look at IDEngines.  They sell a service (Autoconnect) that
scripts the install of the 802.1x Supplicant on Windows / Mac

 

We currently use the built-in XP/Vista Supplicant with PEAP, but I know
that IDEngines also supports (and distributes) the SecureW2 client.
They are also funding the opensource development of the
http://open1x.sourceforge.net/ agent as well.

 

We used the Autoconnect service this fall, and it significantly reduced
the amount of people that needed "Wireless Config". 

 

 

Michael King

Technology Systems & Networking

Bridgewater State College

 

 

 

 

From: Wright, Donald [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 23, 2007 1:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Authentication method comparison

 

We currently have a WPA wlan using TTLS as the auth method and
SecureW2 for the PC client software.  We occasionally receive trouble
calls from users having issues with SecureW2, and are now being asked if
there is a more "user-friendly" auth method we could move to.  I know
the short list of other reasonable possibilities comes down to TLS and
PEAP.  Since we don't have our users credentials stored in AD, and we
don't currently have a PKI, neither of those would seem to be a
possibility for us right now.  

I am wondering about others' experiences with using any of the
above auth methods, in particular from the user perspective.  Are there
still client issues with TLS or PEAP?  Are those configurations
"scriptable" for the client?   How well do these other methods work with
Macintoshes?  Is anyone else having significant user issues with
SecureW2?  Has anyone had success with the supported third-party TTLS
clients, Odyssey, etc.?

Don Wright

Network Technology Group

Brown University



RE: [WIRELESS-LAN] Vendor Choice

2007-10-19 Thread King, Michael
Just for reference, we chose Cisco  LWAPP.

 

I personally feel you can't go wrong with either choice.

 

Aruba has some cool features Cisco doesn't have, and Cisco has some cool
features Aruba doesn't have. 

 

Choose based on the features you want, not on the features you may never
use.

 

I'd be interested to see Frank Bulk's take, since he's done a bunch of
real-world interop testing with both vendors.

 

Mike

 

From: Jay Howell [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 19, 2007 10:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Vendor Choice

 

I am in the process of evaluating vendors for a campus-wide rollout of
wireless. I have narrowed my choices down to Cisco and Aruba. We are
planning on creating three roles which are faculty/staff, student, and
guest. Each of these roles will have varying degrees of access to systems
on the network. Because of manpower issues we will be broadcasting the
SSID and using Novell's LDAP to authenticate to the system. We are not a
Cisco shop so there is no advantage either way as far as dropping into
our existing system. 

My question is are there any gotchas I might be missing with these two
vendors? From what I have seen, both systems seem to work nearly
identically. You can access the same information from each controller,
and both are self-healing when an AP goes out. Are there any support
issues I should be aware of? We plan on making our decision around the
first of November, so I look forward to any comments this group might
have. 

-- 
*
Jay Howell
Executive Director of Information Technology
Chowan University
Ph: 252-398-6361
*


RE: [WIRELESS-LAN] Open Cisco Controller Caveat/DHCP issue

2007-10-05 Thread King, Michael
The bug (thru cisco's bug tool) specifically calls out a customer using
Symbol scanners, and having them all power on at once.

 

I wasn't going to post because I thought you had read the actual bug
text.

 

From the Cisco bug tool  (Which is working a bit spastically this
morning)

 

Symptom:
symptom
When 200+ wireless clients are trying to associate to a WLC at the same
time,
the WLC starts experience problems:
1. scanners stuck in DHCP_REQD state. The attached sniffer trace 
shows that the WLC receive DHCP offer from an external DHCP 
server, but the WLC does not send out the DHCP offer in LWAPP
2. the following message is logged in show tech:
apf_policy.c:258 APF-1-MOBSTA_ADD_FAILED: Unable to add mobile
xx:xx:xx:xx:xx:x to PEM module:
3. CPU is running high (e.g. 70+%)
symptom
When the partner power off 200+ Symbol scanners, the WLC
starts experience problems:
1. scanners stuck in DHCP_REQD state. The attached sniffer trace 
shows that the WLC receive DHCP offer from an external DHCP 
server, but the WLC does not send out the DHCP offer in LWAPP
2. the following message is logged in show tech:
apf_policy.c:258 APF-1-MOBSTA_ADD_FAILED: Unable to add mobile
00:15:70:32:5a:b5 to PEM module:
3. CPU is running high (77%)
4. A sniffer trace on the WLC shows that the WLC receives DHCP offer
from an
external DHCP server, but the corresponding DHCP offer is not sent to
the AP
in LWAPP.


Conditions:
The problem is verified in 4.0(217.0) and 4.1(171.0).


Workaround:
None


Further Problem Description:

 

From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 05, 2007 9:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Open Cisco COntroller Caveat/DHCP issue

 

Hi Frank-

 

I would hope. But the wording leaves a lot to the imagination, and we
are seeing enough oddities on occasion that could point at something
like this that clarification is in order, if nothing more than for a
sanity check.

 

Lee



From: Frank Bulk [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 05, 2007 8:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Open Cisco COntroller Caveat/DHCP issue

 

Lee:

 

I think the key phrase is "at the same time".  This may be a bug found
when Cisco or someone else did scalability testing with test tools, not
a likely event in production.

 

Frank

 



From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 05, 2007 7:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Open Cisco COntroller Caveat/DHCP issue

I'm trying to get clarification on this open caveat, but so far can't
get a clear answer on the specifics of the bug:

 

CSCsj25953-When 200 or more wireless clients try to associate to a
controller at the same time, the clients become stuck in the DHCP_REQD
state. The controller receives the DHCP offer from an external DHCP
server but does not send the offer to the access point in LWAPP.

 

Obviously, getting to 200 clients on a single controller is routine
operations on a busy network, especially when one controller has 150
associated access points. Has anyone else dug in on this one, and gotten
any real details? It sounds potentially catastrophic, or that it could
be relatively harmless, but without more detail it's hard to know...

 

Regards-

 

Lee H. Badman

Wireless/Network Engineer

Information Technology and Services

Syracuse University

315 443-3003

 



RE: [WIRELESS-LAN] WPA "Countermeasures" - radios shutting down in LWAPP for legitimate users

2007-10-04 Thread King, Michael
Hi Lee.

 

I too am having 100 of these errors a day.

 

We've also been getting large number of complaints that students are
getting dropped off.  (Up and down as the students term it)

 

It started with the 4.0 code for us.

 

Reports from the Cisco Netpro forums that 4.1.185.0 is the code that
fixed this.  Nothing was mentioned about turning off the "radio off"
period.  This is from customers, not Cisco itself.

 

The only concern I have with the 4.1 code right now is I still have 40
ap's that won't support it.  (Pre Cisco Acquisition AP's, they don't
have enough RAM to load the image)  I hope to remedy this in the next
few days, and get onto 4.1 in a real hurry.

 

From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 04, 2007 9:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA "Countermeasures" - radios shutting down in
LWAPP for legitimate users

 

We are seeing huge quantities of this:

 

The AP '00:0f:f7:a7:a0:c0' received a WPA MIC error on protocol '0' from
Station '00:13:02:82:1c:8d'. Counter measures have been activated and
traffic has been suspended for 60 seconds.

 

Which means that radios are being disabled for 60 seconds- and all
networks on those radios- each time this countermeasure is invoked
because of something viewed as a potential attack happens for each user
listed, at the front end of the 802.1x authentication/encryption key
setup (we're using PEAP w/ MS-CHAP v/TKIP/WPA1).

 

What is very confusing- each user listed ends up on the network, just
fine. But in the meantime, we have radios being shut down all over the
place. This countermeasure is defined by the standard, so it's hard to
bash the hardware in this case. Clients involved are using Mac, XP, and
Vista- hundreds daily, and not consistent (sometimes a client has the
issue, sometimes not).

 

Our controllers are 4.0.207.

 

Cisco is saying a few things in response: this is likely a client driver
issue and that all drivers need to be kept up to date (easier said than
done on our campus). Also- in version 4.1 of the controllers, the
60-second "radio off" period can be turned off. Finally, WPA2 negates
this.

 

My questions- is anyone else seeing this, and have you found any causes
for good clients to show up as attackers and cause the radios to turn
off? And, has anyone found any real concerns with 4.1 code on the
controllers?

 

Thanks very much-

 

Lee H. Badman

Wireless/Network Engineer

Information Technology and Services

Syracuse University

315 443-3003
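
The MIC error message quoted in this thread (the same text appears in the 2007-07-24 "Changing signal strength" message on this page) can be tallied to see how much radio time the countermeasures are costing and which stations trigger them. The following is an added example, not part of the original posts and not Cisco code; the timestamp prefix, the function names and all sample lines are constructed here, and it assumes each logged activation suspends that AP's traffic for the stated number of seconds from its timestamp.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message text as quoted in the thread. The leading ISO timestamp is an
# assumption about how the events were exported; adjust to your log format.
MIC_RE = re.compile(
    r"^(?P<ts>\S+)\s+The AP '(?P<ap>[0-9a-f:]{17})' received a WPA MIC error "
    r"on protocol '\d+' from Station '(?P<sta>[0-9a-f:]{17})'\. "
    r"Counter measures have been activated and traffic has been suspended "
    r"for (?P<secs>\d+) seconds",
    re.IGNORECASE,
)


def make_line(ts, ap, sta):
    """Build one constructed sample line in the format quoted in the thread."""
    return (f"{ts} The AP '{ap}' received a WPA MIC error on protocol '0' "
            f"from Station '{sta}'. Counter measures have been activated and "
            f"traffic has been suspended for 60 seconds.")


# Constructed sample input. The first AP/station pair reuses the MACs quoted
# in the thread; the 02:... addresses and all timestamps are made up.
SAMPLE = [
    make_line("2007-10-04T09:00:00", "00:0f:f7:a7:a0:c0", "00:13:02:82:1c:8d"),
    make_line("2007-10-04T09:00:40", "00:0f:f7:a7:a0:c0", "02:00:00:00:00:0a"),
    make_line("2007-10-04T09:05:00", "02:00:00:00:01:00", "00:13:02:82:1c:8d"),
    "2007-10-04T09:10:00 Client '02:00:00:00:00:0b' associated",  # unrelated
    make_line("2007-10-04T09:30:00", "00:0f:f7:a7:a0:c0", "00:13:02:82:1c:8d"),
]


def parse_events(lines):
    """Return one dict per countermeasure activation found in the lines."""
    events = []
    for line in lines:
        m = MIC_RE.match(line.strip())
        if not m:
            continue  # not a MIC countermeasure message
        start = datetime.fromisoformat(m["ts"])
        events.append({
            "start": start,
            "end": start + timedelta(seconds=int(m["secs"])),
            "ap": m["ap"].lower(),
            "sta": m["sta"].lower(),
        })
    return events


def suspended_seconds(windows):
    """Total length of the union of (start, end) windows, in seconds.

    Overlapping suspensions on one AP are counted once, so two activations
    40 seconds apart cost 100 seconds of radio time, not 120.
    """
    total = 0.0
    cur_start = cur_end = None
    for start, end in sorted(windows):
        if cur_end is None or start > cur_end:
            if cur_end is not None:
                total += (cur_end - cur_start).total_seconds()
            cur_start, cur_end = start, end
        else:
            cur_end = max(cur_end, end)
    if cur_end is not None:
        total += (cur_end - cur_start).total_seconds()
    return int(total)


def summarize(events):
    """Aggregate activations per AP and per station."""
    per_ap = defaultdict(lambda: {"windows": [], "stations": set()})
    per_sta = defaultdict(lambda: {"events": 0, "aps": set()})
    for e in events:
        per_ap[e["ap"]]["windows"].append((e["start"], e["end"]))
        per_ap[e["ap"]]["stations"].add(e["sta"])
        per_sta[e["sta"]]["events"] += 1
        per_sta[e["sta"]]["aps"].add(e["ap"])
    ap_report = {
        ap: {"activations": len(d["windows"]),
             "stations": len(d["stations"]),
             "suspended_s": suspended_seconds(d["windows"])}
        for ap, d in per_ap.items()
    }
    sta_report = {
        sta: {"events": d["events"], "aps": len(d["aps"])}
        for sta, d in per_sta.items()
    }
    return ap_report, sta_report


if __name__ == "__main__":
    aps, stations = summarize(parse_events(SAMPLE))
    for ap, row in sorted(aps.items()):
        print("AP", ap, row)
    for sta, row in sorted(stations.items(), key=lambda kv: -kv[1]["events"]):
        print("Station", sta, row)
```

Stations that recur across several APs are the natural first candidates for the driver updates mentioned in the thread.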

 



RE: [WIRELESS-LAN] Outdoor Antenna

2007-09-05 Thread King, Michael
Allen,

You might want to enlist the services of a qualified reseller.  Doing an
outdoor deployment gets complex fast.

That being said, let's see what we can do.

Some information that will help.

1.  What are your goals?  100% outdoor coverage?  Just the areas that
people walk on?  Just the quad?
This is the single most important bit of information that you
can provide.
2.  What is your supported network frequency?  802.11a, 802.11g,
802.11n, 802.11h?  (Cisco supports all four for the LWAPP (the AP-1250
was announced this week that supports 802.11n draft 2.0 support))
3.  What access point model are you using?  1240?  1020?  1510?


To answer your questions.

Can anyone help me with this?
    Yes.  We'll try.  I'm still recommending finding a
    qualified reseller.  Your Cisco rep should have a local favorite.

Who do you order equipments to support AP from?
    Not sure what you mean.  We've bought Antenna Masts and
    non-penetrating roof mounts from Tessco.

Distance Problem
    Distance is always a problem, and is a function of
    Throughput.  You'll have to answer my goals answer to answer your
    question.

Should AP be on 1 or 2 story building.
    See above answer.

What kind of Antenna do you recommend.
    Depends on the AP you have.  Dipole antennas are better,
    but if you only have a single pole AP, what's the point.  Omni's vs
    Patch, depends on your goals.


I have pictures, but when I know more what you want, I can show you
ones that apply.

Mike

-Original Message-
From: Allen Matthews [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 05, 2007 2:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Outdoor Antenna

I am working to set up outdoor antenna for Wi-FI..  We are using Cisco 
4404 and LWAPP Access point.

Can anyone help me with this?

Who do you order equipments to support AP from?  (I have seen Cisco 
LWAPP package)

Distance problem?  Should AP be place on 2 story or 1 story building?

What kind of antenna do you recommend?  Dipole?  Omni? or Patch Panel?

Any information will be helpful.. If you have picture of your outdoor 
antenna, can I see it?

Thanks..

-- 
---
Allen Matthews
Network Engineer
Gallaudet University Information Technology Services
Washington, DC



RE: [WIRELESS-LAN] Cisco LWAPP, multicast/peer to peer blocking modes

2007-08-31 Thread King, Michael
Make sure you're on release 4.0.206.0 or greater.  There was a bad bug
that was fixed in 4.0.206.0 that had significant packet loss on the
wireless network if Multicast was enabled.

 

We don't have multicast enabled.  We do have Peer to Peer blocking
disabled (so we are enabling Peer to Peer).   It wasn't a conscious
decision, just the default setting on the box, and we haven't changed
it.

 

My only recommendation is try to limit the bandwidth allowed for
Multicast.

 

From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 31, 2007 8:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco LWAPP, multicast/peer to peer blocking
modes

 

We have 12 WiSMs at SU (24 controllers) and around 1,550 APs online. By
default on the controllers under General System configuration options,
Ethernet Multicast Support is disabled by default, and we chose to
enable Peer to Peer Blocking Mode. 

 

We are being asked by a researcher to change both of these settings to
allow both multicast and peer to peer connections in the WLAN, and our
first reaction is to grimace and gnash teeth a bit. Am wondering if
anyone is actually allowing multicast on a large WLAN and seeing any
problems, added load, or general observations worth noting? Same with
peer to peer.

 

Regards to the group-

 

Lee H. Badman

Wireless/Network Engineer

Information Technology and Services

Syracuse University

315 443-3003

 



RE: [WIRELESS-LAN] Meru and Macs

2007-08-24 Thread King, Michael
I'd love to see the specifics.

-Original Message-
From: debbie fligor [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 24, 2007 3:18 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Meru and Macs

On Aug 24, 2007, at 12:38, Brandon Pinsky wrote:

> Have any of the Meru users in the group noticed any performance  
> differences
> and/or problems with Macs?  More specifically, Meru users running  
> their
> Virtual Cell technology...

We've seen 2 problems.  One was Meru's and was fixed with the 3.3  
code and later(if I recall correctly), and just as we got that fix  
rolled out, we upgraded to 10.4.10 and all the intel Mac notebooks  
went back to having problems again.  This is fixable with a bunch of  
fiddling with drivers, or backing out to 10.4.9  so we think it's  
Apple's issue, not Meru's.  I can get some more details from one of  
the people here who researched it extensively (he'd just gotten a  
hand-me-down intel mac, put 10.4.10 on it, and it didn't work :-)


>
> Thanks,
>
> BJ Pinsky
> Columbia University IT (CUIT)
> Network Infrastructure
>
> **
> Participation and subscription information for this EDUCAUSE  
> Constituent Group discussion list can be found at http:// 
> www.educause.edu/groups/.
>

-
-debbie
Debbie Fligor, n9dn   Network Engineer, CITES, Univ. of Il
email: [EMAIL PROTECTED]  
"My turn."  -River



Release 4.0.219.0 for Cisco LWAPP Wireless

2007-08-01 Thread King, Michael
Has anyone upgraded to Release 4.0.219.0 for Cisco LWAPP yet?  It
contains the fix for the Wireless ARP Storm issue.

 

(I know the 3.2 and the 4.1 version were available last week)




RE: [WIRELESS-LAN] Changing signal strength on Cisco LWAPP aps

2007-07-24 Thread King, Michael
To elaborate, you might want to look for MIC key errors in WCS.


Here's one from my logs:

The AP '00:0b:85:62:05:80' received a WPA MIC error on protocol '1' from
Station '00:20:4a:89:25:d8'. Counter measures have been activated and
traffic has been suspended for 60 seconds


-Original Message-
From: Jorge Bodden [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 24, 2007 12:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Changing signal strength on Cisco LWAPP aps

Peter,

On WCS you can generate a report that lets you know the power level of a
particular AP for an extended period of time.  Does this report 
indicate what you saw on the floor? 

Is it a specific type of client MAC or Windows based?  Are the areas in 
question falling back to the same controller?  What do the controller 
logs indicate for that given time for that given Mac address?  If the 
users are getting disconnected there should be something in the 
controller logs that indicate an error.  You have to turn the message 
logs on to a higher level than 'critical'.  You could use the following 
command at the prompt, 'config msglog level critical'.  This should log 
the MAC address in question.  Please let me know if this helps out or if
you need any more assistance.

Jorge Bodden

Peter Arbouin wrote:
> Hello,
>  
> We have a Cisco LWAPP installation running Wireless Control System  
> Version 4.1.83.0 and WiSM's running  4.1.171.0 
> Recently we have been experiencing several occasions where the signal 
> strength goes from excellent to 0, causing clients to lose
> associations.
>  
>  
> Has anyone else experienced this and have you found a solution?
>  
> Thanks in advance.
>  
> Peter.
>  
>
> *Peter Arbouin*
>
> Network Engineer
>
> Network Operations Centre, ITS
>
> Queensland University of Technology
>
> Brisbane, QLD, Australia
>
> PH: (07) 313 81030
>
>  
>
>  
>
>

> *From:* Lee H Badman [mailto:[EMAIL PROTECTED]
> *Sent:* Tuesday, 24 July 2007 8:33 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] ARP floods with Cisco APs - could this 
> be the bug?
>
> Check with TAC-- I'm told this morning that new WiSM code is pushed 
> out until an undeclared date in August.
>  
> -Lee
>
>

> *From:* David Pifer [mailto:[EMAIL PROTECTED]
> *Sent:* Mon 7/23/2007 6:00 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] ARP floods with Cisco APs - could this 
> be the bug?
>
> It is unclear to me if the solution provided was a configuration 
> correction or update to the current revision of code or beta code or 
> something else. It is worded so vague it could be anything. Only thing
> clear is Cisco helped them fix it.
>  
> Besides with Networkers going on this week, any new code is probably 
> going to be announced this week or next. We are waiting on new code 
> for our LWAP environment to fix some issues with Controllers dropping 
> channels and going "dumb".
>  
>  
>  
>
> David L. Pifer - N9YNF
> Indiana State University
> Office of Information Technology
> 210 N. 7th St.
> Rankin Hall R044
> Terre Haute, IN 47809
> 812.237.2923 office
> 812.237.4361 fax
>







**
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.



RE: [WIRELESS-LAN] 802.1x without AD or LDAP?

2007-07-05 Thread King, Michael
Emily,

Your basic problem is that you need a RADIUS server that can speak to
the directory you have.

I'm sure commercial solutions can play here, but I'd imagine that
FreeRADIUS (http://www.freeradius.org) can authenticate your users
against your existing Linux user file.  (This is what it sounds like you
are doing)

Once you have a RADIUS server that can access your user database, it's a
simple step to implement 802.1x.  User retraining, however, is a
considerable issue.

Mike

-Original Message-
From: Emily Harris [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 05, 2007 2:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.1x without AD or LDAP?

I am curious if anyone has (successfully) implemented WPA/802.1x with
authentication via RADIUS to something OTHER than Active Directory or
LDAP.  We unfortunately are somewhat behind in our method of campus-wide
user management - LDAP is coming in 2008 but for now we have to make do
with authenticating against Linux servers.  Last year we used static WEP
with Webauth, using a RADIUS script for user/password verification.
That means two configurations and way too much user training, so we
wanted to do something a little less cumbersome this year.

FYI we're using Meru MC3000 and AP208s.

Any replies would be appreciated - thank you!

-- 
Emily Harris, BC '95
Associate Director, Network & Systems
Barnard College, MINS Department
3009 Broadway, New York, NY
212-854-8795



RE: [WIRELESS-LAN] WiSM & SUP720 Performance Issue

2007-06-08 Thread King, Michael
WPA2, WPA, or WEP?

 

 

 

From: Dennis Xu [mailto:[EMAIL PROTECTED] 
Sent: Friday, June 08, 2007 9:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WiSM & SUP720 Performance Issue

 

We use WiSM 4.0.217.0 and SUP720 12.2(18) SXF5. We experience bad
performance with wireless client download, for only about 70kbps. I
tried with a WLC2006 connected to the same SUP720 with similar
configurations with WiSM and I got 2Mbps download speed via WLC2006. Has
anyone experienced this issue before? 

Thanks!

 

Dennis Xu

Network Analyst(CCS)

University of Guelph

5198244120 x 56217



RE: [WIRELESS-LAN] Vista DHCP and CISCO WCS/WLC

2007-05-07 Thread King, Michael
-Original Message-
I can't walk you through the config for
allowing broadcast traffic, but there was a setting to enable multicast


After you upgrade to software release 4.0.206.0, use this CLI command to
re-enable broadcast:
config network broadcast enable



RE: [WIRELESS-LAN] Vista DHCP and CISCO WCS/WLC

2007-05-07 Thread King, Michael
-Original Message-
Our SE says they plan to separate these in future code.  We do not
route multicast to our wireless networks anyway, so I didn't have too
many concerns about allowing this for our eval.


It was separated on the 4.0.206.0 release



RE: [WIRELESS-LAN] Cisco Version 4.1 WiSM Code (Concannon)- Anyone upgraded yet? (3)

2007-05-03 Thread King, Michael
The AP1200's were an unreleased Airespace model, you could only obtain
them via the beta program.
They eventually became the AP1510's. (After several model number
changes)

-Original Message-
From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 03, 2007 12:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Version 4.1 WiSM Code (Concannon)-
Anyone upgraded yet? (3)

For clarity- I believe that these 1200s are the old Airespace originals-
NOT the Cisco 1200s...

Lee H. Badman
Wireless/Network Engineer
KC2IYK, CWNA/CWSP
Information Technology and Services
Syracuse University
315 443-3003

-Original Message-
From: Fred Archibald [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 03, 2007 11:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Version 4.1 WiSM Code (Concannon)-
Anyone upgraded yet? (3)

It is my understanding that the AP1200s will never be able to support 
4.1 due to a memory limitation in the APs. This is also an issue for us.
Fred

Earl Barfield wrote:
>> We are feeling compelled to migrate to the latest WiSM code version for
>> several reasons. Wondering if anyone has done the upgrade yet? If so,
>> any pain, problems, stuff to watch out for? Anything would be helpful-
>> offline responses OK , too.
>
>
> Note that the description says "Emergency Release".   That doesn't 
> exactly sound fully baked.
>
> The release notes say that 4.1.171.0 does not support AP1200s.  That
> is a show stopper for us.  I haven't yet asked our Cisco engineer when
> AP1200 support will be in the 4.1 chain.
>
>



RE: [WIRELESS-LAN] Cisco Version 4.1 WiSM Code (Concannon)- Anyone upgraded yet?

2007-05-02 Thread King, Michael
Read the release notes.

 

You HAVE to hit a certain version before you can use the 4.1 code.

 

Contemplating the upgrade myself.

 

Mike

 

From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 02, 2007 12:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco Version 4.1 WiSM Code (Concannon)- Anyone
upgraded yet?

 

We are feeling compelled to migrate to the latest WiSM code version for
several reasons. Wondering if anyone has done the upgrade yet? If so,
any pain, problems, stuff to watch out for? Anything would be helpful-
offline responses OK , too.

 

Thanks-

 

Lee H. Badman

Wireless/Network Engineer

KC2IYK, CWNA/CWSP

Information Technology and Services

Syracuse University

315 443-3003

 



RE: [WIRELESS-LAN] Site survey Wifi deployment software and methodology queries

2007-04-26 Thread King, Michael
We use Ekahau software.  Wireless Valley is a better product, (It thinks in 3 
dimensions, where Ekahau is two dimensional)

 

You load a floorplan onto the software.  You scale it. (Measure a wall, and 
tell the software how long the wall is)

 

First, you Simulate the layout.  

You draw all the walls on the floorplan, giving them RF values. (usually I 
stick with concrete, drywall, and elevator shaft)

Then you place "virtual" AP's on the floorplan, and try to figure a good 
placement.  When you have a good simulation you:

 

Test the design

You place an AP, (with Cisco (and most auto RF type AP's) they recommend 50% 
power, so the AP can boost its signal to fill in gaps if necessary.)

You walk around, clicking on the floorplan, making data points on the map.

You "Freeze" the AP in the software. (That's the term they used, essentially it 
munges the MAC of the AP so you can simulate many AP's with a single one)

Move the AP to the next placement point.

Repeat until the whole floor is covered.

 

Based on the graphs, you make some intelligent guesses, and adjust the AP 
placement.  Repeat the whole Survey until you get it right.

 

It is time consuming, but buying the software, and doing it yourself is usually 
cheaper than a consultant.

 

I know the Cisco Software on the WCS controller software (not the controller 
itself) can do this simulation as well.  We've never used it in this 
capacity, since we have the Ekahau software, and we know it works very well.  
(We had the Ekahau software a year before the Cisco Product)

 

Mike King

 

 

From: Christian Hroux [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 26, 2007 3:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Site survey Wifi deployment software and methodology 
queries

 

Hello!

 

We are planning a campus wide Wifi deployment. I am looking for 
tools and advice on how to do a site survey. We are looking at the Cisco Airespace 
solution with controller.  The test deployment of 20 APs was done with a consultant, 
and the actual site survey was to install and move around one mobile AP and 
check the reception with a laptop to determine the final AP spot. This process 
was repeated until the floor was covered. Not a very scientific approach and 
quite costly. 

 

From my reading there are 2 types of site survey:

 

-Spectrum analyser to evaluate noise in your environment. 

-Simulation software tool where you load your (autocad) floor plan and the 
software will help to define the location of your access-points.

-Another survey is to install all access-points and walk the floor and take 
sample readings with a laptop and software and analyse the result.

-Once you have your Wifi network Cisco seems to have some functionality where APs 
can listen to each other and adjust their power and maybe recommend moving 
some APs around. (WLSE walkabout feature, old Aironet solution) but at this point 
you need to have your network installed before using this tool. 

 

I was looking at AirMagnet software to do those 2 functions; any comments?

What was your experience with that software? Any other that I should look at?

In only a few lines, how do you proceed with your WIFI site survey and what tool 
do you use?

 

Thanks 

 

Christian Héroux

University of Quebec

Montréal, Canada  



RE: [WIRELESS-LAN] AP's for mesh?

2007-04-24 Thread King, Michael
 

> -Original Message-
> 
> We have a few grad students who are doing their PHD projects 
> and require some 801.11 Access Points which can do mesh. 

Aha, since they're grad students, they have 
1.  No Money
2.  Time
3.  Willingness to make it work

They should try some of the opensource stuff around.  Examples (in no
particular order):
http://www.cuwin.net/about
http://en.wikipedia.org/wiki/Netsukuku
http://en.wikipedia.org/wiki/TinyOS
http://en.wikipedia.org/wiki/Roofnet
http://www.oreillynet.com/pub/a/etel/2006/02/10/free-mesh-networking-with-metrix-pebble.html


> We are a bit concerned that this will interfere with our 
> campus 802.11 deployment (their lab is near a very busy 
> student hangout), and as such are hoping to help them find an 
> AP that will allow some configurable options, most 
> specifically transmit power and channel selection.

You can suggest faraday cages
http://en.wikipedia.org/wiki/Faraday_cage

(Some grad students project that mentions using an old university
freezer as a faraday cage, then later a large steel cabinet)
http://scissec.scis.ecu.edu.au/wordpress/conference_proceedings/2005/forensics/yek2.pdf

> So far they found a product from 
> meraki which does mesh, but has few configurable options.
> 

I think meraki is a commercial venture of MIT's roofnet



RE: [WIRELESS-LAN] EOL of WiLAN controllers (a month or two after purchasing - what do you do?)

2007-02-19 Thread King, Michael
Yea, I see your point.

The 3504 became the 2006 with hardware change (3504's can't run 2006
images)

I think around October they released the 2106, which replaces the 2006.

I agree with Dale, Call the SE's boss, they should have let you know
that. 

> -Original Message-
> From: Dale W. Carder [mailto:[EMAIL PROTECTED] 
> Sent: Monday, February 19, 2007 3:37 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] EOL of WiLAN controllers (a month 
> or two after purchasing - what do you do?)
> 
> Wow, that sinks.
> 
> I would call your SE's boss.  In our region at least, they 
> actually tend to listen.
> 
> Dale
> 
> 
> 
> Thus spake Lelio Fulgenzi ([EMAIL PROTECTED]) on Mon, Feb 19, 
> 2007 at 03:33:11PM -0500:
> > we had an NDA product update in december. they neglected to tell us 
> > anything. :(
> > 
> > 
> > 
> --
> > --
> > Lelio Fulgenzi, B.A.
> > Senior Analyst (CCS) * University of Guelph * Guelph, 
> Ontario N1G 2W1
> > (519) 824-4120 x56354 (519) 767-1060 FAX (JNHN) 
> > 
> ^^
> > ...there's no such thing as a bad timbit...
> > 
> >   - Original Message - 
> >   From: Dale W. Carder 
> >   To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> >   Sent: Monday, February 19, 2007 3:27 PM
> >   Subject: Re: [WIRELESS-LAN] EOL of WiLAN controllers (a 
> month or two 
> > after purchasing - what do you do?)
> > 
> > 
> >   Thus spake Lelio Fulgenzi ([EMAIL PROTECTED]) on Mon, Feb 
> 19, 2007 at 01:07:25PM -0500:
> >   > This is for those who buy Cisco products.
> >   > 
> >   > We bought a Cisco 2006 controller last year, say late 
> November, early December. It's not been EOL'ed.
> >   > 
> >   > Just wondering what experience others have had
> > 
> >   Sign an NDA and get product roadmaps before buying anything from 
> >   anyone.  
> > 
> >   Cisco, in particular, tends NOT to announce an EOL of a product until
> >   months/years after removing all the developers from a project.  I've
> >   seen this for a couple of product lines where new features just suddenly
> >   stop, and then magically in 6 months something takes that product's place.
> >   Only then is an EOL announced because there is something new to sell
> >   you as an "upgrade path".
> > 
> >   Dale
> > 
> >   
> --
> --
> >   Dale W. Carder - Network Engineer   | DoIT Network Services
> >   University of Wisconsin at Madison  | [EMAIL PROTECTED] 
> >   (608) 263-3628 | 24hr NOC: 263-4188 | 
> > http://net.doit.wisc.edu/~dwcarder
> > 
> 


RE: [WIRELESS-LAN] Supporting Wireless clients using LEAP

2007-02-08 Thread King, Michael
 

> -Original Message-
> Can you please let me know if your school is currently using 
> 802.1x and LEAP? 

802.1x and PEAP TTLS, and WPA/WPA2 PEAP TTLS

> If you can let me know if you are using a 
> supplicant client or just the vendor supplied utilities, I 
> would appreciate it.

Built in clients (2000, XP, Vista, Mac)

> Any other insights would be appreciated 
> as to how schools are supporting a secure wireless network.


Don't use LEAP under any circumstances.  It has been broken,
compromised, etc, since 2003.  That, coupled with the fact that very few
to no clients actually support LEAP should dissuade you from it.

Furthermore, Cisco has recommended that users migrate to another EAP
type, or strengthen their password policy to mitigate the
vulnerabilities.
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html

The two MAIN EAP protocols in public use at this time are:
PEAP
TTLS

PEAP is built into every Microsoft OS since 2000, and Both Mac and Linux
support it as well.
TTLS is built into almost every Mac and Linux box, and a third party
supplicant (SecureW2) allows use on Microsoft OS's.
Actually, you can support more than ONE EAP type per SSID, so you can
conceivably have both PEAP and TTLS on



RE: [WIRELESS-LAN] LWAPP APs Disassociating From Controllers

2007-02-02 Thread King, Michael
Ok.. You have the release I was going to suggest.

You can try 4.0.206.0, but I don't see anything specific for your model
AP's.  (I have the 1010's, and there is a specific bug fix in that
release we've been chasing)

But you never know, it might be related.

 

> -Original Message-
> From: Lee Badman [mailto:[EMAIL PROTECTED] 
> Sent: Friday, February 02, 2007 10:47 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] LWAPP APs Disassociating From Controllers
> 
> 4.0.179.11. 
> 
> >>> [EMAIL PROTECTED] 2/2/2007 10:42 AM >>>
> What version code are you running on the controllers?
>  
> 
> > -Original Message-
> > Am opening a TAC case, but to save some time from the loathsome 
> > LWAPP debug process, wondering if anyone has experienced this 
> > condition?
> 


RE: [WIRELESS-LAN] LWAPP APs Disassociating From Controllers

2007-02-02 Thread King, Michael
What version code are you running on the controllers?
 

> -Original Message-
> Am opening a TAC case, but to save some time from the 
> loathsome LWAPP debug process, wondering if anyone has 
> experienced this condition?



RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

2007-02-01 Thread King, Michael
It's why they're getting denied, they have to be allowed to login.  You
can probably do specific groups of computers or individual computers. 

> -Original Message-
> From: Lee Weers [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, February 01, 2007 5:07 PM
> To: King, Michael
> Subject: RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
> 
>  Is it required that domain computers be allowed?  Most of 
> the college owned laptops are shared laptops.
> 
> -Original Message-
> From: King, Michael [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 01, 2007 3:48 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
> 
> Hey, what users do you have in your IAS's remote access policy?
> 
> Do you have DOMAIN COMPUTERS allowed?  (It's not part of DOMAIN USERS)
> 
> Mike
> 
> > -Original Message-
> > From: Lee Weers [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, February 01, 2007 4:42 PM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
> > 
> > I've changed the name and marked out the ip addresses.  
> > 
> > Here is an example of the deny
> > 
> > User host/bob_10884.central.edu was denied access.
> >  Fully-Qualified-User-Name = CENTRALCOLLEGE\BOB_10884$
> >  NAS-IP-Address = xxx.xxx.xxx.xxx
> >  NAS-Identifier = WESM1
> >  Called-Station-Identifier = 00-14-C2-A3-A4-85:airCentral-Academic
> >  Calling-Station-Identifier = 00-18-DE-66-6E-C4
> >  Client-Friendly-Name = HP Wesm
> >  Client-IP-Address = xxx.xxx.xxx.xxx
> >  NAS-Port-Type = Wireless - IEEE 802.11
> >  NAS-Port = 1
> >  Proxy-Policy-Name = Use Windows authentication for all users
> >  Authentication-Provider = Windows
> >  Authentication-Server =
> >  Policy-Name =
> >  Authentication-Type = EAP
> >  EAP-Type =
> >  Reason-Code = 48
> >  Reason = The connection attempt did not match any remote access policy.
> > 
> > 
> > I wouldn't think I need to setup a policy for machine authentication.
> > 
> > Here is the success.
> > 
> > User CENTRALCOLLEGE\bob was granted access.
> >  Fully-Qualified-User-Name = central.edu/Computers-AutoUpdate Fac-Staff/Roaming Profiles/Bob
> >  NAS-IP-Address = xxx.xxx.xxx.xxx
> >  NAS-Identifier = WESM1
> >  Client-Friendly-Name = HP Wesm
> >  Client-IP-Address = xxx.xxx.xxx.xxx
> >  Calling-Station-Identifier = 00-18-DE-66-6E-C4
> >  NAS-Port-Type = Wireless - IEEE 802.11
> >  NAS-Port = 1
> >  Proxy-Policy-Name = Use Windows authentication for all users
> >  Authentication-Provider = Windows
> >  Authentication-Server =
> >  Policy-Name = Authenticate wireless network
> >  Authentication-Type = PEAP
> >  EAP-Type = Secured password (EAP-MSCHAP v2)
> > 
> > I've changed the name and marked out the ip addresses.
> > -Original Message-
> > From: Doug Payne [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, February 01, 2007 3:19 PM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
> > 
> > On 01/02/2007 3:32 PM, Lee Badman wrote:
> > 
> > > Automatically Use My Windows Credentials- implies that the same user
> > > name and password used to simply open up Windows is the same used to
> > > login to the network, like against AD- which is not always the same
> > > (in our case it is very likely almost never the same as the users set
> > > up their own laptops and give themselves all sorts of exotic and or
> > > silly names and passwords that wouldn't match their network IDs)
> > 
> > Not to mention that WXP automatically uses the computer name as the 
> > domain name, which doesn't work if you use IAS as your Radius server.
> > 


RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

2007-02-01 Thread King, Michael
Hey, what users do you have in your IAS's remote access policy?

Do you have DOMAIN COMPUTERS allowed?  (It's not part of DOMAIN USERS)

Mike

> -Original Message-
> From: Lee Weers [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, February 01, 2007 4:42 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
> 
> I've changed the name and marked out the ip addresses.  
> 
> Here is an example of the deny
> 
> User host/bob_10884.central.edu was denied access.
>  Fully-Qualified-User-Name = CENTRALCOLLEGE\BOB_10884$
>  NAS-IP-Address = xxx.xxx.xxx.xxx
>  NAS-Identifier = WESM1
>  Called-Station-Identifier = 00-14-C2-A3-A4-85:airCentral-Academic
>  Calling-Station-Identifier = 00-18-DE-66-6E-C4
>  Client-Friendly-Name = HP Wesm
>  Client-IP-Address = xxx.xxx.xxx.xxx
>  NAS-Port-Type = Wireless - IEEE 802.11
>  NAS-Port = 1
>  Proxy-Policy-Name = Use Windows authentication for all users
>  Authentication-Provider = Windows 
>  Authentication-Server =  
>  Policy-Name =  
>  Authentication-Type = EAP
>  EAP-Type =  
>  Reason-Code = 48
>  Reason = The connection attempt did not match any remote access policy.
> 
> 
> I wouldn't think I need to setup a policy for machine authentication.
> 
> Here is the success.
> 
> User CENTRALCOLLEGE\bob was granted access.
>  Fully-Qualified-User-Name = central.edu/Computers-AutoUpdate Fac-Staff/Roaming Profiles/Bob
>  NAS-IP-Address = xxx.xxx.xxx.xxx
>  NAS-Identifier = WESM1
>  Client-Friendly-Name = HP Wesm
>  Client-IP-Address = xxx.xxx.xxx.xxx
>  Calling-Station-Identifier = 00-18-DE-66-6E-C4
>  NAS-Port-Type = Wireless - IEEE 802.11
>  NAS-Port = 1
>   Proxy-Policy-Name = Use Windows authentication for all users
>  Authentication-Provider = Windows 
>  Authentication-Server =  
>  Policy-Name = Authenticate wireless network
>  Authentication-Type = PEAP
>  EAP-Type = Secured password (EAP-MSCHAP v2)
> 
> I've changed the name and marked out the ip addresses.
> -Original Message-
> From: Doug Payne [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, February 01, 2007 3:19 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
> 
> On 01/02/2007 3:32 PM, Lee Badman wrote:
> 
> > Automatically Use My Windows Credentials- implies that the same user 
> > name and password used to simply open up Windows is the same used to 
> > login to the network, like against AD- which is not always the same 
> > (in our case it is very likely almost never the same as the users set 
> > up their own laptops and give themselves all sorts of exotic and or 
> > silly names and passwords that wouldn't match their network IDs)
> 
> Not to mention that WXP automatically uses the computer name as the
> domain name, which doesn't work if you use IAS as your Radius server.
> 
> 
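
The pattern in the two IAS entries quoted in this thread (the computer account denied with Reason-Code 48 while the user is granted from the same station) can be picked out of a log automatically. The Python below is an added example, not part of the original posts: it assumes one attribute per line with wrapped continuation lines, the sample events are constructed from the entries quoted above, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two IAS entries quoted in the thread
# (one attribute per line; long values may wrap onto a continuation line).
SAMPLE_LOG = """\
User host/bob_10884.central.edu was denied access.
 Fully-Qualified-User-Name = CENTRALCOLLEGE\\BOB_10884$
 NAS-Identifier = WESM1
 Calling-Station-Identifier = 00-18-DE-66-6E-C4
 Policy-Name =
 Authentication-Type = EAP
 Reason-Code = 48
 Reason = The connection attempt did not match any remote
access policy.

User CENTRALCOLLEGE\\bob was granted access.
 Fully-Qualified-User-Name = central.edu/Computers-AutoUpdate
Fac-Staff/Roaming Profiles/Bob
 NAS-Identifier = WESM1
 Calling-Station-Identifier = 00-18-DE-66-6E-C4
 Policy-Name = Authenticate wireless network
 Authentication-Type = PEAP
 EAP-Type = Secured password (EAP-MSCHAP v2)
"""

HEADER = re.compile(r"^User (?P<identity>.+) was (?P<result>denied|granted) access\.\s*$")
ATTR = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z-]*)\s*=\s*(?P<value>.*)$")

# Reason text for this code in the thread:
# "The connection attempt did not match any remote access policy."
NO_POLICY_MATCH = "48"


def parse_events(text):
    """Split IAS log text into events: identity, result and an attribute dict."""
    events, current, last_name = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = HEADER.match(line)
        if header:
            current = {"identity": header["identity"],
                       "result": header["result"],
                       "attrs": {}}
            events.append(current)
            last_name = None
            continue
        if current is None or not line.strip():
            continue
        attr = ATTR.match(line)
        if attr:
            last_name = attr["name"]
            current["attrs"][last_name] = attr["value"].strip()
        elif last_name:
            # Wrapped value: join the continuation onto the previous attribute.
            joined = current["attrs"][last_name] + " " + line.strip()
            current["attrs"][last_name] = joined.strip()
    return events


def is_machine_account(event):
    """Computer accounts log in as host/<fqdn>; their AD account name ends in '$'."""
    fqun = event["attrs"].get("Fully-Qualified-User-Name", "")
    return event["identity"].lower().startswith("host/") or fqun.endswith("$")


def triage(event):
    """Label one event so machine-auth policy gaps stand out from other denials."""
    if event["result"] == "granted":
        return "granted"
    if event["attrs"].get("Reason-Code") == NO_POLICY_MATCH:
        return "machine-no-policy" if is_machine_account(event) else "user-no-policy"
    return "denied-other"


def machine_only_failures(events):
    """Stations where the user was granted but the computer account hit no policy."""
    seen = defaultdict(set)
    for event in events:
        station = event["attrs"].get("Calling-Station-Identifier", "unknown")
        seen[station].add(triage(event))
    return sorted(station for station, kinds in seen.items()
                  if "machine-no-policy" in kinds and "granted" in kinds)


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    for ev in parsed:
        print(triage(ev), ev["identity"])
    print("machine auth fails, user auth works:", machine_only_failures(parsed))
```

A station listed by `machine_only_failures` matches the situation in the thread: the user policy works, and no remote access policy matches the computer account.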



RE: [WIRELESS-LAN] Vista Wireless Networking...

2007-01-25 Thread King, Michael
Quick question,

What's your radius server? 



RE: [WIRELESS-LAN] Debug Cisco LWAPP

2007-01-04 Thread King, Michael
Someone has already mentioned the Syslog, and disabling the timeout.

One other thing.  You can force AP's to associate to specific
controllers. 

> -Original Message-
> From: Lee Badman [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, January 03, 2007 7:41 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Debug Cisco LWAPP
> 
> Am working with Aironet 1500 Mesh nodes, but have seen the 
> same problem with converted legacy APs that don't play well 
> with controllers for whatever reason. For troubleshooting, 
> command line debug is required at the controllers. In my 
> case, I have 16 controllers- and there's often no obvious 
> rhyme or reason to what controller trouble APs will try to 
> associate to. Cisco's current answer is to open 16 command 
> line windows-
> 1 for each controller- and issue multiple debug commands in 
> each while looking for signs of trouble. This can be 
> challenging, as these windows time out for inactivity and the 
> process has to be repeated until the trouble is found. WCS 
> doesn't appear to aggregate this debug data... 
> 
> Has anyone else found a way of dealing with this debug 
> process when it needs to be distributed across a large number 
> of controllers?
> 
> 
> 
> 
> Lee Badman
> Network/Wireless Engineer
> Syracuse University
> 315 443-3003
> 


RE: [WIRELESS-LAN] SSID of "Free Public WiFi"

2006-11-28 Thread King, Michael
Microsoft has released a new wireless utility update, that changes
Ad-HOC functionality.  Maybe that is the fix you're looking for.

http://support.microsoft.com/kb/917021

Changes for ad hoc networks
On a computer that does not have the Wireless Client Update installed,
Wireless Auto Configuration automatically tries to connect to all the
wireless networks in the preferred networks list that have previously
been connected to. If no infrastructure mode networks are present,
Wireless Auto Configuration sends probe requests to try to connect to
the first ad hoc wireless network in the preferred networks list. An
observer could monitor these probe requests and establish an unsecured
connection with a Windows wireless client.

On a computer that has the Wireless Client Update installed, Wireless
Auto Configuration does not send probe requests to connect to newly
created ad hoc wireless networks in the preferred networks list. Because
many ad hoc wireless networks are created for temporary wireless
connectivity, you must use the Choose a Wireless Network dialog box to
manually initiate a connection to an ad hoc mode wireless network. 

> -Original Message-
> From: Philippe Hanset [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, November 28, 2006 9:56 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] SSID of "Free Public WiFi"
> 
> Martin,
> 
> I have asked the same question before on this list after 
> having searched for quite a while the key that turns ad-hoc off.
> The best I got was the following command line script:
> 
> http://www.engl.co.uk/products/zwlancfg/
> 
> Best,
> 
> Philippe Hanset
> Univ. of Tennessee
> 
> 
> On Tue, 28 Nov 2006, Flagg, Martin D. wrote:
> 
> > Thanks, but what I am looking for is a reg key to turn off 
> ICS without turning off the firewall.  or Some other way to 
> prevent a client from broadcasting a SSID.
> >
> > 
> >
> > From: Robinson, Ronald [mailto:[EMAIL PROTECTED]
> > Sent: Tue 11/28/2006 9:18 AM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: Re: [WIRELESS-LAN] SSID of "Free Public WiFi"
> >
> >
> > Hi Martin,
> >
> > I don't know if this is what you are looking for but it may 
> help.  Under the Wireless Networks tab of the network card 
> properties there is an Advanced button that will allow you 
> to set a check box to only allow connection to Access point 
> networks.  The default is any network.
> >
> >
> > Ron Robinson
> > [EMAIL PROTECTED]
> >
> >
> >
> >
> > 
> >
> > From: Flagg, Martin D. [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, November 28, 2006 7:19 AM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: Re: [WIRELESS-LAN] SSID of "Free Public WiFi"
> >
> >
> >
> > Does anyone know how to shutdown the ability of XP to 
> act as an ad-hoc network?  I would like to add this check 
> to CCA but have not figured out how to do it.
> >
> >
> >
> > Martin Flagg
> >
> > Hiram College
> >
> >
> >
> >
> > 
> >
> >
> > From: David Warner [mailto:[EMAIL PROTECTED]
> > Sent: Monday, November 27, 2006 3:09 PM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: Re: [WIRELESS-LAN] SSID of "Free Public WiFi"
> >
> >
> >
> > If a computer were doing this, it could also be logging 
> sensitive data for exploitation.
> >
> > At 02:55 PM 11/27/2006, you wrote:
> >
> >
> >
> > I have been seeing the same SSID as well as several 
> others that are
> > continually showing up on our network.  After further 
> investigation, and
> > some testing to verify, I have determined that it is 
> caused by wireless
> > profiles configured on a Windows computer.
> >
> > I set up a test using a unique broadcast SSID on an 
> access point, then
> > connected to it with a WinXP box (which automatically 
> creates a wireless
> > profile for that SSID).  I then shut down both the AP 
> and the WinXP
> > client.  Using another wireless client I viewed 
> available wireless
> > networks, the unique SSID was not seen.  I then turned 
> the WinXP box
> > back on, without connecting to any wireless network, 
> and there it was,
> > the unique SSID being broadcast as an Ad-Hoc network.  
> Turn off the XP
> > box and the SSID disappears, turn it back on and there 
> it is again.  I
> > then removed the profile for that SSID from the XP box 
> and the Ad-Hoc
> > network never appeared again.
> >
> >
> > Ron Robinson
> > [EMAIL PROTECTED]
> >
> > -Original Message-
> > From: Lee Badman [mailto:[EMAIL PROTECTED]
> > Sent: Monday, November 27, 2006 1:18 PM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: [WIRELESS-LAN] SSID of "Free Public WiFi"
> >
> > SSID: "Free Public WiFi"
> >
> > Am seeing dozens and dozens of these on any given day 
> as detected by our
> > Cisco LWAPP system- all ad hoc. Internet

Windows XP SP2 Wireless hotfix

2006-11-14 Thread King, Michael



Found this on the SANS site:
http://isc.sans.org/diary.php?storyid=1849

Seems Microsoft has released a hotfix (This means it will NOT appear on
Windows Update) that changes the default behavior of the Wireless
Supplicant.

* Allows group policy to control WPA2 settings.
* Allows networks in the preferred network list to be set as broadcast or
  non-broadcast. Setting all to broadcast prevents the computers from
  leaking the list of preferred networks when they do not find one in
  their list.
* 'parked' wireless cards are given encryption. Parking a card is
  according to Microsoft: "Wireless Auto Configuration may create a
  random wireless network name and put the wireless network adapter in
  infrastructure mode.  In this situation, the wireless adapter is not
  connected to any wireless network. However, the wireless adapter
  continues to scan for preferred wireless networks every 60 seconds".
  They go on with: "Some wireless network adapter drivers may interpret
  this parking operation as a request to connect to a wireless network.
  Therefore, these drivers may send probe requests in search of a network
  that has the random name. Because the parking operation passes no
  security configuration the driver, the random wireless network might be
  an open system-authenticated wireless network that uses no encryption.
  An observer could monitor these probe requests and establish a
  connection with a parked Windows XP wireless client". Now encrypting
  will surely help, but it does feel funny to let it sit there configured
  randomly while there is no use for it doing anything.
* Stop trying to connect to ad-hoc networks in the preferred network
  list.


RE: [WIRELESS-LAN] How many SSID's?

2006-11-08 Thread King, Michael
 

> -Original Message-
 
> 1. Legacy VPN-protected
> 2. 802.1x
> 3. Guest
> 4. EduRoam 
> (Travelling scholars  can use their home RADIUS server to 
> use WiFi)
> 5. Ad Hoc local department network with legit special need 
> (Health Center?)
> 6. Appliances - for Tivos, game consoles, whatever.
>access via mac address registration
>access to internet, with some blocks, but not campus
>perhaps access across the dorm network
> 


Here's a couple more:

7.  Conference and Events.  Not a permanent SSID, but one that is
requested and activated for each conference.
8.  Legacy Devices.  (Very Similar to your Appliances SSID, assuming your
Appliances SSID is using WPA-PSK, this would just use WEP)



RE: [WIRELESS-LAN] Feedback on Plan

2006-11-08 Thread King, Michael
 

> -Original Message-
> BSSID3
> No encryption, Throttled via CCA, two hour limit before 
> having to select Guest again. Internet Only and Limited Access. 

I'd suggest that you find out your average class duration, and make sure
that your Guest is at least that long.

Two hours sounds about right.  (We are 1 hour here)



RE: [WIRELESS-LAN] Streaming multicast over wireless]

2006-11-02 Thread King, Michael
Writing another email, made me think of this question:
 
If you multicast enable your Wireless infrastructure, can you prevent
students from initiating a multicast stream?
 
Essentially, do I have to worry about a student broadcasting from his
wireless laptop with a free copy of VLC?  (We used VLC to test our
Multicast infrastructure)




From: Bill Cole [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 02, 2006 10:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Streaming multicast over wireless]


We are currently setting up a pilot with VideoFurnace. We are
using LWAP as well, but are not looking to stream over the wireless
network for a while. This is partially due to the Cisco CCA application
we run to do authentication for our wireless network.  As of now
multicast does not work over CCA. It is expected to be fixed in the
future. I would really hesitate to run this over 802.11b/g access points
since all it takes is one b user to drive everyone from 54Mbs to 11Mbs
and really clog up the network unless you really limit the bandwidth you
set up when you encode. 802.11a is a much better choice. I think that
Dartmouth has totally replaced their wireless infrastructure with Aruba
802.11a access points.

Duke University ran a pilot with VideoFurnace over wireless in
their Tower Dorm for a while. You might want to contact them about their
result and density of access points. From my discussions with them they
had used quite a few access points to do the coverage. The point of
contact at Duke is Kevin Miller.

Regards,

Bill Cole

--
Bill Cole
Video Network Engineer
North Carolina State University
Communication Technologies/ITD
Campus Box 7208
2114 Avent Ferry Road
Raleigh, NC 27695
Voice: 919.515.0100
Email: [EMAIL PROTECTED]
IP/Video: 152.1.5.156
VideNet/GDS: 00111899195151349



On Nov 2, 2006, at 9:48 AM, Rick Brown wrote:




 Original Message  
Subject:Re: [WIRELESS-LAN] Streaming multicast over wireless
Date:   Wed, 1 Nov 2006 20:09:58 -0500  
From:   Joyce, Todd N <[EMAIL PROTECTED]> 
Reply-To:   802.11 wireless issues listserv



RE:Multicast with CCA was "Streaming multicast over wireless"

2006-11-02 Thread King, Michael
Bill,
 
There are two ways to make Multicast work with CCA right now. (The
problem is CCA's internal router does not currently route Multicast
Packets.)
 
The Cisco Officially supported way is to run your CAS's in Virtual
Gateway mode.  (Since CCA is not the router, it doesn't have to route
the Multicast)
 
The second way is not "officially supported" but has been used in a few
scenarios, and we've extensively tested it here.  (We're Real-IP
Gateway Mode)
 
You create an interface, with an IP that doesn't exist on your network
for the VLAN that is being managed.  You also make the subnet it's on
only large enough for a single IP.  Then Add the multicast commands to
that interface.  Apply appropriate ACL's so that you can control which
direction the traffic flows. (IE, do you want your students mailing
up a multicast stream in the dorms?)
 
The way it works is essentially, it's a hidden router that routes the
multicast traffic to the rest of the network and/or injects it after the
CAS.  Since it only has a valid range of one address, which is the
router, students can't use it as a bypass of CCA.  ACL's can further
ensure this.  But the Multicast traffic will bypass CCA.




From: Bill Cole [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 02, 2006 10:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Streaming multicast over wireless]


We are currently setting up a pilot with VideoFurnace. We are
using LWAP as well, but are not looking to stream over the wireless
network for a while. This is partially due to the Cisco CCA application
we run to do authentication for our wireless network.  As of now
multicast does not work over CCA. It is expected to be fixed in the
future. I would really hesitate to run this over 802.11b/g access points
since all it takes is one b user to drive everyone from 54Mbs to 11Mbs
and really clog up the network unless you really limit the bandwidth you
set up when you encode. 802.11a is a much better choice. I think that
Dartmouth has totally replaced their wireless infrastructure with Aruba
802.11a access points.

Duke University ran a pilot with VideoFurnace over wireless in
their Tower Dorm for a while. You might want to contact them about their
result and density of access points. From my discussions with them they
had used quite a few access points to do the coverage. The point of
contact at Duke is Kevin Miller.

Regards,

Bill Cole

--
Bill Cole
Video Network Engineer
North Carolina State University
Communication Technologies/ITD
Campus Box 7208
2114 Avent Ferry Road
Raleigh, NC 27695
Voice: 919.515.0100
Email: [EMAIL PROTECTED]
IP/Video: 152.1.5.156
VideNet/GDS: 00111899195151349



On Nov 2, 2006, at 9:48 AM, Rick Brown wrote:




 Original Message  
Subject:Re: [WIRELESS-LAN] Streaming multicast over wireless
Date:   Wed, 1 Nov 2006 20:09:58 -0500  
From:   Joyce, Todd N <[EMAIL PROTECTED]> 
Reply-To:   802.11 wireless issues listserv



RE: [WIRELESS-LAN] Streaming multicast over wireless

2006-11-02 Thread King, Michael
 

> -Original Message-

> 
> So I'd say it's good for the press release but at a decent 
> resolution it's going to be difficult to support more than a 
> few channels.
> 
> -Kevin


I've talked a bit with Dartmouth when they first rolled this out.

If I remember correctly, they have the multicast ONLY on the 802.11a
band.  They have more than 20 channels, but they can only support 4
channels per AP simultaneously.  (The same 4 channels don't have to be
on every AP I believe)

All of these were not limitations on the Aruba gear, but conscious
choices made in design to present the best experience.



RE: [WIRELESS-LAN] Dynamic WEP transition to WPA

2006-10-28 Thread King, Michael
 

> -Original Message-

> When you deploy 802.1x wep, it is very secure as well. 

Just a note, this was true up till a few weeks ago.

http://www.ja.net/development/wireless/wag/wep-strongly-deprecated.pdf

The synopsis of this paper is,  it is now possible to crack WEP with 1
packet, and several seconds.

Most Key Rotation schemes are every 5 minutes, or more.



RE: [WIRELESS-LAN] Dynamic WEP transition to WPA

2006-10-27 Thread King, Michael
 

> -Original Message-
> 
> At 12:19 -0400 10/27/2006, Keith Moores wrote:
> >3) Deploy a new SSID/VLAN, announce a cutover period, after which 
> >shutdown the old one.
> >
> >Pros: Gives people a chance to reconfigure on their own schedule
> >Cons: A LOT more back-end work, I'll miss our current ssid, go 
> >(cavalier)s!


This is the way we're going as well.   

802.1x TKIP -> WPA/WPA2 SSID



RE: [WIRELESS-LAN] Apple MAC connections thro Bluetooth

2006-10-19 Thread King, Michael
Hi Tony.

It all depends on how you are authenticating your users.  

I'm going to assume you are using 802.1x with PEAP, or WPA/Enterprise /
WPA2 enterprise.

Without knowing this, we can't really offer comments.

However, if you are using 802.1x with PEAP, you can successfully use any
client that can "talk" PEAP.  We have MAC's, Linux, and Windows boxes
all on our wireless network.  

So, what's your authentication method? 

-Original Message-
From: Tony Fellows [mailto:[EMAIL PROTECTED] 
Sent: Thursday, October 19, 2006 3:44 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple MAC connections thro Bluetooth

Hi Guys,
 
We have a fairly moderate wireless network with a current policy which
restricts users with the Microsoft platform only.  At the last student
intake a few of them had Apple MACs and wanted to connect - they got
pretty upset with our policy of Microsoft clients only.   
We have no experience with Apple MAC connections.
 
My question:  How many folks on this thread allow multi-platform
connections who have primary Active Directory authentication. Is any
particular software available which Apple MAc clients need to install in
order to emulate a windows client.  Or is there another way around this.
 
Any suggestions would be appreciated.
 
Thanks
 
Kind Regards
 
Tony Fellows
Head of IT Services
Newman College of HE
Birmingham B32 3NT
UK
 
Email: [EMAIL PROTECTED]
 
 






RE: [WIRELESS-LAN] Dynamic WEP: caution

2006-10-11 Thread King, Michael
Had not seen that.

Thanks for sharing. 

-Original Message-
From: Philippe Hanset [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 11, 2006 4:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Dynamic WEP: caution

All,

FYI.

http://www.ja.net/development/wireless/wag/wep-strongly-deprecated.pdf

Philippe Hanset
University of Tennessee



RE: [WIRELESS-LAN] Ethernet Wireless Bridge that supports 802.1x

2006-10-04 Thread King, Michael



I've found a few.

ZyXel made one of them, the G-405 (802.1x and WPA)
http://us.zyxel.com/web/product_family_detail.php?PC1indexflag=20040520161256&CategoryGroupNo=01D0FA7A-6FC9-4C60-9A80-508E650AD105

It looks like they also have the G-470 now (With support for WPA2)
http://us.zyxel.com/web/product_family_detail.php?PC1indexflag=20040520161256&CategoryGroupNo=PDCA2006039

I've also bought a Pegasus Outdoor Bridge (The same people that make the
WiJet)
http://www.pegasuswirelesscorp.com/products/products.html
(These support WPA-Enterprise only, not WPA2)

Just a note, some AP's don't allow Bridges.  They only allow the MAC's
that are associated to them to pass.  I'd try one out before committing
to this route. (You can get it to work, but you need a NAT router at the
far end, we found this too much trouble)

I know about, but haven't tried Lantronix's product line.  (We use quite
a bit of Lantronix here, we like the company based on other products)
http://www.lantronix.com/device-networking/embedded-device-servers/wiport.html

We do use several of these however:
http://www.lantronix.com/device-networking/external-device-servers/wibox.html
The Wibox allows Serial Devices to communicate over the IP network.  We
use these on Cash Registers and on Vending Machines.

Mike King
Bridgewater State College


From: Landau, Gary [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 04, 2006 9:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Ethernet Wireless Bridge that supports 802.1x

Does anyone know of an Ethernet to Wireless Bridge that supports 802.1x
(with PEAP and MSCHAPv2)?

We have a system that only has an Ethernet interface and we want to
connect it wirelessly.  However, the only supported security that I’ve
found on the various manufacturer’s websites that have wireless bridges
are WEP and WPA.

Thanks in advance,
Gary

Gary Landau, CISSP, CCNP
Director | Network Services
Loyola Marymount University
Information Technology
One LMU Drive | Los Angeles, CA 90045
p.310.338.4434  f.310.338.2326
[EMAIL PROTECTED] | http://its.lmu.edu
LMU|LA IT: We Deliver!


RE: [WIRELESS-LAN] Enterasys wireless switch deployment

2006-09-28 Thread King, Michael
The Enterasys product is essentially the Trapeze platform. 

-Original Message-
From: Stephen Holland [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 28, 2006 3:14 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Enterasys wireless switch deployment

Does anybody have a large scale deployment of the Enterasys wireless
switch architecture?  By large scale I mean 600 ap's scaling to 1500 or
higher?.

If so are you happy with the performance and the functionality?  What
kind of authentication are you running?

Thanks so much

Stephen Holland
Network Engineer
Northeastern University



RE: [WIRELESS-LAN] Cisco/Airespace and Radius authentication (also a location appliance comment)

2006-09-22 Thread King, Michael
 

-Original Message-
>We'd like to allow or deny permission to each WLAN based 
>on group membership. Is anyone else doing this and 
>willing to share their Radius and WCS configs?


We're not doing this.  But it is possible.  I know because I saw a very
similar question on the FreeRADIUS mailing list a few weeks ago.  I think
it involves hunt-groups.  Wish I could have more information for you.
Have you tried the FreeRADIUS list?



>Apparently the location appliance can only handle a very 
>limited number of these obstructions. 
>But it's been months since we've heard anything new.

Mark,  Have you upgraded code recently on the Location Appliance?
They up'd the tracked Items, and obstruction limits Since the release in
June. (I believe it's 2500 now, up from 1500)



RE: [WIRELESS-LAN] Cisco LWAPP

2006-09-20 Thread King, Michael



Actually, that's a little misleading.
 
Newer versions of WCS with older WISM code is OK. (Not the best, but OK)

Newer versions of WISM, with older WCS is NOT OK. (WCS asks a question,
WISM gives a response WCS is not prepared to answer)
 
 


From: Roth, Joe [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 20, 2006 1:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco LWAPP

We actually installed 4.0 on a new box and just pulled the configs off
of the controllers again without any problems. But we were told by Cisco
that you should not run a newer ver of WCS with an older ver of the WiSM
code, or vice versa.
 
 
 




From: BennettJ [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 20, 2006 12:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco LWAPP

Joe,

Did you have any problems upgrading the controllers or WCS from version
3.0.x.x to the 4.0.66.0 version of WCS. While upgrading a controller
from 3.0.x.x to a 4.0.x.x I found that not all the settings were saved.
Several previously made interfaces (but not all) as well as a few Wlans
were missing from the config. It was easy enough to consult the backup
configs to replace these settings but I felt like this loss of
configuration should not have happened.

Has anyone else had a similar experience?

-Jim

Jim Bennett
Sr. Network Engineer
College of Charleston


RE: [WIRELESS-LAN] Users getting disconnected

2006-08-29 Thread King, Michael
What version of Controller code are you running?  There was a bug in
4.0.155.0 that caused AP's to reboot randomly.  This was fixed in
4.0.155.5 

> -Original Message-
> From: Jorge Bodden [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, August 29, 2006 11:46 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Users getting disconnected
> 
> Has anyone had a problem with users getting disconnected from 
> the wireless network every 4 hours or so.  I get a hit on the 
> wireless at designated intervals (roughly) where they just 
> get kicked off the network.  I have sniffed the traffic and 
> noticed that every time a disconnect takes place, the clients 
> re-authenticate onto the network.  I really do not see 
> anything out of the ordinary.  I do see a lot of requests 
> going to the NetBios server and none coming back, further 
> confuses me.  Does anyone have any experience with this?
> 
> Thanks.
> 
> Jorge
> 
> 
> 
> 
> 
> 



RE: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast, and command line access

2006-08-14 Thread King, Michael
Just in from the front. (sorta, it's dated april)

http://www.microsoft.com/technet/community/columns/cableguy/cg0406.mspx

Non-broadcasting wireless networks

A non-broadcasting wireless network does not advertise its network name,
also known as its Service Set Identifier (SSID). A wireless access point
of a non-broadcasting wireless network can be configured to either not
send Beacon frames or to send Beacon frames with an SSID set to NULL. A
non-broadcasting wireless network is also known as a hidden wireless
network.

In Windows® XP, you could not configure a preferred wireless network
as a non-broadcasting wireless network. The behavior of Wireless Auto
Configuration in Windows XP is to attempt connections to broadcasting
wireless networks before non-broadcasting wireless networks. Therefore,
a computer running Windows XP could automatically connect to a
broadcasting network instead of a non-broadcasting network that is
higher in the preferred wireless networks list.

In Windows Vista, you can now configure wireless networks as broadcast
or non-broadcast. A computer running Windows Vista will attempt to
connect to wireless networks in the preferred networks list order,
regardless of whether they are broadcast or non-broadcast.


Furthermore, Microsoft has added to the methods to connect to
networks

Wireless network configuration methods

You can configure connections to wireless networks, known as wireless
profiles, for a computer running Windows Vista with the following
methods:

* Connect to a network dialog box

  This is the principal method by which individual users will configure
  connections to wireless networks.

* Group Policy

  Network administrators can use Group Policy settings in an Active
  Directory® directory service environment to centrally configure and
  deploy wireless network settings and automatically configure domain
  member computers.

* Command line

  Network administrators can use commands in the new netsh wlan context of
  the Netsh.exe tool to manually configure wireless networks and their
  settings. There are Netsh commands to export an existing wireless
  profile to an XML file and then import the wireless profile settings
  stored in the XML file on another computer.
 

-Original Message-
From: Zeller, Tom S [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 10, 2006 8:21 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

Yes, Microsoft has documented that XP will prefer a broadcast SSID over
a non-broadcast SSID irrespective of their order in the list.  

http://www.microsoft.com/technet/itsolutions/network/evaluate/hiddennet.mspx

However, if you remove the broadcast SSID from the list, there's no
conflict.

The issue I was experiencing attempting to use 802.1x on a non-broadcast
SSID went beyond this problem.  On a wide range of laptops, including
Macs, it was simply unreliable making a connection.  20-40% of the time
the laptop would connect to the proper SSID and then everything worked
great.  But roaming to another AP or coming back gave mostly
unsuccessful results.

I should also mention that there is an optional patch from Microsoft
(i.e. not pushed out by them) that improves the visibility of
non-broadcast SSIDs once you have defined them on the system.  They show
up in the "available networks" list.

http://support.microsoft.com/?id=893357

I should also point to Microsoft's documentation entitled:

"You cannot reconnect to a wireless network that uses a hidden SSID
after you manually disconnect from that network on a Windows XP Service
Pack 2-based computer"

http://support.microsoft.com/kb/907405

-Original Message-
From: Kevin Miller [mailto:[EMAIL PROTECTED]
Sent: Monday, July 10, 2006 12:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

From observations and discussion with others, it seems that wireless
zero config on windows favors broadcast SSIDs... You may notice that
sporadically it will connect to the broadcast one even if you've
configured the non-broadcast with higher priority.

-Kevin

Jim Gogan wrote:
> Quick question: has anyone run into any support issues when some SSIDs
> are broadcast and some aren't on a campus?
> 
> -- Jim Gogan
>ITS Telecommunications
>University of North Carolina at Chapel Hill
> 

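An added example, not part of the thread or of Microsoft's documentation: a Python script that audits wireless profile XML of the kind the Netsh export described above writes, flagging the settings these threads discuss (ad hoc profiles, non-broadcast SSIDs, WEP, and unencrypted networks). The sample profiles, function names and finding labels are constructed for illustration; the element names follow the WLAN profile XML schema.

```python
"""Audit exported Windows WLAN profile XML for risky settings."""
import xml.etree.ElementTree as ET

# Namespace of WLAN profile files (as written by `netsh wlan export profile`).
WLAN_NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
NS = {"w": WLAN_NS}
AUTH_PATH = "w:MSM/w:security/w:authEncryption/"


def make_profile(ssid, conn_type, hidden, auth, enc):
    """Build a constructed sample profile; real input is read from exported files."""
    return (
        f'<WLANProfile xmlns="{WLAN_NS}">'
        f"<name>{ssid}</name>"
        f"<SSIDConfig><SSID><name>{ssid}</name></SSID>"
        f"<nonBroadcast>{'true' if hidden else 'false'}</nonBroadcast></SSIDConfig>"
        f"<connectionType>{conn_type}</connectionType>"
        "<MSM><security><authEncryption>"
        f"<authentication>{auth}</authentication><encryption>{enc}</encryption>"
        "</authEncryption></security></MSM></WLANProfile>"
    )


# Constructed samples: an ad hoc profile, a hidden WEP network, a WPA2 network.
SAMPLE_PROFILES = [
    make_profile("Free Public WiFi", "IBSS", False, "open", "none"),
    make_profile("campus-legacy", "ESS", True, "open", "WEP"),
    make_profile("campus-secure", "ESS", False, "WPA2", "AES"),
]


def _field(root, path):
    """Return the stripped text of an element, or '' when it is absent."""
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def audit_profile(xml_text):
    """Return {'ssid': ..., 'findings': [...]} for one profile document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # A damaged export is reported rather than silently skipped.
        return {"ssid": None, "findings": ["unparseable"]}

    findings = []
    # IBSS is ad hoc mode; ESS is infrastructure (access point) mode.
    if _field(root, "w:connectionType") == "IBSS":
        findings.append("ad-hoc")
    # A non-broadcast profile makes the client name the SSID in its probe
    # requests, which discloses that entry of the preferred networks list.
    if _field(root, "w:SSIDConfig/w:nonBroadcast").lower() == "true":
        findings.append("hidden-ssid")
    encryption = _field(root, AUTH_PATH + "w:encryption")
    if encryption == "none":
        findings.append("no-encryption")
    elif encryption == "WEP":
        findings.append("wep")
    return {"ssid": _field(root, "w:SSIDConfig/w:SSID/w:name"), "findings": findings}


def audit_all(profiles):
    """Return (ssid, findings) for every profile with at least one finding."""
    flagged = []
    for xml_text in profiles:
        result = audit_profile(xml_text)
        if result["findings"]:
            flagged.append((result["ssid"], result["findings"]))
    return flagged


if __name__ == "__main__":
    for ssid, findings in audit_all(SAMPLE_PROFILES):
        print(f"{ssid!r}: {', '.join(findings)}")
```

To audit real machines, read each exported XML file into a string and pass the list to `audit_all`.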

RE: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

2006-07-10 Thread King, Michael
 

> -Original Message-
> From: Frank Bulk [mailto:[EMAIL PROTECTED] 
> Microsoft's 
> development of WPS IE should hopefully reduce the problem.
> 
> Frank

Frank,

Have you seen any uptake on WPS from any of the third party RADIUS
Servers?  So far I assume it's still an IAS only solution.



RE: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

2006-07-10 Thread King, Michael
 Jorge,

I'm just trying to understand.  Were the clients that were already
configured OK? It was just the support people themselves that were
saying the network is down.  (I can't see it, It must be down)

Or is it more serious than that, and people actually stopped working
because it wasn't Broadcasted anymore?

I'm hoping to have a few training sessions with the HD people to explain
the matter before hand.



-Original Message-
From: Jorge Bodden [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 10, 2006 10:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

Michael,
We tried this and it was immediately shot down by the people higher up.

We only had it not broadcasting for 1 day. That takes a lot more
preparation than a couple of calls to the HD and the unchecking of a box
somewhere.  Some people will scream wolf saying that the network is
down, when in reality they are not capable of properly configuring their
device, which is fine because it keeps us employed.  Just remember that
you will get a nice amount of calls regarding this matter. 

JB



RE: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

2006-07-10 Thread King, Michael
We're changing the SSID we've used in the past.  In the past it was
Broadcasted.

We plan to Broadcast the "New" SSID, and non-broadcast the "Old" SSID.
All new setups, and any calls for help would change people to the "New"
SSID.  The thought is to provide service for the old SSID, but not
encourage its use.

Has anyone done this?  I'm curious now, because of this email thread, if
I'm asking for problems.



RE: [WIRELESS-LAN] 802.1x authentication using LDAP

2006-07-07 Thread King, Michael
 

-Original Message-
On Fri, 7 Jul 2006, Matt Ashfield wrote:

> I am running FreeRadius and SunOne ldap server. 

Whoops, missed that part.



RE: [WIRELESS-LAN] 802.1x authentication using LDAP

2006-07-07 Thread King, Michael
Hi Matt.

I'm going to answer your questions, and also point out something you've
missed.

You are using PEAP (if you are using the XP Client, you are using PEAP)

To tell PEAP not to use your logon credentials, but to prompt for them,
you have to uncheck something that is buried 3 menus deep.

See here for directions:
http://www.informit.com/guides/content.asp?g=security&seqNum=74&rl=1

See figure 7 for details

BUT

I don't think this will work for you.  (I'm making some assumptions
about your network that could prove me wrong)
I assume you have Active Directory, with freeradius querying this via
LDAP?
If it is, this setup won't work for you.  ActiveDirectory, in the usual
Microsoft methodology, embraces standards, and extends them with
proprietary extensions.
What does this mean?  It means by default you can't get passwords out of
AD.  You could store passwords in plaintext. (Bad idea)

You need to set up FreeRadius using the ntlm_auth helper program.  You
install Samba on the FreeRadius box, join it to the domain, and
configure freeradius to perform auths via ntlm_auth.  Then freeRadius
will have no problem talking to ActiveDirectory.  You can still use the
LDAP module to assign attributes. (This was on the freeradius mailing
list last week)

Hope this helped.

-Original Message-
From: Matt Ashfield [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 07, 2006 2:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.1x authentication using LDAP

Hi All

I'm trying to configure 802.1x wireless authentication using credentials
stored in LDAP.

I am running FreeRadius and SunOne ldap server. The Radius server is
correctly doing authentication attempts to the LDAP server (I issue the
"radtest" command with a username/passwd from LDAP and I get an
authenticate-accept back).

The next step is setting up an XP client to talk to an Access Point,
which is configured to authenticate via the Radius server, via LDAP. So
far, in my minimal testing, I've seen the client try to connect using
its Windows credentials rather than giving the user a chance to enter a
username/password.

I'm sure others out there are doing this. I'm just wondering what you're
using? EAP-TLS, PEAP, etc..?  I guess I need to get my acronyms straight
first and go from there.

From what I can tell PEAP will require my users to install a
certificate.
We'd much rather prefer them to have to enter their LDAP usernames and
passwords.

Any advice is appreciated.

Thanks


Matt Ashfield
[EMAIL PROTECTED] 
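
[Added example, not part of the original thread and not taken from the FreeRADIUS or Samba projects' own files.] The Active Directory setup described in the reply above (Samba joined to the domain, FreeRADIUS handing the MS-CHAPv2 exchange to ntlm_auth), sketched as a shell script. The domain EXAMPLE, realm EXAMPLE.EDU, file paths and function names are assumptions; the %{mschap:...} expansion syntax differs between FreeRADIUS versions, so compare it with the mschap file shipped with your install.

```shell
#!/bin/sh
# Added example. Domain, realm, paths and function names are placeholders.

# Minimal smb.conf for a box that is only a domain member (no file shares).
render_smb_conf() {            # $1 = NetBIOS domain, $2 = Kerberos realm
    cat <<EOF
[global]
    workgroup = $1
    realm = $2
    security = ads
EOF
}

# mschap module stanza: FreeRADIUS passes the MS-CHAPv2 challenge and
# response to ntlm_auth, so no password is ever read out of the directory.
render_mschap_module() {       # $1 = path to ntlm_auth, $2 = NetBIOS domain
    cat <<EOF
mschap {
    ntlm_auth = "$1 --request-nt-key --domain=$2 --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
EOF
}

# Frequent failure mode: the account radiusd runs as cannot enter winbind's
# privileged pipe directory, so ntlm_auth works as root but not from radiusd.
# Run this check as the radiusd user, not as root.
can_use_winbind_pipe() {       # $1 = winbindd_privileged directory
    [ -d "$1" ] && [ -r "$1" ] && [ -x "$1" ]
}

# The procedure itself. Needs root, a reachable domain controller and
# domain admin credentials; only runs when the script is called with --apply.
apply() {                      # $1 domain, $2 realm, $3 test user, $4 pipe dir
    render_smb_conf "$1" "$2" > /etc/samba/smb.conf
    net ads join -U Administrator          # join the box to the domain
    wbinfo -t                              # verify the machine trust secret
    # Prompts for the password; success prints an NT_KEY line.
    ntlm_auth --request-nt-key --domain="$1" --username="$3"
    can_use_winbind_pipe "$4" ||
        echo "fix group permissions on $4 for the radiusd user" >&2
    # Paste the output into the mschap module configuration.
    render_mschap_module "$(command -v ntlm_auth)" "$1"
}

if [ "${1:-}" = "--apply" ]; then
    shift
    apply "$@"
fi
```

With this in place the LDAP module can still be used for authorization attributes, as the reply notes; only the password check moves to ntlm_auth.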



RE: [WIRELESS-LAN] Cisco/Airespace Training

2006-06-21 Thread King, Michael
I went.

Lots of good basics, plus they cover a lot of the "why" you click that
button.

I think it was worth it.  I had figured out quite a few things on my
own, but being in the classroom environment I got to ask a lot of
questions about things I couldn't understand why you clicked that.

There is an additional 1 day class for the Mesh product, you have to ask
to be included.  (I didn't know about it, wish I did)

The biggest plus is they cover lots of features that are in the manuals,
but you may not have realized the potential for.

Example:
Mobility anchors, you can put a controller outside of your firewall, and
terminate guest sessions on that controller
And
Group APs, you can have users on the same SSID end up on different
VLANs based on the AP they associated to. (In addition to the usual
RADIUS return attributes)

 

> -Original Message-
> From: Lee Badman [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, June 21, 2006 11:01 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Cisco/Airespace Training
> 
> Hello again to the group.
> 
> Am contemplating whether the formal training on the 
> Cisco/Airespace stuff is "worth it" from the perspective of 
> one just getting started with it... I know the answer varies 
> per individual, but has anyone sat in the classroom for 
> Airespace training? Was the content good enough value to 
> expend the time and money getting there versus figuring it 
> out as you go? Any specific horror stories about individual 
> training firms (answer offline if you want)? 
> 
> Thanks-
> 
> Lee
> 
> Lee H. Badman
> Network Engineer
> CWNA, CWSP
> Information Technology and Services
> Syracuse University
> 315.443.3003
> [EMAIL PROTECTED]
> 


RE: [WIRELESS-LAN] Nintendo DS on the WLAN

2006-06-12 Thread King, Michael
Nintendo, on their support forum,
has stated, and I quote:

http://forums.nintendo.com/nintendo/board/message?board.id=tech_questions_wifi&message.id=4196#M4196

We have no plans for WPA at this time.

If you're concerned about WEP, turn your computers OFF after you've
switched to WEP for the DS. I don't care if The Lone Gunmen are parked
outside your door with a van full of equipment trying to bust in your
computer files, they can't do it if your computers are off. And, yes,
your wireless router will still work if your computer is off. Um, unless
it's plugged into the same power strip and you power the whole strip
off.

If that's not an option for you, you may want to get the Nintendo USB
WiFi Connector, as it works ONLY with the Nintendo DS, and you can leave
your other WiFi router with WPA.

NOTE: The reason the Nintendo DS is compatible with WEP, and not WPA, is
that we found WEP to be the most prevalent standard for securing wi-fi
connections.

End Quote.

So forget getting them to work easily, the company has no understanding
of WiFi, or their target audience

> -Original Message-
> From: Lee Badman [mailto:[EMAIL PROTECTED] 
> Sent: Monday, June 12, 2006 12:39 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Nintendo DS on the WLAN
> 
> Have been asked if we will "allow" the New Nintendo DS to use 
> the campus WLAN for gaming... Has anyone else started looking 
> at this sort of thing? Here's what I know so far:
> 
> - The Old version of DS had a wireless (true Wi-Fi) dongle 
> available, it provided wireless connectivity between the game 
> console and the PC, then Internet connectivity was through 
> the PC. Only real implication here is one more noise-making 
> device contending for the 2.4 GHz spectrum.
> 
> - The new DS (Lite) has built in 802.11b, but can go no 
> better than 2 Mbps. It may use the 802.11 protocol, or the 
> proprietary "Nintendo Low Latency Protocol" that wireless 
> sniffers have a hard time correctly classifying.  
> 
> - They are just now starting to come out with games that rely 
> on a TCP-IP stack, before it was just using the Wi-Fi for 
> layer 1 and 2 functions, and some sort of funky tunneling was 
> used to get games across the Internet through an otherwise 
> connected PC.
> 
> I'm sure I'm way behind others that actually play these 
> things, but am curious how other wireless folks feel or worry 
> about the impact of these things both on the wireless 
> networks and the campus Internet edge?
> 
> Thanks-
> 
> Lee
> 


RE: [WIRELESS-LAN] Wireless Network "Interfering" With Fire Alarm

2006-05-24 Thread King, Michael
 

> -Original Message-
> From: Howie Frisch [mailto:[EMAIL PROTECTED] 
>
> The way you phrased this makes it seem that you are running 
> the smoke-heads, and maybe the whole fire alarm system over 
> the building's LAN.  If that it the case, and the heads have 
> fixed IP addresses that overlap the DHCP address space on the 
> LAN, that could cause this trouble.  This has nothing to do 
> with the WiFi/RF side of anything - it seems more likely to 
> be simple IP conflict. 
> 
> 

Just a little background.

Addressable smokeheads do not use IP.  They use their own proprietary
protocol.



RE: [WIRELESS-LAN] Extending an external antenna

2006-05-19 Thread King, Michael
 
> -Original Message-
> From: Lee Weers [mailto:[EMAIL PROTECTED] 
> 1.  Can you extend an antenna from an AP 250 ft?  (That's how 
> long it is to the scoreboard) 

Yes, you can.  But it won't work very well.

>2.  What kind of coax do we 
> need to use to do a/b/g? 

Expensive, and one for each Band.  (One for A, one for B/G)  I'm
guessing much better than LMR 600 we used for our 50ft runs.

> We would like to mount the ap inside of the building and then 
> just extend the external antenna to the scoreboard. 
> 

Why not run an outdoor rated Cat 5 cable up the pipe, and mount an
outdoor Access point at the antenna site?

Several companies make these units.

Depending on how big the complex is, you could even look into Mesh
Units, (this would be your base station) and then put a repeater unit
out at the pressbox (You need power and line of sight) of each of the
fields you want to cover.



RE: [WIRELESS-LAN] Cisco Airespace APs with AIrwave AMP Management

2006-05-18 Thread King, Michael
I'm not 100% sure, but I think the location server's upper limit is
somewhere around 2000.  It's actually dependent on many factors. (Number
of clients being tracked, number of tags in the environment, if tags are
being tracked, if clients are being tracked.)  And WCS can manage
multiple Location Servers.

So the location server isn't the limit, WCS has an upper limit of 1500
on 3.2 software.  And it has to be in WCS for the location server to see
it.  That's the real limiting factor.

I've heard very convincing rumors, from well informed sources that this
number will be increased in 4.0, due out very soon. This will require
beefier hardware (mostly RAM)

I'm privately hoping that they come up with a clustering type of
platform. IE. one SuperWCS that controls multiple WCS's.  But that would
probably require a major re-architecting of the database structure.

If the 100 AP limit was given to you by a Cisco Sales rep, I would get
another Sales rep that knows the product line.  If you got that number
off the product literature, I'd call Cisco, and not your reseller, and
have them send a sales drone by to show it off to you.  They have it on
a few laptops that they can walk around with.

Several other things to be aware of:

WCS is sold two ways.

WCS with location,
WCS without Location.

WCS is only sold with a license to control 50 AP's.  You buy incremental
license additions, in blocks of 50 or 100.  Site licenses are available
(per installation of WCS).  I'm told the break point is right around 400
aps.  (ie, less than 400 Aps, buy the incremental license additions to
get to the number of AP's you have)



> -Original Message-
> From: John Watters [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, May 17, 2006 5:20 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Cisco Airespace APs with AIrwave AMP 
> Management
> 
> I am preparing to rollout a large deployment of Cisco 
> Airespace APs to cover our entire 1,000 acre campus with 120+ 
> buildings, inside and out.
> My estimate of the number of APs needed approaches 3,000. My 
> Cisco folks recommend using their WCS product along with 
> their Location Appliances.
> Since each pair of these will only handle up to 100 APs each, 
> that is lot of money to be spent on WCS+Location Appliance 
> pairs. My Airwave tech person visited yesterday and said that 
> their AMP product (which I already have managing my fat APs) 
> can easily take the place of the Cisco
> WCS+Location Appliance pairs. He went on to say that Cisco even
> recommends the Airwave management solution for "large deployments".
> 
> My questions to the list are:
> 
> 1) Is the Airwave person correct that the AMP product can do 
> all (or almost all) of what the Cisco WCS+Location Appliance 
> pairs do when managing an Airespace environment?
> 
> 2) Is anyone running an Airspace deployment anywhere close to 
> this size (in a single location) and satisfactorily using the 
> Airwave AMP product instead of the Cisco WCS+Location 
> Appliance pairs to manage it?
> 
> Thanks.
>   
> 
> 
> 
> John Watters  UA: Office of Information Technology  205-348-3992
> 


RE: [WIRELESS-LAN] Airespace/Cisco, SNMP monitoring, CiscoWorks, etc.

2006-05-10 Thread King, Michael
Lee


From the controller

Management -> SNMP ->  Trap Receivers

Put your NMS here

Management -> SNMP ->  Trap Controls
Check off what you want.
Sounds like you want to start with
Cisco AP Traps
AP Register
AP Interface Up/Down

With WCS, you could create a template, and apply this to all your
controllers at once as well.  (Here's a secret, this is how WCS gets its
info in the first place)

> -Original Message-
> From: Lee Badman [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, May 10, 2006 3:22 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Airespace/Cisco, SNMP monitoring, 
> CiscoWorks, etc.
> 
> Has anyone using Airespace (now Cisco) done anything with 
> CiscoWorks or external SNMP network monitoring that has 
> worked out- like for basic device up/down, traps, alarms, 
> etc. for the controllers? In this model, without going 
> directly to WCS and controllers, how are you getting info on 
> AP status- can the controllers send effective traps for AP trouble?
> 
> Thanks-
> 
> Lee
> 


RE: [WIRELESS-LAN] Site Survey Software

2006-05-05 Thread King, Michael



Keeping with the free/cheap theme:

Spectrum analyzer
http://www.thinkgeek.com/gadgets/electronic/80ce/

AP Power in Real-Time
http://www.netstumbler.com/downloads/
You need a "Good" card in the fact that Netstumbler was designed for its
chipset

I haven't found anything that puts stuff on a map for under $1000

But that tool is:

http://www.ekahau.com/?id=4600

Which seems to retail right around $1200 for the basic package, and
$3000 for the full boat (Prediction, Reporting, GPS Logging)

For reference, the GranDaddy of this stuff is Wireless Valley at $8000
to $50,000 dollars.  (3D prediction)
http://www.motorola.com/Enterprise/us/en_us/solution.aspx?navigationpath=id_801i/id_2720i/id_2732i

  
  
  From: Flagg, Martin D. [mailto:[EMAIL PROTECTED]
  Sent: Friday, May 05, 2006 12:04 PM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] Site Survey Software

  I like the Cisco tool but unless something has changed it does not
  show all APs only the one you are associated with.  In answer to some
  other questions I have clarified my requirements.

  Requirements:
  AP Power in real Time
  Show all access points in range and channel/Freq
  must support LEAP/PEAP

  Wish List:
  Quality Measurement
  Record measurements to a map
  Spectrum analyzer

  Martin D. Flagg
  Network Engineer/Administrator
  Hiram College

  From: Nathan Hay [mailto:[EMAIL PROTECTED]
  Sent: Friday, May 05, 2006 11:27 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] Site Survey Software

  I've always used a Cisco a/b/g card with the site survey tool that
  comes with it, either on a laptop or iPAQ.  It gives signal strength,
  noise level, and signal-to-noise ratio.  Some will tell you this might
  not be the best way to do it, but it has worked for our purposes.  I
  usually couple this with a web-based bandwidth tester to see what kind
  of actual bandwidth I get at the places I take my readings.

  Nathan

  Nathan P. Hay
  Network Engineer
  Computer Services
  Cedarville University
  Office: 937-766-6516
  Email: [EMAIL PROTECTED]
  Web: www.cedarville.edu

  >>> [EMAIL PROTECTED] 5/5/2006 11:19 AM >>>
  I am looking for the best free or really inexpensive (less than
  $1,000) site survey tools available.  Our network is B/G we have
  MACs/Windows Laptops or IPAQs available.  Any suggestions?

  Martin D. Flagg
  Network Engineer/Administrator
  Hiram College



RE: [WIRELESS-LAN] Site Survey Software

2006-05-05 Thread King, Michael
Site survey as in:

1.  Real time read out of all signal strength seen at a single point of
time.

2.  Heat maps showing the coverage pattern of 802.11 on a given floor
plan.

> -Original Message-
> From: Flagg, Martin D. [mailto:[EMAIL PROTECTED] 
> Sent: Friday, May 05, 2006 11:20 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Site Survey Software
> 
>  
> I am looking for the best free or really inexpensive (less 
> than $1,000) site survey tools available.  Our network is B/G 
> we have MACs/Windows
> Laptops or IPAQs available.  Any suggestions? 
> 
> 
> Martin D. Flagg
> Network Engineer/Administrator
> Hiram College 
> 


RE: [WIRELESS-LAN] point to point wireless

2006-04-19 Thread King, Michael
Again, not another product that I've used, but the glossy sheet looked
cool at a trade show

http://www.rad.com/Article/0,6583,27242-Broadband_Wireless_Multiplexer,00.html

Carries both Ethernet and T1 circuits over the same wireless equipment.
(gets your phone over there as well)

> -Original Message-
> From: Michael Griego [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, April 19, 2006 3:22 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] point to point wireless
> 
> Proxim and Bridgewave were the only two manufacturers I could 
> find that had gigabit capable non-optical wireless solutions. 
>  Our not-so- happy experiences with Proxim is what pointed us 
> initially towards Bridgewave for our current point to point project.
> 
> --Mike
> 
> On Apr 19, 2006, at 12:37 PM, King, Michael wrote:
> 
> > Or Pre-WiMax Stuff as well
> >
> > Here's a list of everything Proxim sells.. (Had a very good product 
> > spread.  Licensed, unlicensed, laser, etc.  I've never used Proxim
> > personally)
> >
> > http://www.proxim.com/products/bwa/point/
> >
> >> -Original Message-
> >> From: Philippe Hanset [mailto:[EMAIL PROTECTED]
> >> Sent: Wednesday, April 19, 2006 1:21 PM
> >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> >> Subject: Re: [WIRELESS-LAN] point to point wireless
> >>
> >> Bruce,
> >>
> >> If it's for a point-to-point and you don't worry about 
> >> standardization, you could always consider pre-802.11n solutions!
> >>
> >> http://www.extremetech.com/article2/0,1697,1949656,00.asp
> >>
> >> Just an idea, we haven't done anything like that...yet!
> >>
> >> Philippe Hanset
> >> University of Tennessee
> >>
> >>
> >> On Wed, 19 Apr 2006, Entwistle, Bruce wrote:
> >>
> >>> We are currently using a pair of Cisco 1300 wireless bridges to 
> >>> connect some student residences to the campus network.  
> While these 
> >>> bridges have worked well we now need something which is
> >> capable of a
> >>> higher speed connection without using multiple links.  
> The current 
> >>> distance between the two antennas is about 300 feet.  I was
> >> wondering
> >>> what products others have used and how they performed.
> >>>
> >>>
> >>>
> >>> Thank you
> >>>
> >>> Bruce Entwistle
> >>>
> >>> Network Manager
> >>>
> >>> University of Redlands
> >>>
> >>>
> >>>
> >>>


RE: [WIRELESS-LAN] point to point wireless

2006-04-19 Thread King, Michael
Or Pre-WiMax Stuff as well

Here's a list of everything Proxim sells.. (Had a very good product
spread.  Licensed, unlicensed, laser, etc.  I've never used Proxim
personally)

http://www.proxim.com/products/bwa/point/ 

> -Original Message-
> From: Philippe Hanset [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, April 19, 2006 1:21 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] point to point wireless
> 
> Bruce,
> 
> If it's for a point-to-point and you don't worry about 
> standardization, you could always consider pre-802.11n solutions!
> 
> http://www.extremetech.com/article2/0,1697,1949656,00.asp
> 
> Just an idea, we haven't done anything like that...yet!
> 
> Philippe Hanset
> University of Tennessee
> 
> 
> On Wed, 19 Apr 2006, Entwistle, Bruce wrote:
> 
> > We are currently using a pair of Cisco 1300 wireless bridges to 
> > connect some student residences to the campus network.  While these 
> > bridges have worked well we now need something which is 
> capable of a 
> > higher speed connection without using multiple links.  The current 
> > distance between the two antennas is about 300 feet.  I was 
> wondering 
> > what products others have used and how they performed.
> >
> >
> >
> > Thank you
> >
> > Bruce Entwistle
> >
> > Network Manager
> >
> > University of Redlands
> >
> >
> >
> >


RE: [WIRELESS-LAN] RADIUS accounting through WLSM

2006-04-19 Thread King, Michael
This won't help with your feature request,

But in most RADIUS servers (and for example, I know Funk and FreeRADIUS
can do this) you can configure a "default" entry, or "wildcard" entry.
It will allow you to collect the statistics while you configure your
APs.

Also, (I'm pretty sure you have FUNK) you can import from a text file
your list of APs.  I think a text file would be easier to generate.

> -Original Message-
> From: Julian Y. Koh [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 18, 2006 6:27 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] RADIUS accounting through WLSM
> 
> 
> So we're making real progress on our 802.1X testing and 
> rollout.  Thanks again to everyone who's helped us over the months.
> 
> Our next issue involves RADIUS accounting records.  We've got 
> the WLSM product from Cisco, and that's great as far as 
> RADIUS authentication is concerned.  Our ~700 APs send the 
> authentication requests up to the WLSM through the GRE 
> tunnels, and the WLSM handles relaying them to the RADIUS 
> server.  Piece of cake.
> 
> Unfortunately, it looks like WLCCP doesn't work like that for 
> accounting records, so we're facing having to configure 700 
> entries into our RADIUS server.  Obviously, anything can be 
> done with the right scripts, but overall it seems like a bit 
> of a management nightmare.  It would be much better to be 
> able to have all the accounting records tunneled just like 
> they are with authentication requests.
> 
> The TAC said to report this to our SE as a feature request, 
> but like all feature requests, they only come to fruition if 
> enough people really ask and can show Cisco that there's a 
> business case for it.
> 
> So I thought I'd toss this out here and see what people think.
> 
> 
> 
> -- 
> Julian Y. Koh 
> 
> Network Engineer   
> 
> Telecommunications and Network Services Northwestern 
> University
> PGP Public 
> Key:
> 


RE: [WIRELESS-LAN] WinXP 802.1x and password changes

2006-04-11 Thread King, Michael
It was a single file, and a directive in the config file 

> -Original Message-
> From: Julian Y. Koh [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 11, 2006 9:21 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
> 
> 
> At 22:00 -0400 04/10/2006, King, Michael wrote:
> >After extensive packet captures, and comparisons, Funk/Juniper has 
> >identified and fixed the problem.  Microsoft didn't follow 
> their own 
> >Spec when they made their own client.
> >
> >Unfortunately, they only fixed it last week.  So it's not in 
> any public 
> >build yet.
> 
> Funk/Juniper says that they're going to try to get us the new build.
> Hopefully we can just replace the executable and not go 
> through a whole installation process.
> 
> 
> 
> -- 
> Julian Y. Koh 
> <mailto:[EMAIL PROTECTED]>
> Network Engineer   
> 
> Telecommunications and Network Services Northwestern 
> University
> PGP Public 
> Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
> 


RE: [WIRELESS-LAN] WinXP 802.1x and password changes

2006-04-10 Thread King, Michael
Not one to let a sleeping dog lie, I've been continuing to chase this
with funk.  I let it drop for a few months, but about a month ago, I
picked it up again. 

After extensive packet captures, and comparisons, Funk/Juniper has
identified and fixed the problem.  Microsoft didn't follow their own
Spec when they made their own client.

Unfortunately, they only fixed it last week.  So it's not in any public
build yet.  

I'll check tomorrow and find out what version they expect the fix to be
in.  

Mike 

> -Original Message-
> From: Julian Y. Koh [mailto:[EMAIL PROTECTED] 
> Sent: Monday, April 10, 2006 5:38 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
> 
> 
> At 07:37 -0500 10/11/2005, Chris Hart wrote:
> >Has anyone confirmed that Funk update  has resolved the 
> issue with the 
> >password change?
> 
> Reviving this old thread.
> 
> To review, the problem is as explained by Michael King 
> concerning cached credentials with the XP 802.1X PEAP supplicant:
> 
> At 09:07 -0400 06/24/2005, King, Michael wrote:
> >FreeRadius -
> >When a password is bad (fail MS-CHAPv2), the FreeRadius server will 
> >send an EAP-Failure inside the EAP-PEAP tunnel, then send a second 
> >payload of an EAP-Failure
> >
> >Steel-Belted Radius -
> >When a password is bad (fail MS-CHAPv2), the SBR server will 
> ONLY send 
> >an EAP-Failure, it will not send the EAP-Failure inside the EAP-PEAP 
> >tunnel, basically, it skips a step.
> >
> >Apparently, the EAP-Failure inside the EAP-PEAP tunnel is 
> what triggers 
> >the XP client that the password is wrong and it should reprompt.
> 
> Michael filed bug 5429 w/ Funk and reported that a test build 
> would be available back in the August timeframe to fix this problem.
> 
> We actually obtained the test build, but we never got around 
> to trying it because we were told that the test build would 
> require a complete rebuild of our config, which we didn't 
> have the time to do.
> 
> The final 5.3 release was supposed to incorporate this fix.  
> We just upgraded this Sunday to SBR 5.30.2009, and I've got 
> basic PEAP going with MS-CHAPv2.
> At least the Mac client works fine, as always, but the 
> Windows XP supplicant still doesn't work when the AD password 
> on the back end is changed.  Windows prompts for a new 
> password, but it doesn't work to let the user on the network, 
> just prompts again.  As always, deleting the EAPOL registry 
> settings fixes things, at least until the AD password is 
> changed again.
> 
> According to Funk (now Juniper), the way to turn on the 
> feature is to edit winauth.aut to change the following line:
> 
> ;RetryFailedAuthentications = no
> 
> to
> 
> RetryFailedAuthentications = yes
> 
> Again, though, this did not work for us.
> 
> Has anyone got this working?
> 
> Thanks!!
> 
> 
> -- 
> Julian Y. Koh 
> <mailto:[EMAIL PROTECTED]>
> Network Engineer   
> 
> Telecommunications and Network Services Northwestern 
> University
> PGP Public 
> Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
> 


RE: [WIRELESS-LAN] Guest access - CALEA rabbit trail

2006-03-31 Thread King, Michael
 Jake,

We too have begun to consider anonymous guest access.

Where in CALEA are you referring to?  (A hyperlink would help)  I'd
like to approach this new initiative aware of all the facts, and this is
one I hadn't considered before.

> -Original Message-
> From: Barros, Jacob [mailto:[EMAIL PROTECTED] 
> Sent: Friday, March 31, 2006 9:00 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Guest access - CALEA rabbit trail
> 
>  We've been forcing all users to authenticate and were 
> considering anonymous guest access as well, but in light of 
> CALEA enforcement probability we are hesitant.  For those of 
> you that do allow anonymous guests, are you considering 
> changing that policy in light of CALEA? Have you any other 
> legal 'problems' with anonymous access?
> 
> Jake Barros
> Grace College
> 



RE: [WIRELESS-LAN] Cisco AP spacing

2006-03-27 Thread King, Michael
 

I've been told 30ft, but not by anyone with a degree.


From: Rick Brown [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 27, 2006 4:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco AP spacing


We are using Cisco 1240 series AP's.  I seem to remember 
an instructor for Terrawave saying that when clustering AP's
for user density to space them approximately 3 ft apart.



RE: [WIRELESS-LAN] Off subject DSL point-to-point

2006-03-22 Thread King, Michael
We've done it as well.

I echo Tim's comment, and cannot stress it enough.  It must be an
Unloaded Pair.

Many people have had success with asking for an alarm circuit.

You basically want one pair of copper wire with no equipment in between.
No load coils. (This is the hard part)

If you have trouble getting it to work, ask them to do a load coil test.

Also, another item to be aware of.  You need to take into account the
distance from building A to the local CO, then from the local CO to
building B.  Phone wires typically don't go building to building. 

> -Original Message-
> From: Flagg, Martin D. [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, March 22, 2006 11:26 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Off subject DSL point-to-point
> 
> Does anyone have any experience in using DSL as a private 
> Point-to-Point solution where telephone lines already exist?  
> Our local township has a scenario where running fiber would 
> be too expensive and they already have extra phone lines.  
> The buildings they wish to connect are about 500 ft apart and 
> they only need 1.5Mbps between them.
> 
> 
> 
> Martin D. Flagg
> Network Engineer/Administrator
> Hiram College 
> 


RE: [WIRELESS-LAN] Tools

2006-03-15 Thread King, Michael



You maintain service on that blade.

  From: Flagg, Martin D. [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, March 15, 2006 10:32 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] Tools

  Mike,

  We get large EDU discounts so the discount is not an issue, small
  budget is the problem.  When you purchase the blade do you also have
  to maintain maintenance on the blade or is it covered by the chassis?

  Martin D. Flagg
  Network Engineer/Administrator


RE: [WIRELESS-LAN] Tools

2006-03-15 Thread King, Michael



I suggest you find another Cisco reseller if they're charging you list
price

http://www.cdwg.com/shop/products/default.aspx?EDC=801563

(And that is without calling and asking for educational pricing.)

Since we have 6509's we purchased the WISM card.
It does 300 AP's instead of 100, and it lists for around $46,000 (you
have to have a 6500 to use this)

I am in the middle of deploying 480 AP's with the 1010's and WISM's.
I'm coming off of supporting 300 Thick AP's.  I can tell you already,
this is a dream to manage compared to chasing 300 Thick AP's.  Plus,
now I have management reports.  (E.g., what SNR the client has, and a
graph of it for the last few days)

BTW, airwave has a product that will manage the 1200's, but it would
run you about the same amount of money.

  From: Flagg, Martin D. [mailto:[EMAIL PROTECTED]
  Sent: Wednesday, March 15, 2006 9:30 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] Tools

  I have just received pricing for Cisco's latest solution for Wireless
  Solution.  I have sticker price shock.  The part number and list
  price are as follows;

  AIR-WLC4404-100-K9   $34,995

  We have about 60 AP 1200's running IOS and using ACS/LEAP/PEAP.  I
  thought that this solution would be the next logical step for our
  Wireless network.  What are other schools our size doing?  Even with
  our EDU discount this is a lot of money.  Will Cisco continue to
  support the 1200's running IOS?  What can I do to make the wireless
  network more manageable without spending this much money?  Anyone
  running the lightweight access points with this appliance?

  Martin D. Flagg
  Network Engineer/Administrator
  Hiram College



RE: [WIRELESS-LAN] Few more 802.1X questions

2006-03-01 Thread King, Michael
Several.

Securew2 seems the best supported and most popular
http://www.securew2.com/  It supports batch configuration.
Unfortunately the website seems a bit slow right this second.


Wire1x is an Open1x port to windows. (Hasn't had any activity since
2004)
http://wire.cs.nthu.edu.tw/wire1x/ 

> -Original Message-
> From: Lee Badman [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, March 01, 2006 9:32 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Few more 802.1X questions
> 
> Thanks, Frank-
> 
>  I realize LDAP is hamstringing us, but AD may not be ready 
> for primetime for our environment from a timing 
> perspective... Given that Cisco ACS is in house, LDAP MAY 
> have to be used initially, and say we have to start with TTLS 
> before we can run with PEAP- is there a known, PREFERRED, 
> FREE!!!, Windows-friendly TTLS supplicant? I've seen 
> Xsupplicant recommended, but it doesn't appear to have a 
> Windows version.
> 
> Again- thanks.
> 
> Lee
> 
> 
> 
> >>> Frank Bulk <[EMAIL PROTECTED]> 2/28/2006 4:35 PM >>>
> Lee:
> 
> If you're using LDAP that limits many of your choices, 
> unfortunately.  
> ==
> If your directory server is based on LDAP, your options are 
> limited based on how your passwords are stored.
> 
> Cisco's Secure ACS LDAP integration supports EAP-TLS and 
> PEAPv1/EAP-GTC. In the first type, LDAP is used to retrieve 
> the user's public-key certificate for comparison with both 
> the client and the user's private-key certificate. In the 
> second type, the environment must support one-time keys, as 
> with token cards.
> 
> If your passwords are stored in MSCHAPv2 format, as is the 
> case with Windows Domains and Active Directory, you can use 
> the LDAP features of other RADIUS vendors to take advantages 
> of EAP-TTLS and PEAP.
> 
> If your passwords are stored in your LDAP directory in the 
> clear, you can use EAP-TLS/PAP and EAP-TTLS/PAP as well as a 
> few others, depending on the RADIUS vendor.
>   
> http://www.networkcomputing.com/mobile/archives/mobile_archive_011106.html
> ==
> In other words, you should be able to front end your LDAP 
> infrastructure with a 3rd-party RADIUS server.
> 
> As for roaming, Cisco's CCKM (proprietary standard!) does 
> support fast secure roaming with PEAP. Go here:
> http://www.cisco.com/univercd/cc/td/doc/product/wireless/cb21ag/acau02/au_prof.htm#wp1094945
> And scroll down to CCKM to see some background and caveats.
> 
> Regards,
> 
> Frank
> 
> -Original Message-
> From: Lee Badman [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 28, 2006 12:53 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Few more 802.1X questions
> 
> Given these specific resources:
> 
> - Cisco ACS 3.3
> - LDAP (moving to AD, but not at first)
> - Cisco 1130/1200s running latest 12.3(7) JA2 IOS code
> - Up-to-date Windows XP users native supplicants
> - Macintosh 10.4 users (latest) native supplicants
> 
> And looking at piloting an 802.1x environment using PEAP...
> 
> Looking for comments on-
> 
> - Roaming (I believe fast secure roaming doesn't work with 
> PEAP) satisfaction
> - Users that may have used 802.1X migration as a juncture to 
> give up the typical wireless DMZ and make wireless an 
> extension of the wired network (for authorized users)
> - Luck with WPA with a broad range of client hardware likely 
> found in a "bring what you have" laptop/handheld environment
> - Success with Windows Mobile
> - General satisfaction
> - Horrors experienced
> - Anything else relevant to the exercise with the resources 
> described above.
> 
> As usual- thanks for the great input this list tends to provide!
> 
> Lee Badman
> 
> Lee Badman
> Network Engineer
> CWNA, CWSP
> Information Technology and Services
> (Formerly Computing and Media Services)
> Syracuse University
> (315) 443-3003
> [EMAIL PROTECTED] 
> 


RE: [WIRELESS-LAN] Problems with 802.1x with hidden SSID

2006-02-27 Thread King, Michael
http://www.winplanet.com/article/3115-.htm


Hidden SSID Syndrome

By default, most access points broadcast their SSID. This allows your
connection manager to see their presence and tell you, "Hey, buddy: this
access point is in range." Some people prefer to hide their SSID by
configuring their access point not to broadcast. In this case, you
manually set the SSID in your connection manager to link the connection.

The problem with Wireless Zero Configuration occurs if a second AP is
also within range. If that AP is broadcasting its SSID, WZC will attempt
to connect to it - even if you've told it that your AP with the hidden
SSID is your preferred network. Whether or not WZC can establish a
connection with the more promiscuous AP, its attempts can cause
instability in your link.

Disabling SSID broadcasting is sometimes suggested as a security
precaution. The theory is that your AP won't advertise its presence to
nearby snoops. In fact, this doesn't provide much security at all.
Whether or not it broadcasts its SSID, the AP includes the SSID in
transmission packets which are easily sniffed out. In reality, disabling
your SSID is no more secure than taping a broom handle across your
steering wheel, hoping that thieves will mistake it for The Club. Secure
your access point with WPA, or a MAC address filter. Enable SSID
broadcasting, and WZC will treat you better.

Of course, the AP with the hidden SSID may not be yours to configure. If
you can't manage the access point yourself, a kludgier solution is to
knock WZC senseless. Skip ahead to "The WZC Two-Step" on the next page
for details on how to disable WZC after it has established the
connection. 

> -Original Message-
> From: Tom Zeller [mailto:[EMAIL PROTECTED] 
> Sent: Monday, February 27, 2006 3:29 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Problems with 802.1x with hidden SSID
> 
> Our APs can only broadcast a single SSID (Proxim 600s and HP 420s).
> 
> To minimize disruption we're looking at running a new 802.1x 
> wireless network in parallel with the old VPN-protected network.
> 
> What we're seeing isn't so pretty.  Very unreliable getting a 
> connection with both Mac and PC though it works well once connected.
> 
> Using the same laptops with a test of broadcast SSID and they 
> both connected reliably and much faster.
> 
> If anyone has any ideas that this can NEVER work, or that you 
> are in fact doing this, I'd be interested in hearing about it.
> 
> Tom Zeller
> Indiana University
> [EMAIL PROTECTED]
> 
> 812-855-6214
> 


RE: [WIRELESS-LAN] 802.11a

2006-02-24 Thread King, Michael



How do you make them prefer A?

  From: Nolan Banks [mailto:[EMAIL PROTECTED]
  Sent: Friday, February 24, 2006 9:24 AM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [WIRELESS-LAN] 802.11a

  Here at FHSU we just finished deploying 250+ AP's to cover the
  majority of our campus.  We enabled 802.11 A/B/G on our network with
  the understanding that the majority of our students will be using
  B/G.  However we are purchasing all university laptops to be A/B/G
  and are setting them to prefer 802.11 A.  If anything this will help
  with load on the network, by not having university owned machines and
  student machines competing for bandwidth.  I don't foresee any
  additional support problems from deploying A.  I consider the
  additional amount of channels to provide more separation to be a
  great feature of A.

  Nolan Banks
  FHSU Wireless Network Administrator
  (785) 628-5688
  [EMAIL PROTECTED]


Microsoft Zero Config Hunt Order

2006-01-31 Thread King, Michael
I thought I would post this based on the conversation that was going on
today.

http://www.microsoft.com/technet/community/columns/cableguy/cg1102.mspx

This document says the Broadcasted will always be preferred OVER
non-broadcasted.

However, I can't find the document I found a while ago which spoke about
encrypted vs. unencrypted.

From what I remember, in order of preference, it will attempt to
associate in this order:

Broadcasted, Encrypted SSID
Broadcasted, non encrypted SSID
Non-Broadcasted, Encrypted SSID
Non-Broadcasted, Non-Encrypted SSID

Speed only makes a difference within the same category.  (For example,
11meg Broadcasted encrypted will be preferred over 54meg nonBroadcasted
encrypted)



RE: [WIRELESS-LAN] Vocera over Aruba

2006-01-20 Thread King, Michael
 I keep beating them up about not having it.  :-)



> -Original Message-
> From: Frank Bulk [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, January 19, 2006 9:10 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Vocera over Aruba
> 
> Let me know when you see WPA2-Enterprise support for a VoWLAN 
> handset. ;)
> 
> Frank 
> 



RE: [WIRELESS-LAN] Vocera over Aruba

2006-01-19 Thread King, Michael
Many of the Vendors that are direct competitors of Aruba (AireSpace,
Trapeze) recommend disabling Aggressive load balancing for the problems
that you have described.  Have you disabled Aruba's aggressive load
balancing feature?

Also, I know that WPA2 has features like Cached authentication, and
Pre-authentication that speed up roaming.  So using WPA2 is the best
security protocol for VoIP.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, January 19, 2006 2:18 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Vocera over Aruba
> 
> Does anyone have experience with running Vocera over an Aruba 
> wireless network?  If so, have you encountered any problems 
> with roaming, voice quality, etc.?  We would also be very 
> interested in knowing about your experiences with Airespace 
> as well.  Thank you!
> 
> Mark
> 


Vivato

2005-12-15 Thread King, Michael
I just got an email from a contact at Vivato.  He forwarded this to me,
with the note that his doors close tomorrow.

Last Call for Vivato? 
12.15.05

Everyone is talking about rumors of the imminent demise of Vivato Inc.,
one of the startups that originally kick-started the wireless LAN switch
movement.

Multiple sources [ed. note: It's even on the message-board!] have told
Unstrung that the company is expected to close down by the end of the
year, with December 20 looking like the most likely date.

We spoke to Vivato last week when these rumors first got too loud to
ignore, and a spokesman denied them then. No one has yet replied to
calls today.

The firm is said to be looking for a buyer, but it is not clear what
prospects are out there.

Of course, Vivato has been pronounced dead in the water before and come
back. But the wireless whisperers we've spoken to insist that the
investor community is now saying that Vivato will close its doors soon.

Vivato's closure could be seen as something of an end of an era for the
WLAN market. The firm was one of the first to promote the idea of a
centrally-managed "wireless LAN switch" network for enterprise users.
(See Vivato Plans Ambitious WLAN.)

But unlike successful startups, such as Airespace and Aruba Wireless
Networks that followed in its wake, Vivato proposed to "light up"
offices with one powerful box that used "beam-steering" technology to
provide radio coverage over hundreds of square feet. (See WLAN Switches:
The Brains Behind 802.11?.) The other players in this space preferred to
use a central switch to manage a network of "dumb" access points. (See
Vivato's Switch Bitch and Switch Tiff Heats Up .)

But in practice, providing coverage in an office-space filled with cubes
and other radio-dampening obstacles proved to be a tricky task for the
Vivato. So the firm repositioned itself as a company that could provide
coverage for stadiums, conference centers, and outdoor areas. (See
Vivato's New Broom and Vivato Goes Wide.)

But despite winning some contracts, the company has remained troubled.
In April, the firm hired a new "crisis CEO" to restructure the company.
(See Vivato Hires Crisis CEO.)

Since its foundation in December 2000, Vivato has scored around $67
million in funding from investors like Intel Capital and U.S. Venture
Partners.

- Dan Jones, Site Editor, Unstrung





 
Copyright (c) 2000-2005 Light Reading, Inc. - All rights reserved.
www.unstrung.com
 



RE: [WIRELESS-LAN] Multiple VLANs configuration

2005-12-15 Thread King, Michael
 

> -Original Message-

> Where would you set the host to ask for credentials every 
> time a connection is initiated?


Short answer, Not sure you can do this.

There is a registry key you would have to delete manually to effect
this.

You can also set the 802.1x to use the windows domain and username. (I
believe this is the default setting)



RE: [WIRELESS-LAN] Multiple VLANs configuration

2005-12-14 Thread King, Michael
 

> -Original Message-
> From: Ranjit Philip [mailto:[EMAIL PROTECTED] 

> 
> This takes us into another subject, but, I was trying to 
> configure the AP in such a way that it has one SSID tied to 
> VLAN 168 which requires MAC based open authentication and no 
> encryption and another SSID tied to VLAN 19 which requires 
> 802.1x based authentication using EAP-PEAP with MS-CHAPv2 and 
> WPA encryption. Do I need to have the port the AP is 
> connected to set for 1x? How would I do it on a trunk port & 
> if 1x is configured on the port wouldn't all the SSIDs on the 
> AP require 802.1x based authentication? 


All authentication takes place on the AP.  The port just needs to be
trunked on the AP and the switch.

To configure the methods you just mentioned, you would need to do that
from the AP configuration.

AFAIK, the 1100/1200's do what you want, but how are you
managing/configuring your AP?  That answer will determine how to
answer the AP configuration questions.



RE: [WIRELESS-LAN] BSOD on Wireless Network

2005-12-14 Thread King, Michael
 This points to the network card driver.  Has the network driver been
updated recently?






Driver_IRQL_Not Less_or_Equal 

Tech Info: 
NDIS.SYS 



RE: [WIRELESS-LAN] Cisco Self-Healing- does it work?

2005-12-06 Thread King, Michael
 

> -Original Message-
> From: Lee Badman [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, December 06, 2005 9:55 AM
> 
> I am contemplating piloting a rather large new building to 
> use Cisco's WLSE/AP "self healing" features- have had some 
> success with it in small test areas. Wondering if anyone is 
> using it on a larger scale and has either gotten comfortable 
> with it or has experienced pain as a result.
> 

Lee, 

Have you looked at Cisco's WISP with the WCS software instead of the
WLSE?  (Jeeze does Cisco love those W acronyms)

Translation,

Instead of using the 1200 intelligent AP with the WLSE engine, using the
cheaper "Thin" AP's with the intelligence in the core.  Otherwise known
as the Airespace product line.



RE: [WIRELESS-LAN] 802.1x authentication on wired network

2005-12-02 Thread King, Michael
 Dave, and Dave (or anyone else with Cisco ACS on a wireless network)

Since you both have Cisco ACS servers, could you check something for me?

Pre-requisites
1.  User is not joined to the domain
2.  User is using built-in XP supplicant
3.  User changes password on the domain.  (Any mechanism)

Does the XP client reprompt them to change the password when you try to
associate to the wireless network?  (Or prompt for username, password,
domain)

We had a large problem with this with a couple of RADIUS servers.
FreeRADIUS doesn't have this problem, and Funk had a fix coming out last
I checked (August).
Since we're considering using ACS, I'm trying to figure out if I'm going
to have this problem again.

> -Original Message-
> From: David Morton [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, December 01, 2005 11:19 PM
> Subject: Re: [WIRELESS-LAN] 802.1x authentication on wired network
> 
> If you're not using ACS, there are three Radius attributes 
> that can be used to put a user in a particular VLAN. I don't 
> recall the attribute numbers off the top of my head, but I am 
> sure you can find them on Cisco's web site.  I know that they 
> are also in the Microsoft Wireless Provisioning Server 
> documentation (which you can find on Microsoft's web site.)
> 
> David
> 
> On Nov 28, 2005, at 5:14 AM, David Warner wrote:
> 
> > Matt,
> >
> > Inside the Cisco ACS server(and other radius servers I 
> assume) you can 
> > specify which vlan a group should be associated with.  The dot1x 
> > configuration on the switch will then use that information 
> to set the 
> > vlan when a user successfully authenticates.
> >
> > dave warner
> >
>

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


RE: [WIRELESS-LAN] WAP Installs on Pedestals

2005-11-29 Thread King, Michael
1500 series 

> -Original Message-
> From: Philippe Hanset [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, November 29, 2005 3:34 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WAP Installs on Pedestals
> 
> If the reason for "no antenna attached to building" is 
> beautification, some Cisco APs (mesh based)from the Airespace 
> acquisition may be a good fit.
> They attach to light poles and look pretty good.
> They better look good for $3995 list price/AP...accessories 
> not included!
> I forgot the name of the AP, but your local Cisco rep will know.
> 
> Philippe Hanset
> 
> On Tue, 29 Nov 2005, Reggie Clarkson wrote:
> 
> > Is anyone using "Code Blue" pedestal phones for installation of 
> > wireless access points?  We will not be able to install antennas or 
> > other wireless devices to our campus buildings so we are 
> considering 
> > any and all possible alternatives.
> >
> >
> >
> > Reggie Ann Clarkson
> >
> > Manager, IT Telecommunications
> >
> > Rice University
> >
> > 713 348-4911
> >
> >
> >
> >
> >
> >


RE: [WIRELESS-LAN] WAP Installs on Pedestals

2005-11-29 Thread King, Michael



Both Cisco (www.cisco.com), Tropos (http://www.tropos.com/) and BelAir
Networks (http://www.belairnetworks.com/) have wireless mesh networks.

Cisco's is built on their AireSpace acquisition, so it integrates with
those controllers.

Here is the Marketing line...

http://www.belairnetworks.com/solutions/hospitality.cfm

Is this what you were hinting at, or were you more looking at just
outdoor coverage?

FYI, it seems to be much more cost effective to deploy units mounted on
buildings with external antennas vs. building a mesh topology.

Another technology you might want to investigate is
http://www.vivato.com/  You put one of these up above the tree line, at
one end of your campus.

  From: Reggie Clarkson [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, November 29, 2005 3:37 PM
  To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
  Subject: [WIRELESS-LAN] WAP Installs on Pedestals

  Is anyone using “Code Blue” pedestal phones for installation of
  wireless access points?  We will not be able to install antennas or
  other wireless devices to our campus buildings so we are considering
  any and all possible alternatives.

  Reggie Ann Clarkson
  Manager, IT Telecommunications
  Rice University
  713 348-4911



RE: [WIRELESS-LAN] Administrative Wireless Network

2005-11-17 Thread King, Michael
>From: Eric Morgenroth [mailto:[EMAIL PROTECTED] 
>This network will only be used by our IT staff, and the network 
>has access to all university resources, based on firewall rules. 

If that is your premise, I would start out with the Highest level of
security you can tolerate, but since most people cannot tolerate TLS
certificates,

I would recommend WPA2-Enterprise (Which is based on 802.1x) with AES
encryption.  You can control access based on the RADIUS server.

I am also a strong proponent of security in layers.  This means any
system that you access via wireless, should use secure access methods.
(example SSH, HTTPS)

I will also warn you, once you introduce wireless, it will grow, and
grow quickly.  It won't just be IT only in a short period of time.



RE: [WIRELESS-LAN] Wireless in dorms, a seat of the pants approach?

2005-11-12 Thread King, Michael
 

> -Original Message-
> From: Flagg, Martin D. [mailto:[EMAIL PROTECTED] 
> Sent: Friday, November 11, 2005 9:20 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Wireless in dorms, a seat of the 
> pants approach?

> I am using less directional antennas now and realize I will 
> soon have to worry more about channel over lap and power.  
> Next year I am planning on buying a central management 
> solution to help me to deal with power and channel overlap 
> issues.  Any Suggestions?


Since you mention that you run Cisco 1200's, you could purchase the
(Former) Airespace Controllers from Cisco.  You load a special firmware
onto the 1200's, and they become "Lightweight" AP's.


I can also Strongly recommend AirWave.  I had a demo of it, and it
worked great.



RE: [WIRELESS-LAN] 802.1x & Active Directory GPOs

2005-10-05 Thread King, Michael
You can use machine authentication, if your RADIUS server supports it.

The computer will authenticate using its computer account, and have
access.  When a user logs in, it will drop the computer credentials, and
switch to the user's credentials.  When the user logs out, it will switch
back to the computer account.

What's your RADIUS server? 

> -Original Message-
> From: Katie Rose [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, October 05, 2005 4:45 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] 802.1x & Active Directory GPOs
> 
> At Notre Dame, we're finding some issues when using 802.1x on 
> computers that belong to our Active Directory domain.  The 
> authentication to access the wireless network appears to 
> happen after the user has actually logged into the computer, 
> so some GPOs to manage the computer don't get applied 
> properly during login.  Is anyone else seeing this issue?  If 
> so, how are you handling it?
> 
> Thanks in advance,
> Katie Rose
> 
> University of Notre Dame - OIT
> 


RE: [WIRELESS-LAN] PC's bridging wired to wireless

2005-10-05 Thread King, Michael
> -Original Message-
> From: Dale W. Carder [mailto:[EMAIL PROTECTED] 

> We have bpdu-guard enabled on the switchports, the network 
> doesn't get into a loop state, but this has the side effect 
> of taking the AP down.  

Slightly left of the topic at hand,

Shouldn't bpdu-guard take the client's switchport down, and not the AP's
port?  That was my understanding of the technology.



RE: [WIRELESS-LAN] 802.1x rollout

2005-09-15 Thread King, Michael
> - - is anyone using Active Directory as an authentication resource?

We are

> - - who's using native 802.1x supplicants versus who is 
> distributing additional software?  Of the latter group, any 
> recommendations? (my personal leanings are Funk's 802.1x 
> supplicant mated with the Open.com Radiator RADIUS server).

We're using WindowsXP/2k native supplicant.

It didn't exist at the time we committed to 802.1x, but I would look at
the SecureW2's http://www.securew2.com very hard right now.  It's open
source as well.
SecureW2 3.1.0 now supports preconfiguration on Service Pack 2 allowing
Administrators to deploy SecureW2 more easily. SecureW2 3.1.0 also
contains the first SecureW2 Gina allowing users to authenticate using
their interactive logon credentials.

We're using FreeRADIUS for a Radius server.



RE: [WIRELESS-LAN] Guest access strategy

2005-09-15 Thread King, Michael
I don't support this, and don't use it.  But you should know that it
exists.

WPS  Wireless Provisioning Services
http://www.microsoft.com/whdc/device/network/wireless/wps.mspx



Wireless Provisioning Services (WPS) enable the discovery of and
connection to wireless networks. WPS enhancements are included in
Microsoft Windows XP Service Pack 2 (SP2) and under consideration for
Windows Server(tm) 2003 Service Pack 1 (SP1).

WPS extends the wireless client software included with Windows XP and
the Internet Authentication Service (IAS) included with Windows Server
2003 to allow for a consistent and automated configuration process when
connecting to public wireless hotspots or private wireless networks that
provide guest access to the Internet.

The WPS APIs allow for the pre-provisioning of network information to
connect to these networks and the provisioning of network settings to
connect to private wireless networks.



> -Original Message-
> From: Mearl Danner [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, September 15, 2005 10:53 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Guest access strategy
> 
> Samford is in the process of establishing policies for 
> wireless access on campus.
> 
> We have Airespace/Cisco 4100 controllers and are in the 
> process of deploying model 1100 APs in various areas around 
> campus. Using this hardware we are able to establish 
> different default ACL's for each SSID, and have successfully 
> applied custom ACL's using Radius (freeradius/eDirectory) reply items.
> 
> We plan to provide restricted access to campus guests on an 
> open SSID and a higher default level of access on an 802.1x 
> authenticated SSID.
> 
> We would like to make it a relatively simple process for 
> campus visitors to access the guest SSID, but make its 
> access restrictive enough to encourage members of the campus 
> community to go the extra steps required to configure for 802.1x.
> 
> We'd appreciate any information on access strategies any list 
> members have implemented (or are considering).
> 
> Thanks,
> 
> 
> 
> 
> 
> Mearl Danner
> Systems Programmer
> [EMAIL PROTECTED]
> Samford University
> http://www.samford.edu
> 


RE: [WIRELESS-LAN] WinXP 802.1x and password changes

2005-08-18 Thread King, Michael
Funk has issued a fix for this problem, and is planning to have it
available by Monday.

Contact Alan Phillips [EMAIL PROTECTED] for further details.

> At 17:07 -0400 07/19/2005, King, Michael wrote:
> >Can everyone that's using Funk SBR, and is Concerned with 
> the password 
> >expiration on the Microsoft 802.1x client please Mail me off list.
> >
> >The Funk Bug ID is 5429, and Funk has stated that we are the only 
> >people to ever experience this problem.
> >
> >The Product Manager of SBR has asked me to have people contact him.
> 
> We opened a case with Funk referencing your bug ID.  We were 
> told that the bug is slated to be fixed with the 5.3 release 
> of SBR.  Beta is scheduled for the end of August, general 
> release in September/October timeframe.



RE: [WIRELESS-LAN] WinXP 802.1x and password changes

2005-07-19 Thread King, Michael
Can everyone that's using Funk SBR, and is Concerned with the password
expiration on the Microsoft 802.1x client please Mail me off list.

The Funk Bug ID is 5429, and Funk has stated that we are the only people
to ever experience this problem.

The Product Manager of SBR has asked me to have people contact him.

Michael King
Telecommunications Support Specialist
Bridgewater State College
(508) 531-2528
(508) 531-4528 Fax
[EMAIL PROTECTED]


> -Original Message-
> From: 802.11 wireless issues listserv 
> [mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
> Sent: Tuesday, April 26, 2005 11:12 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
> 
> Michael, it sounds like you're on to something with Funk.
> 
> If Microsoft could just patch/fix their IAS regarding this 
> issue the whole 802.1X thing would be a lot better for wireless users.
> 
> Frank
> 
> -Original Message-
> From: 802.11 wireless issues listserv
> [mailto:[EMAIL PROTECTED] On Behalf Of King, Michael
> Sent: Tuesday, April 26, 2005 8:14 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
> 
> I did some digging.
> 
> For my implementation (Funk SBR) It looks like when my users 
> put a bad password, the Statistics counter increments 
> "Insufficient resources."
> When I disable authentication (by removing the authentication 
> method) it starts incrementing "Failed Authentication" and my 
> Windows XP client prompts me for a new password.
> 
> I'm awaiting a callback from Funk on how to fix this for my server.
> 
> -Original Message-
> From: 802.11 wireless issues listserv
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Michael Griego
> Sent: Monday, April 25, 2005 6:44 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
> 
> Actually, a packet capture would likely be of little use.  
> What's most likely different in the response from a 
> FreeRADIUS server versus an IAS server (that manifests itself 
> in the does-a-user-get-a-password-prompt question anyway) is 
> the MSCHAPv2 response.  Since this response is tunneled 
> inside TLS, a packet capture would not show anything useful.
> 
> --Mike
> 
> 
> King, Michael wrote:
> 
> >Anyone have FreeRadius?  I'm sure this can be answered with a packet 
> >capture.  (The message the client is receiving)
> >
> >-Original Message-
> >From: 802.11 wireless issues listserv
> >[mailto:[EMAIL PROTECTED] On Behalf Of 
> Michael Griego
> >Sent: Monday, April 25, 2005 3:56 PM
> >To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> >Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
> >
> >Are you running SBR on Windows doing full domain authentication?  I 
> >wouldn't be surprised if SBR on Windows doing domain 
> authentication is 
> >using some of the same API services that IAS is causing it 
> to have the 
> >same difficulty.
> >
> >--Mike
> >
> >---
> >Michael Griego
> >Wireless LAN Project Manager
> >The University of Texas at Dallas
> >
> >
> >
> >King, Michael wrote:
> >
> >
> >>Interesting.  I joined the list just because of this issue.
> >>
> >>I'm running on Funk SBR and it does not appear that the client is 
> >>prompting for a new password.
> >>
> >>Could it be in the answerback that the radius server is sending?
> >>
> >>-Original Message-
> >>From: 802.11 wireless issues listserv
> >>[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
> >>Sent: Monday, April 25, 2005 2:57 PM
> >>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> >>Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
> >>
> >>I attended Mike Griego's excellent online webinar today (courtesy of 
> >>EDUCAUSE), and he said that with FreeRADIUS the WinXP 
> client properly 
> >>prompts for a new password to be entered, which is not the 
> case with 
> >>IAS.
> >>
> >>Can anyone else confirm that?
> >>
> >>Frank
> >>
> >>-Original Message-
> >>From: 802.11 wireless issues listserv
> >>[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
> >>Sent: Tuesday, January 25, 2005 10:49 PM
> >>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> >>Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
> >>
> >>Can Mike and Katie report to the group wha

RE: [WIRELESS-LAN] WLAN Analysis Tools

2005-07-18 Thread King, Michael
> 
> We're looking for help from current WLAN managers. You can 
> either provide general input or answer the following two 
> questions. I hope in most cases you would be willing to post 
> your thoughts publicly, but if you have comments that are of 
> a sensitive nature, you can e-mail me directly.
> 
> 1. What are the most common WLAN problems you face, either in 
> the design or operation of your network, for which WLAN 
> analysis tools might be helpful?

Bridging of the wired and wireless interface, and interference from
Rogue/AdHoc Wireless Networks.

> 
> 2. Which specific available tools -- commercial or otherwise 
> -- are most helpful in allowing you to do your job?

Ethereal, Allows packet capture and basic decodes on wireless frames.
Ekahau Site Survey.  Site Survey tool that also is very good at
detecting hidden networks (With appropriate card)
Network Stumbler.  



RE: [WIRELESS-LAN] Apple Airport 4.2 software

2005-07-15 Thread King, Michael
Hmm..


Anyone have a Verisign/Thawte/Somebody top-level CA and a Mac to test this
on? 

We use self-generated CAs here as well, so this will be a problem for us
as well.

> -Original Message-
> From: Julian Y. Koh [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, July 14, 2005 5:48 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Apple Airport 4.2 software
> 
> Apple released version 4.2 of their Airport software today.  
> Most notably, it adds WPA2 support.
> 
> However, after applying the update to my Mac OS X 10.3.9 
> laptop, I can no longer get it to trust the test certificates 
> that we generated for testing out 802.1X and EAP-PEAP.  
> Earlier today with the Airport 4.1.1 software, everything was 
> fine after I imported the test root certificate and accepted 
> the server cert.  I can get connected now with the 4.2 
> software, but the computer asks me every time to verify the 
> server certificate, claiming that the root certificate is 
> untrusted
> 
> 
> -- 
> Julian Y. Koh
> Network Engineer
> Telecommunications and Network Services
> Northwestern University
> PGP Public Key:
> 


RE: [WIRELESS-LAN] Peap info

2005-07-06 Thread King, Michael
> 
> We're not currently using this functionality here, but I have 
> tested it and it does work for user authentication.  It 
> currently does not work for machine authentication, though.
> 

The workaround for machine authentication, for now, is to proxy it off
to an IAS or Funk SBR server.  Not exactly elegant, but it gets you
machine authentication, while your users remain on FreeRadius. 



RE: [WIRELESS-LAN] Peap info

2005-06-24 Thread King, Michael
 

> -Original Message-
> From: Bennefield, Cully A. [mailto:[EMAIL PROTECTED] 
> Sent: Friday, June 24, 2005 3:59 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Peap info
> The students were unable to log on to the laptop 
> since their credentials were not cached.  We used the 
> Meetinghouse client to authenticate with AD during the boot 
> up process as a workaround.  

The feature you were looking for was 

Below the box where you select PEAP or Smartcard, there is a check box
marked
"Authenticate as a computer when computer information is available"

I'm not sure how to set it up on IAS, but on Steel Belted Radius it was
Allow Machine Accounts.

Then the Computer account in Active Directory will provide network
access, until the user logs in, then the user credentials will replace
it during the logon process.
There is also a registry key that controls this, so you can always use
the machine account if you want to.



RE: [WIRELESS-LAN] Peap info

2005-06-24 Thread King, Michael
 
> One quick warning here.  Be very careful about running Steel Belted 
> RADIUS on Windows doing domain authentication or IAS in an 
> environment 
> where the machines authenticating via 802.1x are *not* domain member 
> machines with users logging in via domain accounts.  The 
> builtin WinXP 
> supplicant refuses to reprompt the user for his new password if his 
> domain password is changed.  It keeps trying to auth with the old 
> password, resulting in an eventual account lockout.  You have to 
> actually remove the registry key that contains the cached network 
> credentials to get the machine to stop attempting to auth 
> with the bad 
> credentials.  The only ways to get around this are to a) make 
> sure all 
> machines are domain members and the users are logging in with their 
> domain accounts or b) don't use IAS or SBR.  We use 
> FreeRADIUS, and we 
> don't have this problem with our student laptops.
> 

Michael,

I have spoken extensively with Funk Software, and have managed to delve
into why this is different between FreeRadius and Steel Belted Radius.

FreeRadius - 
When a password is bad (fail MS-CHAPv2), the FreeRadius server will send
an EAP-Failure inside the EAP-PEAP tunnel, then send a second payload of
an EAP-Failure.

Steel-Belted Radius -
When a password is bad (fail MS-CHAPv2), the SBR server will ONLY send
an EAP-Failure, it will not send the EAP-Failure inside the EAP-PEAP
tunnel, basically, it skips a step.

Apparently, the EAP-Failure inside the EAP-PEAP tunnel is what triggers
the XP client that the password is wrong and it should reprompt.

Funk has told me they will open a case with engineering to have it
addressed in their code, but I have no timetable.  Maybe if people using
Funk products would call them and push them for the same problem I did,
it might get a little more of a push.

Michael King
Bridgewater State College
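
The two failure sequences described in the message above, modelled as an added example that is not part of the original post and is not FreeRADIUS, Funk or Microsoft code. It parses constructed EAP packets (RFC 3748 header layout) and applies the reprompt rule the message reports; the `inner` layer standing in for decrypted tunnel contents, the packet bytes and all function names are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_PEAP = 25       # EAP method type number for PEAP
EAP_TYPE_MSCHAPV2 = 26   # EAP method type number for EAP-MSCHAPv2
OPAQUE = b"\x00" * 8     # constructed stand-in for TLS-protected bytes

Trace = List[Tuple[str, bytes]]  # (layer, raw EAP packet)


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]  # None for Success/Failure, which carry no Type
    data: bytes


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None,
              data: bytes = b"") -> bytes:
    """Serialise Code(1) Identifier(1) Length(2) [Type(1) Data] per RFC 3748."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet, rejecting truncated or inconsistent headers."""
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if code not in (EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE):
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(raw):
        raise ValueError("EAP Length field does not fit the buffer")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if length != 4:
            raise ValueError("Success/Failure packets carry no data")
        return EapPacket(code, identifier, None, b"")
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    return EapPacket(code, identifier, raw[4], raw[5:length])


def bad_password_trace(inner_failure: bool) -> Trace:
    """Constructed exchange for a rejected MS-CHAPv2 password.
    "outer" packets are what the AP relays and a sniffer can read; "inner"
    packets stand in for the decrypted tunnel payload (an assumption of this
    model). inner_failure=True is the sequence the message attributes to
    FreeRADIUS, False the one it attributes to Steel-Belted Radius.
    """
    trace = [
        ("outer", build_eap(EAP_REQUEST, 5, EAP_TYPE_PEAP, OPAQUE)),
        ("inner", build_eap(EAP_REQUEST, 6, EAP_TYPE_MSCHAPV2, b"challenge")),
        ("outer", build_eap(EAP_RESPONSE, 5, EAP_TYPE_PEAP, OPAQUE)),
        ("inner", build_eap(EAP_RESPONSE, 6, EAP_TYPE_MSCHAPV2, b"bad")),
    ]
    if inner_failure:
        trace += [
            ("outer", build_eap(EAP_REQUEST, 7, EAP_TYPE_PEAP, OPAQUE)),
            ("inner", build_eap(EAP_FAILURE, 6)),
            ("outer", build_eap(EAP_RESPONSE, 7, EAP_TYPE_PEAP, OPAQUE)),
        ]
    trace.append(("outer", build_eap(EAP_FAILURE, 8)))  # both servers end here
    return trace


def supplicant_action(trace: Trace) -> str:
    """Rule reported in the message: an EAP-Failure seen inside the tunnel
    before the outer EAP-Failure makes the client reprompt; an outer
    EAP-Failure alone leaves it retrying the cached password."""
    saw_inner_failure = False
    for layer, raw in trace:
        if parse_eap(raw).code != EAP_FAILURE:
            continue
        if layer == "inner":
            saw_inner_failure = True
        else:
            return "reprompt" if saw_inner_failure else "retry-cached"
    return "no-failure"


def sniffer_view(trace: Trace) -> List[Tuple[int, Optional[int]]]:
    """(code, type) of the outer packets only: all a packet capture shows."""
    outer = (parse_eap(raw) for layer, raw in trace if layer == "outer")
    return [(p.code, p.eap_type) for p in outer]
```

In this model a capture of the outer layer differs between the two sequences only by one extra opaque PEAP round trip; the packet that decides the client's behaviour stays inside the tunnel.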



RE: [WIRELESS-LAN] mixing 'b' and 'g'

2005-05-12 Thread King, Michael
 Close.

.11b is of course 11meg

.11g goes to compatibility mode, and drops down to something in the
order of 19meg.

> -Original Message-
> From: 802.11 wireless issues listserv 
> [mailto:[EMAIL PROTECTED] On Behalf Of Mike Yohe
> Sent: Thursday, May 12, 2005 4:42 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] mixing 'b' and 'g'
> 
> I am not a wireless network expert, but it is my 
> understanding that a b connection to a WAP slows all traffic 
> on that WAP to b speed.
> 
> - Mike



RE: [WIRELESS-LAN] WinXP 802.1x and password changes

2005-05-11 Thread King, Michael
Still working with FUNK. 

I have confirmed that by building a FreeRADIUS server, it will prompt
for the password if it's wrong, or if it changes.

FreeRADIUS at this time cannot perform machine account authentications,
but it supports proxying them off to another RADIUS server (for example,
IAS, or FUNK)

I'll post more when I know it.

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Tuesday, April 26, 2005 11:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Michael, it sounds like you're on to something with Funk.

If Microsoft could just patch/fix their IAS regarding this issue the
whole 802.1X thing would be a lot better for wireless users.

Frank

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of King, Michael
Sent: Tuesday, April 26, 2005 8:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

I did some digging.

For my implementation (Funk SBR) It looks like when my users put a bad
password, the Statistics counter increments "Insufficient resources."
When I disable authentication (by removing the authentication method) it
starts incrementing "Failed Authentication" and my Windows XP client
prompts me for a new password.

I'm awaiting a callback from Funk on how to fix this for my server.

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Monday, April 25, 2005 6:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Actually, a packet capture would likely be of little use.  What's most
likely different in the response from a FreeRADIUS server versus an IAS
server (that manifests itself in the does-a-user-get-a-password-prompt
question anyway) is the MSCHAPv2 response.  Since this response is
tunneled inside TLS, a packet capture would not show anything useful.

--Mike


King, Michael wrote:

>Anyone have FreeRadius?  I'm sure this can be answered with a packet 
>capture.  (The message the client is receiving)
>
>-Original Message-
>From: 802.11 wireless issues listserv
>[mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
>Sent: Monday, April 25, 2005 3:56 PM
>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
>
>Are you running SBR on Windows doing full domain authentication?  I 
>wouldn't be surprised if SBR on Windows doing domain authentication is 
>using some of the same API services that IAS is causing it to have the 
>same difficulty.
>
>--Mike
>
>-----------
>Michael Griego
>Wireless LAN Project Manager
>The University of Texas at Dallas
>
>
>
>King, Michael wrote:
>
>
>>Interesting.  I joined the list just because of this issue.
>>
>>I'm running on Funk SBR and it does not appear that the client is 
>>prompting for a new password.
>>
>>Could it be in the answerback that the radius server is sending?
>>
>>-Original Message-
>>From: 802.11 wireless issues listserv
>>[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
>>Sent: Monday, April 25, 2005 2:57 PM
>>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
>>
>>I attended Mike Griego's excellent online webinar today (courtesy of 
>>EDUCAUSE), and he said that with FreeRADIUS the WinXP client properly 
>>prompts for a new password to be entered, which is not the case with 
>>IAS.
>>
>>Can anyone else confirm that?
>>
>>Frank
>>
>>-Original Message-
>>From: 802.11 wireless issues listserv
>>[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
>>Sent: Tuesday, January 25, 2005 10:49 PM
>>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes
>>
>>Can Mike and Katie report to the group what kind of access points and 
>>software revisions they are running?
>>
>>My aide in this diagnosis suspects it could be some kind of 
>>communication flow between the AP and the client that causes some WLAN
>>systems to prompt for the credentials and others not to.
>>
>>Regards,
>>
>>Frank
>>
>>-Original Message-
>>From: 802.11 wireless issues listserv
>>[mailto:[EMAIL PROTECTED] On Behalf Of Michael 
>>Griego
>>Sent: Tuesday, January 25, 2005 10:57 AM
>>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>>Subject: Re: [WIRELESS-LAN] WinXP 802.1x and pas

RE: [WIRELESS-LAN] Student Printing on Wireless Network

2005-05-03 Thread King, Michael
We've been using IPP enabled print queues on Windows2000 servers.

We demo'd the PrinterOn Technology.  We were impressed with it, but we
decided to go with IPP instead.

For details on IPP printing at BSC, we have the following setup
directions

http://it.bridgew.edu/telecomm/perfigo/wirelessprinting.cfm

 

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Tuesday, May 03, 2005 9:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Student Printing on Wireless Network

This seems somewhat timely. I found it in my Campus Technology
e-newsletter.  I don't know if it's any good.


Sponsor:

802.11 Wireless Notebook Printing

With the growth of mobile computing and wireless networks, the simple
act of printing now presents challenges to students and their
institutions. Read about the technologies and printing solutions that
provide value to mobile and wireless users on campus in the whitepaper,
"Student Printing in a Mobile Computing Environment," by PrinterOn.
Download this comprehensive look at how to leverage current assets and
address needs now and into the future from the Campus Technology
Resource Page.

http://info.101com.com/default.asp?id=14689


*

Frank




From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Patel, Amish
Sent: Monday, May 02, 2005 4:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Student Printing on Wireless Network



Hello everyone,

I just want to see what schools are doing with students printing on the
wireless network.

Here is a little background on what The John Marshall Law School has
set up:

Students here connect to the wireless network using a VPN client, in which
they enter their student ID and password.  The VPN client allows them to
connect to the domain.  If they want to print we install a Hold printer
which is on a print server on the domain.  Once the printer is installed,
anytime they connect the printer is reconnected with their logon
credentials.  Students then go to a release station where they are asked
to put in their credentials and their jobs are then displayed for
release.  That's the basic setup.

We want to upgrade our wireless network and we would like to get away
from using the VPN client.  My question is how are other schools
handling printing on the wireless, other than joining student machines to
the domain.

Any help would be appreciated!

Thanks,

Amish Patel
Computer Services
The John Marshall Law School
[EMAIL PROTECTED]
312-427-2737 x550


