RE: Cisco EAP-TLS fragmentation with active/active firewalls

2021-09-13 Thread Lee Weers
Look at the load balancing on the firewalls. Depending on how it is set up, 
there is a way that all the traffic is sent to one firewall vs the other per 
session.  I know this can be done at the interface level. I don’t remember what 
they called it off the top of my head.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Turpin, Max
Sent: Monday, September 13, 2021 11:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco EAP-TLS fragmentation with active/active firewalls

Hey everyone,

Hoping everyone is having a peaceful start of the semester. Reaching out 
because we’re dealing with a doozy of a problem and hoping someone else may 
have dealt with this and can help.

We are running several pairs of Cisco 5520 controllers running 8.5.171 code. We 
have recently done a complete rebuild of our ClearPass environment split across 
two data centers and those are running 6.9.6. What we have found is that when 
sending traffic to this new cluster, some packets are greater than 1500 bytes 
and are getting fragmented in the environment. That would be all well and fine 
except our perimeter firewalls are active/active so in some cases, fragment 1 
goes to FW-A and fragment 2 goes to FW-B. Palo Alto will drop fragments if it does 
not have all parts. So these fragments are getting dropped and thus the EAP 
exchange is timing out.


  1.  As far as I’ve gotten from Cisco, 5520 controllers do not support jumbo 
frames
  2.  There is no support from Cisco on specifying an EAP-TLS fragment size 
(unlike Aruba)
  3.  I cannot move all the controllers inside the data centers as there are 
some remote controllers as part of this environment.

The only solution I can think of right now is to point the traffic to one 
firewall with policy routes with SLA tracking but that’s an administratively 
burdensome solution and frankly, kind of kludgy.

Have any of you dealt with this sort of issue? Any thoughts on this would be 
appreciated.

Thanks,
Max

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
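
The failure described in this thread, as an added illustration (not part of any poster's message and not vendor code): a RADIUS/UDP datagram larger than the MTU is split into IPv4 fragments, and only the first fragment carries the UDP ports. The controller and RADIUS addresses, the 1900-byte payload and both firewall-selection functions are assumptions constructed for this model; real devices use their own hashes.

```python
"""Constructed model: one fragmented RADIUS/UDP datagram and two firewalls."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

IP_HEADER_LEN = 20             # IPv4 header without options
UDP_HEADER_LEN = 8
PROTO_UDP = 17
FIREWALLS = ("FW-A", "FW-B")   # names as used in the thread
WLC = "10.10.1.20"             # constructed controller address
RADIUS = "10.20.5.10"          # constructed RADIUS server address
RADIUS_PORT = 1812


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int                 # shared by all fragments of one datagram
    offset: int                # byte offset of this fragment's data
    more_fragments: bool       # MF flag
    length: int                # bytes of IP payload carried
    src_port: Optional[int]    # UDP header exists only in the first fragment
    dst_port: Optional[int]


def fragment_udp(src: str, dst: str, sport: int, dport: int,
                 udp_payload_len: int, mtu: int = 1500,
                 ip_id: int = 1) -> List[Fragment]:
    """Split one UDP datagram into IPv4 fragments for the given MTU."""
    total = UDP_HEADER_LEN + udp_payload_len
    per_frag = (mtu - IP_HEADER_LEN) // 8 * 8   # offsets count 8-byte units
    frags: List[Fragment] = []
    offset = 0
    while offset < total:
        size = min(per_frag, total - offset)
        first = offset == 0
        frags.append(Fragment(src, dst, ip_id, offset, offset + size < total,
                              size, sport if first else None,
                              dport if first else None))
        offset += size
    return frags


def _addr_sum(frag: Fragment) -> int:
    octets = frag.src.split(".") + frag.dst.split(".")
    return sum(int(o) for o in octets) + PROTO_UDP


def pick_by_ports(frag: Fragment) -> str:
    """Hypothetical selector over addresses, protocol and L4 ports.
    Later fragments have no UDP header, so their ports count as 0."""
    key = _addr_sum(frag) + (frag.src_port or 0) + (frag.dst_port or 0)
    return FIREWALLS[key % len(FIREWALLS)]


def pick_by_addresses(frag: Fragment) -> str:
    """Hypothetical selector over addresses and protocol only."""
    return FIREWALLS[_addr_sum(frag) % len(FIREWALLS)]


def reassembles(frags: List[Fragment]) -> bool:
    """True if the fragments cover the datagram from offset 0 to the end."""
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0
    for frag in ordered:
        if frag.offset != expected:
            return False
        expected += frag.length
    return bool(ordered) and not ordered[-1].more_fragments


def delivered(frags: List[Fragment],
              pick: Callable[[Fragment], str]) -> bool:
    """Each firewall reassembles on its own and drops incomplete sets."""
    seen: Dict[str, List[Fragment]] = {}
    for frag in frags:
        seen.setdefault(pick(frag), []).append(frag)
    return any(reassembles(part) for part in seen.values())


def count_dropped(pick: Callable[[Fragment], str], sports: Iterable[int],
                  udp_payload_len: int) -> int:
    """How many source ports lose a datagram of this size."""
    return sum(
        1 for sport in sports
        if not delivered(fragment_udp(WLC, RADIUS, sport, RADIUS_PORT,
                                      udp_payload_len), pick))


if __name__ == "__main__":
    ports = range(49152, 49252)          # 100 constructed source ports
    for name, pick in (("ports", pick_by_ports),
                       ("addresses", pick_by_addresses)):
        for size in (1400, 1900):
            lost = count_dropped(pick, ports, size)
            print(f"selector={name:9} payload={size} lost={lost}/100")
```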


RE: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 28 Aug 2020 to 29 Aug 2020 (#2020-156)

2020-08-31 Thread Lee Weers
About 2 years ago I installed 3 of the Ventiv mini bollards. I was concerned 
that a mower would take out one of them, but it hasn’t happened yet. The top 
when not connected to the base seems very flimsy, but it has surprised me how 
well they have held up. We did place them in areas where students would not sit 
on them.
We even installed 2702i access points in them, so they are not even outdoor 
rated access points.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Brian Helman
Sent: Monday, August 31, 2020 3:17 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 
28 Aug 2020 to 29 Aug 2020 (#2020-156)

I wasn’t planning on powering the AP’s from the poles.  I assumed the lights on 
the poles were locally switched though, so pre-switch should be possible.   
It’s something to verify though.  The problem with bollards is that combined 
with the light poles, it makes the area very busy with vertical poles.  It’s 
supposed to be an inviting area, not one that looks like a jail (or crib).

Thanks though.  All of these are being added to our “double check” list!

-Brian

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Manon Lessard
Sent: Monday, August 31, 2020 3:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 
28 Aug 2020 to 29 Aug 2020 (#2020-156)

Brian

In my experience (YMMV) light poles have photo cells which would prevent proper 
power from being fed to your APs during the day. In my case, it’s even worse, 
there is one “loop” that feeds the power to all poles on campus, so all poles 
light up at the same time, I cannot only power one up, say because I have an AP 
on it but not on the others. And we’re not even talking about convincing the 
power people to let you put something on “their” pole...

Hanging from roof is just a huge hassle, too high anyways and the cost in 
wiring in addition to the loss you would get even using LMR600 would be too 
much trouble IMO.

So either bollards or some kind of a pole or even a skinned building-side 
solution could be best. If you have bus stop enclosures that are heated/cooled, 
maybe they could help you cover the area?


Manon Lessard
Programming and Analysis Officer
CCNP, CWNE #275, AWA 10, ESCE Design
Direction des technologies de l'information
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Bureau 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada
418 656-2131, ext. 412853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Brian Helman 
<bhel...@salemstate.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Monday, August 31, 2020 at 3:18 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [EXTERNAL] Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 
28 Aug 2020 to 29 Aug 2020 (#2020-156)

Well, you saved me from having to look for bollards.  Our Facilities people are 
not in favor of us putting anything on the roofs, so now I’m back to looking at 
ground level.  Everyone wants wireless in the quad, but no one wants the actual 
gear installed.  Right now, I’m leaning to mounting them on existing light 
poles, but this is good info to have.

Thanks,
Brian

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jennifer Minella
Sent: Monday, August 31, 2020 3:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [EXTERNAL] Re: [WIRELESS-LAN] WIRELESS-LAN Digest - 28 Aug 2020 to 29 
Aug 2020 (#2020-156)


Re: [WIRELESS-LAN] Printing to a wired printer from wireless

2018-02-01 Thread Lee Weers
We implemented mobile printing with PaperCut when they first released it. We 
just refreshed all our printers and copiers during break and we upgraded to 
17.4.4. It fixed some of the problems we were having and we found a DNS entry 
we were missing.  Now we see more and more Mac clients and iOS devices using it 
every day.

One limitation is it doesn't support the more advanced printing features of the 
copiers like stapling, booklet, paper punch, etc.

Thank you,
Lee Weers


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Mark Duling 

Sent: Thursday, February 1, 2018 5:19:02 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Printing to a wired printer from wireless

We're using Pharos. It needs a license for mobile printing that we don't have 
yet. But when we get a license sometime in future they have a mobile app you 
can use to print. Don't know how it stacks up against Papercut since I'm not 
involved with printing at all.


On Thu, Feb 1, 2018 at 3:09 PM, Saber, Max <max.sa...@mcphs.edu> wrote:
Another +1 for PaperCut MF.

We have been PaperCut MF users for about four years now, and we are also 
looking at the Mobility Print as an initiative for the Fall semester. I don’t 
think it is going to be overly complicated seeing how easy the rest of their 
product is to use, but I would certainly be interested in talking to someone on 
or off list about their implementation of Mobility Print.

Thanks,
Max


...
Max Saber, MS

Systems Engineer II
Information Services
MCPHS University

179 Longwood Avenue | Boston MA 02115

T 617.732.2811  F 617.732.2080  C 774.644.1542

max.sa...@mcphs.edu
www.mcphs.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hart, Michael
Sent: Thursday, February 1, 2018 3:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Printing to a wired printer from wireless

MSU Denver is also a PaperCut user.  My team is not directly involved in 
administration, but I can have the team that is responsible reach out to anyone 
who’s looking for feedback and advice.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tony Skalski
Sent: Thursday, February 1, 2018 12:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Printing to a wired printer from wireless

Another +1 for PaperCut MF. We rolled out Mobility Print and configuring 
printers on student devices has never been easier.

ajs

On Thu, Feb 1, 2018 at 12:54 PM, Glinsky, Eric <eric.glin...@uconn.edu> wrote:
We used PaperCut MF in my previous workplace as well and we were satisfied with 
it. When we first implemented (summer 2016), we also used Presto to handle the 
DNS. I'm a bit fuzzy on the details at this point but that was flakey (biggest 
issue being print jobs not getting cleared from the Presto queue after being 
passed on to PaperCut and filling up the server's disk), so as soon as PaperCut 
released their own solution (Project Banksia), we impl

RE: WAPs Bounce on vlan 765

2016-04-14 Thread Lee Weers
Do you have DNS servers set up on that DHCP scope that have the 
Cisco-CAPWAP-Controller entry that points to your WiSMs?

Thank you,

Lee Weers
Director of ITS Infrastructure
Central College
641-628-7675

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Legge, Jeffry
Sent: Thursday, April 14, 2016 10:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WAPs Bounce on vlan 765

I have all my APs on vlan 665. I am trying to put some on vlan 765. When I do, 
they repeatedly associate and disassociate. I am working with Cisco TAC but 
so far they cannot explain why this is happening. Has anyone experienced this 
before? Any suggestions? I have two WiSM2s on 7.6.122.12. I plan on upgrading to 
8.x in May.

Jeff Legge
Radford University
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

RE: off-topic: thoughts on Hyper-V

2012-08-13 Thread Lee Weers
I have been running our production environment on Hyper-v since 2008 RC code 
was released.  No matter what the solution you have to pay for the Microsoft 
licensing on top of Citrix and VMWare.  With Hyper-v you only add the 
management piece as far as cost.  That is the only reason why we have been 
doing hyper-v for so long.

Thank you,

Lee Weers
Central College
IT Services
Director of ITS Infrastructure
641-628-7675
Vcard https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/interactivecard
Vprofile https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/profile

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ashfield, Matt (NBCC)
Sent: Monday, August 13, 2012 1:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] off-topic: thoughts on Hyper-V

Hi

I apologize for the off-topic post, but I find this an excellent resource for 
Higher Ed folks, and can't seem to find a more appropriate/engaged mailing list 
for this topic in higher-ed and thought maybe some people would have some 
thoughts they could share off-line via direct email.

We're basically looking at moving to a new data center and are debating Citrix 
vs VM-Ware vs Microsoft Hyper-V. We're not doing anything too crazy (ie, not 
running redundant clusters across a WAN, etc..) and it seems like any of these 
3 could meet our needs from a functionality perspective. Basically we need 
some servers and some disk.  We haven't dove into the pricing too deep yet but 
at first glance, with the discounts we get from Microsoft because of our 
HigherED licensing, it seems much cheaper.

I know I saw a lot of higher ed institutions move to Forefront for AV, and this 
seems like another one of those areas, where the discounts given by Microsoft 
make it worth looking at, even if it's not the #1 player in the market. I could 
see where if we had a significant investment in one or the other that would 
factor in, but where our switching costs are low because we're essentially 
starting new, I thought I'd check here for any advice/warnings/gotchas

Again, I apologize for the off-topic post, and please reply directly to me at 
matt.ashfi...@nbcc.ca for any follow-up. Any 
feedback is much appreciated.

Thanks

Matt

RE: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support for instructors.

2012-07-11 Thread Lee Weers
From my brief play with one the sleep/wake is an advertisement, and it was 
easier for me to power cycle it.

Thank you,

Lee Weers
Central College
IT Services
Assistant Director for Network Services
641-628-7675
Vcard https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/interactivecard
Vprofile https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/profile

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Garry Peirce
Sent: Tuesday, July 10, 2012 4:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] You knew it was coming...Airplay/Apple TV support 
for instructors.

I apologize for duplicate posting, but it was suggested I rename the subject of 
my note below so that it falls under this related subject thread.

Re:  Cisco vlan select method – I note to be discovered by clients, “This means 
the Apple TV should be forced to announce itself by being put to sleep, and 
then woken up.” Is this a one-time occurrence or would a user have to have mgt 
access to the AppleTV in order to put it to sleep/wake up to be able to 
discover it?
If the advertisement needs this frequent kick, I unfortunately suspect it 
might be easier to simply power-cycle it.

Also, Eric, do you know if the Avahi reflector allows for any level of Bonjour 
service level filtering?

=
I’m in support of the collective request to help enable further operational 
flexibility, although also not sure Apple will feel enough pressure to assist.

To the first item:  “That Apple establish a way for  Apple TV's (and other 
Bonjour/Airplay enabled devices) be accessible across multiple IPv4 and IPv6 
sub-nets.”
Isn’t this item solved to a degree by wide area DNS-SD?
If not, I assume this is left open to solve by either making it use a routable 
mcast addr or by creating some non-standard solution.

Controls will be needed to make sense of all the advertised services and 
possibly for security/privacy reasons.
I would think navigating a large Bonjour enabled subnet for a production 
service must be an ugly exercise - never mind if enabled to pass L2 boundaries.
Who remembers those IPX service filtering ACLs?  Request #2 might soon follow 
to network vendors to be able to support Bonjour service filtering.

For production services, wide area DNS-SD seems a better tool to me, as opposed 
to using the wild west of zeroconf end device advertisements or some special 
hardware solution.  We’ve trialed it (static entries) for printing and it seems 
to work well.
This leverages our existing DNS infrastructure, allows for control of the 
advertised entries, and a uniform naming convention making it easier to 
identify the service.
One could also opt to block 224.0.0.251 altogether, if there is concern about 
unnecessary device traffic.

So in tandem to supporting this request, I’d also be interested in anyone’s 
recap of their wide area DNS-SD (WAB) environment, the services being 
advertised, how it is scaling, and any major stumbling blocks.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, July 09, 2012 4:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

Please consider this- as we get to the point where we have an agreed on 
document, say by this Friday, and we find an online petition site to use where 
individuals can "sign" on in whatever form that takes before we close the 
signing window and present it to Apple- are each one of us able to do so on 
behalf of our institutions or organizations? If you need to seek permission, 
now is the time. If a CIO or Director is the only one allowed to make such 
public-facing declarations on behalf of your school/or org, it would be good to 
start working the notion. Ideally, no one would overstep their position by 
jumping on this worthy endeavor.

Lee H. Badman
Wireless Architect/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Andy Voelker
Sent: Monday, July 09, 2012 12:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Apple Petition

That confuses me as well.  It is obviously built in to many other iOS devices 
(iPod Touch, iPad) and has been for some time.  Why the change?  I suspect it 
is just due to the GUI difference.  If so, that’s easily fixable.

-- Andy Voelker
Manager of Student Computing in the Technology Commons
WCU Staff Senator
Western Carolina University
Check the status of your IT requests at any ti

RE: Selling WiSMs?

2012-01-12 Thread Lee Weers
I have sold a lot of our surplus network equipment to IT Outlet.

Kevin Huber at the IT Outlet
khu...@itoutletinc.com
605-275-4198

Thank you,

Lee Weers
Central College
IT Services
Assistant Director for Network Services
641-628-7675
Vcard https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/interactivecard
Vprofile https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/profile

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, January 12, 2012 2:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Selling WiSMs?

Wondering if anyone has found resellers interested in buying WiSM blades?

Thanks-

Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003


RE: [WIRELESS-LAN] Delay in getting IP address on Snow Leopard/Lion on the WLAN

2011-12-13 Thread Lee Weers
I saw this with Bradford implemented on Windows and Mac clients.  Aruba 
rebrands Bradford and if that is implemented there is a global setting for a 
vlan switching delay.  This helped with that problem.  I don't know if the 
Aruba controllers can do something similar or not.  By implementing the delay 
the client sees a link down and a link up so then it renews its dhcp offer.

Thank you,

Lee Weers
Central College
IT Services
Assistant Director for Network Services
641-628-7675
Vcard https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/interactivecard
Vprofile https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/profile

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Aaron Abitia
Sent: Monday, December 12, 2011 6:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Delay in getting IP address on Snow Leopard/Lion on 
the WLAN

Hi Ryan, the dhcp offers in the sniff were not on the Apple client, but on the 
interface feeding our DHCP server (the trusted side of the CCA server).  Our 
DHCP server is responding with offers but either the Apple is ignoring it, or 
it never got them, and I'm suspecting the latter.  Got this tip from 
another user...it seems to line up with what I'm seeing...my experience has 
been the same...the issue hits when moving between vlans:

CSCts56141 Bug Details
MAC OSX vlan entry gets corrupted in CAS intern_arpq table

Symptom:

MAC OSX machines when moved from one vlan to another, fail to get DHCP IP when 
moved back to the original vlan. This is because the vlan entry of the old vlan 
is getting changed to the new vlan in the intern_arpq on the CAS


Conditions:

Only seen with MAC OSX. Windows PCs do not seem to trigger this problem

Workaround:
none


I have let the TAC engineer know about this.  So far it's the closest I've come 
to an explanation that fits, but we'll see.

-Aaron



On Fri, Dec 9, 2011 at 7:23 PM, Holland, Ryan <holland@osu.edu> wrote:
Are the dhcp offers you saw from a sniff on the client or elsewhere?
===
Ryan Holland
(sent while mobile)

On Dec 9, 2011, at 8:17 PM, "Aaron Abitia" <aabi...@calpoly.edu> wrote:
Hello all,

We are currently running Cisco Clean Access 4.8.2 inband NAC on an Aruba 
6.1.2.3 WLAN infrastructure, and have an intermittent problem with Apple 
Macintoshes running Snow Leopard and Lion.  Snow Leopard and Lion Macintosh 
computers take a long time to connect to wireless because there's a delay in 
getting an IP address, and of course they cannot be challenged to login until 
they have an IP address.  The delay is anywhere from a minute to 3 minutes, and 
the machine will finally get an IP after much waiting.  It doesn't happen all 
the time and there doesn't seem to be a pattern.  But from the user point of 
view, they just can't get onto wireless and don't wait 3 minutes and just give 
up.   In terms of traffic flow, our Aruba system just takes the wireless 
traffic and passes it right through the controller to the untrusted side of the 
CCA server, where login/remediation will take place.

I have confirmed a few things:

1.  The total throughput of wireless traffic going through our CCA inband 
server (aka CAS) is only 50Mbps, so it doesn't appear to be a congestion issue 
in the CAS.
2.  The total number of users flowing through the CAS today is 853, we have a 
5000 user license.
3.  The AP isn't overloaded and this problem will happen on an AP with no other 
users on it.
4.  DHCP usage for the wireless subnets is low, so this isn't an issue of not 
having enough leases.
5.  It happens only on our unencrypted SSID, which goes through the CAS; our 
802.1x SSID bypasses the CAS and this problem doesn't happen on that SSID.  
Both SSIDs go to the same enterprise DHCP server for IP addresses.
6.  I had heard that OCSP changes in Snow Leopard/Lion were causing users to not 
be able to get to the web logon page - we do both web logon and Agent; we tried 
opening up the Unauthenticated role to Comodo's OCSP server, but it didn't help.

I searched around online and found several things that people had done to fix 
similar Airport/Ethernet issues on the Apple client side:

1.  Disabled IPv6 -->  Problem still occurs.
2.  Unclicked the check box, "Use Passive FTP Mode (PASV)" under Airport 
settings --> Problem still occurs.
3.  Removed the SSID from list of Preferred Networks in Airport and rebuilt it 
-->  Problem still occurs.
4.  Disabled CRL --> Problem still occurs.
5.  Disabled OCSP --> Problem still occurs.
6.  Repaired Keychain --> Problem still occurs.

We did some sniffing and our DHCP server is apparently replying to the Apple 
with multiple DHCP offers, but the Mac just sits there, then finally it comes 
to its senses and takes the IP address.  This suggests tha

RE: Issue with Microsoft NPS certs and ipads/iphones

2011-09-20 Thread Lee Weers
I do this.  In the certificate the common name is Auth.central.edu.  Then I 
have auth2 and auth3 listed as additional names on the certificate.  I have the 
certificate installed on both servers and auth points to both servers.  With 
server 2008R2 I also disable strict name checking.

Thank you,

Lee Weers
Central College
IT Services
Assistant Director for Network Services
641-628-7675
Vcard https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/interactivecard
Vprofile https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/profile


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W
Sent: Tuesday, September 20, 2011 6:20 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Issue with Microsoft NPS certs and ipads/iphones

Dennis,

How does that work? The two servers have different hostnames & DNS entries, I 
assume.

I do not think it would work in our NPS environment anyway. Our NPS servers are 
also Read-Only Domain Controllers (each in their own site). This removes the 
RADIUS server load from our production Domain Controllers.

Bruce Osborne
Wireless Network Engineer
IT Network Services
 
(434) 592-4229
 
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011


-Original Message-
From: Dennis Xu [mailto:d...@uoguelph.ca] 
Sent: Monday, September 19, 2011 3:04 PM
Subject: Re: Issue with Microsoft NPS certs and ipads/iphones

We use the same certificate on two ACS servers for PEAP authentication to avoid 
the certificate warning when user connects to the 2nd ACS server. We haven't 
seen any issues with that. 

---
Dennis Xu
Network Analyst, Computing and Communication Services University of Guelph
5198244120 x 56217

- Original Message -
From: "Bob Richman" 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Monday, September 19, 2011 1:11:02 PM
Subject: [WIRELESS-LAN] Issue with Microsoft NPS certs and ipads/iphones




We have a new issue that popped up when we upgraded our radius backend for our 
dot1x/peap from 2 Microsoft Windows 2003 IAS servers with Equifax certs to 3 
Microsoft Windows 2008 NPS servers with GeoTrust certs.

What we have is issues with ipad/iphones that seem to only sometimes remember 
the cert they most recently accepted. So for example, an IPAD connecting to the 
wireless using NPS server 1 will prompt the user to accept and they get on. 
Subsequent attempts to an AP that uses that same server will work fine. But an 
attempt to another set of APs using server 2 will cause the user to have to 
accept the cert corresponding to the new server.

We do use the Cloudpath installers, but they seem to be of no help here.

So, we did change 2 things at once, new certs and going from IAS to NPS.

Anyone having any issues like this?

Thanks, Bob Richman

University of Notre Dame.



NPS and Cisco web auth

2011-04-18 Thread Lee Weers
I am experimenting with getting the built in Cisco webauth going on our 
wireless controllers.  However, I'm getting a reason code 66 error that states 
the authentication type is not supported.  I see the client is trying to do PAP 
and I have enabled PAP authentication in the network policy.  I have set the 
service type to Login as well.

What else am I missing?  I have my 802.1x SSID's connecting just fine.

Thank you,

Lee Weers
Central College
IT Services
Assistant Director for Network Services
641-628-7675
Vcard https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/interactivecard
Vprofile https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/profile





RE: Machine Authentication and IAS 2008

2010-10-14 Thread Lee Weers
In your allow policy I added the group "Domain Computers" to the list and then 
machine auth worked.  I had tried just a separate group that I put machine 
accounts as members, but I couldn't ever get it to work.  This has worked for 
me for Aruba, HP and Cisco.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah
Sent: Thursday, October 14, 2010 4:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Machine Authentication and IAS 2008

We are a complete Aruba shop, and I'll confess I haven't actually ticketed this 
with Aruba, but...

Has anyone else been able to make machine auth work with IAS as the Radius? 
Each time the authentication comes across as bad username/password on the 
machine account.



We had an IDengines ignition server that worked flawlessly but has now died. 
IAS was the replacement and machine auth hasn't worked since.

So, has anyone else experienced this?


Jason Appah
Security/Systems Administrator  
Oregon Institute of Technology
Oregon's only Technical Institute. 
Office 541-885-1719
Fax  541-885-1919
Email jason.ap...@oit.edu 



RE: [WIRELESS-LAN] Management Frame Protection

2010-05-28 Thread Lee Weers
I forgot to mention that when an alert is generated I asked TAC how do you 
resolve it.  They said there is nothing you could do.  It is a client driver 
implementation problem.

Thank you,

Lee Weers
Central College
Assistant Director for Network Services
641-628-7675
Vcard https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/interactivecard
Vprofile https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/profile


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee Weers
Sent: Friday, May 28, 2010 1:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Management Frame Protection

About 18 months ago we had a Cisco TAC enable it while troubleshooting another 
problem.  It caused thousands of alerts to be generated, and we had problems 
with the WLC's quarantining AP's that were associated with another controller.  
What was generating all of the alerts was a bug that is supposed to be fixed in 
7.0.  It has to do with 2 ap's being in an ap group but on different 
controllers.  The groups have a different id on the controllers and this will 
generate an alert.  How the groups get different id's and a different SSID 
order when configs are pushed out using templates is very frustrating, and why 
that makes a difference is beyond me.



Thank you,

Lee Weers
Central College
Assistant Director for Network Services
641-628-7675
Vcard https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/interactivecard
Vprofile https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/profile


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Dennis Xu
Sent: Friday, May 28, 2010 9:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Management Frame Protection

Just wondering what are people's MFP experiences after enabling it on Cisco 
WLCs. How well does it work? Any issues caused by enabling this? Do you get a 
lot of MFP alerts? As I understand, the infrastructure MFP can only detect and 
report intrusions but cannot stop them. So what are your action plans after 
receiving the MFP alerts?

Thanks!  

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217




RE: [WIRELESS-LAN] Management Frame Protection

2010-05-28 Thread Lee Weers
About 18 months ago we had a Cisco TAC enable it while troubleshooting another 
problem.  It caused thousands of alerts to be generated, and we had problems 
with the WLC's quarantining AP's that were associated with another controller.  
What was generating all of the alerts was a bug that is supposed to be fixed in 
7.0.  It has to do with 2 ap's being in an ap group but on different 
controllers.  The groups have a different id on the controllers and this will 
generate an alert.  How the groups get different id's and a different SSID 
order when configs are pushed out using templates is very frustrating, and why 
that makes a difference is beyond me.



Thank you,

Lee Weers
Central College
Assistant Director for Network Services
641-628-7675
Vcard https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/interactivecard
Vprofile https://www.mcpvirtualbusinesscard.com/VBCServer/LeeWeers/profile


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Dennis Xu
Sent: Friday, May 28, 2010 9:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Management Frame Protection

Just wondering what are people's MFP experiences after enabling it on Cisco 
WLCs. How well does it work? Any issues caused by enabling this? Do you get a 
lot of MFP alerts? As I understand, the infrastructure MFP can only detect and 
report intrusions but cannot stop them. So what are your action plans after 
receiving the MFP alerts?

Thanks!  

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217




RE: [WIRELESS-LAN] Cisco Wireless Controller Feature Gaps

2010-04-26 Thread Lee Weers
I do not stack our Procurve core switches, so I would like to setup 2 lacp 
groups on the 4404's and have 2 ports go to one core and the other 2 ports go 
to the other core.

Instead I have to have all 4 ports go to one switch and have 3 controllers on 
each switch.

Thank you,

Lee Weers
Central College
Assistant Director for Network Services
641-628-7675


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jeffrey Sessler
Sent: Friday, April 23, 2010 6:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Wireless Controller Feature Gaps

Lee,
 
If you have a stack of Cisco switches, say a pair of 3750G's connected
via stackwise, you can split the trunks between the two. On something
like a 6509, the ports can be split between line cards (that's what I'm
doing with my 5508's).
 
Push out templates - can't this be done via the "controller groups"
function in WCS. Create a group of one, select all the templates from
the templates tab, then apply them to the new controller.

Jeff

>>> Lee Weers  4/23/2010 11:58 AM >>>

I would like to be able to setup lacp differently so that it can be
split between two switches.  Then LACP doesn’t truly work unless a
gbic is inserted in port 1.  I haven’t tried pulling the port1 gbic to
see if the controller still maintains connectivity or not.  It will not
establish connectivity on boot, unless a gbic is in port 1 (this is for
4404 controllers).
 
Version 7 and 5508 only feature that is currently lacking is the remote
office capability.  I would like to see better integration between wcs
and the controllers.  There are still too many things to go to each
controller to configure.
 
WCS needs to be able to push out templates better for bringing in a new
controller.  I would like to push out a master template, not have to go
into each sub template and apply it separately.  I occasionally still
find a template not applied to a controller.
 
Thank you,
 
Lee Weers
Central College
Assistant Director for Network Services
641-628-7675
 
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King
Sent: Friday, April 23, 2010 11:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] Cisco Wireless Controller Feature Gaps

 
I was asked this today, and I didn't have a good answer, looking from
other Cisco Wireless Controller users to help me formulate a good
response.

 

What features do you find lacking in the wireless LAN controller that
are available in other products?

 

What is a major source of discontent with the product?

What feature do you wish the product has?

I know I have one major source of discontent, the separate mesh
releases (which have finally been re-integrated in the 6.0 release)

 

What have you guys got?




RE: [WIRELESS-LAN] Cisco Wireless Controller Feature Gaps

2010-04-23 Thread Lee Weers
I would like to be able to setup lacp differently so that it can be
split between two switches.  Then LACP doesn't truly work unless a gbic
is inserted in port 1.  I haven't tried pulling the port1 gbic to see if
the controller still maintains connectivity or not.  It will not
establish connectivity on boot, unless a gbic is in port 1 (this is for
4404 controllers).

 

Version 7 and 5508 only feature that is currently lacking is the remote
office capability.  I would like to see better integration between wcs
and the controllers.  There are still too many things to go to each
controller to configure.

 

WCS needs to be able to push out templates better for bringing in a new
controller.  I would like to push out a master template, not have to go
into each sub template and apply it separately.  I occasionally still
find a template not applied to a controller.

 

Thank you,

Lee Weers
Central College
Assistant Director for Network Services
641-628-7675

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King
Sent: Friday, April 23, 2010 11:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco Wireless Controller Feature Gaps

 

I was asked this today, and I didn't have a good answer, looking from
other Cisco Wireless Controller users to help me formulate a good
response.

 

What features do you find lacking in the wireless LAN controller that
are available in other products?

 

What is a major source of discontent with the product?

What feature do you wish the product has?

I know I have one major source of discontent, the separate mesh releases
(which have finally been re-integrated in the 6.0 release)

 

What have you guys got?




RE: [WIRELESS-LAN] Client DHCP issues after WLC upgrade

2010-03-18 Thread Lee Weers
No we are not running dhcp proxy.

 

Thank you,

Lee Weers
Central College
Assistant Director for Network Services
641-628-7675

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Thursday, March 18, 2010 11:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Client DHCP issues after WLC upgrade

 

Mike, and Lee- are you guys running DHCP proxy on your controllers?

 

-Lee

 

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Adjunct Instructor, iSchool
Syracuse University
315 443-3003

 

 



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Schomer,
Michael J.
Sent: Thursday, March 18, 2010 11:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Client DHCP issues after WLC upgrade

 

Hello,

 

We are noticing a problem on our WPA/802.1x SSID with some of our
clients after a recent Cisco WLC upgrade from 5.2.178 to 6.0.188.  The
clients are able to connect and authenticate to the SSID; however, they
aren't receiving an IP address.  We have ruled out the DHCP server as
the problem.  This doesn't affect all clients, and the problem seems to
come and go.  We haven't seen a common OS or chipset among the clients
that are having problems.  

 

We currently are running four WLCs in production, and all of them
received the upgrade at the same time.  The only thing that most of
these clients have in common is that they are associated to APs on two
particular controllers.  The only thing unique about those two
controllers is that they have mostly 1131 APs.  When the clients roam to
a different WLC, they can usually connect just fine. 

 

I'm at a loss right now.  We did test the 6.0.188 code in one building
(with 1250 APs) for several months before deploying it, without any
notable issues.  We are now potentially looking at downgrading back to
5.2 code, but aren't thrilled about it.  Another option would be to
upgrade to 6.0.196, but we haven't done any testing of that code
revision.

 

Has anyone seen a similar issue?  Does anyone know of any issues with
6.0.188 code and 1131 APs?  Any thoughts or advice would be appreciated.

 

Thanks for your help.

 

-Mike Schomer

-St. Cloud State University




RE: [WIRELESS-LAN] Client DHCP issues after WLC upgrade

2010-03-18 Thread Lee Weers
In doing debug info with cisco tac just resulted in a "It is a client
driver issue".

 

Thank you,

Lee Weers
Central College
Assistant Director for Network Services
641-628-7675

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Schomer,
Michael J.
Sent: Thursday, March 18, 2010 10:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Client DHCP issues after WLC upgrade

 

Hello,

 

We are noticing a problem on our WPA/802.1x SSID with some of our
clients after a recent Cisco WLC upgrade from 5.2.178 to 6.0.188.  The
clients are able to connect and authenticate to the SSID; however, they
aren't receiving an IP address.  We have ruled out the DHCP server as
the problem.  This doesn't affect all clients, and the problem seems to
come and go.  We haven't seen a common OS or chipset among the clients
that are having problems.  

 

We currently are running four WLCs in production, and all of them
received the upgrade at the same time.  The only thing that most of
these clients have in common is that they are associated to APs on two
particular controllers.  The only thing unique about those two
controllers is that they have mostly 1131 APs.  When the clients roam to
a different WLC, they can usually connect just fine. 

 

I'm at a loss right now.  We did test the 6.0.188 code in one building
(with 1250 APs) for several months before deploying it, without any
notable issues.  We are now potentially looking at downgrading back to
5.2 code, but aren't thrilled about it.  Another option would be to
upgrade to 6.0.196, but we haven't done any testing of that code
revision.

 

Has anyone seen a similar issue?  Does anyone know of any issues with
6.0.188 code and 1131 APs?  Any thoughts or advice would be appreciated.

 

Thanks for your help.

 

-Mike Schomer

-St. Cloud State University




RE: [WIRELESS-LAN] Client DHCP issues after WLC upgrade

2010-03-18 Thread Lee Weers
We have been experiencing the same problem as well with 6.0.188.  What
we see is mostly with 1252's.  It is almost like a client can't decide
between 2 ap's on different controllers.  We have controllers 1, 3, 4,
5, 6, and 7.  We experience the problem the most when an ap is on
controller4 and another ap on controller6.  Both controllers show the
client connected to them, but the client doesn't get an ip address.
When we shutdown one of the ap's then the client is happy, or they roam
to an ap on another controller.  We keep suspecting something wrong with
controller6, but I have compared the configs of all the controllers and
the only difference between the controllers are the wlan id numbers.

 

 

 

Thank you,

Lee Weers
Central College
Assistant Director for Network Services
641-628-7675

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Schomer,
Michael J.
Sent: Thursday, March 18, 2010 10:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Client DHCP issues after WLC upgrade

 

Hello,

 

We are noticing a problem on our WPA/802.1x SSID with some of our
clients after a recent Cisco WLC upgrade from 5.2.178 to 6.0.188.  The
clients are able to connect and authenticate to the SSID; however, they
aren't receiving an IP address.  We have ruled out the DHCP server as
the problem.  This doesn't affect all clients, and the problem seems to
come and go.  We haven't seen a common OS or chipset among the clients
that are having problems.  

 

We currently are running four WLCs in production, and all of them
received the upgrade at the same time.  The only thing that most of
these clients have in common is that they are associated to APs on two
particular controllers.  The only thing unique about those two
controllers is that they have mostly 1131 APs.  When the clients roam to
a different WLC, they can usually connect just fine. 

 

I'm at a loss right now.  We did test the 6.0.188 code in one building
(with 1250 APs) for several months before deploying it, without any
notable issues.  We are now potentially looking at downgrading back to
5.2 code, but aren't thrilled about it.  Another option would be to
upgrade to 6.0.196, but we haven't done any testing of that code
revision.

 

Has anyone seen a similar issue?  Does anyone know of any issues with
6.0.188 code and 1131 APs?  Any thoughts or advice would be appreciated.

 

Thanks for your help.

 

-Mike Schomer

-St. Cloud State University




RE: [WIRELESS-LAN] Wireless Clients Can See WLANs, but Cannot Connect (feels like only beacons functional)

2009-11-17 Thread Lee Weers
We are experiencing this issue with ap's on different controllers.  And
it affects aps in an ap group.  The aps not in a group do not have a
problem.  A factory reset of the ap and then reconfiguring seems to fix
it for a while.  We have been working a case with Cisco for several
weeks.  We are running 6.0.182 on our 4404 controllers.

 

Thank you,

Lee Weers
Central College
Assistant Director for Network Services
641-628-7675

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Roth, Pierce
Sent: Monday, November 16, 2009 9:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Clients Can See WLANs, but Cannot
Connect (feels like only beacons functional)

 

I'm having issues with CAPWAP as well, my waps keep getting a DTLS
Client Error, which also seems to be an issue with encryption, and only
with 6.0, not a problem with 5.1.  I don't want to downgrade, unless I
know a version that works with capwap and doesn't have this problem.

 

~Pierce Roth

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Charles Bisel
Sent: Monday, November 16, 2009 9:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Clients Can See WLANs, but Cannot
Connect (feels like only beacons functional)

 


I had a similar issue to this which I was able to resolve by disabling
'Aironet IE' on the WLAN. 



Charles Bisel
ITO Network Services
Bayer Business and Technology Services LLC
100 Bayer Road
Pittsburgh, PA 15205
EMAIL charles.bi...@bayerbbs.com
WEB   http://www.bayer.com

 

 



 

Daniel Husand
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv
11/13/2009 02:51 PM
Please respond to: The EDUCAUSE Wireless Issues Constituent Group Listserv
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
cc:
Subject: Re: [WIRELESS-LAN] Wireless Clients Can See WLANs, but Cannot Connect
(feels like only beacons functional)

 






On 13/11/2009 19:43, Lee H Badman wrote:
> Wondering if anyone else sees this condition in a Cisco LWAPP/CAPWAP
> wireless environment:
>
> We seem to have occasional spates where select APs are clearly beaconing
> SSIDs, but clients cannot connect.
>

We have this exact issue on the first iteration of the 6.0 software. It 
primarily affects our web-auth SSID.

I did some captures of the association and the access point is actually 
denying the client because the 'encryption method' is not supported. 
(none) (I have a .pcap if someone wants it)

TAC has not been able to reproduce or fix yet.

-- 
Daniel Husand


RE: [WIRELESS-LAN] WiSM 6.0.182.0

2009-08-20 Thread Lee Weers
I received a report of not getting an ip address on a student computer 
yesterday.  It took a repair, and a release renew but it eventually got one.  
When I have had this problem on previous releases it has been an old wireless 
driver or their computer was messed up with a lot of spyware.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Peter Arbouin
Sent: Wednesday, August 19, 2009 10:14 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM 6.0.182.0

Hi,

We also upgraded to 6.0 
We have several aps on busses using HREAP. For some reason clients were not 
able to get a valid ip and we had to revert to the previous version of code. 
Anyone else seen this issue?

Another issue is some random hosts have issues getting an ip address by DHCP in 
some locations, but work fine in other locations.

The WCS interface is far better than previous versions.

Peter. 


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Procyk, Ian
Sent: Thursday, 6 August 2009 5:11 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM 6.0.182.0

UBC upgraded our campus (39 controllers consisting of 4402's 4404's WiSM's and 
5508's) on July 18th to 6.0.182. 

-We had some AP's with Static IP's that needed attention.

-We also noticed that the wired ACL in 6.0x doesn't work - we noticed this even 
during our 6.0 beta test.

-AP's that were located at remote sites (via DSL/cable) that were directly 
connected to controllers, are now having difficulty connecting to controllers 
running 6.x.  The solution has been to put these AP's into office extend mode or 
HREAP mode, where the latency timers are longer. 



Thanks
Ian Procyk
UBC IT
604-827-5707


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Dennis Xu
Sent: Wednesday, August 05, 2009 7:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WiSM 6.0.182.0

Has anybody upgraded to WiSM 6.0.182.0? Any feedback?

Thanks!

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217



RE: [WIRELESS-LAN] Phones with 802.1x capabilities...

2009-08-04 Thread Lee Weers
The person that did it followed the directions on this website.  

http://www.amset.info/pocketpc/certificates3.asp


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jethro R Binks
Sent: Tuesday, August 04, 2009 2:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Phones with 802.1x capabilities...

On Tue, 4 Aug 2009, Lee Weers wrote:

> We setup a website that we hit with the mobile device to download and 
> install the certificates.  We even bundled them in a cab file so the 
> phones that can't install the cert directly, can run the cab file.

Forgive my naivety (Windows is not my forte): how does one create the cab 
file?  I have seen this mentioned before.

Jethro.


> 
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jethro R Binks
> Sent: Tuesday, August 04, 2009 9:44 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Phones with 802.1x capabilities...
> 
> On Tue, 4 Aug 2009, Justin Hao wrote:
> 
> > certificate management really kinda sucks on windows mobile, i think 
> > they added a basic cert manager on 5.0/6.0 so you could import 
> > certificates easier, but there are several 3rd party applications that 
> > also try to help, all i know is that i've never had much luck w/ WM 
> > automagically downloading and verifying the certificate on its own. 
> > I've always had to manually import the root certificate and then 
> > manually find it in file explorer and install it if possible.
> 
> I've done it by emailing it to myself as an attachment, then reading my 
> email on the device in question ...
> 
> Jethro.
> 
> 
> > 
> > -Justin
> > 
> > Hector J Rios wrote:
> > 
> >   I've run into a couple of cellphones that have 802.1x
> >   capabilities and even built in certificates. The issue is that
> >   when they try to connect to our network (802.1x/PEAP) they get
> >   stuck on the certificate step. It basically says that a
> >   certificate is required. But when I look in the certificates for
> >   the phones, I see a bunch of Root certificates, including the
> >   one that would be needed for our setup. Anybody messed with
> >   this?
> > 
> >    
> > 
> >   BTW. The last phone I worked with was an HTC running Windows
> >   Mobile 6.1
> > 
> >    
> > 
> >   Thanks,
> > 
> >    
> > 
> >   Hector Rios
> > 
> >   Louisiana State University
> > 
> > 
> > 
> > -- 
> > Justin Hao
> > Network Engineer
> > Texas A&M University
> > Networking and Information Security
> > j...@tamu.edu
> > (979)862-2162
> > 
> > 
> > 
> 
> .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
> Jethro R Binks
> Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
> 
> 

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK



RE: [WIRELESS-LAN] Phones with 802.1x capabilities...

2009-08-04 Thread Lee Weers
We setup a website that we hit with the mobile device to download and install 
the certificates.  We even bundled them in a cab file so the phones that can't 
install the cert directly, can run the cab file.


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jethro R Binks
Sent: Tuesday, August 04, 2009 9:44 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Phones with 802.1x capabilities...

On Tue, 4 Aug 2009, Justin Hao wrote:

> certificate management really kinda sucks on windows mobile, i think 
> they added a basic cert manager on 5.0/6.0 so you could import 
> certificates easier, but there are several 3rd party applications that 
> also try to help, all i know is that i've never had much luck w/ WM 
> automagically downloading and verifying the certificate on its own. 
> I've always had to manually import the root certificate and then 
> manually find it in file explorer and install it if possible.

I've done it by emailing it to myself as an attachment, then reading my 
email on the device in question ...

Jethro.


> 
> -Justin
> 
> Hector J Rios wrote:
> 
>   I've run into a couple of cellphones that have 802.1x
>   capabilities and even built in certificates. The issue is that
>   when they try to connect to our network (802.1x/PEAP) they get
>   stuck on the certificate step. It basically says that a
>   certificate is required. But when I look in the certificates for
>   the phones, I see a bunch of Root certificates, including the
>   one that would be needed for our setup. Anybody messed with
>   this?
> 
>    
> 
>   BTW. The last phone I worked with was an HTC running Windows
>   Mobile 6.1
> 
>    
> 
>   Thanks,
> 
>    
> 
>   Hector Rios
> 
>   Louisiana State University
> 
> 
> 
> -- 
> Justin Hao
> Network Engineer
> Texas A&M University
> Networking and Information Security
> j...@tamu.edu
> (979)862-2162
> 
> 
> 

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK



RE: [WIRELESS-LAN] Cisco LWAPP- The change from WLAN Override to AP Groups- Pain?

2009-05-29 Thread Lee Weers
Ap groups are broken in certain versions of WCS.  When you push a vlan
group from WCS to a controller I would make sure it sets the vlan
properly on the controller.  Then the aps need a reboot once they are
assigned to a group.  I have noticed that they don't always reboot
through WCS.  We have to go make a visit to the 1252's POE injector to
reboot them.

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Friday, May 29, 2009 9:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco LWAPP- The change from WLAN Override to AP
Groups- Pain?

 

Knowing that some have already gone down this road...

 

We are still on "stable" 4.2.code, have not jumped to 5 yet. It is our
understanding that "stable" 5 code will be coming out soon, and we have
several reasons to go to the 5 train (I realize 6 is also coming out,
but may be too bleeding edge for us out of the gate). All of that aside,
when we move out of 4.2 into 5, we will thankfully put WLAN Override
behind us. But is a feature we use extensively out of necessity, and so
we'll most certainly need to use "AP Groups" in the more current code.

 

I'm wondering what the pain was in transitioning from WLAN Override to
AP Groups on a large scale during the code upgrade, and if there were
any particular issues of note during the process.

 

Thanks-

Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

 




RE: [WIRELESS-LAN] DeAuthentication Floods

2009-05-18 Thread Lee Weers
That is what I was told by TAC, it is an old bug that was fixed in 4.x code, 
but looks like it cropped up again in some of the 5.x code.

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of John Duran
Sent: Friday, May 15, 2009 5:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] DeAuthentication Floods

 

This is interesting, we are running 5.1.151.0 code on our WiSMs. Is this a 
known bug for different versions of code? 

 

John

>>> Lee Weers  5/15/2009 12:21 PM >>>

Are you running controller code or WISM?  If controller code what version of 
code are you running?  We didn’t see the problem with 5.0.63, but when we 
upgraded to 5.2.157 we began to see this.  The attacking mac was another cisco 
ap in the system.  We have upgraded to 5.2.178 and this fixed the problem.  We 
also tried downgrading to 5.1.??? and that didn’t work.

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of John Duran
Sent: Friday, May 15, 2009 11:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] DeAuthentication Floods

 

Good Morning All,

 

We are using the Cisco Unified Wireless solution here at the University of New 
Mexico. We continue to see a high number of "DeAuthentication Floods" and other 
IDS signatures being triggered on the wireless system. We are curious to know 
what others are doing to mitigate these types of attacks? What tools and 
techniques are being used?

 

Thanks,

John V. Duran
Network Engineer

University of New Mexico
Information Technology Services
Ph: (505) 249-7890
Fax: (505) 277-8101




RE: [WIRELESS-LAN] DeAuthentication Floods

2009-05-15 Thread Lee Weers
Are you running controller code or WISM?  If controller code what
version of code are you running?  We didn't see the problem with 5.0.63,
but when we upgraded to 5.2.157 we began to see this.  The attacking mac
was another cisco ap in the system.  We have upgraded to 5.2.178 and
this fixed the problem.  We also tried downgrading to 5.1.??? and that
didn't work.

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of John Duran
Sent: Friday, May 15, 2009 11:59 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] DeAuthentication Floods

 

Good Morning All,

 

We are using the Cisco Unified Wireless solution here at the University
of New Mexico. We continue to see a high number of "DeAuthentication
Floods" and other IDS signatures being triggered on the wireless system.
We are curious to know what others are doing to mitigate these types of
attacks? What tools and techniques are being used?

 

Thanks,

John V. Duran
Network Engineer

University of New Mexico
Information Technology Services
Ph: (505) 249-7890
Fax: (505) 277-8101
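
Added example, not part of any poster's message: the thread reports that the "attacking" MAC behind the deauthentication-flood alerts was another AP in the same system, so a useful first triage step is to check alert sources against the managed AP inventory. The alert line format, MAC addresses, AP names and the 4-bit BSSID mask below are assumptions constructed for this sketch, not a Cisco export format.

```python
"""Triage deauthentication-flood IDS alerts against the managed AP inventory.

The alert line format and every MAC/AP name below are constructed for this
example; adapt ALERT_RE to whatever your controller or WIPS exports.
"""
import re
from collections import defaultdict

# Assumption: all BSSIDs of one radio share the base radio MAC and differ only
# in the low 4 bits. Adjust the mask if your hardware allocates differently.
BSSID_MASK = 0xFFFFFFFFFFF0

# Constructed inventory: base radio MAC -> AP name.
MANAGED_AP_RADIOS = {
    "00:11:22:33:44:50": "ap-lib-2f-01",
    "00:11:22:33:44:60": "ap-sci-1f-07",
}

# Constructed sample alerts (note the two MAC notations and the junk line).
SAMPLE_ALERTS = """\
2009-05-15T10:01:12 sig="Deauth flood" src=00:11:22:33:44:53 detecting_ap=ap-lib-2f-02 count=412
2009-05-15T10:01:40 sig="Deauth flood" src=0011.2233.4453 detecting_ap=ap-lib-3f-01 count=388
2009-05-15T10:02:05 sig="Example other signature" src=02:00:00:AA:BB:CC detecting_ap=ap-sci-1f-07 count=20
2009-05-15T10:03:17 sig="Deauth flood" src=02:00:00:AA:BB:CC detecting_ap=ap-sci-1f-07 count=95
malformed line without the expected fields
"""

ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+sig="(?P<sig>[^"]+)"\s+src=(?P<src>\S+)\s+'
    r'detecting_ap=(?P<det>\S+)\s+count=(?P<count>\d+)$'
)


def mac_to_int(mac):
    """Accept aa:bb:.., aa-bb-.. or aabb.ccdd.eeff and return the 48-bit value."""
    digits = re.sub(r"[:.\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def canonical(mac):
    """Normalise any accepted notation to lower-case colon-separated form."""
    value = mac_to_int(mac)
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


INVENTORY = {mac_to_int(m) & BSSID_MASK: name for m, name in MANAGED_AP_RADIOS.items()}


def owner_of(mac):
    """Return the managed AP whose radio block contains this MAC, or None."""
    return INVENTORY.get(mac_to_int(mac) & BSSID_MASK)


def parse_alert(line):
    """Return a dict for a deauth-flood alert, or None for anything else."""
    match = ALERT_RE.match(line.strip())
    if not match or "deauth" not in match["sig"].lower():
        return None
    try:
        src = canonical(match["src"])
    except ValueError:
        return None
    return {"ts": match["ts"], "src": src,
            "detecting_ap": match["det"], "count": int(match["count"])}


def triage(lines):
    """Group deauth-flood alerts by source MAC and record whose MAC it is."""
    grouped = defaultdict(lambda: {"alerts": 0, "frames": 0, "detectors": set()})
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        entry = grouped[alert["src"]]
        entry["alerts"] += 1
        entry["frames"] += alert["count"]
        entry["detectors"].add(alert["detecting_ap"])

    report = {}
    for src, entry in grouped.items():
        owner = owner_of(src)
        # "own-ap": the source is one of our radios. That points at controller/AP
        # code (the case in this thread) or at frames carrying a forged source
        # address; 802.11 management frames are unauthenticated unless 802.11w
        # is in use, so confirm on the named AP before closing the alert.
        report[src] = {**entry, "owner": owner,
                       "verdict": "own-ap" if owner else "unknown-source"}
    return report


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_ALERTS.splitlines()).items()):
        print(f"{src}  {info['verdict']:<15} owner={info['owner']}  "
              f"alerts={info['alerts']} frames={info['frames']} "
              f"seen_by={sorted(info['detectors'])}")
```

Sources that resolve to a managed AP are the ones to compare against the controller code version before treating the alert as hostile activity.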




RE: [WIRELESS-LAN] Wireless Projectors (again)

2009-04-08 Thread Lee Weers
In my brief testing with an NEC projector, the only way I could get it
to display from a desktop and on the wired network was to have it in a
class c address space and the desktop on that same network.  Displaying
would not route, and would not do super netted subnets.  So if someone
has a projector that would work on the wired lan, and can be routed or
work with a /21 let me know.

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Wednesday, April 08, 2009 12:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Projectors (again)

 

Hi Jeff. Funny you should mention that... I'm toying with an NEC
projector, and finding that meaningfully using it over the LAN (testing
as a potential answer to lame wireless support built in to these) is
quite a bit harder than I thought it would ever be. Controlling the
projector- as in changing settings, etc over the wired network is very
simple, but delivering desktop display to it is thus far maddening on an
NP2000. But then again, I am just scratching the surface.

 

Lee



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Legge, Jeffry
Sent: Wednesday, April 08, 2009 12:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Projectors (again)

 

Good luck. I am interested if you find one. We have one but the company
does not make it anymore so we will probably replace them with wired
projectors. -Jeff Legge Radford University

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Wednesday, April 08, 2009 12:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Projectors (again)

 

Just looking for updates beyond what I can find- has anyone found a
wireless projector or NIC that will act as an 802.1x client on a WLAN? 

 

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

 




RE: [WIRELESS-LAN] Aerohive 340AP

2009-03-02 Thread Lee Weers
Todd,

 

What about your switch architecture?  If you have a 24 port 10/100/1000
switch with a single 1gb uplink back to the core, how is this not
oversubscription if you have 23 1gb clients plugged in?  Does your
network go down due to a saturated gb uplink?

 

After deploying campus wide wireless, I actually saw my traffic on my
uplink ports go down.  We deployed 390 802.11n  and 110 802.11a/b/g aps.

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Smith, Todd
Sent: Monday, March 02, 2009 3:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aerohive 340AP

 

Hello Bruce,

 

Like I said, this is a personal opinion and not hard engineering fact.
My issue is that you are trunking everything from the edge to the
network core to process and then switch to available resources.  Unless
you are installing 10G at the core or many, many 1G ports then I feel
that you run the risk of network saturation from traffic from the AP at
802.11n speeds.  This is vendor agnostic as far as I can see since
oversubscription is a component of all of the centralized controller
environments that I know of. 

 

I like the edge switching architecture that several vendors are
promoting, Trapeze, Hi-Path Wireless and Aerohive are at least three
vendors that have edge switching in the product line.  Of course,
Aerohive is completely edge switched and the others offer that for
certain classes of traffic.  GB edge switches are generally cheaper than
core switches but maybe that is our environment and not typical in other
places.

 

Todd Smith

Charleston Area Medical Center



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Osborne, Bruce
W. (NS)
Sent: Saturday, February 28, 2009 10:09
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aerohive 340AP

 

Todd,

 

I'm not sure why you would say that. We now have almost 600 802.11n APs
on 3 controllers that are managed centrally from the master controller.
We can handle up to 500 APs per controller (2000 per chassis). This
allows you to standardize configurations & OS versions. We are
supplementing this with Airwave Wireless Management Suite for
monitoring.

 

We moved from 450 Cisco 1231G "fat" APs. The centralized solution scales
much better for us.

 

From: Smith, Todd [mailto:todd.sm...@camc.org] 
Sent: Friday, February 27, 2009 4:28 PM
Subject: Re: Aerohive 340AP

 

I reviewed their product in our environment and it worked pretty well.
I don't think that we are going to be purchasing anything this year due
to the economic downturn but they are on my short list as well as Xirrus
and Meru simply because they use non-standard architectures.  My
personal opinion is that centralized controller environments don't scale
very well when you are considering large 802.11n rollouts.

 

Todd Smith

Charleston Area Medical Center  

 

 



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Frank Bulk
Sent: Friday, February 27, 2009 15:34
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aerohive 340AP

 

I've had several opportunities to talk to AeroHive.  Competitors
like to poke holes at their product, but my (un-tested) impression is
that it's pretty solid.

 

If you ask for references, they do have some small to medium-sized build
outs, but I'm not sure if they have any 500+ AP installations, yet.

 

Frank

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Friday, February 27, 2009 2:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aerohive 340AP

 

I have been contacted by Aerohive recently (www.aerohive.com)
and had never heard of them before. Is
interesting- they are a controller-less model, that *seems* to scale and
compete with controller-based functionality based on the glossy. No idea
how they are on the likes of fast roaming, etc. But part of my brain
yearns for the days when there were no controllers, and wireless life
was a lot simpler. (You never see WLAN controllers in Norman Rockwell
paintings). Is anyone using Aerohive, even on a small scale? 

 

 

Lee

 

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003



From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Joseph Clark
Sent: Friday, February 27, 2009 2:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aerohive 340AP

 

Is anyone currently using Aerohive AP's in a classroom deployment? In
particular their 802.11N 340AP. 
I am interested in how they handle a large 

RE: [WIRELESS-LAN] WCS- virtualized?

2008-12-19 Thread Lee Weers
When we were implementing our Cisco wireless network and I was looking
at the server specs, WCS as an ESX guest is supported.

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Friday, December 19, 2008 5:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WCS- virtualized?

 

I am experimenting with WCS in an ESX virtual environment. So far, this
is very promising, and I see no degradation in server performance, and
have been able to do code upgrades, etc. in the virtual world. Before I
commit to making the actual switch of our WCS to the virtual world-
supporting 2000 APs and 12 WiSM/24 controllers- wondering if anyone has
already gone down this road for production WCS use. Any success or
horror stories?

 

Thanks-

 

Lee

 

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

 




RE: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?

2008-11-18 Thread Lee Weers
I'm using MS IAS with the Verisign server cert, and one difference is I didn't 
have to install IIS to get the certificate.  I don't think I had to generate a 
cert request either.  I just entered the server name online and they generated 
the request and the cert for me.

Those were my differences.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL 
PROTECTED] On Behalf Of Toivo Voll
Sent: Tuesday, November 18, 2008 1:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?

Until now we've been using our regular web / SSL certificate for WPA /
PEAP/MSCHAP purposes, and predictably have run into the usability
issues with certificate trust prompts on the client end. (We use Cisco
LWAPP / Freeradius). It appears VeriSign has a specific "Wireless LAN
Server Certificate," and apparently there is work done in IETF
regarding WLAN specific extensions in certificates.

After a fair bit of googling I've been unable to find out just what
the difference between a vanilla SSL certificate and a "Wireless LAN
Server Certificate" is. Presumably the WLAN certificates won't prompt
for the certificate trust, but what other difference, if any, is
there? Are there providers other than VeriSign for these certificates?
(Thawte, for example, seems to refer back to VeriSign for such certs.)

Here's the uninformative product page:
http://www.verisign.com/ssl/buy-ssl-certificates/specialized-ssl-certificates/wireless-lan-security/

Any advice or links to documentation on the matter would be greatly appreciated.

-- 
Toivo Voll
Network Administrator
Information Technology Communications
University of South Florida




RE: [WIRELESS-LAN] Cisco 11n users

2008-11-12 Thread Lee Weers
Something else is power.  The power draw according to the brick is .95
amps at 120V.  I haven't seen them actually draw that much power, but we
planned for it.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Peter P
Morrissey
Sent: Wednesday, November 12, 2008 9:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco 11n users

Thanks for sharing that. Have you ever considered midspan devices for
when you need more than a handful of bricks?
http://www.microsemi.com/powerdsine/Products/Midspan/

Pete Morrissey

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Lee Weers
Sent: Wednesday, November 12, 2008 10:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco 11n users

As far as the range is concerned we do get a greater range with the
1252's.  I can't say we use this as a feature, because we didn't have a
lot of wireless deployed before.  Where we did have it deployed before
we have put in more access points to do a capacity model rather than a
coverage model.

Where I have seen this range improve is I'm working on our Football
stadium.  In the press box we have a 1242 with a 12dbi 2.4 ghz antenna
on one end and a 1242 with a Cisco 2506 (5dbi 2.4 ghz) antenna on the
other end.  The pressbox is sheetmetal all around it, so in the middle
of the 40 ft building we were getting very little signal.  So we mounted
a 1252 inside in the middle, and we saw the signal just as strong across
the field from the 1252 as we do the 1242's.

My high watermark on clients is 685.  I have seen as many as 65 N
clients online.

My displeasure with the 1252's are the following:

1.  The DOA's.  We have had about a 3% failure rate out of the box.
This is either the ap or the POE injector.  So getting them replaced
under Cisco's 1 year limited warranty has been difficult at times.

2.  We have to walk out to 1 to 2 of them a week and reboot them, as
there weren't any managed solutions that we could afford at the time.
The E class switches were just announced, but not released.  That and
they are too expensive for us.

3.  The POE injectors do get pretty warm.  When on edge we can fit 9
across on a 19" rack shelf.  We originally tied them together to make a
solid brick.  This made them so hot you can hardly hold on to them.  We
have since stopped doing this.  Give them air flow to stay cooler.


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Sessler
Sent: Tuesday, November 11, 2008 4:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco 11n users

We are running 11n in 2.4 GHz on the 1252's, but only at 20MHz. 40MHz in
2.4 MHz seems like a very bad idea because of the lack of
non-overlapping channels.

As for range, the building I'm in is a thick concrete/rebar construction
and I can get about 120 feet (exiting the building) from an 1252 AP
before I can't see it. That said, I'm designing based on capacity more
than range. In the case that capacity is not an issue, I'm shooting for
50-70 foot spacing between 1252s to maximize 5GHz coverage.


Jeff 

>>> "Barber, Matt" <[EMAIL PROTECTED]> 11/11/2008 12:06 PM >>>
Anyone running 11n in the 2.4 GHz on the 1252s?  20 or 40MHz?

What kind of range from the APs are you seeing?  

Matt Barber
Network Analyst / PC Support
Morrisville State College
315-684-6053


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Jim Glassford
Sent: Tuesday, November 11, 2008 2:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Cisco 11n users

Greetings,

Nothing cutting edge but all seems to be working a OK.

(5) 4404s and (1) 4402 all running 4.2.130.0 and same mobility group

(83) AP1252 (has one gigabit ethernet port)
(246) AP1242
(47) AP1231
(25) AP1220
(41) AP1020 (these will not work on 5.n code)

Peak of 1195 users logged in.
See peaks of (70) 802.11a, (325) 802.11b, (940) 802.11g, (115) 802.11n 
devices in various states of probing, associated and authenticated. Lots
of devices talking on the air for the number of authenticated users.

Thanks to everyone for the great information on this list!
jim





Lee H Badman wrote:
>
> Thanks, Lee. If you prefer to do off list, can I call you? If you are 
> good with on list, I would imagine others are interested- but whatever
> you prefer :)
>
> Thanks-
>
> Lee
>
> Lee H. Badman
>
> Wireless/Network Engineer
>
> Information Technology and Services
>
> Syracuse University
>
> 315 443-3003
>
>
--------
>
>

RE: [WIRELESS-LAN] Cisco 11n users

2008-11-12 Thread Lee Weers
At the time there weren't any midspans released that would provide the
full 20 watts of power required by the 1252.  It will run off of the
standard 802.3af power, but then you only get a 1x3 rather than the 2x3
capabilities.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Peter P
Morrissey
Sent: Wednesday, November 12, 2008 9:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco 11n users

Thanks for sharing that. Have you ever considered midspan devices for
when you need more than a handful of bricks?
http://www.microsemi.com/powerdsine/Products/Midspan/

Pete Morrissey

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Lee Weers
Sent: Wednesday, November 12, 2008 10:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco 11n users

As far as the range is concerned we do get a greater range with the
1252's.  I can't say we use this as a feature, because we didn't have a
lot of wireless deployed before.  Where we did have it deployed before
we have put in more access points to do a capacity model rather than a
coverage model.

Where I have seen this range improve is I'm working on our Football
stadium.  In the press box we have a 1242 with a 12dbi 2.4 ghz antenna
on one end and a 1242 with a Cisco 2506 (5dbi 2.4 ghz) antenna on the
other end.  The pressbox is sheetmetal all around it, so in the middle
of the 40 ft building we were getting very little signal.  So we mounted
a 1252 inside in the middle, and we saw the signal just as strong across
the field from the 1252 as we do the 1242's.

My high watermark on clients is 685.  I have seen as many as 65 N
clients online.

My displeasure with the 1252's are the following:

1.  The DOA's.  We have had about a 3% failure rate out of the box.
This is either the ap or the POE injector.  So getting them replaced
under Cisco's 1 year limited warranty has been difficult at times.

2.  We have to walk out to 1 to 2 of them a week and reboot them, as
there weren't any managed solutions that we could afford at the time.
The E class switches were just announced, but not released.  That and
they are too expensive for us.

3.  The POE injectors do get pretty warm.  When on edge we can fit 9
across on a 19" rack shelf.  We originally tied them together to make a
solid brick.  This made them so hot you can hardly hold on to them.  We
have since stopped doing this.  Give them air flow to stay cooler.


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Sessler
Sent: Tuesday, November 11, 2008 4:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco 11n users

We are running 11n in 2.4 GHz on the 1252's, but only at 20MHz. 40MHz in
2.4 MHz seems like a very bad idea because of the lack of
non-overlapping channels.

As for range, the building I'm in is a thick concrete/rebar construction
and I can get about 120 feet (exiting the building) from an 1252 AP
before I can't see it. That said, I'm designing based on capacity more
than range. In the case that capacity is not an issue, I'm shooting for
50-70 foot spacing between 1252s to maximize 5GHz coverage.


Jeff 

>>> "Barber, Matt" <[EMAIL PROTECTED]> 11/11/2008 12:06 PM >>>
Anyone running 11n in the 2.4 GHz on the 1252s?  20 or 40MHz?

What kind of range from the APs are you seeing?  

Matt Barber
Network Analyst / PC Support
Morrisville State College
315-684-6053


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Jim Glassford
Sent: Tuesday, November 11, 2008 2:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Cisco 11n users

Greetings,

Nothing cutting edge but all seems to be working a OK.

(5) 4404s and (1) 4402 all running 4.2.130.0 and same mobility group

(83) AP1252 (has one gigabit ethernet port)
(246) AP1242
(47) AP1231
(25) AP1220
(41) AP1020 (these will not work on 5.n code)

Peak of 1195 users logged in.
See peaks of (70) 802.11a, (325) 802.11b, (940) 802.11g, (115) 802.11n 
devices in various states of probing, associated and authenticated. Lots
of devices talking on the air for the number of authenticated users.

Thanks to everyone for the great information on this list!
jim





Lee H Badman wrote:
>
> Thanks, Lee. If you prefer to do off list, can I call you? If you are 
> good with on list, I would imagine others are interested- but whatever
> you prefer :)
>
> Thanks-
>
> Lee
>
> Lee H. Badman
>
> Wireless/Network Engineer
>
> Information Technology and Services
>
> Syracuse University
>
> 315 443-3003
>
>
------

RE: [WIRELESS-LAN] Cisco 11n users

2008-11-12 Thread Lee Weers
As far as the range is concerned we do get a greater range with the
1252's.  I can't say we use this as a feature, because we didn't have a
lot of wireless deployed before.  Where we did have it deployed before
we have put in more access points to do a capacity model rather than a
coverage model.

Where I have seen this range improve is I'm working on our Football
stadium.  In the press box we have a 1242 with a 12dbi 2.4 ghz antenna
on one end and a 1242 with a Cisco 2506 (5dbi 2.4 ghz) antenna on the
other end.  The pressbox is sheetmetal all around it, so in the middle
of the 40 ft building we were getting very little signal.  So we mounted
a 1252 inside in the middle, and we saw the signal just as strong across
the field from the 1252 as we do the 1242's.

My high watermark on clients is 685.  I have seen as many as 65 N
clients online.

My displeasure with the 1252's are the following:

1.  The DOA's.  We have had about a 3% failure rate out of the box.
This is either the ap or the POE injector.  So getting them replaced
under Cisco's 1 year limited warranty has been difficult at times.

2.  We have to walk out to 1 to 2 of them a week and reboot them, as
there weren't any managed solutions that we could afford at the time.
The E class switches were just announced, but not released.  That and
they are too expensive for us.

3.  The POE injectors do get pretty warm.  When on edge we can fit 9
across on a 19" rack shelf.  We originally tied them together to make a
solid brick.  This made them so hot you can hardly hold on to them.  We
have since stopped doing this.  Give them air flow to stay cooler.


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Jeffrey Sessler
Sent: Tuesday, November 11, 2008 4:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco 11n users

We are running 11n in 2.4 GHz on the 1252's, but only at 20MHz. 40MHz in
2.4 MHz seems like a very bad idea because of the lack of
non-overlapping channels.

As for range, the building I'm in is a thick concrete/rebar construction
and I can get about 120 feet (exiting the building) from an 1252 AP
before I can't see it. That said, I'm designing based on capacity more
than range. In the case that capacity is not an issue, I'm shooting for
50-70 foot spacing between 1252s to maximize 5GHz coverage.


Jeff 

>>> "Barber, Matt" <[EMAIL PROTECTED]> 11/11/2008 12:06 PM >>>
Anyone running 11n in the 2.4 GHz on the 1252s?  20 or 40MHz?

What kind of range from the APs are you seeing?  

Matt Barber
Network Analyst / PC Support
Morrisville State College
315-684-6053


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Jim Glassford
Sent: Tuesday, November 11, 2008 2:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] Cisco 11n users

Greetings,

Nothing cutting edge but all seems to be working a OK.

(5) 4404s and (1) 4402 all running 4.2.130.0 and same mobility group

(83) AP1252 (has one gigabit ethernet port)
(246) AP1242
(47) AP1231
(25) AP1220
(41) AP1020 (these will not work on 5.n code)

Peak of 1195 users logged in.
See peaks of (70) 802.11a, (325) 802.11b, (940) 802.11g, (115) 802.11n 
devices in various states of probing, associated and authenticated. Lots
of devices talking on the air for the number of authenticated users.

Thanks to everyone for the great information on this list!
jim





Lee H Badman wrote:
>
> Thanks, Lee. If you prefer to do off list, can I call you? If you are 
> good with on list, I would imagine others are interested- but whatever
> you prefer :)
>
> Thanks-
>
> Lee
>
> Lee H. Badman
>
> Wireless/Network Engineer
>
> Information Technology and Services
>
> Syracuse University
>
> 315 443-3003
>
>
--------
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Lee Weers
> *Sent:* Tuesday, November 11, 2008 1:02 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> *Subject:* Re: [WIRELESS-LAN] Cisco 11n users
>
> We have 6 4404 controllers running 375 1252's, 106 1131's and 18 1242's.
>
> I'm not a wireless expert, but I can share some of the things we have 
> seen with the 1252's.
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Lee H Badman
> *Sent:* Tuesday, November 11, 2008 11:50 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> *Subject:* [WIRELESS-LAN] Cisco 11n users
>
> Wondering if anyone has jumped in to Cisco 11n yet on any sort of 
> scale that they wouldn't mind sharing? Esp

RE: [WIRELESS-LAN] Cisco 11n users

2008-11-11 Thread Lee Weers
We have 6 4404 controllers running 375 1252's, 106 1131's and 18 1242's.

 

I'm not a wireless expert, but I can share some of the things we have
seen with the 1252's.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Lee H Badman
Sent: Tuesday, November 11, 2008 11:50 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco 11n users

 

Wondering if anyone has jumped in to Cisco 11n yet on any sort of scale
that they wouldn't mind sharing? Especially where 11n APs and a/g APs
are hosted on the same controllers or in the same mobility groups...
looking for general feedback.

 

Thanks-

 

Lee

 

Lee H. Badman

Wireless/Network Engineer

Information Technology and Services

Syracuse University

315 443-3003

 

** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/. 





H-REAP and NAT to Cisco 4400 controllers

2008-09-08 Thread Lee Weers
Is there anyone using H-REAP to extend their wireless network?  We have
some students and employees that are in houses that are serviced
currently by DSL or cable modems.  Our controllers currently have a
private ip address.  Is it possible to set an ap to use H-REAP and then
nat the controllers for it to then talk to?  How reliable is this?  The
equipment in the houses consists of a Linksys router and maybe an
unmanaged switch.

Thank you,
 
Lee Weers
Assistant Director for Network Services
Central College IT Services
(641) 628-7675




Lightning surge arrestors on outdoor antennas

2008-09-03 Thread Lee Weers
I was curious to know how many of you are using lightning surge
arrestors that go between the ap and external antenna?  Do they work and
provide protection from damaging the ap, or do they induce a lot of dB
loss?

Thank you,
 
Lee Weers
Assistant Director for Network Services
Central College IT Services
(641) 628-7675




RE: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

2008-04-14 Thread Lee Weers
Daniel,

I found this link on certificate requirements for EAP-TLS and IAS.

http://support.microsoft.com/default.aspx?scid=kb;en-us;814394



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Tuesday, April 08, 2008 1:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Do you run redundant Certificate Authorities?  Or if your certificate
authority goes down is your wireless out until you rebuild and restore?

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Lee Weers
Sent: Thursday, April 03, 2008 1:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

I have IAS working with Cisco 4404 controllers, an Aruba 2400, and an HP
WESM.  We are using PEAP and MS-CHAPv2 with a WLAN certificate from
Verisign.

The documents I used to set up the IAS server are here.
http://support.microsoft.com/kb/325725/en-us
http://www.microsoft.com/technet/security/guidance/cryptographyetc/peap_1.mspx

Our wireless setup document is here
http://www.central.edu/itservices/Wireless%20Network%20Setup.PDF

CAVEATS I have found.
You do need to authenticate the computer accounts for domain joined
computers' login scripts to run.  That was a big gotcha I found.  Then
on personally owned computers you need to turn off use computer
credentials.

Also PDA's I have yet to get working.  They say they work with
PEAP-MS-CHAP-v2, but they still want a personal certificate.  I don't
know why they still want a personal cert.  So if someone wants to help
me with that problem or help me dig up the info to enable EAP-TLS on an
IAS server I'd be glad to hear from you.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Wednesday, April 02, 2008 7:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Does anyone have experience setting up a Cisco WiSM with IAS Radius and
Encryption.  Basically I want to have our WiSM authenticate wireless
users to our Active Directory, which we can do directly.  I also want
the wireless secured through WPA and/or WPA2 encryption without having
to email the key to everyone.  I know it can be done but can't find out
how to do this.

The process I want:
1. Computer connects to AP
2. Encryption key is passed to computer and transmission is now secured
3. Internet Browser redirected to login page
4. AD credentials are entered
5. Authenticate
6. Internal IP issued and good to go.

We have 1,3,4,5,6 done.  Step 2 we have working by putting the key into
the computers but that is a pain.

Any suggestions?

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989



RE: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

2008-04-11 Thread Lee Weers
I haven't yet.  That is still my stumbling block.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Friday, April 11, 2008 3:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

How did you deal with Wireless PDAs?

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Lee Weers
Sent: Friday, April 11, 2008 4:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Enabling the check server cert has been very hit and miss for me.  It
has depended mostly on the client drivers.  Some wouldn't auth until
it was checked.

For domain computers, I created a group that we add all wireless
computer objects to, and that group is then in the IAS policy.  The
less secure way is to add the group "Domain computers".  By default all
Domain Computers are added to this group.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Friday, April 11, 2008 2:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Where is your publicly recognized certificate?  On your IAS server? AD
Server?  I have our certificate servers setup and IAS servers but can't
enable the option to check the server's certificate.  If I uncheck that
option in the wireless configuration settings it works.

Also how does everyone handle domain computers?  I issued all computers
certificates and told the system to authenticate as the computer if
possible so they could hit active directory to authenticate.

Thanks,

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Lee Weers
Sent: Tuesday, April 08, 2008 2:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

I don't run redundant certificate authorities.  I also only have 1 IAS
server because we are in the beginning stages of our deployment (so far
a high of about 90 clients).  I am planning to expand to a 2nd IAS
server this fall.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Tuesday, April 08, 2008 1:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Do you run redundant Certificate Authorities?  Or if your certificate
authority goes down is your wireless out until you rebuild and restore?

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Lee Weers
Sent: Thursday, April 03, 2008 1:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

I have IAS working with Cisco 4404 controllers, an Aruba 2400, and an HP
WESM.  We are using PEAP and MS-CHAPv2 with a WLAN certificate from
Verisign.

The documents I used to set up the IAS server are here.
http://support.microsoft.com/kb/325725/en-us
http://www.microsoft.com/technet/security/guidance/cryptographyetc/peap_1.mspx

Our wireless setup document is here
http://www.central.edu/itservices/Wireless%20Network%20Setup.PDF

CAVEATS I have found.
You do need to authenticate the computer accounts for domain joined
computers' login scripts to run.  That was a big gotcha I found.  Then
on personally owned computers you need to turn off use computer
credentials.

Also PDA's I have yet to get working.  They say they work with
PEAP-MS-CHAP-v2, but they still want a personal certificate.  I don't
know why they still want a personal cert.  So if someone wants to help
me with that problem or help me dig up the info to enable EAP-TLS on an
IAS server I'd be glad to hear from you.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Wednesday, April 02, 2008 7:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Does anyone have experience setting up a Cisco WiSM with IAS Radius and
Encryption.  Basically I want to have our WiSM authenticate wireless
users to our Active Direct

RE: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

2008-04-11 Thread Lee Weers
Enabling the check server cert has been very hit and miss for me.  It
has depended mostly on the client drivers.  Some wouldn't auth until
it was checked.

For domain computers, I created a group that we add all wireless
computer objects to, and that group is then in the IAS policy.  The
less secure way is to add the group "Domain computers".  By default all
Domain Computers are added to this group.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Friday, April 11, 2008 2:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Where is your publicly recognized certificate?  On your IAS server? AD
Server?  I have our certificate servers setup and IAS servers but can't
enable the option to check the server's certificate.  If I uncheck that
option in the wireless configuration settings it works.

Also how does everyone handle domain computers?  I issued all computers
certificates and told the system to authenticate as the computer if
possible so they could hit active directory to authenticate.

Thanks,

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Lee Weers
Sent: Tuesday, April 08, 2008 2:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

I don't run redundant certificate authorities.  I also only have 1 IAS
server because we are in the beginning stages of our deployment (so far
a high of about 90 clients).  I am planning to expand to a 2nd IAS
server this fall.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Tuesday, April 08, 2008 1:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Do you run redundant Certificate Authorities?  Or if your certificate
authority goes down is your wireless out until you rebuild and restore?

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Lee Weers
Sent: Thursday, April 03, 2008 1:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

I have IAS working with Cisco 4404 controllers, an Aruba 2400, and an HP
WESM.  We are using PEAP and MS-CHAPv2 with a WLAN certificate from
Verisign.

The documents I used to set up the IAS server are here.
http://support.microsoft.com/kb/325725/en-us
http://www.microsoft.com/technet/security/guidance/cryptographyetc/peap_1.mspx

Our wireless setup document is here
http://www.central.edu/itservices/Wireless%20Network%20Setup.PDF

CAVEATS I have found.
You do need to authenticate the computer accounts for domain joined
computers' login scripts to run.  That was a big gotcha I found.  Then
on personally owned computers you need to turn off use computer
credentials.

Also PDA's I have yet to get working.  They say they work with
PEAP-MS-CHAP-v2, but they still want a personal certificate.  I don't
know why they still want a personal cert.  So if someone wants to help
me with that problem or help me dig up the info to enable EAP-TLS on an
IAS server I'd be glad to hear from you.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Wednesday, April 02, 2008 7:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Does anyone have experience setting up a Cisco WiSM with IAS Radius and
Encryption.  Basically I want to have our WiSM authenticate wireless
users to our Active Directory, which we can do directly.  I also want
the wireless secured through WPA and/or WPA2 encryption without having
to email the key to everyone.  I know it can be done but can't find out
how to do this.

The process I want:
1. Computer connects to AP
2. Encryption key is passed to computer and transmission is now secured
3. Internet Browser redirected to login page
4. AD credentials are entered
5. Authenticate
6. Internal IP issued and good to go.

We have 1,3,4,5,6 done.  Step 2 we have working by putting the key into
the computers but that is a pain.

Any suggestions?

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989


RE: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

2008-04-11 Thread Lee Weers
My public cert is on the IAS server.  I used the certificates mmc to
generate the cert request to send to verisign so I didn't have to
install IIS.



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Friday, April 11, 2008 2:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Where is your publicly recognized certificate?  On your IAS server? AD
Server?  I have our certificate servers setup and IAS servers but can't
enable the option to check the server's certificate.  If I uncheck that
option in the wireless configuration settings it works.

Also how does everyone handle domain computers?  I issued all computers
certificates and told the system to authenticate as the computer if
possible so they could hit active directory to authenticate.

Thanks,

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Lee Weers
Sent: Tuesday, April 08, 2008 2:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

I don't run redundant certificate authorities.  I also only have 1 IAS
server because we are in the beginning stages of our deployment (so far
a high of about 90 clients).  I am planning to expand to a 2nd IAS
server this fall.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Tuesday, April 08, 2008 1:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Do you run redundant Certificate Authorities?  Or if your certificate
authority goes down is your wireless out until you rebuild and restore?

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Lee Weers
Sent: Thursday, April 03, 2008 1:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

I have IAS working with Cisco 4404 controllers, an Aruba 2400, and an HP
WESM.  We are using PEAP and MS-CHAPv2 with a WLAN certificate from
Verisign.

The documents I used to set up the IAS server are here.
http://support.microsoft.com/kb/325725/en-us
http://www.microsoft.com/technet/security/guidance/cryptographyetc/peap_1.mspx

Our wireless setup document is here
http://www.central.edu/itservices/Wireless%20Network%20Setup.PDF

CAVEATS I have found.
You do need to authenticate the computer accounts for domain joined
computers' login scripts to run.  That was a big gotcha I found.  Then
on personally owned computers you need to turn off use computer
credentials.

Also PDA's I have yet to get working.  They say they work with
PEAP-MS-CHAP-v2, but they still want a personal certificate.  I don't
know why they still want a personal cert.  So if someone wants to help
me with that problem or help me dig up the info to enable EAP-TLS on an
IAS server I'd be glad to hear from you.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Wednesday, April 02, 2008 7:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Does anyone have experience setting up a Cisco WiSM with IAS Radius and
Encryption.  Basically I want to have our WiSM authenticate wireless
users to our Active Directory, which we can do directly.  I also want
the wireless secured through WPA and/or WPA2 encryption without having
to email the key to everyone.  I know it can be done but can't find out
how to do this.

The process I want:
1. Computer connects to AP
2. Encryption key is passed to computer and transmission is now secured
3. Internet Browser redirected to login page
4. AD credentials are entered
5. Authenticate
6. Internal IP issued and good to go.

We have 1,3,4,5,6 done.  Step 2 we have working by putting the key into
the computers but that is a pain.

Any suggestions?

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989


RE: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

2008-04-08 Thread Lee Weers
I don't run redundant certificate authorities.  I also only have 1 IAS
server because we are in the beginning stages of our deployment (so far
a high of about 90 clients).  I am planning to expand to a 2nd IAS
server this fall.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Tuesday, April 08, 2008 1:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Do you run redundant Certificate Authorities?  Or if your certificate
authority goes down is your wireless out until you rebuild and restore?

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Lee Weers
Sent: Thursday, April 03, 2008 1:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

I have IAS working with Cisco 4404 controllers, an Aruba 2400, and an HP
WESM.  We are using PEAP and MS-CHAPv2 with a WLAN certificate from
Verisign.

The documents I used to set up the IAS server are here.
http://support.microsoft.com/kb/325725/en-us
http://www.microsoft.com/technet/security/guidance/cryptographyetc/peap_1.mspx

Our wireless setup document is here
http://www.central.edu/itservices/Wireless%20Network%20Setup.PDF

CAVEATS I have found.
You do need to authenticate the computer accounts for domain joined
computers' login scripts to run.  That was a big gotcha I found.  Then
on personally owned computers you need to turn off use computer
credentials.

Also PDA's I have yet to get working.  They say they work with
PEAP-MS-CHAP-v2, but they still want a personal certificate.  I don't
know why they still want a personal cert.  So if someone wants to help
me with that problem or help me dig up the info to enable EAP-TLS on an
IAS server I'd be glad to hear from you.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Wednesday, April 02, 2008 7:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Does anyone have experience setting up a Cisco WiSM with IAS Radius and
Encryption.  Basically I want to have our WiSM authenticate wireless
users to our Active Directory, which we can do directly.  I also want
the wireless secured through WPA and/or WPA2 encryption without having
to email the key to everyone.  I know it can be done but can't find out
how to do this.

The process I want:
1. Computer connects to AP
2. Encryption key is passed to computer and transmission is now secured
3. Internet Browser redirected to login page
4. AD credentials are entered
5. Authenticate
6. Internal IP issued and good to go.

We have 1,3,4,5,6 done.  Step 2 we have working by putting the key into
the computers but that is a pain.

Any suggestions?

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989



RE: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

2008-04-03 Thread Lee Weers
I have IAS working with Cisco 4404 controllers, an Aruba 2400, and an HP
WESM.  We are using PEAP and MS-CHAPv2 with a WLAN certificate from
Verisign.

The documents I used to set up the IAS server are here.
http://support.microsoft.com/kb/325725/en-us
http://www.microsoft.com/technet/security/guidance/cryptographyetc/peap_1.mspx

Our wireless setup document is here
http://www.central.edu/itservices/Wireless%20Network%20Setup.PDF

CAVEATS I have found.  
You do need to authenticate the computer accounts for domain joined
computers' login scripts to run.  That was a big gotcha I found.  Then
on personally owned computers you need to turn off use computer
credentials.

Also PDA's I have yet to get working.  They say they work with
PEAP-MS-CHAP-v2, but they still want a personal certificate.  I don't
know why they still want a personal cert.  So if someone wants to help
me with that problem or help me dig up the info to enable EAP-TLS on an
IAS server I'd be glad to hear from you.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Bennett
Sent: Wednesday, April 02, 2008 7:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Does anyone have experience setting up a Cisco WiSM with IAS Radius and
Encryption.  Basically I want to have our WiSM authenticate wireless
users to our Active Directory, which we can do directly.  I also want
the wireless secured through WPA and/or WPA2 encryption without having
to email the key to everyone.  I know it can be done but can't find out
how to do this.

The process I want:
1. Computer connects to AP
2. Encryption key is passed to computer and transmission is now secured
3. Internet Browser redirected to login page
4. AD credentials are entered
5. Authenticate
6. Internal IP issued and good to go.

We have 1,3,4,5,6 done.  Step 2 we have working by putting the key into
the computers but that is a pain.

Any suggestions?

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989



Cisco controllers and HP switches

2008-03-25 Thread Lee Weers
Has anyone gotten Cisco 4404 controllers working with LAG enabled connecting to 
HP 5412 switches?  We have tried a couple of different things with Trunking and 
LACP on the 5400's, but haven't seen a lot of success yet.

Thank you,
 
Lee Weers
Assistant Director for Network Services
Central College IT Services
(641) 628-7675




RE: [WIRELESS-LAN] 802.11n

2008-01-16 Thread Lee Weers
n 
> starts to look really interesting!  Forcing maintenance on the small 
> stuff is ridiculous especially for thin APs that are controlled by the
> controllers (these APs aren't autonomous anymore).
>
> If you want to stay with Cisco, then waiting for the "WiFi 802.11n"
> compliance certification is likely your best bet.
>
> ... Jonn Martell
>
> On 1/11/08, Lee H Badman <[EMAIL PROTECTED]> wrote:
> >
> >
> >
> > Hi Lee-
> >
> >
> >
> > Where I find fault with this is the requirement to keep APs under
> > maintenance. Our model has always been that the APs are cheap enough
> > and reliable enough that it's more cost effective to keep a dozen
> > spares on hand than to keep 1600 APs on maintenance.  so in my
> > opinion, Smartnet isn't the right silver bullet for protection
> > against changes to the standard- but I do concede that every
> > environment has their own circumstances.
> >
> >
> >
> > Lee
> >
> >
> > 
> >
> >
> > From: Lee Weers [mailto:[EMAIL PROTECTED]
> > Sent: Friday, January 11, 2008 11:46 AM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: Re: [WIRELESS-LAN] 802.11n
> >
> >
> >
> >
> > We have a campus wide wireless project just starting that we are
> > going to do 802.11n everywhere we can place a Cisco 1252.  We couldn't
> > get a guarantee from Cisco that there won't be a hardware change.  Just
> > that if the AP is under smartnet they will then do the upgrade for free.
> >
> >
> >
> > I have also heard the same thing from Xirrus with their AP arrays.
> > If they are under maintenance then they will send you the 802.11n
> > radios to swap out.
> >
> >
> >
> >
> >
> >
> > 
> >
> >
> > From: Lee H Badman [mailto:[EMAIL PROTECTED]
> > Sent: Friday, January 11, 2008 9:39 AM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: [WIRELESS-LAN] 802.11n
> >
> > Wondering who is taking the early plunge on 802.11n, whose system
> > you are going with (beyond small pilots), and if you are requiring
> > commitment from the manufacturer that if the standard does change in
> > ways that make pre-standard hardware incompatible, free replacements
> > would be provided?
> >
> >
> >
> > On list or off is OK- just trying to gather data for our own 11n
> > research.
> >
> >
> >
> > Kind regards-
> >
> >
> >
> > Lee H. Badman
> >
> > Wireless/Network Engineer
> >
> > Information Technology and Services
> >
> > Syracuse University
> >
> > 315 443-3003
> >
> >
> >


RE: [WIRELESS-LAN] 802.11n

2008-01-11 Thread Lee Weers
We have a campus wide wireless project just starting that we are going
to do 802.11n everywhere we can place a Cisco 1252.  We couldn't get a
guarantee from Cisco that there won't be a hardware change.  Just that
if the AP is under smartnet they will then do the upgrade for free.
 
I have also heard the same thing from Xirrus with their AP arrays.  If
they are under maintenance then they will send you the 802.11n radios to
swap out.
 
 



From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 11, 2008 9:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.11n


Wondering who is taking the early plunge on 802.11n, whose system you
are going with (beyond small pilots), and if you are requiring
commitment from the manufacturer that if the standard does change in
ways that make pre-standard hardware incompatible, free replacements
would be provided?
 
On list or off is OK- just trying to gather data for our own 11n
research.
 
Kind regards-
 
Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003
 


RE: [WIRELESS-LAN] Making Wireless Network 'Location-Ready'

2007-12-18 Thread Lee Weers
We are having a site survey done of our campus for our campus wide
deployment of wireless.  For location based the client needs to be seen
by at least 3 different AP's for triangulation to happen.  This being
seen in a Cisco world needs to happen in a 2D fashion, as the code isn't
there for 3-D yet. 

-Original Message-
From: Jorge Bodden [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 18, 2007 10:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Making Wireless Network 'Location-Ready'

Does anyone out there have any good documentation on what is required in
order to make an existing wireless infrastructure 'location-ready'.  I
know that APs have to be placed on the perimeter of the building.  I
just want to get a little more information on the matter, before I start
reevaluating the site survey information that I have.  Thanks.

Jorge Bodden







RE: [WIRELESS-LAN] Feedback needed for WiFi manufacturers

2007-12-07 Thread Lee Weers
Procurve does have a centralized controller wireless solution based on
their 5400 and 5300 chassis.  I'd recommend the zl chassis base, for
future N deployments.  They won't release a N ap until the standard is
ratified.  Currently their management for multiple controllers is
lacking.  I'm waiting for Mobility Manager 2.0 to be released in January
to see how this improves.

So for a large deployment of HP I'd look at Airwave to manage it.  If
you just want a captive portal and 802.1x HP is the fastest solution to
setup.  They don't have all of the features of Aruba, like the firewall
or terminate vpn's, yet. 

-Original Message-
From: Scott Smith [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 06, 2007 2:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Feedback needed for WiFi manufacturers

For years we have been a Cisco and Vivato WiFi shop.  I am now being
asked to evaluate other WiFi manufacturers.  In the past I've looked at
3com, Lucent, and Symbol.  However, that's been over 7 years ago at this
point.

So I'm wanting any feedback for other types of WiFi other Universities
are currently utilizing, pros and cons, and even ones in the past you
may have used.

I started looking at Colubris, Xirrus, and Symbol as those are the ones
specifically I was asked to look at.  However, I'm just wanting to see
what other options there may be, besides Cisco.

--
Scott Smith
Network Engineering Services
Southern Illinois University Carbondale
[EMAIL PROTECTED]



RE: [WIRELESS-LAN] 802.11n tied to 802.3at

2007-11-16 Thread Lee Weers
I heard from Cisco 2 days ago that the 3750E and the modules that will
power their 1252 will be available around the end of Dec/January time
frame.  I'm trying to pry out of HP if the 5400's and 3500's will be
firmware upgradable to the 802.3at standard and just not support as many
ports.  The 5400 answer is that it will probably be a different module.
I haven't heard on the 3500.

I haven't heard a ratification date for the 802.3at standard, and I
heard that it was going to happen about the same time or after the
802.11n standard.  I haven't followed that one as close, last I saw they
hadn't decided on 33 or 48 watts of power per port.

-Original Message-
From: Frank Bulk - iNAME [mailto:[EMAIL PROTECTED] 
Sent: Thursday, November 15, 2007 8:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.11n tied to 802.3at

Good points, Philippe.  For those organizations that want to be bleeding
edge, I don't think PoE concerns are going to hold them back.  Every
vendor has a way to address them today in a way that's not a
show-stopper.

Has anyone heard from Cisco, Extreme, Foundry, HP, etc. on when 802.3at
switches/blades will be available?

Which 802.11n AP supports Etherchannel?  It's my understanding that any
vendor who has a second Ethernet port on their AP is using it
exclusively for PoE (Trapeze's AP may be the exception).

Frank

-Original Message-
From: Philippe Hanset [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 15, 2007 11:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.11n tied to 802.3at

Following the trail of discussion about 802.11n, I wouldn't be buying
802.11n before 802.3at (AKA Power over Ethernet PLUS) gears are on the
market. By then, 802.11n vendors should have only one Ethernet port to
the AP.
One port will bring savings on PoE injectors, Cabling, and even
switchports (if you were planning to etherchannel those two 100 Mbps
ports to one AP).
After all, a 48 ports 10/100/1000 switch is only 50% more expensive than
a 10/100 (in the Cisco world), one more reason to only have one cable
from the switch to the AP!

Last thing: According to a few websites, 802.3at will work over regular
cat5.

Best,

Philippe Hanset
University of Tennessee



RE: [WIRELESS-LAN] 802.11n Draft 2.0

2007-11-13 Thread Lee Weers
I don't see a finalization of 802.11n anytime soon.  If I remember right
the original draft was supposed to be finalized by now, but then pushed
it back to Spring 08 then Oct 08 and now Mar 09.  I wouldn't be surprised
to see it pushed back yet again.  I was also concerned about not seeing
a release on 3 patents to the IEEE standards body yet, but then just
found this article.
http://www.infoworld.com/article/07/10/02/WLAN-patent-threat-may-be-resolved_1.html

I think a/b/g will be here for quite some time.

-Original Message-
From: Kevin Pait [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 13, 2007 3:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.11n Draft 2.0

We are currently rolling out Cisco a/b/g wireless and asked the vendor
about designing with 802.11n in mind.  The overall response was that the
technology is too immature and any predictions would be highly
speculative.  They also said that the consumer base would not be
populated with N - capable devices within the next 5-8 years in
sufficient numbers to realize an advantage.

So what does the population think about the lifespan of the current
802.11a/b/g technology?



On Tue, 2007-11-13 at 16:09 -0500, Jorj Bauer wrote:
> > > We are looking at a campus wide wireless deployment, and my 
> > > supervisor is pushing for a complete Cisco 1252 with N draft 2.0 
> > > capability.  We would have about a total of 250 to 300 AP's in 
> > > full deployment.  Our wired infrastructure is currently 100% 
> > > Procurve with about 90% of it being 10/100 switched.  I'd like to
> > > know what other schools are doing with 802.11n.
> > 
> > I think you are right on. I think as long as your a/b/g network is 
> > working well, the students aren't going to care about 11n. In my 
> > mind this is still a very immature technology.
> 
> Personally, I'd hate to put any draft technology on my production 
> network.
> 
> We went through the same thing with 802.11g. Network researchers 
> (here) that started using 802.11g draft hardware suffered innumerable 
> interoperability headaches.
> 
> -- Jorj
> 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Jorj Bauer                                  | [EMAIL PROTECTED]
> Director of Networking                      | 3330 Walnut St.
> School of Engineering and Applied Science   | Levine Building, Room 160
> University of Pennsylvania                  | Philadelphia, PA 19104
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


RE: [WIRELESS-LAN] 802.11n Draft 2.0

2007-11-13 Thread Lee Weers
For wireless we currently have an Aruba 2400, and a HP WESM xl module.
About a year ago I did a comparison (mostly on paper) of a campus wide
deployment of Aruba, Trapeze, Procurve, Xirrus, Cisco, and Siemens.  It
came down to Procurve for several reasons.  1.  It is very simple to
setup and maintain.  2.  It has supported 802.1x a lot easier than our
Aruba deployment  3.  It is the least expensive to maintain year over
year (Lifetime warranty).
 
The only reason why he is pushing Cisco is they are shipping N now, and
he is concerned there will be a political backlash from the students
with the technology fee increase.
 
My opinion is the students won't care if it is a/b/g or n.  They just
want wireless.



From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 13, 2007 2:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.11n Draft 2.0


Hi Lee-
 
I would encourage an eyes-open, non-biased bake-off if you have no
wireless now. Regardless of what APs you settle on, scrutinize the
management component closely. You may end up with a whiz-bang WLAN, but
if you become a slave to the management tool, you'll likely be looking
for alternatives not too far down the road. The management component
(and the hidden costs that you'd do well to ferret out before purchasing
by grilling others who have gone before you), add a significant amount
to your TCO. 
 
For us, we're seeing what early adopters have to say on 802.11n.
Especially large schools with thousands of APs that also do 802.1x. You
probably realize that 802.11n can impact your PoE and data wiring
strategy, along with the number of APs, etc... 
 
 
Keep us posted as you proceed. Out of curiosity- did the push for Cisco
by your supervisor come after a comparison with other vendors?
 
Regards-
 
Lee
 
Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003
________

From: Lee Weers [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 13, 2007 3:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.11n Draft 2.0
 
We are looking at a campus wide wireless deployment, and my supervisor
is pushing for a complete Cisco 1252 with N draft 2.0 capability.  We
would have about a total of 250 to 300 AP's in full deployment.  Our
wired infrastructure is currently 100% Procurve with about 90% of it
being 10/100 switched.  I'd like to know what other schools are doing
with 802.11n.
Thank you, 
  
Lee Weers 
Assistant Director for Network Services 
Central College IT Services 
(641) 628-7675 


802.11n Draft 2.0

2007-11-13 Thread Lee Weers
We are looking at a campus wide wireless deployment, and my supervisor is 
pushing for a complete Cisco 1252 with N draft 2.0 capability.  We would have 
about a total of 250 to 300 AP's in full deployment.  Our wired infrastructure 
is currently 100% Procurve with about 90% of it being 10/100 switched.  I'd 
like to know what other schools are doing with 802.11n.

Thank you,
 
Lee Weers
Assistant Director for Network Services
Central College IT Services
(641) 628-7675




RE: [WIRELESS-LAN] The strategic importance of 5GHz

2007-07-11 Thread Lee Weers
 Panduit's midspan device they claim to inject power on a gig link.  I
wonder how they overcome these concerns...

-Original Message-
From: Frank Bulk [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 02, 2007 10:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz

I'm no EE, but it's my understanding that most IEEE 802.3af midspans
inject power on unused pairs because it's not easy/cheap to inject it on
data-carrying pairs.  It's no problem for Ethernet switches, because
they are generating both.

Kind regards,

Frank

-Original Message-
From: Enfield, Chuck [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 28, 2007 12:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz

I doubt it has anything to do with power over signaling conductors.  If
that can work on endspan, it should work just fine on midspan.  If the
transmission performance of the midspan is good enough, there's no
reason a midspan couldn't use the detection methods specified for
endspan to provide power with GigE.  If otherwise 3af compatible, such a
device would simply exceed the requirements of the standard.  Apparently
the PowerDsine 6000G and 3001G do that.  Maybe others will too.

I don't know the reason that midspan power for GigE was excluded from
the standard, but I'm happy to venture a guess.  I assume the required
data transmission performance made it too difficult for some
manufacturers to do it.  From a transmission perspective, the minimum
requirements for 3af devices seem to be aimed at maintaining cat-5
performance.  Since a continuous 90m cat-5 link is barely up to the task
of 1000BASE-T, the requirement that a midspan device would support GigE
on that same cat-5 link was probably a dealbreaker.  At the risk of
looking foolish by prognosticating, I see 802.3at including midspans for
1000BASE-T, but only on cat-5e or higher cable.

Chuck

-Original Message-
From: Frank Bulk - iNAME [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 27, 2007 8:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz

Chuck:

If I understand what you're saying, midspan can only inject power on
unused powers, and since GigE uses all four pairs, PoE for GigE needs to
be driven from endspans using what Wikipedia calls 'phantom power'
(http://en.wikipedia.org/wiki/Power_over_Ethernet).  Is that right?

Frank


-Original Message-
From: Enfield, Chuck [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 27, 2007 2:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz

Sorry, I've been using midspan power so long I sometimes forget there
are other options.  I don't have time to look it up, but I'm reasonably
sure that 802.3af doesn't include midspan power for 1000BASE-T.  Much
has been made of the fact that 802.3at will.

That's not to say there are no midspan devices out there that comply
with 3af AND do power for GigE.  If they can get adequate transmission
performance through the interconnect, there's no reason it shouldn't
work.
I'll have to look into the PowerDsine PSE.

Chuck

-Original Message-
From: Philippe Hanset [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 27, 2007 11:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz

If you look for instance at a PowerDsine 6000 series Midspan power
injector, it is 802.3af compliant, and supports GigE. That's what we buy
today in preparation for 802.11n. (and crossing our fingers ;-) I have a
secret hope that 802.11b/g will be for coverage, (the Iphone will
decide!) 802.11n at 5 Ghz for performance and who knows what will
happen to 802.11a (cheap point-to-point?) Hopefully the 15 watts of
802.3af will suffice for b/g and n at 5Ghz on one AP!

Philippe Hanset
University of Tennessee


On Wed, 27 Jun 2007, Enfield, Chuck wrote:

> Since we can't do 3af power with GigE, that one connection would have 
> to be 100Mb.  If we're going to use two cables for power let's hope 
> we'll be given the chance to use two data channels as well.
>
> Chuck
>
> -Original Message-
> From: Tomo [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 27, 2007 4:14 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz
>
> The Airwave webinar (for which a link was sent round last week) 
> mentioned that some vendors are looking at providing two Ethernet 
> sockets on MIMO / 802.11n Access Points, so they could draw 2 x 
> 802.3af power connections and one live Ethernet connection.
>
> _
>
> Tomo | Senior Network & Telecommunications Infrastructure Engineer 
> Direct
> line: +44 (0)20 7000  | Email: [EMAIL PROTECTED]
>
> www.london.edu
>
>
> > -Original Message-
> > From: Frank Bulk - iNAME [mailto:[EMAIL PROTECTED]
> > Sent: 27 June 2007 02:32
>

RE: [WIRELESS-LAN] PEAPv0 questions

2007-02-08 Thread Lee Weers
Here is the link I was originally looking for; it is about deploying a
secure wireless network using MS.  It talks about IAS, group policy for
XP, Vista, and Longhorn.

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
 

-Original Message-
From: Tom Rixom [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 08, 2007 10:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAPv0 questions

Does anyone know the group policy setting for something like this?

Regards,

Tom

> -Original Message-
> From: Frank Bulk [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 8, 2007 17:16
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] PEAPv0 questions
> 
> I think group policies would help out there.
> 
> Regards,
> 
> Frank
> 
> -Original Message-
> From: Tom Rixom [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 08, 2007 10:07 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] PEAPv0 questions
> 
> Hi all,
> 
> If we are going to talk about PEAP, could someone maybe answer me the 
> following questions?
> 
> Are these PEAPv0 implementations also used on public computers 
> (accessible by different users, without admin privileges)?
> 
> And if so can those non-admin users access the PEAP configuration via 
> the network properties window? Or can this for example be disabled by 
> a domain policy?
> 
> The reason I ask is that in my experiments with PEAP on Windows I 
> could change the configuration regardless of my privileges. This 
> allowed me to configure PEAP to not validate the server certificate 
> allowing the so called man-in-the-middle attack to take place.
> 
> Regards,
> 
> Tom Rixom
> 


RE: [WIRELESS-LAN] PEAPv0 questions

2007-02-08 Thread Lee Weers
To access Active Directory-based wireless network policy settings,
follow these steps:
1. On the domain controller, start the Active Directory Users and
Computers snap-in.
2. Right-click the domain object in the console tree, and then click
Properties.
3. Click the Group Policy tab.
4. Click Default Domain Policy, and then click Edit.
5. Expand the following folder:
Computer Configuration\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies

For more information about how to use Wireless Network (IEEE 802.11)
Policies, see the following topics in Microsoft Windows Help:
* Access Active Directory-based wireless network policies
* Add, edit, or remove Active Directory-based wireless network policies
* Define preferred wireless networks in Group Policy
* Define 802.1X authentication for wireless networks in Group Policy

Copied from 

http://support.microsoft.com/kb/811233/en-us

-Original Message-
From: Tom Rixom [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 08, 2007 10:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAPv0 questions

Does anyone know the group policy setting for something like this?

Regards,

Tom

> -Original Message-
> From: Frank Bulk [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 8, 2007 17:16
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] PEAPv0 questions
> 
> I think group policies would help out there.
> 
> Regards,
> 
> Frank
> 
> -Original Message-
> From: Tom Rixom [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 08, 2007 10:07 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] PEAPv0 questions
> 
> Hi all,
> 
> If we are going to talk about PEAP, could someone maybe answer me the 
> following questions?
> 
> Are these PEAPv0 implementations also used on public computers 
> (accessible by different users, without admin privileges)?
> 
> And if so can those non-admin users access the PEAP configuration via 
> the network properties window? Or can this for example be disabled by 
> a domain policy?
> 
> The reason I ask is that in my experiments with PEAP on Windows I 
> could change the configuration regardless of my privileges. This 
> allowed me to configure PEAP to not validate the server certificate 
> allowing the so called man-in-the-middle attack to take place.
> 
> Regards,
> 
> Tom Rixom
> 


RE: [WIRELESS-LAN] Windows WZC Auto config tool

2007-02-05 Thread Lee Weers
Save the following into a text file with a .bat extension.  Then I had
to copy the .bat and the ArubaWifiCFG.exe to the local computer and
double click the .bat.

ArubaWifiCFG -add /SSID:SSIDNAME /Authentication:WPA2 /Encryption:AES /EAPType:PEAP /InnerAuthentication:MSCHAPv2 /MACHINE_AUTH:TRUE /GUEST_AUTH:FALSE /KeyProvidedAutomatically:TRUE /UseWindowsLogonInfo:TRUE /EnableFastReconnect:TRUE /IEEE8021xEnabled:TRUE

-Original Message-
From: Matt Ashfield [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 05, 2007 1:25 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Windows WZC Auto config tool

Do you have an example of that?

Thanks

Matt
[EMAIL PROTECTED] 


-Original Message-
From: Emerson Parker [mailto:[EMAIL PROTECTED]
Sent: February 4, 2007 10:14 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Windows WZC Auto config tool

 
I wanted to let everyone know of a neat trick you can do with the
autoconfig tool. You can create a batch file that executes it and place
that on a captive portal web site on an open SSID.  Students can
self-serve the 802.1x config.

Do I have a flair for the obvious or what? ;)

-Emerson



RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

2007-02-02 Thread Lee Weers
For the moment I added domain computers to the list, and I was able to
login on the computer I hadn't before. (I'll restrict it to the list of
laptops today).  While I didn't see timers in the tweak utility
mentioned earlier, I did see some timers when setting up the GPO. I
changed the max start and Authentication period timers.  Maybe this will
help.

My login script ran, but the home folder  drive mapping that takes place
using the account profile didn't.  I'll add that to the login scripts.

So I'm partially there.

Now it is on to the users iBook and PC's who connect to wireless at
home, but then can't connect back to the network.  The iBook is an older
one, but it is fully updated.

Thank you for your help.

-Original Message-
From: King, Michael [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 01, 2007 4:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

It's why they're getting denied, they have to be allowed to login.  You
can probably do specific groups of computers or individual computers.

> -Original Message-
> From: Lee Weers [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 01, 2007 5:07 PM
> To: King, Michael
> Subject: RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
> 
>  Is it required that domain computers be allowed?  Most of the college

> owned laptops are shared laptops.
> 
> -Original Message-
> From: King, Michael [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 01, 2007 3:48 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
> 
> Hey, what users do you have in your IAS's remote access policy?
> 
> Do you have DOMAIN COMPUTERS allowed?  (It's not part of DOMAIN USERS)
> 
> Mike
> 
> > -Original Message-
> > From: Lee Weers [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, February 01, 2007 4:42 PM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
> > 
> > I've changed the name and marked out the ip addresses.  
> > 
> > Here is an example of the deny
> > 
> > User host/bob_10884.central.edu was denied access.
> >  Fully-Qualified-User-Name = CENTRALCOLLEGE\BOB_10884$
> NAS-IP-Address
> 
> > = xxx.xxx.xxx.xxx  NAS-Identifier = WESM1
> Called-Station-Identifier =
> 
> > 00-14-C2-A3-A4-85:airCentral-Academic
> >  Calling-Station-Identifier = 00-18-DE-66-6E-C4
> Client-Friendly-Name
> > = HP Wesm  Client-IP-Address = xxx.xxx.xxx.xxx  NAS-Port-Type = 
> > Wireless - IEEE 802.11 NAS-Port = 1  Proxy-Policy-Name =
> Use Windows
> > authentication for all users  Authentication-Provider = Windows 
> > Authentication-Server =   Policy-Name =
> 
> > Authentication-Type = EAP  EAP-Type = 
> Reason-Code = 48
> 
> > Reason = The connection attempt did not match any remote access 
> > policy.
> > 
> > 
> > I wouldn't think I need to setup a policy for machine
> authentication.
> > 
> > Here is the success.
> > 
> > User CENTRALCOLLEGE\bob was granted access.
> >  Fully-Qualified-User-Name = central.edu/Computers-AutoUpdate 
> > Fac-Staff/Roaming Profiles/Bob  NAS-IP-Address = xxx.xxx.xxx.xxx 
> > NAS-Identifier = WESM1  Client-Friendly-Name = HP Wesm 
> > Client-IP-Address = xxx.xxx.xxx.xxx  Calling-Station-Identifier =
> > 00-18-DE-66-6E-C4  NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port =
> > 1
> >   Proxy-Policy-Name = Use Windows authentication for all users 
> > Authentication-Provider = Windows  Authentication-Server = 
> >   Policy-Name = Authenticate wireless network 
> > Authentication-Type = PEAP  EAP-Type = Secured password (EAP-MSCHAP
> > v2)
> > 
> > I've changed the name and marked out the ip addresses.
> > -Original Message-
> > From: Doug Payne [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, February 01, 2007 3:19 PM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
> > 
> > On 01/02/2007 3:32 PM, Lee Badman wrote:
> > 
> > > Automatically Use My Windows Credentials- implies that the
> > same user
> > > name and password used to simply open up Windows is the
> > same used to
> > > login to the network, like against AD- which is not
> always the same
> > > (in our case it is very likely almost never the same as the
> > users set
> > > up their own laptops and give themselves all sorts of
> exotic and or
> > > silly names and pa
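
The two IAS events quoted in this thread can be triaged mechanically. The following is an added example, not code from any poster: it parses that event layout however the mail client wrapped it, separates computer identities from user identities, and flags Reason-Code 48 denials. The function names are hypothetical and the sample events are the thread's own log text, unwrapped.

```python
import re

# IAS "was denied/granted access" events are a header sentence followed by
# "Attribute-Name = value" pairs. Mail clients re-wrap them, so parse the
# flattened text: a value runs until the next attribute name.
_ATTR = re.compile(r"(?<!\S)([A-Z][A-Za-z0-9]*(?:-[A-Za-z0-9]+)*) =")
_HEADER = re.compile(r"User (\S+) was (denied|granted) access")

# Reason-Code 48 is the code shown in the thread's denial:
# "The connection attempt did not match any remote access policy."
NO_MATCHING_POLICY = "48"


def parse_event(text):
    """Return {'user', 'outcome', 'attrs'} for one IAS event, however wrapped."""
    flat = " ".join(text.split())
    header = _HEADER.search(flat)
    if header is None:
        raise ValueError("not an IAS access event")
    keys = list(_ATTR.finditer(flat))
    attrs = {}
    for i, key in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(flat)
        attrs[key.group(1)] = flat[key.end():end].strip()
    return {"user": header.group(1), "outcome": header.group(2), "attrs": attrs}


def is_machine_identity(event):
    """Computer accounts log in as host/<fqdn>; their account name ends in '$'."""
    fqun = event["attrs"].get("Fully-Qualified-User-Name", "")
    return event["user"].lower().startswith("host/") or fqun.endswith("$")


def triage(event):
    """Classify one event the way the thread reasons about it."""
    if event["outcome"] == "granted":
        return "ok"
    if event["attrs"].get("Reason-Code") != NO_MATCHING_POLICY:
        return "denied-other"
    # No remote access policy matched. For a computer account that points at
    # the policy's group condition (e.g. Domain Computers not being listed).
    if is_machine_identity(event):
        return "machine-not-in-policy"
    return "user-not-in-policy"


def clients_losing_machine_auth(events):
    """MACs where the computer account is rejected but a user is accepted,
    the pattern discussed in the thread."""
    machine_denied, user_granted = set(), set()
    for ev in events:
        mac = ev["attrs"].get("Calling-Station-Identifier")
        verdict = triage(ev)
        if verdict == "machine-not-in-policy":
            machine_denied.add(mac)
        elif verdict == "ok" and not is_machine_identity(ev):
            user_granted.add(mac)
    return sorted(machine_denied & user_granted)


# Constructed samples: the two events quoted in the thread, unwrapped, with
# the poster's own redactions (xxx addresses, changed names) left in place.
DENIED = r"""
User host/bob_10884.central.edu was denied access.
 Fully-Qualified-User-Name = CENTRALCOLLEGE\BOB_10884$
 NAS-IP-Address = xxx.xxx.xxx.xxx  NAS-Identifier = WESM1
 Called-Station-Identifier = 00-14-C2-A3-A4-85:airCentral-Academic
 Calling-Station-Identifier = 00-18-DE-66-6E-C4
 Client-Friendly-Name = HP Wesm  Client-IP-Address = xxx.xxx.xxx.xxx
 NAS-Port-Type = Wireless - IEEE 802.11  NAS-Port = 1
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows  Authentication-Server =   Policy-Name =
 Authentication-Type = EAP  EAP-Type =   Reason-Code = 48
 Reason = The connection attempt did not match any remote access policy.
"""

GRANTED = r"""
User CENTRALCOLLEGE\bob was granted access.
 Fully-Qualified-User-Name = central.edu/Computers-AutoUpdate Fac-Staff/Roaming Profiles/Bob
 NAS-IP-Address = xxx.xxx.xxx.xxx  NAS-Identifier = WESM1
 Client-Friendly-Name = HP Wesm  Client-IP-Address = xxx.xxx.xxx.xxx
 Calling-Station-Identifier = 00-18-DE-66-6E-C4
 NAS-Port-Type = Wireless - IEEE 802.11  NAS-Port = 1
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows  Authentication-Server =
 Policy-Name = Authenticate wireless network
 Authentication-Type = PEAP  EAP-Type = Secured password (EAP-MSCHAP v2)
"""

if __name__ == "__main__":
    events = [parse_event(DENIED), parse_event(GRANTED)]
    for ev in events:
        print(ev["user"], "->", triage(ev))
    print("affected clients:", clients_losing_machine_auth(events))
```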

RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

2007-02-01 Thread Lee Weers
For this log, I enabled the file tracing and logged the user off.  I
then tried to login as myself, which I have never been on this computer
before.  It failed.  I then logged on as a user, but didn't appear to
get fully connected (never got an ip address).  I then logged off and
tried myself again.  Failed.  I then logged back in on the computer as
the same user as before, and it completed successfully, ip address, etc.


-Original Message-
From: Tom Rixom [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 01, 2007 3:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

Hi Lee,

Set the following registry key to "1".

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EAPOL\EnableFileTracing

This will enable the following trace file:

c:\windows\tracing\eapol.log

Please post the log file here and I will take a look.

Regards,

Tom Rixom

PS. I am almost sure no confidential info is logged in the EAPOL log,
but I would verify this before posting ;)

> -Original Message-
> From: Lee Weers [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 1, 2007 0:00
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
> 
> I'd appreciate any help I can get on my problems.
> 
> Environment:
> I've setup a secure SSID that is using WPA-TKIP/WPA2-AES encryption.
> The EAP type is PEAP and MS-CHAP-V2.  The wireless hardware is a mix
> of Aruba, and HP Procurve (thin).  The SSID name is the same on both
> vendors.  MS IAS is the Radius server with the Verisign wireless LAN
> certificate.
> Laptops are XP SP2 all fully patched through Nov 06 or newer.
> 
> The problems I am having are as follows:
> 
> 1.  A laptop that belongs to our domain, but the user has never logged
> into it before (so no cached credentials exist) it errors with the
> Domain is not available.  If cached credentials do exist then they
> get logged in.
> 
> 2.  When the user gets logged in the login scripts may or may not run
> so drive may or may not be mapped.
> 
> 3.  Users who connect to the encrypted SSID take it home and connect
> to the wireless network at home, but then they don't get connected
> again when they come back.  The logs show that it is using the
> domainname\computername rather than domainname\username, hence access
> denied.  It doesn't seem to matter if the Authenticate as computer is
> checked or unchecked.
> 
> 4.  UTStar vx6700 does not recognize the Verisign root certificate.
> When we installed the Verisign root certificate again on the device it
> broke a bunch of other things like activesync and being able to make a
> wifi connection.
> 
> Other than #4, this is reproducible on Dell D510's, IBM Tablets, and
> other older laptops.  I have not seen these problems with the Mac
> iBook's.  It doesn't make a difference if the WPA2 patch (KB893357) is
> installed or not.
> 
> What I would like to see happen is the same behavior whether it is a
> wire connection to the network or using the wireless connection.  That
> was my interpretation as to the advantage of 802.1x.  We do not
> currently use 802.1x on the wired network.
> 
> Thank you,
> 
> Lee Weers
> Assistant Director for Network Services Central College IT Services
> (641) 628-7675
> 

**
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.



EAPOL.LOG
Description: EAPOL.LOG


RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

2007-02-01 Thread Lee Weers
No I do not have domain computers allowed.  Maybe this is the root of my
problem? 

-Original Message-
From: King, Michael [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 01, 2007 3:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

Hey, what users do you have in your IAS's remote access policy?

Do you have DOMAIN COMPUTERS allowed?  (It's not part of DOMAIN USERS)

Mike

> -Original Message-
> From: Lee Weers [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 01, 2007 4:42 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
> 
> I've changed the name and marked out the ip addresses.  
> 
> Here is an example of the deny
> 
> User host/bob_10884.central.edu was denied access.
>  Fully-Qualified-User-Name = CENTRALCOLLEGE\BOB_10884$
>  NAS-IP-Address = xxx.xxx.xxx.xxx
>  NAS-Identifier = WESM1
>  Called-Station-Identifier = 00-14-C2-A3-A4-85:airCentral-Academic
>  Calling-Station-Identifier = 00-18-DE-66-6E-C4
>  Client-Friendly-Name = HP Wesm
>  Client-IP-Address = xxx.xxx.xxx.xxx
>  NAS-Port-Type = Wireless - IEEE 802.11
>  NAS-Port = 1
>  Proxy-Policy-Name = Use Windows authentication for all users
>  Authentication-Provider = Windows
>  Authentication-Server =
>  Policy-Name =
>  Authentication-Type = EAP
>  EAP-Type =
>  Reason-Code = 48
>  Reason = The connection attempt did not match any remote access policy.
> 
> 
> I wouldn't think I need to setup a policy for machine authentication.
> 
> Here is the success.
> 
> User CENTRALCOLLEGE\bob was granted access.
>  Fully-Qualified-User-Name = central.edu/Computers-AutoUpdate Fac-Staff/Roaming Profiles/Bob
>  NAS-IP-Address = xxx.xxx.xxx.xxx
>  NAS-Identifier = WESM1
>  Client-Friendly-Name = HP Wesm
>  Client-IP-Address = xxx.xxx.xxx.xxx
>  Calling-Station-Identifier = 00-18-DE-66-6E-C4
>  NAS-Port-Type = Wireless - IEEE 802.11
>  NAS-Port = 1
>  Proxy-Policy-Name = Use Windows authentication for all users
>  Authentication-Provider = Windows
>  Authentication-Server =
>  Policy-Name = Authenticate wireless network
>  Authentication-Type = PEAP
>  EAP-Type = Secured password (EAP-MSCHAP v2)
> 
> I've changed the name and marked out the ip addresses.
> -Original Message-
> From: Doug Payne [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 01, 2007 3:19 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
> 
> On 01/02/2007 3:32 PM, Lee Badman wrote:
> 
> > Automatically Use My Windows Credentials- implies that the same user
> > name and password used to simply open up Windows is the same used to
> > login to the network, like against AD- which is not always the same
> > (in our case it is very likely almost never the same as the users set
> > up their own laptops and give themselves all sorts of exotic and or
> > silly names and passwords that wouldn't match their network IDs)
> 
> Not to mention that WXP automatically uses the computer name as the 
> domain name, which doesn't work if you use IAS as your Radius server.
> 


RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

2007-02-01 Thread Lee Weers
I've changed the name and marked out the ip addresses.  

Here is an example of the deny

User host/bob_10884.central.edu was denied access.
 Fully-Qualified-User-Name = CENTRALCOLLEGE\BOB_10884$
 NAS-IP-Address = xxx.xxx.xxx.xxx
 NAS-Identifier = WESM1
 Called-Station-Identifier = 00-14-C2-A3-A4-85:airCentral-Academic
 Calling-Station-Identifier = 00-18-DE-66-6E-C4
 Client-Friendly-Name = HP Wesm
 Client-IP-Address = xxx.xxx.xxx.xxx
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 1
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows 
 Authentication-Server =  
 Policy-Name =  
 Authentication-Type = EAP
 EAP-Type =  
 Reason-Code = 48
 Reason = The connection attempt did not match any remote access policy.


I wouldn't think I need to setup a policy for machine authentication.

Here is the success.

User CENTRALCOLLEGE\bob was granted access.
 Fully-Qualified-User-Name = central.edu/Computers-AutoUpdate Fac-Staff/Roaming Profiles/Bob
 NAS-IP-Address = xxx.xxx.xxx.xxx
 NAS-Identifier = WESM1
 Client-Friendly-Name = HP Wesm
 Client-IP-Address = xxx.xxx.xxx.xxx
 Calling-Station-Identifier = 00-18-DE-66-6E-C4
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 1
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows 
 Authentication-Server =  
 Policy-Name = Authenticate wireless network
 Authentication-Type = PEAP
 EAP-Type = Secured password (EAP-MSCHAP v2)

I've changed the name and marked out the ip addresses.
-Original Message-
From: Doug Payne [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 01, 2007 3:19 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

On 01/02/2007 3:32 PM, Lee Badman wrote:

> Automatically Use My Windows Credentials- implies that the same user 
> name and password used to simply open up Windows is the same used to 
> login to the network, like against AD- which is not always the same 
> (in our case it is very likely almost never the same as the users set 
> up their own laptops and give themselves all sorts of exotic and or 
> silly names and passwords that wouldn't match their network IDs)

Not to mention that WXP automatically uses the computer name as the
domain name, which doesn't work if you use IAS as your Radius server.

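Added example, not part of the original thread: the deny and success events posted above differ in who authenticated (computer account vs. user) and in Reason-Code. This Python parser reads IAS event text in that layout, labels each event as machine or user, and lists client MACs that were granted as a user but denied as a computer account. The sample events, function names and hint wording are constructed for illustration.

```python
import re

# Constructed sample in the layout of the IAS events quoted in this thread.
# Names, MAC (documentation range) and IPs are made up. The second event has
# several attributes per line, as happens when a mail client reflows the text.
SAMPLE = r"""
User host/lab-pc01.example.edu was denied access.
 Fully-Qualified-User-Name = EXAMPLE\LAB-PC01$
 NAS-IP-Address = 192.0.2.10
 Calling-Station-Identifier = 00-00-5E-00-53-01
 NAS-Port-Type = Wireless - IEEE 802.11
 Policy-Name =
 Authentication-Type = EAP
 EAP-Type =
 Reason-Code = 48
 Reason = The connection attempt did not match any remote access policy.

User EXAMPLE\alice was granted access.
 Fully-Qualified-User-Name = example.edu/Staff/Alice  NAS-IP-Address = 192.0.2.10
 Calling-Station-Identifier = 00-00-5E-00-53-01  NAS-Port-Type = Wireless - IEEE 802.11
 Policy-Name = Authenticate wireless network  Authentication-Type = PEAP
 EAP-Type = Secured password (EAP-MSCHAP v2)
"""

# "User <identity> was granted|denied access." starts each event.
HEADER = re.compile(r"User (\S+) was (granted|denied) access\.")
# Attribute names look like "NAS-Port-Type" and are followed by "=".
ATTR = re.compile(r"([A-Z][A-Za-z]*(?:-[A-Za-z]+)*)\s*=")


def parse_events(text):
    """Return one dict per event: user, result, and an attribute map."""
    events = []
    headers = list(HEADER.finditer(text))
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        # An event's attributes end at the first blank line, so prose pasted
        # between two events is not absorbed into the last value.
        body = re.split(r"\n[ \t]*\n", text[head.end():end].strip("\n"), maxsplit=1)[0]
        attrs = {}
        marks = list(ATTR.finditer(body))
        for j, mark in enumerate(marks):
            stop = marks[j + 1].start() if j + 1 < len(marks) else len(body)
            # A value runs to the next attribute name; empty values are kept.
            attrs[mark.group(1)] = " ".join(body[mark.end():stop].split())
        events.append({"user": head.group(1), "result": head.group(2), "attrs": attrs})
    return events


def identity_kind(event):
    """'machine' for computer accounts (host/<fqdn> or NAME$), else 'user'."""
    fqun = event["attrs"].get("Fully-Qualified-User-Name", "")
    if event["user"].lower().startswith("host/") or fqun.endswith("$"):
        return "machine"
    return "user"


def diagnose(event):
    """One-line finding per event; the hint wording is this example's own."""
    kind = identity_kind(event)
    code = event["attrs"].get("Reason-Code", "")
    if event["result"] == "denied" and code == "48" and kind == "machine":
        return ("computer account matched no remote access policy: "
                "check that a policy covers the computers group")
    if event["result"] == "denied":
        return f"{kind} denied, Reason-Code {code or 'n/a'}"
    return f"{kind} granted by policy {event['attrs'].get('Policy-Name') or 'n/a'}"


def identity_flips(events):
    """Client MACs seen both granted as a user and denied as a machine."""
    seen = {}
    for event in events:
        mac = event["attrs"].get("Calling-Station-Identifier", "")
        seen.setdefault(mac, set()).add((identity_kind(event), event["result"]))
    return sorted(mac for mac, outcomes in seen.items()
                  if mac and ("user", "granted") in outcomes
                  and ("machine", "denied") in outcomes)


if __name__ == "__main__":
    parsed = parse_events(SAMPLE)
    for ev in parsed:
        print(ev["user"], "->", diagnose(ev))
    print("clients flipping between user and machine identity:", identity_flips(parsed))
```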


RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

2007-02-01 Thread Lee Weers
On the computers I'm having this problem with that box should be checked
ideally.  Student computers this would not be checked because they would
be different. 

Maybe have the users messing with too many things also, trying to fix
it.

I do appreciate the suggestions I have gotten so far.  I've asked the
techs to start gathering some chipset and driver information also.

It's one of the things I see on this list, that I haven't tried yet.
-Original Message-
From: Lee Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 01, 2007 2:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

Automatically Use My Windows Credentials- implies that the same user
name and password used to simply open up Windows is the same used to
login to the network, like against AD- which is not always the same (in
our case it is very likely almost never the same as the users set up
their own laptops and give themselves all sorts of exotic and or silly
names and passwords that wouldn't match their network IDs)

Lee 



>>> [EMAIL PROTECTED] 2/1/2007 3:25 PM >>>
I forgot to mention the most consistent way of connecting to the network
successfully is to uncheck the "Automatically use my Windows
credentials", but then it doesn't run login scripts, and you have to
have logged on to the computer before. 

-Original Message-
From: Michael Griego [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 01, 2007 2:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

Dumb question...   In your 802.1x configuration on your Windows  
laptops, you *do* have both "Authenticate as a machine..." and
"Automatically use my Windows credentials" enabled, yes?

--Mike

On Feb 1, 2007, at 1:26 PM, Lee Weers wrote:

> My problem is there are no cached credentials on the machine.  I don't
> even make it as far in to get a pop up box, because as soon as I 
> select OK I get the error of Domain is unavailable.
>
> -Original Message-
> From: Lee Badman [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 01, 2007 12:39 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
>
> On the login box- which is preceded by "Click here to select a 
> certificate or other credential" balloon pop-up, we initially shot
> ourselves in the foot somewhat as part of our Novell client build was
> a registry tweak to disable such pop ups (this was done long before 
> .1x was even a twinkle in the eye). That little pop up is critical to
> getting the initial login box. And to say credentials are cached 
> indefinitely may be stretching it- when users change their passwords
> in AD (or whatever) the cached credentials then become invalid (just
> to be complete).
>
> Lee
>
> Lee Badman
> Network/Wireless Engineer
> Syracuse University
> 315 443-3003
>
>>>> [EMAIL PROTECTED] 2/1/2007 1:28 PM >>>
> I would think this would be a RADIUS /IAS Issue. I do this almost
> daily:
>  Add a temporary user to AD/ACS/RADIUS and log in with my WZC utility.
> It prompts on the first  login attempt for my uname/pw and to verify
> the cert.  However, this box does not often show itself easily and 
> seems to hide behind any window that happens to be open.  clear all 
> windows from desktop and during the auth process, continually click on
> the little wireless icon in the task bar.  This seems to force the 
> window from the realm of invisibility.  Once you do this, it will cache
> the credentials indefinitely.  I've had varying degrees of success 
> with the "clear cached credential" registry change that msoft talks 
> about...
>
> How to remove cached user credentials that are used for PEAP 
> authentication in Windows XP
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823731
>
>>>
>>> 1.  A laptop that belongs to our domain, but the user has never 
>>> logged into it before (so no cached credentials exist) it errors
>>> with the Domain is not available.  If cached credentials do exist
>>> then they get logged in.
>

RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

2007-02-01 Thread Lee Weers
I forgot to mention the most consistent way of connecting to the network
successfully is to uncheck the "Automatically use my Windows
credentials", but then it doesn't run login scripts, and you have to
have logged on to the computer before. 

-Original Message-
From: Michael Griego [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 01, 2007 2:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

Dumb question...   In your 802.1x configuration on your Windows  
laptops, you *do* have both "Authenticate as a machine..." and
"Automatically use my Windows credentials" enabled, yes?

--Mike

On Feb 1, 2007, at 1:26 PM, Lee Weers wrote:

> My problem is there are no cached credentials on the machine.  I don't 
> even make it as far in to get a pop up box, because as soon as I 
> select OK I get the error of Domain is unavailable.
>
> -Original Message-
> From: Lee Badman [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 01, 2007 12:39 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
>
> On the login box- which is preceded by "Click here to select a 
> certificate or other credential" balloon pop-up, we initially shot 
> ourselves in the foot somewhat as part of our Novell client build was 
> a registry tweak to disable such pop ups (this was done long before 
> .1x was even a twinkle in the eye). That little pop up is critical to 
> getting the initial login box. And to say credentials are cached 
> indefinitely may be stretching it- when users change their passwords 
> in AD (or whatever) the cached credentials then become invalid (just 
> to be complete).
>
> Lee
>
> Lee Badman
> Network/Wireless Engineer
> Syracuse University
> 315 443-3003
>
>>>> [EMAIL PROTECTED] 2/1/2007 1:28 PM >>>
> I would think this would be a RADIUS /IAS Issue. I do this almost
> daily:
>  Add a temporary user to AD/ACS/RADIUS and log in with my WZC utility.
> It prompts on the first  login attempt for my uname/pw and to verify 
> the cert.  However, this box does not often show itself easily and 
> seems to hide behind any window that happens to be open.  clear all 
> windows from desktop and during the auth process, continually click on
> the little wireless icon in the task bar.  This seems to force the 
> window from the realm of invisibility.  Once you do this, it will cache
> the credentials indefinitely.  I've had varying degrees of success 
> with the "clear cached credential" registry change that msoft talks 
> about...
>
> How to remove cached user credentials that are used for PEAP 
> authentication in Windows XP
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823731
>
>>>
>>> 1.  A laptop that belongs to our domain, but the user has never 
>>> logged into it before (so no cached credentials exist) it errors 
>>> with the Domain is not available.  If cached credentials do exist
>>> then they get logged in.
>


RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

2007-02-01 Thread Lee Weers
I have had the Auth as a computer checked and unchecked with the
Automatically use my Windows Credentials.  When the Authenticate as
computer is checked, the computer will sometimes pass the username and
access is granted if the user has logged on before.  If the user hasn't
been on the computer before I don't see anything on the Radius server
for a login attempt.  I'm not sure what causes this, but a user can
successfully auth, log off, log back in and get denied.  The deny
happens because it is the computer that is authenticating and not the
user.

Scenario:

User Joe logs in successfully on wireless network (I see the successful
auth on IAS).  He logs off, then it fails to log back in because now
instead of authenticating domain\Joe is authenticating domain\computer.
I'm to the point now I go beat my head into desk, and go uncheck
computer auth, logoff, and he logs in successfully.  Then the next day
repeat process, but in reverse.

I'm thinking there has to be something a profile or some piece of
software that isn't behaving properly. 

-Original Message-
From: Michael Griego [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 01, 2007 2:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

Dumb question...   In your 802.1x configuration on your Windows  
laptops, you *do* have both "Authenticate as a machine..." and
"Automatically use my Windows credentials" enabled, yes?

--Mike

On Feb 1, 2007, at 1:26 PM, Lee Weers wrote:

> My problem is there are no cached credentials on the machine.  I don't 
> even make it as far in to get a pop up box, because as soon as I 
> select OK I get the error of Domain is unavailable.
>
> -Original Message-
> From: Lee Badman [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 01, 2007 12:39 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
>
> On the login box- which is preceded by "Click here to select a 
> certificate or other credential" balloon pop-up, we initially shot 
> ourselves in the foot somewhat as part of our Novell client build was 
> a registry tweak to disable such pop ups (this was done long before 
> .1x was even a twinkle in the eye). That little pop up is critical to 
> getting the initial login box. And to say credentials are cached 
> indefinitely may be stretching it- when users change their passwords 
> in AD (or whatever) the cached credentials then become invalid (just 
> to be complete).
>
> Lee
>
> Lee Badman
> Network/Wireless Engineer
> Syracuse University
> 315 443-3003
>
>>>> [EMAIL PROTECTED] 2/1/2007 1:28 PM >>>
> I would think this would be a RADIUS /IAS Issue. I do this almost
> daily:
>  Add a temporary user to AD/ACS/RADIUS and log in with my WZC utility.
> It prompts on the first  login attempt for my uname/pw and to verify 
> the cert.  However, this box does not often show itself easily and 
> seems to hide behind any window that happens to be open.  clear all 
> windows from desktop and during the auth process, continually click on
> the little wireless icon in the task bar.  This seems to force the 
> window from the realm of invisibility.  Once you do this, it will cache
> the credentials indefinitely.  I've had varying degrees of success 
> with the "clear cached credential" registry change that msoft talks 
> about...
>
> How to remove cached user credentials that are used for PEAP 
> authentication in Windows XP
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823731
>
>>>
>>> 1.  A laptop that belongs to our domain, but the user has never 
>>> logged into it before (so no cached credentials exist) it errors 
>>> with the Domain is not available.  If cached credentials do exist
>>> then they get logged in.
>


RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

2007-02-01 Thread Lee Weers
My problem is there are no cached credentials on the machine.  I don't
even make it as far in to get a pop up box, because as soon as I select
OK I get the error of Domain is unavailable. 

-Original Message-
From: Lee Badman [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 01, 2007 12:39 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

On the login box- which is preceded by "Click here to select a
certificate or other credential" balloon pop-up, we initially shot
ourselves in the foot somewhat as part of our Novell client build was a
registry tweak to disable such pop ups (this was done long before .1x
was even a twinkle in the eye). That little pop up is critical to
getting the initial login box. And to say credentials are cached
indefinitely may be stretching it- when users change their passwords in
AD (or whatever) the cached credentials then become invalid (just to be
complete).

Lee

Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003

>>> [EMAIL PROTECTED] 2/1/2007 1:28 PM >>>
I would think this would be a RADIUS /IAS Issue. I do this almost daily:
 Add a temporary user to AD/ACS/RADIUS and log in with my WZC utility. 
It prompts on the first  login attempt for my uname/pw and to verify the
cert.  However, this box does not often show itself easily and seems to
hide behind any window that happens to be open.  clear all windows from
desktop and during the auth process, continually click on the little
wireless icon in the task bar.  This seems to force the window from the
realm of invisibility.  Once you do this, it will cache the credentials
indefinitely.  I've had varying degrees of success with the "clear
cached credential" registry change that msoft talks about...

How to remove cached user credentials that are used for PEAP
authentication in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;823731 

>>
>> 1.  A laptop that belongs to our domain, but the user has never 
>> logged into it before (so no cached credentials exist) it errors 
>> with the Domain is not available.  If cached credentials do exist
>> then they get logged in.



RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

2007-02-01 Thread Lee Weers
I set this gpo, and the login scripts are still not running, and it
still didn't allow a person without cached credentials to login.  The
iBook user I setup yesterday took it home, connected wirelessly at home,
and now can't get connected here again.  Even after deleting all of the
info and his keychain. 

-Original Message-
From: Michael Griego [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 01, 2007 8:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

I took a quick look, and the GPO is "Always wait for the network at
computer startup or logon".  It's found under Computer Configuration
\Administrative Templates\System\Logon.

--Mike


On Jan 31, 2007, at 7:46 PM, Ruiz, Mike wrote:

> If someone has handy the GPO for this I'd be interested.  I would like
> to compare the changes made to the registry options for the supplicant.
>
>
> -
> Michael G. Ruiz, ESSE ACP A+
> Network and Systems Engineer
> Hobart and William Smith Colleges
> Information Technology Services
>
> P.315-781-3711  F.315-781-3409
> Team Leader: Derek Lustig ([EMAIL PROTECTED])
>
>
> Did you know that HWS Students, Faculty, Staff, Alums, etc can 
> purchase computers, accessories, electronics and software at a 
> discount through our partner CDW-G?
> http://www.cdwg.com/hws/
> -
>
>
> 
>
> From: Michael Griego [mailto:[EMAIL PROTECTED]
> Sent: Wed 1/31/2007 6:52 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
>
>
>
> We push a group policy to all of our machines to re-enable the 
> Windows-2000-esque behavior that forces the client to wait until 
> network connectivity is established before presenting the login 
> screen.  I don't remember the exact GPO off the top of my head, but it
> does allow our wireless/802.1x clients to process domain credentials, 
> login scripts, etc. as expected since a network connection is 
> established before the user attempts to login.
>
> --Mike
>
>
> On Jan 31, 2007, at 5:40 PM, Ruiz, Mike wrote:
>
>> Lee,
>>The Windows 802.1x supplicant operates by default with some 
>> annoying timers that are nearly always the cause of your #1 and #2 
>> issue.  Essentially the system starts and the supplicant allows 
>> authentication as the computer account with a timer counting down.
>> IF the timer reaches zero before a user authentication event happens 
>> then the supplicant deauthenticates completely.  Zero usually always 
>> comes before the user can even type in their username/password and 
>> press okay, or comes so closely after that bad things happen during 
>> login.  Oddly enough issue #3 can be related to this as well.
>>
>>I recommend you pick up a free utility called XTweak for Windows 
>> 2k/XP/2k3.  It's written by Enterasys and is a free applet that gives
>> you a GUI to tweak the hidden registry parameters for the MS 802.1x 
>> supplicant.  The great thing is that it also shows all the keys to 
>> you in the log output so you can quickly see what does what.  The 
>> utility will allow you to do "computer only"
>> authentication which is great for labs, as well as tweaking how the 
>> user/computer handoff operates.
>> http://www.enterasys.com/support/Tools2/XTweakSetup.exe
>>
>> Cheers,
>> Mike
>>
>>
>> -
>> Michael G. Ruiz, ESSE ACP A+
>> Network and Systems Engineer
>> Hobart and William Smith Colleges
>> Information Technology Services
>>
>> P.315-781-3711  F.315-781-3409
>> Team Leader: Derek Lustig ([EMAIL PROTECTED])
>>
>>
>> Did you know that HWS Students, Faculty, Staff, Alums, etc can 
>> purchase computers, accessories, electronics and software at a 
>> discount through our partner CDW-G?
>> http://www.cdwg.com/hws/
>> -
>>
>>
>> 
>>
>> From: Lee Weers [mailto:[EMAIL PROTECTED]
>> Sent: Wed 1/31/2007 6:00 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
>>
>>
>>
>> I'd appreciate any help I can get on my problems.
>>
>> Environment:
>> I've setup a secure SSID that is using WPA-TKIP/WPA2-AES encryption.
>> The EAP type is PEAP and MS-CHAP-V2.  The wireless hardware is a mix 
>> of Aruba, and HP Procurve (thin).  The SSID name is the same on both 
>> vendors.  MS IAS is the Radius server with the Verisign wireless LAN 
>> certificate.  Laptops are XP SP2 all fully patched throu

RE: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

2007-02-01 Thread Lee Weers
Is the GPO setting to have Fastboot disabled?  We have this set so that
GPO's get processed in order. 

-Original Message-
From: Michael Griego [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 31, 2007 5:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

We push a group policy to all of our machines to re-enable the
Windows-2000-esque behavior that forces the client to wait until network
connectivity is established before presenting the login screen.  I don't
remember the exact GPO off the top of my head, but it does allow our
wireless/802.1x clients to process domain credentials, login scripts,
etc. as expected since a network connection is established before the
user attempts to login.

--Mike


On Jan 31, 2007, at 5:40 PM, Ruiz, Mike wrote:

> Lee,
>The Windows 802.1x supplicant operates by default with some 
> annoying timers that are nearly always the cause of your #1 and #2 
> issue.  Essentially the system starts and the supplicant allows
> authentication as the computer account with a timer counting down.   
> IF the timer reaches zero before a user authentication event happens 
> then the supplicant deauthenticates completely.  Zero usually always 
> comes before the user can even type in their username/password and 
> press okay, or comes so closely after that bad things happen during 
> login.  Oddly enough issue #3 can be related to this as well.
>
>I recommend you pick up a free utility called XTweak for Windows 
> 2k/XP/2k3.  It's written by Enterasys and is a free applet that gives 
> you a GUI to tweak the hidden registry parameters for the MS 802.1x 
> supplicant.  The great thing is that it also shows all the keys to you

> in the log output so you can quickly see what does what.  The utility 
> will allow you to do "computer only"
> authentication which is great for labs, as well as tweaking how the 
> user/computer handoff operates.  http://www.enterasys.com/support/ 
> Tools2/XTweakSetup.exe
>
> Cheers,
> Mike
>
>
> -
> Michael G. Ruiz, ESSE ACP A+
> Network and Systems Engineer
> Hobart and William Smith Colleges
> Information Technology Services
>
> P.315-781-3711  F.315-781-3409
> Team Leader: Derek Lustig ([EMAIL PROTECTED])
>
>
>
>
> 
>
> From: Lee Weers [mailto:[EMAIL PROTECTED]
> Sent: Wed 1/31/2007 6:00 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
>
>
>
> I'd appreciate any help I can get on my problems.
>
> Environment:
> I've set up a secure SSID that is using WPA-TKIP/WPA2-AES encryption.
> The EAP type is PEAP and MS-CHAP-V2.  The wireless hardware is a mix
> of Aruba, and HP Procurve (thin).  The SSID name is the same on both
> vendors.  MS IAS is the Radius server with the Verisign wireless LAN
> certificate.  Laptops are XP SP2 all fully patched through Nov 06 or
> newer.
>
> The problems I am having are as follows:
>
> 1.  A laptop that belongs to our domain, but the user has never logged
> into it before (so no cached credentials exist) it errors with the
> Domain is not available.  If cached credentials do exist then they
> get logged in.
>
> 2.  When the user gets logged in the login scripts may or may not run 
> so drive may or may not be mapped.
>
> 3.  Users who connect to the encrypted SSID take it home and connect 
> to the wireless network at home, but then they don't get connected 
> again when they come back.  The logs show that it is using the 
> domainname\computername rather than domainname\username, hence access 
> denied.  It doesn't seem to matter if the Authenticate as computer is 
> checked or unchecked.
>
> 4.  UTStar vx6700 does not recognize the Verisign root certificate.
> When we installed the Verisign root certificate again on the device it
> broke a bunch of other things like activesync and being able to make a
> wifi connection.
>
> Other than #4, this is reproducible on Dell D510s, IBM Tablets, and
> other older laptops.  I have not seen these problems with the Mac
> iBooks.  It doesn't make a difference if the WPA2 patch
> (KB893357) is installed or not.
>
> What I would like to see happen is the same behavior whether it is  
> a wire connection to the network or using the wireless connection.   
> That was my interpretation as to the advantage of 802.1x.  We do not 
> currently use 802.1x on the wired network.
>

Problems with Windows 802.1x supplicant

2007-01-31 Thread Lee Weers
I'd appreciate any help I can get on my problems.

Environment:
I've set up a secure SSID that is using WPA-TKIP/WPA2-AES encryption.  The EAP 
type is PEAP and MS-CHAP-V2.  The wireless hardware is a mix of Aruba, and HP 
Procurve (thin).  The SSID name is the same on both vendors.  MS IAS is the 
Radius server with the Verisign wireless LAN certificate.  Laptops are XP SP2 
all fully patched through Nov 06 or newer.

The problems I am having are as follows:

1.  A laptop that belongs to our domain, but the user has never logged into it 
before (so no cached credentials exist) it errors with the Domain is not 
available.  If cached credentials do exist then they get logged in.

2.  When the user gets logged in the login scripts may or may not run so drive 
may or may not be mapped.

3.  Users who connect to the encrypted SSID take it home and connect to the 
wireless network at home, but then they don't get connected again when they 
come back.  The logs show that it is using the domainname\computername rather 
than domainname\username, hence access denied.  It doesn't seem to matter if 
the Authenticate as computer is checked or unchecked.

4.  UTStar vx6700 does not recognize the Verisign root certificate.  When we 
installed the Verisign root certificate again on the device it broke a bunch of 
other things like activesync and being able to make a wifi connection.

Other than #4, this is reproducible on Dell D510s, IBM Tablets, and other 
older laptops.  I have not seen these problems with the Mac iBooks.  It 
doesn't make a difference if the WPA2 patch (KB893357) is installed or not.

What I would like to see happen is the same behavior whether it is a wire 
connection to the network or using the wireless connection.  That was my 
interpretation as to the advantage of 802.1x.  We do not currently use 802.1x 
on the wired network.

Thank you,
 
Lee Weers
Assistant Director for Network Services
Central College IT Services
(641) 628-7675


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


RE: [WIRELESS-LAN] Auto-configuring Windows XP Native Client for 802.1x

2007-01-26 Thread Lee Weers
I would be interested in this script as well. 

-----Original Message-----
From: Emerson Parker [mailto:[EMAIL PROTECTED] 
Sent: Friday, January 26, 2007 11:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Auto-configuring Windows XP Native Client
for 802.1x

The script is only for Windows XP WZC.

I will unicast to you.

-Emerson 

-----Original Message-----
From: Casey, J Bart [mailto:[EMAIL PROTECTED]
Sent: Friday, January 26, 2007 12:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Auto-configuring Windows XP Native Client
for 802.1x

Emerson,

We would be very interested in your script.  Would this script also be
able to do the same thing for a wired connection?

Regards,

J. Bart Casey
Network Engineer
Wofford College

-----Original Message-----
From: Emerson Parker [mailto:[EMAIL PROTECTED]
Sent: Friday, January 26, 2007 10:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Auto-configuring Windows XP Native Client
for 802.1x

Let me know if you want one.  I'll place it on a DL server for you.
Don't forget the latest WZC can be GPO'd for all the settings.


-Emerson 

-----Original Message-----
From: Lee Badman [mailto:[EMAIL PROTECTED]
Sent: Friday, January 26, 2007 9:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Auto-configuring Windows XP Native Client for
802.1x

Wondering if anyone has gone down the road of scripting the steps to
configure 802.1x on the native Windows supplicants- as opposed to just
providing "how to" guidance, wondering if anyone is providing an
executable that selects EAP type, encryption type, etc along with the
few other settings required?

(PEAP/MSCHAP v2/TKIP in our case).


Lee

Lee Badman
Network/Wireless Engineer
Syracuse University
315 443-3003



Extending an external antenna

2006-05-19 Thread Lee Weers
We have a situation in which we need to cover our baseball and softball fields wirelessly.  There is currently no infrastructure there.  What we are looking to do is put a high gain antenna on the football stadium's scoreboard.  There is a conduit that we can run some coax through out to the scoreboard.  My question is this:

1.  Can you extend an antenna from an AP 250 ft?  (That's how long it is to the scoreboard)

2.  What kind of coax do we need to use to do a/b/g?


We would like to mount the AP inside of the building and then just extend the external antenna to the scoreboard.


Thank you,

Lee Weers
Assistant Director for Network Services
Central College IT Services
(641) 628-7675





RE: [WIRELESS-LAN] wireless wall-jacks an option for res halls?

2006-04-18 Thread Lee Weers
We have 3 of them installed in our Science building.  They are about the
size of a door bell cover.  I wish they would put a different radio in
them so that they would do a and b/g at the same time.  We mounted ours
to the recessed 2x4 box.  We didn't pass any ports through as they are
about 12 ft in the air.  

They are a fixed ap, so once in place they can't be moved.  We also have
some of the new AP 65's that are about the size of a 2 gang box.  They
do a/b/g at the same time.  You do have to order the special mounting
bracket for them.  They do not have any pass thru capability.   The AP
70 is bigger, but does have a pass thru ethernet port.

-----Original Message-----
From: Michael Dickson [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 18, 2006 12:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] wireless wall-jacks an option for res halls?

Hi all,

We are constructing new dormitories on our Amherst campus and are
considering adding blanket wireless coverage in addition to the
ethernet-port-per-pillow wired infrastructure.

I was wondering if anyone has had experience with the Ortronics (Aruba
back end) Wi-Jack wireless wall jacks, or if there are any other
AP-in-a-jack solutions.

(Please, no vendor or sales calls)

Thanks,
  Mike

***
Michael Dickson  Phone: 413-545-9639
Network Analyst [EMAIL PROTECTED]
University of Massachusetts 
Network Systems and Services
***



Why 802.11 vs Wi Max or 3G or 4G

2006-01-24 Thread Lee Weers
I am going to be presenting a presentation to the Technology committee about a campus wide wireless project.  The preliminary project I put together is the traditional 802.11 a/b/g solution.  Some of the things I'm going to be asked will be why this implementation as opposed to doing something with Wi Max, or talking to Cellular vendors and doing a 3G solution.  I do not know a lot about the other wireless solutions.  I would like as much feedback as possible for pros and cons of each.

Thank you,

Lee Weers
Assistant Director for Network Services
Central College IT Services
(641) 628-7675



