Packetfence.

2009-04-02 Thread Matthew Gracie
We're looking at replacing our current NAC solution in the residence
halls, and one of the contenders is Packetfence.

1) Has anyone used Packetfence as a Resnet NAC system? Any tips, horror
stories, things to watch for?

2) Has anyone integrated a 4400-based Cisco LWAPP deployment with it?
The web site says it's supported, but as with most open source products,
the documentation seems a bit lacking.

Thanks for any help,

--Matt

-- 
Matt Gracie (716) 888-8378
Information Security Administrator  grac...@canisius.edu
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Re: [WIRELESS-LAN] share 802.1x experience?

2010-08-19 Thread Matthew Gracie
Kay Sandacz wrote:
> Hey folks.
> 
> Anyone care to share experience in rolling out 802.1x?  We’re looking
> only at wireless just now.  Support issues or user experience would be
> particularly helpful.
> 
> And did anyone attempt to run 802.1x on a previously existing SSID?

We're actually rolling out 802.1x right now - I just brought two more
buildings into the fold this morning.

Rather than using a previous SSID, the new AP configuration includes
three SSIDs - the "legacy" one, the new WPA2-enabled one, and a new
"guest" network. That way, the transition should be essentially
transparent to users, as their old configuration will continue to work
on the "legacy" network.

With Cisco autonomous APs, each SSID is assigned a different VLAN, so
the access layer switches need to be set up properly for trunking, etc.
It's a bigger project than it seems like to people unfamiliar with the
details.

("This isn't that complicated. Setting up WPA is just a checkbox on my
Linksys router at home!" :) )

--Matt

-- 
Matt Gracie (716) 888-8378
Information Security Administrator  grac...@canisius.edu
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg



Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

2010-09-27 Thread Matthew Gracie
Watters, John wrote:
> I have 7 or 8  machines with this MAC address  on our campus. Is it
> possible that Apple did something not nice with the MAC addresses in
> the MacBooks? We will try to track some of them down, but it won't be
> easy even using the block-it-and-they-will-come method.

My guess would be a manufacturing problem. When I was working for a
broadband provider, we sent out a boatload of NICs that had all been
shipped from the manufacturer with the MAC address FF:FF:FF:FF:FF:FF.

This was, unsurprisingly, problematic.

-- 
Matt Gracie (716) 888-8378
Information Security Administrator  grac...@canisius.edu
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg



Re: [WIRELESS-LAN] Observed Signal Strength On Encrypted Wireless

2010-11-05 Thread Matthew Gracie
David Blahut wrote:
> Hello All,
> 
> We are a Cisco CAPWAP shop and recently switched from non-encrypted web
> portal authenticated wireless to WPA2/802.1X/AES encrypted wireless with
> RADIUS and LDAP in the back end.  I have received several help desk
> tickets with reports along the lines that “now that we are using the
> encrypted wireless the signal is weaker or unusable”.
> 
> Anyone else experience this phenomenon?  I can’t believe it’s the
> wireless network, same radios after all.  I could see the client
> interpreting the signal level differently or the client associating to a
> more distant access point because the closer one is more heavily taxed
> due to the encryption.  I could even see that the encrypted wireless is
> more sensitive to RF interference.
> 
> Anyway, any thoughts or ideas are welcomed.

We get occasional complaints like this from users on our WPA2 network -
generally, checking the logs shows that their client was roaming between
APs at the time, and the time to break down the connection and
authenticate a new one is interpreted as "lag" by the end user.

-- 
Matt Gracie (716) 888-8378
Information Security Administrator  grac...@canisius.edu
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg



Re: [WIRELESS-LAN] Wireless Printing in Dorm Rooms

2011-01-03 Thread Matthew Gracie
On 01/03/2011 12:17 PM, Holland, Stephen wrote:
> Currently my school provides wireless access to some dorms.  We do not
> support wireless printers and I have been asked to provide a solution as
> students want to use wireless printers in their dorm rooms. From my
> perspective this would be a logistics nightmare as each student could
> bring in their own printer which could be manufactured by a number of
> different vendors.  In addition different operating systems locate
> printers using different means (Bonjour for example) and this would
> further complicate the issue.  I'm curious to know if other schools have
> implemented such a solution and how successful the implementation has been.

We give them directions to an office supply store where they can buy a
USB cable.

Your instinct is correct - these are a nightmare to support in any sort
of NAC/802.1x environment.


-- 
Matt Gracie (716) 888-8378
Information Security Administrator  grac...@canisius.edu
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg



Re: [WIRELESS-LAN] Wireless Printers/Wi-Fi Direct, couple of other devices

2011-02-17 Thread Matthew Gracie
On 02/17/2011 07:45 AM, Osborne, Bruce W wrote:
> One of the big savings for wireless is to move areas to all
> wireless, minimizing the wired drops & switches. We have a couple of
> office areas with wireless desktops and we have a couple of wireless
> printers. We do not support student wireless printers, though.  We
> are also seeing large interest in using portable wireless scanners
> for scanning id badges. There is also a trial using handheld
> scanners for stadium concessions.
> 
> We have moved our residences to wireless only, by default. We
> currently connect a wired port on request. We were still able to
> reclaim / recycle half of our switches. They are being deployed
> elsewhere as we continue to expand.

How do you deal with appliances like Blu-ray players or various media
streaming boxes that require a wired connection? Do you supply bridges,
or just tell the resident that it's unsupported?

-- 
Matt Gracie (716) 888-8378
Information Security Administrator  grac...@canisius.edu
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg



Re: [WIRELESS-LAN] iPad spontaneous reboots?

2011-03-16 Thread Matthew Gracie
On 03/15/2011 06:59 PM, Lee H Badman wrote:

> It's always fun when toy-quality wireless devices hit the enterprise WLAN (he 
> said rather sarcastically).

*cough* Kindles *cough*

-- 
Matt Gracie (716) 888-8378
Information Security Administrator  grac...@canisius.edu
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg



Re: [WIRELESS-LAN] Interference in dorms.

2011-07-21 Thread Matthew Gracie
On 07/21/2011 01:43 PM, Johnson, Neil M wrote:
> Thanks for the heads up, but all our WLAN's require 802.1X
> authentication which the Wii can't do.  We're telling users to buy the
> wired adapter if they want to connect them to the net.
> 
> -Neil

Darn it, where's the "Like" button on Thunderbird...

> 
> -- 
> Neil Johnson
> Network Engineer
> The University of Iowa
> Phone: 319 384-0938
> Fax: 319 335-2951
> Mobile: 319 540-2081
> E-Mail: neil-john...@uiowa.edu
> 
> 
> From: Rick Coloccia <coloc...@geneseo.edu>
> Date: Thu, 21 Jul 2011 13:12:23 -0400
> To: The EDUCAUSE Wireless Issues Constituent Group Listserv
> Cc: Neil Johnson <neil-john...@uiowa.edu>
> Subject: Re: Interference in dorms.
> 
> Be careful disabling 2 mbps.  We were told at the Cisco conference in a
> wireless class just last week that the Wiis require 2mbps to
> successfully find and join the wireless network. I have not personally
> verified this, but the source is reliable...
> 
> -Rick
> 
> On 7/21/2011 12:58 PM, Johnson, Neil M wrote:
>> We are struggling with the same issues. We are finding that X-boxes
>> and PS3s generate lots of interference (they use a proprietary 2.4
>> protocol between the joysticks and console).
>>
>> This summer we've added over 100 AP to the dorms, moved several,
>> changed our AP's antenna configuration, disabled 1 and 2 Mbps data
>> rates, and are implementing channel layering (Meru)  to try and
>> address the issue.
>>
>> We are also planning on being more aggressive at getting rid of
>> student installed wireless AP's.
>>
>> We are considering adding a 5GHz only SSID in the dorms to encourage
>> users to use 5 GHz ( we do have band steering enabled, but a dedicated
>> SSID would insure that devices only use 5GHz and not fall back to 2.4).
>>
>> We'll see what happens.
>>
>> -Neil
>>
>> -- 
>> Neil Johnson
>> Network Engineer
>> The University of Iowa
>> Phone: 319 384-0938
>> Fax: 319 335-2951
>> Mobile: 319 540-2081
>> E-Mail: neil-john...@uiowa.edu
>>
>>
>> From: "Lay, Daniel" <dl...@samford.edu>
>> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> Date: Thu, 21 Jul 2011 11:16:29 -0500
>> To: > >
>> Subject: [WIRELESS-LAN] Interference in dorms.
>>
>> Last year we had several students that would complain about poor
>> wireless coverage in their rooms. It was usually followed by the
>> comment that they did not have this problem at home or in other areas
>> of the campus. After performing various test and wireless scans I am
>> of the opinion that a good portion of these problems were introduced
>> by the students themselves by bringing in various devices that emit
>> 2.4 interference. I am curious about how any of you guys have
>> addressed this problem and informed the students of these potential
>> interferences. Have any of you added a section to orientation that
>> discusses the problem of interference and did it have good results.
>> Did any of you do a poster campaign with good results or did you issue
>> a Faraday cage to each student to store their stuff in (yes that was a
>> joke). I can only see this problem getting worse with wireless
>> printers and game consoles that all have a potential to cause
>> interference. I am open to any ideas and or suggestions. Thanks.
>>
>> Daniel Lay
>> Networking Specialist
>> Samford University
>>
>>
> 
> -- 
> Rick Coloccia, Jr.
> Network Manager
> State University of NY College at Geneseo
> 1 College Circle, 119 South Hall
> Geneseo, NY 14454
> V: 585-245-5577
> F: 585-245-5579
> 
> CIT will never ask for your password or other confidential information via 
> email. 
> 
> 


-- 
Matt Gracie (716) 888-8378
Information Security Administrator  grac...@canisius.edu
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg



Re: [WIRELESS-LAN] Guest portal vendor recommendations

2011-07-29 Thread Matthew Gracie
On 07/29/2011 11:00 AM, Fleming, Tony wrote:
> Crew,
> 
> I would like to know what guest portal solutions being used today. I
> realize that most wireless controllers provide a simplified guest portal
> mechanism. However, we are interested portals that provide advanced
> functionality.

We're using Wifidog for our guest wireless network - it provides a
simple self-registration process for users, and some pretty advanced
reporting capabilities. (Additional information is sent to a Netflow
collector with fprobe for tracking down DMCA notices and the like.)

Essentially, everyone just goes into a NAT pool behind the Linux box
that's running the software, and then the outside interface is plumbed
into the campus border firewall as a completely separate network.

-- 
Matt Gracie (716) 888-8378
Information Security Administrator  grac...@canisius.edu
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg



Re: [WIRELESS-LAN] Wireless in dorms

2011-09-19 Thread Matthew Gracie
On 09/19/2011 11:04 AM, Ray DeJean wrote:
> All,
> 
> We don't currently provide wireless in our dorms, and our official
> policy is to not allow students to bring their own wireless devices.  We
> don't actively enforce this policy though, and as long as the students'
> device isn't causing problems, they typically don't hear from us.  (We
> do provide at least a 100mbps wired connection to each student).
> 
> We are considering changing our policy to allow BYOD (bring your own
> device) in the dorms.   I know lots of students already BYOD, but we're
> not policing it.  We're considering the costs associated with deploying
> our Aruba system to all the dorms, and the fact that students are going
> to BYOD anyway.   Rather than fight them, allow it.  We'll secure our
> wired network obviously, but also have workshops and online instructions
> to show the students how to properly connect and secure their device.  
> Of course we realize the interference issues that may arise in a crowded
> 2.4ghz space...
> 
> The University of Wisconsin-Madison
> (http://www.housing.wisc.edu/resnet/gameConsoles.php) already has a
> policy like this in place.   Just looking to hear from other
> universities who have or are considering a policy such as this.

You don't mention what kind of network architecture you have - if you're
using a relatively flat topology, with commingling of residence hall,
administrative, and academic traffic, be sure that you've got technology
and procedures in place to shut down misconfigured endpoints.

Nobody will be happy when they start getting RFC1918 addresses from the
DHCP server on little Timmy's free-with-rebate Linksys AP.


-- 
Matt Gracie (716) 888-8378
Information Security Administrator  grac...@canisius.edu
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg

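
As an added illustration of the "shut down misconfigured endpoints" point in the reply above (example code written for this page, not from the thread or from any product named in it): a small DHCP reply parser that flags DHCPOFFER/DHCPACK packets whose server identifier (option 54) is not on an allow-list, and notes when the offered lease sits in RFC 1918 space, which is the symptom the reply describes. The allow-list, the 203.0.113.0/24 "campus" addresses (a documentation range standing in for public campus space) and the packets themselves are constructed for the demo; in practice the frames would come from a SPAN port or a DHCP-snooping log.

```python
"""Flag DHCP replies that did not come from the campus DHCP server.

Added example; not code from the original thread. All addresses, the
allow-list and the packets are constructed so the check runs offline.
"""
import ipaddress
import struct
from typing import Dict, Optional

# Assumption: the only servers that should ever answer DHCP on the resnet VLANs.
KNOWN_DHCP_SERVERS = {"203.0.113.5"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_OFFER, DHCP_ACK = 2, 5
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 53, 54
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_dhcp_reply(msg_type: int, yiaddr: str, server_id: str, router: str,
                     xid: int = 0x3903F326) -> bytes:
    """Fabricate a minimal BOOTREPLY (RFC 2131 fixed header + options) for the demo."""
    chaddr = bytes.fromhex("001122334455") + b"\x00" * 10          # constructed client MAC
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, xid, 0, 0,
                         b"\x00" * 4,                                 # ciaddr
                         ipaddress.IPv4Address(yiaddr).packed,        # yiaddr: the offered lease
                         b"\x00" * 4, b"\x00" * 4,                    # siaddr, giaddr
                         chaddr, b"\x00" * 64, b"\x00" * 128)         # chaddr, sname, file
    options = (MAGIC_COOKIE
               + bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
               + bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
               + b"\xff")
    return header + options


def parse_dhcp(packet: bytes) -> Optional[Dict[str, object]]:
    """Decode the fields a rogue-server check needs; None for anything that is not DHCP."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        return None
    fields: Dict[str, object] = {
        "op": packet[0],
        "xid": struct.unpack("!I", packet[4:8])[0],
        "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),
        "options": {},
    }
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                      # pad
            i += 1
            continue
        if code == 255:                    # end of options
            break
        if i + 1 >= len(packet):
            return None                    # truncated option header
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            return None                    # truncated option body
        fields["options"][code] = value
        i += 2 + length
    return fields


def classify_reply(packet: bytes) -> Dict[str, object]:
    """Decide whether a captured DHCP reply came from an authorised server."""
    d = parse_dhcp(packet)
    if d is None or d["op"] != 2:
        return {"verdict": "ignore", "reason": "not a DHCP reply"}
    opts = d["options"]
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if msg_type not in (DHCP_OFFER, DHCP_ACK):
        return {"verdict": "ignore", "reason": f"message type {msg_type}"}
    server_id = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else None
    lease = ipaddress.IPv4Address(d["yiaddr"])
    result: Dict[str, object] = {
        "server_id": server_id,
        "yiaddr": str(lease),
        "router": str(ipaddress.IPv4Address(opts[OPT_ROUTER])) if OPT_ROUTER in opts else None,
        "rfc1918_lease": any(lease in net for net in RFC1918),
    }
    if server_id is None:
        result.update(verdict="rogue", reason="reply carries no server identifier")
    elif server_id not in KNOWN_DHCP_SERVERS:
        result.update(verdict="rogue", reason=f"server {server_id} is not on the allow-list")
    else:
        result.update(verdict="ok", reason="known server")
    return result


if __name__ == "__main__":
    # Constructed: a legitimate campus lease, then the "free-with-rebate Linksys" handing out 192.168.1.x.
    print(classify_reply(build_dhcp_reply(DHCP_OFFER, "203.0.113.77", "203.0.113.5", "203.0.113.1")))
    print(classify_reply(build_dhcp_reply(DHCP_OFFER, "192.168.1.100", "192.168.1.1", "192.168.1.1")))
```

The server identifier is what the lease actually binds the client to, which is why the check keys on option 54 rather than on the source IP of the frame; a rogue NAT box answers with its own LAN address in both, but a relayed reply from the real server would not.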


Re: [WIRELESS-LAN] Wireless in dorms

2011-09-20 Thread Matthew Gracie
On 09/20/2011 04:06 AM, Jethro R Binks wrote:

> My other concern is for those cases where you have a mix of wifi
> vendor technologies.  For example you might like this Motorola
> product in some deployments, but otherwise be running C-word wireless
> or A-word wireless. Or perhaps with T-word wireless, you also want to
> deploy a Xirrus box in a particularly dense environment.  How do you
> deal with managing these two sets of wireless network?  Are there
> integration tools?  Is roaming possible (or desirable?).  Or, do we
> just say that we already have a number of management tools for
> different bits of the network anyway, so one more won't make much
> difference.

I've heard good things about the AirWave product (formerly independent,
now owned by Aruba) for this sort of thing; it was actually designed as
a control console for multiple vendor gear, so as long as you're dealing
with relatively common equipment, you should be able to manage
everything from one place with it.

(No hands-on experience, just demos before Aruba bought it up.)

-- 
Matt Gracie (716) 888-8378
Information Security Administrator  grac...@canisius.edu
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg



Re: [WIRELESS-LAN] selectively disabling wireless in classrooms

2011-09-23 Thread Matthew Gracie
On 09/23/2011 08:21 AM, Gogan, James P wrote:

> the response I usually get back is "well, I KNOW that
> other universities are doing it, so …. FIX IT".

I wonder how these faculty members would react to a student who makes
bold, improbable assertions with no citations to back it up.

-- 
Matt Gracie (716) 888-8378
Information Security Administrator  grac...@canisius.edu
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg



Re: [WIRELESS-LAN] Visitor access

2011-10-14 Thread Matthew Gracie
On 10/14/2011 11:39 AM, Entwistle, Bruce wrote:
> We are having a increasing number of parents and prospective students
> who are visiting to tour the campus requesting access to our wireless
> network.   I was wondering what other schools are doing to accommodate
> these requests.

We use Wifidog on a guest-only SSID; it allows for self-registration,
and all connections coming from the guest VLAN are treated as
"untrusted", as if they were coming in from the Internet at large.

-- 
Matt Gracie (716) 888-8378
Information Security Administrator  grac...@canisius.edu
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg



Re: [WIRELESS-LAN] College deals with wireless issues

2011-11-11 Thread Matthew Gracie
On 11/11/2011 11:58 AM, Coehoorn, Joel wrote:
>> If we could provide great / sufficient / pervasive "non-wired" coverage using
>> $40 AP instead of $400 Cisco AP, resident might not want to bring in their
>> own $40 AP.
> 
> Actually, you can do that. Those cheap $40 access points can be easily
> reconfigured to act as a thick access point by just turning off dhcp,
> setting a static IP in the correct range, and connecting your uplink
> line to a LAN port rather than the WAN port.  Spend about $100 on a
> nice buffalo that supports dd-wrt with a customized config file ready to
> load, and you can get something close to a vendor system for less than
> 1/4 the price.
> 
> Of course, that means doing a lot of leg work yourself: configuring
> access points, setting up subnets/zones, multiple ssids, security, and
> every change means a manual deployment to individual access points. I'd
> love to see a feature added to dd-wrt that allows polling a config
> server for those.
> 
> But the really big thing you give up here is the reporting. You can make
> up for some of that with existing syslog or gateway reporting tools, but
> some of the information you'd get from a controller-based solution is
> just not replaceable.
> 

Slightly off-topic, but are there any consumer level APs that support
Power-over-Ethernet? That would be the huge sticking point for me, and
I'm sure I'm not alone. Most people haven't run AC to their ceiling data
drops.

-- 
Matt Gracie (716) 888-8378
Information Security Administrator  grac...@canisius.edu
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg



Re: [WIRELESS-LAN] Transition from open to encrypted

2007-04-25 Thread Matthew Gracie
Howie Frisch wrote:
> I would be interested to know if this trouble is a result of "sniffing"
> 802.11 packets over the air or sniffing what is on the LAN after the AP
> (which is far easier).  If the sniffing is taking place on the LAN, then
> encrypting the air channel will do nothing at all for your case since
> the encryption is finished at the AP and the network would put the same
> thing onto the LAN with or without encryption.
> 
> Howie

I don't know that LAN sniffing is easier, especially on a switched
network; something like Kismet (or the Mac port, KisMAC) can be run by a
novice user with no problem to pick up traffic from multiple networks
simultaneously.

Even Wireshark (formerly Ethereal) can be used this way, if the sniffer
machine is already attached to the unencrypted network.

--Matt

> 
> 
> 
> From: Nathan Hay [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, April 25, 2007 9:25 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Transition from open to encrypted
> 
> We've been running our main SSID without encryption to make it easier
> for students to connect and to make life easier for our help desk.  Not
> surprisingly we've started to have problems with students sniffing
> packets and capturing the IM passwords, etc of other students.
> 
> Because of this, we are working on a plan to make our main SSID
> encrypted by the start of next school year.
> 
> Does anyone have a recommended scheme for encryption that supports a
> wide variety of clients?  We have Windows, Mac, Linux, Nintendo Wii, and
> many different types of handheld devices on campus.  Our wireless
> network is Meru.
> 
> We don't have any 802.1x experience, but we are willing to learn if that
> is where we need to head.  We'd like a scheme that makes it as easy for
> the client to connect as possible, but still provides a good level of
> security.
> 
> Any thoughts or suggestions would be appreciated,
> 
> Nathan
> 
> Nathan P. Hay
> Network Engineer
> Computer Services
> Cedarville University
> www.cedarville.edu
> 
> 


-- 
Matt Gracie (716) 888-2403
Information Security Administrator  [EMAIL PROTECTED]
Canisius College ITS    425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg



Re: [WIRELESS-LAN] 802.1x and Secure Password Storage

2007-07-06 Thread Matthew Gracie
Ryan Lininger wrote:
> I could use some help understanding the password storage situation as it
> relates to LDAP, radius, and 802.1x.  Currently we store hashes of
> passwords in an LDAP database that is used for user authentication.  I
> would like to implement WPA on our wireless network but in my reading
> all the explanations I have come across state that you have to store
> user passwords in clear text rather than hash form.

I think it's dependent on how you're implementing your RADIUS server;
we've done testing with FreeRADIUS authenticating to a SunONE LDAP,
which is storing everything hashed, and it works fine.

Check out the documentation for your RADIUS server, specifically the
section that documents the differences between PAP and CHAP authentication.

--Matt

-- 
Matt Gracie (716) 888-2403
Information Security Administrator  [EMAIL PROTECTED]
Canisius College ITS    425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg

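
An added example of the PAP-versus-CHAP distinction the reply above points at (written for this page; it is not code from the thread and not FreeRADIUS code). With PAP (for instance inside an EAP-TTLS tunnel) the server receives the password itself, so it can re-hash it and compare against an LDAP-style {SSHA} value. With CHAP (RFC 1994) the server has to recompute MD5 over the secret the client used, so a one-way hash in the directory gives it nothing to work with; MS-CHAPv2 under PEAP has the same property, needing cleartext or the NT hash. The user entry, salt, password and challenge below are all constructed.

```python
"""Why PAP can verify against a hashed directory and CHAP cannot.

Added example; the 'RADIUS server' is two small functions and the
directory entry is constructed. Only the shape of each check matters.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an LDAP-style {SSHA} value: base64(SHA-1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored: str, candidate: str) -> bool:
    """Recompute the salted hash from a candidate password and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(candidate.encode() + salt).digest())


# Constructed directory entry: the only thing the server holds for this user is the hash.
HASHED_DIRECTORY: Dict[str, str] = {"jdoe": make_ssha("correct horse", salt=b"\x01" * 8)}


def pap_authenticate(user: str, password: str) -> bool:
    """PAP (e.g. EAP-TTLS/PAP): the supplicant delivers the password itself inside the
    TLS tunnel, so the server can hash it and compare against whatever form is stored."""
    stored = HASHED_DIRECTORY.get(user)
    return stored is not None and check_ssha(stored, password)


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """Client side of RFC 1994 CHAP: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


def chap_verify(user: str, ident: int, challenge: bytes, response: bytes,
                store: Dict[str, str]) -> bool:
    """Server side of CHAP: it must rebuild the same MD5, which requires the secret in
    the form the client used. Handed an {SSHA} string instead, the recomputation can
    never match, which is why challenge/response methods need cleartext (or, for
    MS-CHAPv2, the NT hash) in the back end."""
    secret = store.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


if __name__ == "__main__":
    challenge = os.urandom(16)
    resp = chap_response(1, "correct horse", challenge)
    print("PAP against hashed directory:", pap_authenticate("jdoe", "correct horse"))
    print("CHAP against cleartext store:", chap_verify("jdoe", 1, challenge, resp, {"jdoe": "correct horse"}))
    print("CHAP against hashed directory:", chap_verify("jdoe", 1, challenge, resp, HASHED_DIRECTORY))
```

The trade-off is the usual one: PAP lets the directory keep one-way hashes but puts the password on the wire inside the tunnel, so the supplicant must validate the server certificate; CHAP-family methods never transmit the password but force the server to hold it (or an equivalent) in recoverable form.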


Re: [WIRELESS-LAN] Restricting Students Wireless Access Based on In Class Roles

2007-07-20 Thread Matthew Gracie
Gary Moore wrote:
> My apologies ahead of time if this thread subject has been posted
> before.  We are looking to shut off wireless access of students based on
> a scheduled system of when they are in class. 

Doesn't that negate the advantages of having wireless in classroom
buildings? If you don't want the students using wireless networking
while they're in class, the easiest thing to do might be to unplug the
APs in that building.

(Tongue in cheek, sort of.)

--Matt

-- 
Matt Gracie (716) 888-2403
Information Security Administrator  [EMAIL PROTECTED]
Canisius College ITS    425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg



[Fwd: Cisco Security Advisory: Wireless ARP Storm Vulnerabilities]

2007-07-24 Thread Matthew Gracie
For those of you who are speculating about the ARP problem, but don't
subscribe to bugtraq.

--Matt

-------- Original Message --------
Subject: Cisco Security Advisory: Wireless ARP Storm Vulnerabilities
Date: Tue, 24 Jul 2007 13:22:52 -0400
From: Cisco Systems Product Security Incident Response Team
<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]


Cisco Security Advisory: Wireless ARP Storm Vulnerabilities

Advisory ID: cisco-sa-20070724-arp

http://www.cisco.com/warp/public/707/cisco-sa-20070724-arp.shtml

Revision 1.0

For Public Release 2007 July 24 1600 UTC (GMT)

---

Summary
=======

Cisco Wireless LAN Controllers (WLC) contain multiple vulnerabilities
in the handling of Address Resolution Protocol (ARP) packets that could
result in a denial of service (DoS) in certain environments.

Cisco is notifying customers and partners and has made free software
available to address these vulnerabilities for affected customers.
There are workarounds available to mitigate the effects of these
vulnerabilities.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070724-arp.shtml.

Affected Products
=================

Unless otherwise specified, the vulnerabilities addressed in this
document affect versions 4.1, 4.0, 3.2, and prior versions of the
Wireless LAN Controller software. To identify the earliest software
releases that include fixes for these vulnerabilities, please consult
the Software Versions and Fixes section of this advisory.

To determine the version of WLC system software running on a particular
device, one of the following methods may be used:

  * In the web interface, choose the Monitor tab, click Summary in the
left-hand pane, and note the "Software Version."
  * From the command-line interface, type "show sysinfo" and note the
"Product Version."

Vulnerable Products
+------------------

Vulnerable versions of software may be running on any of the following
hardware platforms:

  * Cisco 4100 Series Wireless LAN Controllers
  * Cisco 4400 Series Wireless LAN Controllers
  * Cisco Airespace 4000 Series Wireless LAN Controller
  * Cisco Catalyst 6500 Series Wireless Services Module (WiSM)
  * Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers

Products Confirmed Not Vulnerable
+--------------------------------

The following hardware platforms are not affected by these
vulnerabilities:

  * Cisco 2000 Series Wireless LAN Controllers
  * Cisco 2100 Series Wireless LAN Controllers
  * Cisco Airespace 3500 Series WLAN Controller
  * Cisco 526 Wireless Express Mobility Controller
  * Cisco Wireless LAN Controller Module
(NM-AIR-WLC6-K9,NME-AIR-WLC8-K9,NME-AIR-WLC12-K9)
  * Standalone Access Points such as the 1100 Series, 1200 Series and
AP340/350
  * Cisco 3800 Series Integrated Services Routers
  * Cisco 2800 Series Integrated Services Routers
  * Cisco 1800 Series Integrated Services Routers
  * Cisco 800 Series Routers

Details
===

Cisco Wireless LAN Controllers provide real-time communication between
lightweight access points and other Wireless LAN controllers for
centralized system wide WLAN configuration and management functions.

The Address Resolution Protocol, or ARP, provides a mapping between a
device's IP address and its hardware address on the local network.

The WLC contains vulnerabilities in the processing of unicast ARP
traffic where a unicast ARP request may be flooded on the LAN links
between Wireless LAN Controllers in a mobility group.

RFC4436 defines a method for IP Version 4 hosts to
detect if they have re-attached to a previously attached network. In
such cases, it may be unnecessary to request a new DHCP address lease
if the current lease is still active. To determine reattachment, the
host may send a unicast ARP request to the address of the default
gateway that it had previously used.

A vulnerable WLC may mishandle unicast ARP requests from a wireless
client leading to an ARP storm. In order for the vulnerability to be
exposed, two WLCs attached to the same set of Layer-2 VLANs must each
have a context for the wireless client. This can occur after a Layer-3
(cross-subnet) roam or when guest WLAN (auto-anchor) is in use.

If the client sends a unicast ARP request with a destination MAC
address that has not been learned by the Layer-2 infrastructure, that
request will be flooded to all ports in the Layer-2 domain after
egressing the WLC. This allows the second WLC to reprocess the ARP
request and incorrectly reforward this packet back into the network.
This vulnerability is documented as CSCsj69233.

If the arpunicast feature has been enabled on the WLC, the WLC will
re-forward broadcast ARP packets targeting the IP address of a known
client context. This creates an ARP storm if more than one WLC is
installed on the corresponding VLAN. This vulnerability is documented
as CSCsj50374 and only affects version 4.1 of the WLC software
(v
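
An added example, written for this page rather than taken from the advisory, of what the flood described under "Details" looks like to a capture on the wired side and how to flag it: a minimal Ethernet/ARP request parser plus a per-second counter that alerts when the same request (same source MAC, sender IP and target IP) repeats beyond a threshold, keeping the unicast gateway probes of RFC 4436 separate from ordinary broadcast lookups. The MACs, addresses, timestamps and threshold are constructed; nothing here depends on WLC internals.

```python
"""Spot a repeated unicast ARP request (a reflection storm) in a capture.

Added example; frames are fabricated inline with constructed MACs and
addresses. Timestamps are seconds, as a pcap reader would provide them.
"""
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
BROADCAST = b"\xff" * 6


def build_arp_request(src_mac: bytes, dst_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Ethernet II + RFC 826 ARP request. Sent to the broadcast MAC it is an ordinary lookup;
    sent to a specific MAC it is the unicast re-attachment probe RFC 4436 describes."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    target_mac = b"\x00" * 6 if dst_mac == BROADCAST else dst_mac
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
           + src_mac + sender_ip + target_mac + target_ip)
    return eth + arp


def parse_arp_request(frame: bytes) -> Optional[Dict[str, object]]:
    """Fields of an ARP request, or None for anything else (non-ARP, replies, runts)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, opcode) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    return {
        "dst_mac": frame[0:6],
        "src_mac": frame[6:12],
        "sender_ip": frame[28:32],
        "target_ip": frame[38:42],
        "unicast": frame[0:6] != BROADCAST,
    }


def detect_arp_storm(frames: List[Tuple[float, bytes]], window: float = 1.0,
                     threshold: int = 20) -> List[Dict[str, object]]:
    """Count identical ARP requests per time bucket and report those repeated `threshold`
    times or more. A host does not ask the same question twenty times a second; a
    forwarding loop between two controllers does."""
    buckets: Dict[Tuple[int, bytes, bytes, bytes, bool], int] = defaultdict(int)
    for ts, frame in frames:
        req = parse_arp_request(frame)
        if req is None:
            continue
        key = (int(ts // window), req["src_mac"], req["sender_ip"], req["target_ip"], req["unicast"])
        buckets[key] += 1
    alerts = []
    for (bucket, src_mac, sender_ip, target_ip, unicast), count in sorted(buckets.items()):
        if count >= threshold:
            alerts.append({
                "bucket": bucket,
                "src_mac": src_mac.hex(":"),
                "sender_ip": ".".join(map(str, sender_ip)),
                "target_ip": ".".join(map(str, target_ip)),
                "unicast": unicast,
                "count": count,
            })
    return alerts


def sample_capture() -> List[Tuple[float, bytes]]:
    """Constructed traffic: three ordinary broadcast lookups, then one client's unicast
    gateway probe reappearing 60 times in half a second as it is re-forwarded."""
    client = bytes.fromhex("001122334455")
    gateway = bytes.fromhex("00005e000101")
    client_ip, gw_ip = bytes([10, 20, 30, 40]), bytes([10, 20, 30, 1])
    frames: List[Tuple[float, bytes]] = []
    for i in range(3):
        frames.append((float(i), build_arp_request(bytes.fromhex(f"0000000000{i + 1:02x}"),
                                                   BROADCAST, bytes([10, 20, 30, 50 + i]), gw_ip)))
    probe = build_arp_request(client, gateway, client_ip, gw_ip)
    frames += [(10.0 + k * 0.008, probe) for k in range(60)]
    return frames


if __name__ == "__main__":
    for alert in detect_arp_storm(sample_capture()):
        print(alert)
```

Keying on source MAC plus sender and target IP, rather than on the frame as a whole, keeps the alert stable if a re-forwarding hop rewrites the destination MAC; the `unicast` flag is what separates a looping RFC 4436 probe from a chatty but legitimate broadcast sender.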

Re: [WIRELESS-LAN] Rogue DHCP on wireless network

2007-08-30 Thread Matthew Gracie
Ryan Lininger wrote:
> I have been having some issues recently with DHCP on the wireless
> network.  It really has been misconfigured laptops running internet
> connection sharing so far (notion malicious) but we have been
> experiencing outages because of it.  We are a Cisco Switched environment
> but our wireless network is a Cisco and 5G network with a bluesocket
> captive portal.  I have DHCP snooping running on all the switches in our
> environment that can run it but that is the only way that I have been
> able to battle this issue.  Everything else is manually hunt done the
> culprit and meet with them to fix their machine.
> 
> I would like to know how others have been battling the problem of rogue
> systems serving DHCP on their wireless network?  I wouldn't mind hearing
> how people have battled this problem on the wired network either (these
> solutions may port over).
> 
> Any help is appreciated.
> 
> Ryan.
> 

We get these in the dorms periodically, when a student who doesn't know
the difference between a hub, a switch, an AP, and a router starts
plugging things in wrong.

The usual approach on the wired side is just to find someone who got an
invalid address from the rogue server (they're usually on the other end
of the Help Desk phone line) and check the ARP cache on their machine to
get the MAC correlating to the IP that handed them an address. Then we
check the centralized collection of CAM tables from our Cisco switches
to find the port that they're plugged into and shut it off.

--Matt

-- 
Matt Gracie (716) 888-2403
Information Security Administrator  [EMAIL PROTECTED]
Canisius College ITS425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg

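The wired-side hunt Matt describes, as an added example rather than anything from the post: take the rogue server's IP from the victim's lease, pull its MAC from the victim's ARP cache, then search the collected CAM tables for that MAC while skipping uplink ports, since the MAC is learned on every trunk between the rogue and the victim. All command output, switch names and port names below are constructed.

```python
# Added example, not from the list post: correlate the rogue DHCP server's IP
# to a MAC (victim ARP cache) and then to a switch port (collected CAM tables).
import re

# Constructed `arp -a` output from a victim Windows host; 192.168.0.1 is the
# address `ipconfig /all` reported as "DHCP Server".
VICTIM_ARP = """\
  Internet Address      Physical Address      Type
  192.168.0.1           00-1c-42-aa-bb-cc     dynamic
"""

# Constructed `show mac address-table` rows from two Cisco switches. The MAC
# is learned on the distribution switch's uplink and on an access port of the
# edge switch; only the latter is where the rogue is actually plugged in.
CAM_TABLES = {
    "dist-1": " 310    001c.42aa.bbcc    DYNAMIC     Gi1/0/48\n"
              " 310    0019.e8b0.0001    DYNAMIC     Gi1/0/48\n",
    "dorm-a-sw3": " 310    001c.42aa.bbcc    DYNAMIC     Fa0/17\n"
                  " 310    0019.e8b0.0001    DYNAMIC     Fa0/2\n",
}
# Constructed trunk/uplink ports: every MAC in the VLAN is learned on these.
TRUNK_PORTS = {"dist-1": {"Gi1/0/48"}, "dorm-a-sw3": {"Gi0/1"}}

def normalize_mac(mac):
    """Lowercase hex, no separators: 00-1c-42-.. and 001c.42.. compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def mac_for_ip(arp_output, ip):
    """MAC the victim's ARP cache holds for the rogue server's IP, or None."""
    for line in arp_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == ip:
            return normalize_mac(fields[1])
    return None

def ports_for_mac(cam_tables, trunks, mac):
    """(switch, port) pairs where the MAC was learned on a non-trunk port."""
    hits = []
    for switch, table in cam_tables.items():
        for line in table.splitlines():
            fields = line.split()
            if len(fields) >= 4 and normalize_mac(fields[1]) == mac \
                    and fields[3] not in trunks.get(switch, set()):
                hits.append((switch, fields[3]))
    return hits

def locate_rogue(server_ip):
    """Port(s) to shut: the rogue's MAC as seen on access ports only."""
    mac = mac_for_ip(VICTIM_ARP, server_ip)
    return ports_for_mac(CAM_TABLES, TRUNK_PORTS, mac) if mac else []
```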

Re: [WIRELESS-LAN] Handheld Support with WPA and PEAP

2007-09-11 Thread Matthew Gracie
Joseph Karam wrote:
> Hi Folks,
> 
> We implemented a secure wireless network this summer with WPA security
> and PEAP authentication.  Now many of our folks with older handhelds
> cannot use the wireless network because their devices do not support WPA
> and PEAP.  Some folks want to open back up portions of the wireless
> network for these people to use handhelds and I think this is a bad
> idea.  How have other places handled support for devices which do not
> work in their secure wireless environments? 

What do people want to use these handhelds for?

It would be possible, at least in a Cisco environment (since that's what
I'm familiar with), to set up an "insecure" SSID that maps traffic to
another VLAN set up for Internet access only. That would satisfy most
users, who seem to just want email and web access wherever they go.

If people want to use their handhelds to access "secure" services, on
the other hand, stick to your guns and tell them to use a more secure
client. There's no reason to compromise security for convenience, no
matter how many dancing pigs they promise.

--Matt

-- 
Matt Gracie (716) 888-2403
Information Security Administrator  [EMAIL PROTECTED]
Canisius College ITS425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg

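The split Matt suggests, as an added example that is not from the post or from Canisius's own configuration: an open SSID on a Cisco autonomous AP bridged to its own VLAN, and an inbound ACL on that VLAN's gateway that passes only DHCP, campus DNS and Internet-bound traffic, so the handhelds never reach the "secure" services. VLAN 20, the 10.20.0.0/24 subnet, the resolver 10.0.0.53 and the DHCP server 10.0.0.67 are constructed values; adjust the deny lines to whatever address space your internal services actually use.

```cisco
! Autonomous AP (IOS): open SSID for the handhelds, bridged to its own VLAN.
! VLAN 20 and all addresses in this example are constructed values.
dot11 ssid handheld-internet
 vlan 20
 authentication open
 mbssid guest-mode
!
interface Dot11Radio0
 mbssid
 ssid handheld-internet
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
!
! Layer-3 switch/router: the VLAN 20 gateway allows DHCP (relayed via the
! helper address), the campus resolver, and anything leaving for the
! Internet. Everything addressed to RFC 1918 space, where the internal
! services live in this example, is dropped at the first hop.
ip access-list extended HANDHELD-INTERNET-ONLY
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.0.0.53 eq domain
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
interface Vlan20
 description Handheld Internet-only SSID
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.0.0.67
 ip access-group HANDHELD-INTERNET-ONLY in
```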

Re: [WIRELESS-LAN] 11n/WiMax

2008-03-14 Thread Matthew Gracie

Frank Bulk - iNAME wrote:
WiMAX is a MAN solution and will generally offer lower throughput than 
802.11n.  It's generally not a good enterprise fit.


It sure does look interesting as a secondary/backup Internet connection, 
though. An additional path without laying additional redundant fiber? 
Sign me up!


Is anyone using a WiMax connection in this way? I haven't seen anything 
locally, but Buffalo isn't generally on the cutting edge for this sort 
of thing.


--Matt


Frank

*From:* The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Lee H Badman

*Sent:* Thursday, March 13, 2008 6:45 PM
*To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
*Subject:* [WIRELESS-LAN] 11n/WiMax


Just a half-baked notion: wondering if anyone currently running 11a/g 
may be contemplating the merits of forgoing 11n for WiMax looking 12-24 
months down the road?


Regards-

Lee

Lee H. Badman

Wireless/Network Engineer

Information Technology and Services

Syracuse University

315 443-3003

--
Matt Gracie (716) 888-8378
Information Security Administrator  [EMAIL PROTECTED]
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg


Re: [WIRELESS-LAN] Yesterday's Doonesbury Comic

2008-04-29 Thread Matthew Gracie

Larry Press wrote:

I just saw the comic and I can tell you that it is very true.


For more along these lines see:

http://cis471.blogspot.com/2008/03/characteristics-of-todays-students.html

I also "audited" a class via podcast from Harvard Law School:

http://blogs.law.harvard.edu/cyberone/

where there was a lot of discussion of whether and how students should 
be allowed to use Laptops during class.


Do you all encourage or discourage it?


Personally, when I teach, I ask the students with laptops to sit in the 
back of the class. That's because when I'm taking classes, there is very 
little more irritating than someone sitting in the front, with their 
screen visible to the whole classroom, noodling around on the Internet 
or playing video games.


The typical student response is "I paid for this class, so I can do what 
I like if you're making me attend". Ignoring the implicit assumption 
that I should cater to the customer, I can see where they're coming 
from; but that doesn't give them the right to annoy and distract the 
other students in the class.


Given something like a law school, which I imagine has a pedagogical 
bent much more Socratic and discussion-oriented than the average class, 
I can imagine that having a large number of students distracted and 
unresponsive could really ruin the teacher's flow.


Now, leaving my own personal feelings aside, Canisius College as a whole 
doesn't have a policy on this. Every classroom building has wireless 
access, and we allow the professors to deal with classroom management 
policies.


--Matt

--
Matt Gracie (716) 888-8378
Information Security Administrator  [EMAIL PROTECTED]
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg


Re: [WIRELESS-LAN] Wireless policies for students

2008-08-13 Thread Matthew Gracie

Monte Schmeiser wrote:
We are fairly new to wireless at our institution and were wondering if 
anyone out there could help us.  We are getting ready to roll out 
wireless to the students next week.  Because we are a small institution, 
we have limited resources, and thus, limited bandwidth.  We have the 
ability to throttle wireless users but were wondering if anyone has an 
example of something you state to your students about using the wireless 
network for things such as music downloads, video, etc.  Any examples of 
written policies would be very helpful.  No use re-inventing the wheel.


Students will use wireless for everything. _Everything_. We've got one 
port per pillow in our residence halls, and the vast majority of 
students will still connect exclusively over wireless, no matter how 
slow the service is because of access point crowding.


Add to that the fact that game consoles are all coming with wireless 
connectivity as well, and you might as well just stop upgrading switches 
and start doubling up on APs instead.


--Matt

--
Matt Gracie (716) 888-8378
Information Security Administrator  [EMAIL PROTECTED]
Canisius College ITS    Buffalo, NY
http://www2.canisius.edu/~graciem/graciem_public_key.gpg
