Re: [WIRELESS-LAN] EAP-PEAP, RADIATOR, AD ?
At UTD, in order to support MSCHAPv2 for Windows supplicants, we went ahead and added a secondary attribute to hold the NTLM hash and restricted access to that attribute to an LDAP DN that the RADIUS servers authenticated with. Going this route works well, except you have to plan ahead a little, because you'll need time to populate the new attribute. We handled this by adding code into our account management system about six months ahead of our 802.1x rollout to begin populating the attribute during password changes. Since the password policy forced password changes periodically, that picked up most of the users before the 802.1x rollout. The rest of the users were simply instructed to reset their passwords to force population of the new attribute.

--Mike

If you have a cleartext password in LDAP, you don't need to do anything, though, as most RADIUS servers can create the NTLM hash from it on the fly.

On Aug 30, 2008, at 8:59 AM, Ryan Lininger wrote:

Frank is right that PEAP requires that the passwords be stored in a specific format. We tried to use FreeRadius and OpenLDAP with PEAP but couldn't get it to work because it required that we store the passwords in the LDAP database in either clear text or NTLM hash. We store our passwords in a more secure (and not supported by MSCHAPv2) format so we had to move to EAP-TTLS with PAP. Also, if it helps, this site has some setup instructions that you may find helpful: http://vuksan.com/linux/dot1x/802-1x-LDAP.html

Ryan.

Frank Bulk wrote:

I'm sure you could use LDAP if you stored your passwords in the format necessary for MSCHAPv2, but the problem is that with LDAP most often the passwords are in clear text or some other format.

Frank

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of John York
Sent: Tuesday, August 26, 2008 9:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-PEAP, RADIATOR, AD ?
I've been wanting to do PEAP with an ldap backend, but could never find a way to do it. EAP needs authentication traffic that RADIUS supports, but ldap doesn't. In fact, TTLS with SecureW2 was recommended to me as the way to do it--unfortunately, our Cisco ACS doesn't support TTLS. We do use PEAP with the built-in Vista client and authentication from Cisco ACS to a Windows RADIUS (IAS) backend. It works fine (assuming the ADS guys cooperate--don't know why they wouldn't, since IAS is easy to configure.) If you find a combination that will let you use PEAP and an ldap backend, please let me know.

Thanks,
John

John York
Network Engineer
Blue Ridge Community College
Weyers Cave, VA

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Philippe Hanset
Sent: Tuesday, August 26, 2008 10:06 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] EAP-PEAP, RADIATOR, AD ?

All,

We want to move to EAP-PEAP instead of EAP-TTLS (SecureW2), and try to use the built-in client in Vista and XP. We use RADIATOR for RADIUS and have two identical back end directories: LDAP and Active Directory. Considering the hashing issue that MSCHAPv2 introduces we want to authenticate against AD. But our AD admin is giving us a hard time. He wants us to join his domain and do NTLM/Kerberos. This involves a lot of SAMBA and I'm more of a Tango guy!

Is there a better way with UNIX Based RADIUS (RADIATOR in our case)?

Thank you in advance,

Philippe

--
Philippe Hanset
University of Tennessee, Knoxville
Office of Information Technology
Network Services
108 James D Hoskins Library
1400 Cumberland Ave
Knoxville, TN 37996
Tel: 1-865-9746555
--

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Using an SSL cert with an IAS server
Actually, I don't believe that you *can* use wildcard certs with IAS. When IAS looks for a certificate in the local computer store to use for PEAP, it looks for one that matches the local hostname of the IAS server exactly. If it doesn't find a cert with a CN or subjectAltName exactly matching the local hostname of the IAS server (case insensitive of course), it doesn't try any of the other certs, so it fails to find a usable cert. At least this has been my experience in the past.

--Mike

On Aug 26, 2008, at 10:24 PM, Mike Tennyson wrote:

Thanks for the reply John,

Digicert requests this as well when getting a CSR from the server. We tried, we failed. I don't know if this is a problem with a *.cert and IAS or if I am just missing something in the setup.

John W Turner wrote:

Ughhh - We don't use wild card certs on IAS but we do use regular old server certs (from Thawte). One thing we run into time and time again is getting the CSR generated on IAS; while it is possible to do via certreq, the easiest way, and the way MS has told us to do this, is to temporarily install IIS on IAS and use the certificate request and install tool in IIS to get the cert onto the IAS server. This seems like a really bad idea, but it does work consistently, and we make sure the web server portion never gets turned on, and we uninstall it right after the process is complete.

Hope this helps
Re: [WIRELESS-LAN] EAP-PEAP, RADIATOR, AD ?
Actually, we didn't give the AD domain any control over the box itself. PAM and NSS were set up to authenticate local machine users (ssh) from our Unix (Sun) LDAP. Samba was only set up for use with the RADIUS authentication process. You *can* give AD accounts control over the machine, but you have to specifically set up PAM and NSS for that. When everything Samba-wise was configured and set, the only process we actually ran was winbindd, which is required for ntlm_auth to work, which is what FreeRADIUS uses for PEAP-to-AD authentication. smbd, nmbd, etc. were not running.

--Mike

On Aug 26, 2008, at 11:20 AM, Philippe Hanset wrote:

Michael,

Thanks. How much control do you have to give to the domain controller to have that scheme working? (Somehow having AD, and the AD guys, controlling our UNIX box gives me the chills... ;-)

Philippe

--
Philippe Hanset
University of Tennessee, Knoxville
Office of Information Technology
Network Services
108 James D Hoskins Library
1400 Cumberland Ave
Knoxville, TN 37996
Tel: 1-865-9746555
--

On Tue, 26 Aug 2008, Michael Griego wrote:

Philippe,

At UTD, we used FreeRADIUS to authenticate against Active Directory. It required that you set up Samba and join it to the domain, but it wasn't that difficult to get set up and running. I do remember that sometimes Samba would have a hard time *creating* the machine trust account, so, to get around that, we'd usually create the trust account manually, then join Samba to it.

--Mike

On Aug 26, 2008, at 9:06 AM, Philippe Hanset wrote:

All,

We want to move to EAP-PEAP instead of EAP-TTLS (SecureW2), and try to use the built-in client in Vista and XP. We use RADIATOR for RADIUS and have two identical back end directories: LDAP and Active Directory. Considering the hashing issue that MSCHAPv2 introduces we want to authenticate against AD. But our AD admin is giving us a hard time. He wants us to join his domain and do NTLM/Kerberos. This involves a lot of SAMBA and I'm more of a Tango guy!
Is there a better way with UNIX Based RADIUS (RADIATOR in our case)?

Thank you in advance,

Philippe

--
Philippe Hanset
University of Tennessee, Knoxville
Office of Information Technology
Network Services
108 James D Hoskins Library
1400 Cumberland Ave
Knoxville, TN 37996
Tel: 1-865-9746555
--
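The arrangement Mike describes (Samba joined to the domain, only winbindd running, FreeRADIUS handing the MS-CHAPv2 exchange to ntlm_auth) reduces to two short configuration fragments. They are added here for illustration and are not from the thread or from UTD's configuration: MYDOMAIN, the realm and the ntlm_auth path are placeholders, and the mschap stanza follows the form of the sample raddb/modules/mschap that ships with FreeRADIUS 2.x.

```text
# smb.conf: enough to "net ads join" and to run winbindd. smbd and nmbd can
# stay stopped, which is the minimal footprint described in the post.
[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.EXAMPLE.EDU
    security = ads
    winbind use default domain = yes

# raddb/modules/mschap: FreeRADIUS never sees an NT hash. It forwards the
# challenge and the client's NT-Response to the domain controller through
# ntlm_auth, and --request-nt-key makes ntlm_auth hand back the key material
# FreeRADIUS needs to derive the MPPE keys for the tunnel.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

Join with net ads join -U <domain admin>, start winbindd alone, and check the trust with wbinfo -t before pointing RADIUS at it. ntlm_auth talks to winbindd through its privileged pipe, so the user FreeRADIUS runs as must belong to the group that owns the winbindd_privileged directory (its location varies by distribution). A quick manual check is ntlm_auth --request-nt-key --domain=MYDOMAIN --username=<user> --password=<password>, which reports NT_STATUS_OK on success; if that works as the RADIUS user, the mschap module will too.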
Re: [WIRELESS-LAN] SPAM Proxim terminal connection on a Mac
I usually use Minicom (via Fink) to do work like that, and I don't usually have issues connecting to gear from my MBP with the Keyspan adapter. I often have to play with the terminal settings, but I can usually get it to work.

--Mike

On Jun 18, 2008, at 4:00 PM, Philippe Hanset wrote:

Proxim's users, (AP-4000, AP-2000...)

We are not able to connect via a serial link to Proxim's AP with Macintosh based terminal emulators (Z-term etc...) using a Keyspan USB to Serial adapter, or other flavors. Has anyone out there figured out a way?

-We have the right serial cable
-We can make it work on Cisco devices
-Has been working for years with Windows :(

Any tip welcome (Except get a PC or run it over Parallels or Fusion in a PC env. ;-)

Philippe

--

On Tue, 22 Apr 2008, Philippe Hanset wrote:

Brian,

This is something we wanted to do as well in our dorms last summer, but we then balanced convenience versus price and decided to spend some money on a CBA architecture, to sleep better at night. I still believe that the system would have been great. Ethan Sommer at gac.edu did a presentation at Educause about their deployment of Linksys APs. http://connect.educause.edu/Library/Abstract/UsingConsumerLinuxBasedAc/42004

Here is how we wanted to do it at Univ of TN:
-Open-Wrt on Linksys APs
-use PoE http://www.webpowerswitch.com
-Take the existing cat5 circuit in the student room and let the student use ports on the linksys to replace the lost port (no wiring cost)

For management, with the money that you save, hire a full time coder (proficient in SNMP)/WLAN engineer ;-)

Philippe

--
Philippe Hanset
University of Tennessee, Knoxville
Office of Information Technology
Network Services
108 James D Hoskins Library
1400 Cumberland Ave
Knoxville, TN 37996
Tel: 1-865-9746555
--

On Tue, 22 Apr 2008, Brian J David wrote:

I was wondering if there are other schools who have deployed or were thinking of deploying open source code flashed access points.
The students want wireless in the dorms as you all know but because of budget and time we are looking into some alternative temporary solutions, like dd-wrt flashed linksys access points. We were thinking of deploying a pre-configured AP with the antenna power setting set to its lowest power level and a few other minor configuration. I know this could be a challenge in managing these devices (although they have appliances/software out there that can manage them). If we could give the students an alternative to bringing into their dorm a rogue AP until we can get a permanent wireless infrastructure the benefits could outweigh the headaches.

Comments?

Brian J David
Network Systems Engineer
Boston College
iPhone getting 802.1x
Thought the folks on this list would be interested in the news. Apple has officially announced that the iPhone will be getting 802.1x and WPA2 support, as well as Cisco IPSec VPN support, in release 2.0, due out in June. This should be a big help to universities who have already deployed 802.1x for wireless access.

--Mike
Re: [WIRELESS-LAN] Leopard/802.1x question
Just out of curiosity, which domain are you having your users use? System or User? (I assume you're not having them use login window since their credentials on the laptop would have to match their university credentials). I assume User, but I thought I'd ask.

--Mike

On Nov 1, 2007, at 8:41 AM, Stelfox, Samuel G @ VTC wrote:

We have been seeing the same problem on our network. Unfortunately we haven't found a solution yet either. We would also be very interested in a solution to this problem.

- Sam Stelfox

From: Lee H Badman [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 01, 2007 9:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Leopard/802.1x question

With a growing number of Leopard users on our 802.1x wireless network, we’re finding that Leopard does not store user name and passwords the same way OS X 10.4 did- hence a lot of questions from users. I am seeing this on my own Mac- and can’t find an answer on the web yet, nor can our desktop folks. Anyone know how to make Leopard store user name and password for 802.1x…

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003
Re: [WIRELESS-LAN] 802.1x without AD or LDAP?
Your biggest hurdle will be which EAP type to support. It sounds like you'd really like to authenticate your wireless users against your existing Linux user base. If you want your users to use their existing usernames and passwords, that rules out straight EAP-TLS since that's certificate based (and would require setting up a PKI infrastructure if you don't already have one). Are your Linux users in the standard passwd/shadow format using DES or MD5 salted encryption? If so, you'll be further limited in what EAP types you can support, pretty much to EAP-TTLS/PAP. FreeRADIUS can do this just fine, but you'll have to install a supplicant on your Windows users' laptops. A popular choice for this is the SecureW2 supplicant, found at http://www.securew2.com.

--Mike

On Jul 5, 2007, at 1:27 PM, David Gillett wrote:

The Identity Engines product is basically RADIUS on steroids, and can back-end the authentication against a variety of different systems. It might address your need.

David Gillett

-----Original Message-----
From: Emily Harris [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 05, 2007 11:09 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.1x without AD or LDAP?

I am curious if anyone has (successfully) implemented WPA/802.1x with authentication via RADIUS to something OTHER than Active Directory or LDAP. We unfortunately are somewhat behind in our method of campus-wide user management - LDAP is coming in 2008 but for now we have to make do with authenticating against Linux servers. Last year we used static WEP with Webauth, using a RADIUS script for user/password verification. That means two configurations and way too much user training, so we wanted to do something a little less cumbersome this year. FYI we're using Meru MC3000 and AP208s. Any replies would be appreciated - thank you!
--
Emily Harris, BC '95
Associate Director, Network Systems
Barnard College, MINS Department
3009 Broadway, New York, NY
212-854-8795
Re: [WIRELESS-LAN] The strategic importance of 5GHz
802.3af does indeed have the ability to support GigE by combining power and data on a pair. In fact, a good portion of the 802.3af spec is focused on providing this ability without damaging devices that don't support it.

--Mike

On Jun 27, 2007, at 9:40 AM, Enfield, Chuck wrote:

Since we can't do 3af power with GigE, that one connection would have to be 100Mb. If we're going to use two cables for power let's hope we'll be given the chance to use two data channels as well.

Chuck

-----Original Message-----
From: Tomo [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 27, 2007 4:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz

The Airwave webinar (for which a link was sent round last week) mentioned that some vendors are looking at providing two Ethernet sockets on MIMO / 802.11n Access Points, so they could draw 2 x 802.3af power connections and one live Ethernet connection.

Tomo | Senior Network Telecommunications Infrastructure Engineer
Direct line: +44 (0)20 7000 | Email: [EMAIL PROTECTED]
www.london.edu

-----Original Message-----
From: Frank Bulk - iNAME [mailto:[EMAIL PROTECTED]
Sent: 27 June 2007 02:32
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz

Dale:

I've heard from at least one vendor that a b/g radio and an 802.11n radio may operate within 802.3af power limits. But I've heard nothing absolutely definite so far and I anticipate that we'll know more by the end of the summer as these products move from short-run samples to production. The whole 802.11n PoE and GigE port thing really puts most organizations into a pickle...they can cheat with using 100BaseT at the edge but if you really want to do full 802.11n on two radios it's going to necessitate a midspan, PoE injectors, or a new switch (and that will be at least a year away).
If vendors can make an AP with an 802.11b/g radio and an 802.11n radio operate within 802.3af power limits that should give organizations the breathing room they need to upgrade their edge switching infrastructure over the next 3-5 years.

Frank

-----Original Message-----
From: Dale W. Carder [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 26, 2007 3:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] The strategic importance of 5GHz

On Jun 25, 2007, at 11:57 AM, Enfield, Chuck wrote:

We currently only have one UTP cable to an AP location. The alternative is one GigE drop with either local power or proprietary UTP based power (including possible pre-standard 802.3at).

One thing we did for the last 3 years is to pull siamese cable to each AP location, setting up the infrastructure in advance for a technology change. What will probably screw us as you mention is not enough PoE via 802.3af. Having an AP with bg on 2.4 and MIMO on 5 will probably require 802.3at. So in addition to replacing your AP's, you are now also forklifting your PoE switches...

Dale
Re: [WIRELESS-LAN] What do you do for 3rd Party Client Configuration Tools and SecureW2
We only officially support the built in supplicant for Windows and Mac OS X (we're using PEAP). Sometimes our helpdesk will configure the client that comes with the card, though. The default and only officially supported connect mechanism is to turn all that off and use MS' supplicant.

--Mike

On May 3, 2007, at 12:10 PM, Matt Ashfield wrote:

Hi

We're preparing to roll-out our new wireless system to users on campus and are running into a bit of a snag. We require our users to use SecureW2. However many of our users are experiencing issues because of 3rd party wireless connection tools from Intel or IBM or Dell, etc.. I'm just wondering what others are doing to deal with this? Are you mandating that you only support connections using Windows as the connection tool?

Any advice is appreciated.

Thanks
Matt
[EMAIL PROTECTED]
Re: [WIRELESS-LAN] microcell vs virtual cell
In addition, at UTD, during our transition, we are running Meru systems right alongside the legacy Proxim AP-2000s and AP-4000s we're replacing (same building, same floor, adjacent cells). I've never seen any issues with this setup. And, as Michael Ruiz said, Meru did go through a *re*certification process just to prove this point.

--Mike

On Apr 9, 2007, at 8:58 AM, Ruiz, Mike wrote:

I'd like to share two pieces of info on this. We have been running meru as a neighbor to several other smaller wireless installs and have never seen any issues that were unexpected. This is both in an overlapping and a non-overlapping channel scenario. Secondly, a short time ago we hosted an independent lab who tested for the bad neighbor issue. They were unable to find any problems. I would expect the wifi recertification should also speak worlds on this alleged issue.

- Michael Ruiz -
Sent using Exchange Mobile Active Sync

-----Original Message-----
From: Lee Badman [EMAIL PROTECTED]
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: 4/9/2007 9:05 AM
Subject: Re: [WIRELESS-LAN] microcell vs virtual cell

I've heard a growing number of anecdotal instances where the virtual cell model causes problems for neighboring WLAN systems by trying to control their timing parameters and such- though can't say that I have talked to anyone directly that has experienced this supposed bad radio neighbor effect. Has anyone who actually uses the virtual cell hardware had reports from nearby systems of this negative effect, or is this a bit of a competitors' urban legend?

Regards-
Lee

[EMAIL PROTECTED] 4/7/2007 12:15 PM

We too are Meru users, since December 2005. Michael has done a very good job articulating details of the Virtual Cell. I would be pleased to provide information if needed. Additionally I would be pleased to talk offline about some interesting technology we are alpha-testing from Meru. For what its worth, I wouldn't recommend doing Wi-Fi any other way.
In the interim, I recall some independent layer 1 testing and operational testing done out of the UK a while ago. I'm trying to track down that information.

Mike

-
Michael G. Ruiz, ESSE ACP A+
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
P.315-781-3711 F.315-781-3409
Team Leader: Derek Lustig ([EMAIL PROTECTED])
Did you know that HWS Students, Faculty, Staff, Alums, etc can purchase computers, accessories, electronics and software at a discount through our partner CDW-G? http://www.cdwg.com/hws/
-

From: Michael Griego [mailto:[EMAIL PROTECTED]
Sent: Fri 4/6/2007 6:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] microcell vs virtual cell

Where virtual cell deployments really shine is in a couple of ways:

1. By timing the transmissions of both the APs and the clients, they cut *way* down on the number of collisions and retransmits. This alone is what causes the throughput of a normal AP to completely tank after 20-30 users. So, by cutting down on the amount of wasted air created by the random backoffs and the collisions themselves, you gain quite a bit of usable throughput and the ability to reliably support more than 20 users (since the available spectrum can be equally divided without the clients fighting like a bunch of siblings).

2. By moving to an almost TDMA approach, 802.11g clients get better performance when 802.11b clients are sharing the cell than they would with traditional APs (at least this is true for Meru). This is because the AP will give each client the same amount of air*time* instead of the same number of frames, allowing the 802.11g client to transmit more data before again having to wait on another client.

3. Most people don't realize (or it just doesn't dawn on them) that you *can* run all 3 channels in a virtual cell deployment.
You do have to install more APs to support this configuration, but, by doing this, you get 3 virtual cells spanning your campus and all of the available bandwidth that goes along with it (which, for the reasons listed above, is more than you would get using a traditional 3 channel deployment, making your actual aggregate available throughput much closer to the 162Mbps theoretical max for 2.4GHz usage).

One of the other nice benefits of virtual cell deployments is the lack of client-initiated roaming. This is especially useful for cutting down roam times when the WLAN is 802.1x authenticated (and it doesn't require PMK). Since, even though the client has moved his association to a new physical AP, he's still talking on the same channel and to the same BSSID, he has no clue that he has roamed and his session state has been seamlessly moved by the controller.

I'd be happy to discuss (offline) our Meru system with anyone who'd like to ask questions.

--Mike

On Apr 6, 2007, at 3:30 PM, Ringgold, Clint wrote:

I am
Re: [WIRELESS-LAN] microcell vs virtual cell
Where virtual cell deployments really shine is in a couple of ways:

1. By timing the transmissions of both the APs and the clients, they cut *way* down on the number of collisions and retransmits. This alone is what causes the throughput of a normal AP to completely tank after 20-30 users. So, by cutting down on the amount of wasted air created by the random backoffs and the collisions themselves, you gain quite a bit of usable throughput and the ability to reliably support more than 20 users (since the available spectrum can be equally divided without the clients fighting like a bunch of siblings).

2. By moving to an almost TDMA approach, 802.11g clients get better performance when 802.11b clients are sharing the cell than they would with traditional APs (at least this is true for Meru). This is because the AP will give each client the same amount of air*time* instead of the same number of frames, allowing the 802.11g client to transmit more data before again having to wait on another client.

3. Most people don't realize (or it just doesn't dawn on them) that you *can* run all 3 channels in a virtual cell deployment. You do have to install more APs to support this configuration, but, by doing this, you get 3 virtual cells spanning your campus and all of the available bandwidth that goes along with it (which, for the reasons listed above, is more than you would get using a traditional 3 channel deployment, making your actual aggregate available throughput much closer to the 162Mbps theoretical max for 2.4GHz usage).

One of the other nice benefits of virtual cell deployments is the lack of client-initiated roaming. This is especially useful for cutting down roam times when the WLAN is 802.1x authenticated (and it doesn't require PMK).
Since, even though the client has moved his association to a new physical AP, he's still talking on the same channel and to the same BSSID, he has no clue that he has roamed and his session state has been seamlessly moved by the controller.

I'd be happy to discuss (offline) our Meru system with anyone who'd like to ask questions.

--Mike

On Apr 6, 2007, at 3:30 PM, Ringgold, Clint wrote:

I am interested in the findings as well. My concern is the actual throughput. It would seem to me that a virtual 3 ap setup would be 54MB while in a microcell it would be 162MB potential. I hope I'm wrong and or can get clarification.

-----Original Message-----
From: Scholz, Greg [mailto:[EMAIL PROTECTED]
Sent: Friday, April 06, 2007 3:59 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] microcell vs virtual cell

I am also interested in anything you find.

-----Original Message-----
From: Steve Fletty [mailto:[EMAIL PROTECTED]
Sent: Friday, April 06, 2007 3:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] microcell vs virtual cell

Is there any scholarly or technical data/analysis of the single-channel virtual cell architecture vs the traditional micro-cell WIFI architecture? I don't want to hear from vendors. I don't want bake-off results or vendor white papers. I'd like to know if there's any hard science comparing the two contrasting schemes.

--
Steve Fletty
Network Design Engineer
University of Minnesota
Re: [WIRELESS-LAN] 802.1x With A One-Way Certificate
Just be aware that not validating the certificate opens you up to fairly easy session hijacking attacks since anyone can come up with a cert and get your clients to connect to their APs instead of yours (since the client is not checking cert validity)... The attacker would then have access to the data stream as it would appear on the LAN, so you potentially lose a lot of the security benefit.

--Mike

On Apr 4, 2007, at 10:19 AM, Rick Coloccia wrote:

Yes. We aren't using the wpa-tkip with acs, but we do use ias (windows) for radius, we have our clients uncheck the 'Validate Server Certificate' option and away they go.

http://www.geneseo.edu/CMS/display.php?page=5200dpt=cit
http://www.geneseo.edu/CMS/display.php?page=5198dpt=cit
http://www.geneseo.edu/CMS/display.php?page=5199dpt=cit

We like how it works. We run 4 4404's with 350 1242ag access points.

-Rick

ktaillon wrote:

We are trying to implement a WPA/TKIP Wireless authentication. We are using ACS Solution Engine which backs into AD for Authentication. We are currently using WEP. We are looking for the least amount of client setup to make this change. Cisco has told us to use the PEAP MSCHAPv2 connection with a one-way cert; the cert or CA would only be installed on the ACS server and the client would uncheck the 'Validate Server Certificate' under the protected EAP properties. They also told us that the PEAP tunnel that is created would be comparable to having a cert on the client. This seems to be working fine in our tests and is very simple setup for the clients. Are any of you running your connection setup this way?

Ken Taillon
Network Support Specialist
Information Technology Services
Wesleyan University
860-685-5657

--
Rick Coloccia, Jr.
Network Manager State University of NY College at Geneseo 1 College Circle, 119 South Hall Geneseo, NY 14454 V: 585-245-5577 F: 585-245-5579 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http:// www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. smime.p7s Description: S/MIME cryptographic signature
Re: [WIRELESS-LAN] 802.1x With A One-Way Certificate
Yes, if you purchase a commercial cert from one of the CAs whose certs are included with the OS, all the user has to do is:

a) pick your certificate's CA from the list in the PEAP setup
b) enter your certificate's CommonName in the server list

The user does not have to download anything. Doing both of these, though, is extremely important to gain the highest level of security and prevent the possibility of session hijacking. In our environment, we purchased a certificate from Verisign and used a bogus hostname of 8021x.utdallas.edu. In our instructions, we tell the users to check the Secure Server CA box *and* enter 8021x.utdallas.edu into the server list field. The only thing the client has to obtain to get configured is the instructions.

I'm not quite sure what your Cisco rep was talking about,

--Mike

On Apr 4, 2007, at 12:39 PM, ktaillon wrote:

One of the things that I didn't point out is we are running the new LWAPP AP's and controller setup. After I told Cisco about the one-way cert he said this is ok to run in this setup because the peap tunnel that is created from the client to the AP and to the ACS/Controller could not be interfered with. Not like a web server cert that could be hijacked. If I were to install a Cert (Verisign, GTE...) on the ACS that is on the XP list of trusted names, can the client just check off that name without having to go to a web server to download and install the cert? I'm just trying to keep the client setup as simple as possible but not in a way that lowers security.

Ken

-Original Message-
From: Michael Griego [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 04, 2007 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 802.1x With A One-Way Certificate

Just be aware that not validating the certificate opens you up to fairly easy session hijacking attacks since anyone can come up with a cert and get your clients to connect to their APs instead of yours (since the client is not checking cert validity)... The attacker would then have access to the data stream as it would appear on the LAN, so you potentially lose a lot of the security benefit.

--Mike
Re: [WIRELESS-LAN] Investigating Wireless Back Haul
We just installed a pair of the new AR60s in a 2-leg connection between a couple of remote sites. These guys are pretty cool since they'll drop down to 100Mbps in case of bad weather to ensure a stable connection.

--Mike

On Feb 23, 2007, at 2:58 PM, Steven Osit wrote:

Definitely take a look at the Bridgewave family of products.

On Feb 23, 2007, at 1:40 PM, Mike Testa wrote:

Hello,

I am investigating wireless back haul products as an option to reach a remote area of our campus. It is not feasible to run either copper or fiber to the location. However, line of sight is possible. I am interested if others have set up wireless back haul links and what products they have used. Products that we are currently investigating are: Proxim's (Terabeam) Terabridge; ZyXEL's fixed wireless back haul; and Canon's Canobeam. Any information that you may have would be appreciated.

Thanks,
Mike

--
Mike Testa
Technical Services Manager
Computing Services
Denison University
Granville, Ohio 43023
Ph. 740.587.6333
Re: [WIRELESS-LAN] Question about WPA 802.1x
On Feb 15, 2007, at 9:43 PM, Frank Bulk wrote:

FB> If Fast Connect refers to the feature in IEEE 802.11i to perform pre-authentication, then yes, I can see the necessity of using the same RADIUS server between two APs.

Actually, the Fast Reconnect in Windows has been around since before 802.11i was ratified (or even draft for that matter). I'm pretty sure that it actually refers to whether or not to use TLS Session Resumption, a method that allows the two parties to reauthenticate to each other by simply proving that they know the shared master secret, a method which reduces the length of the EAP conversation by more than half since certificates, etc. don't have to be exchanged.

> My question is how would you set up more than one IAS server and still allow Fast Reconnect across all APs?

FB> Depending on your WLAN infrastructure, you could configure one RADIUS server as primary and the backup one as secondary.

Most APs and wireless switches/controllers have the ability to have multiple RADIUS servers configured in them, as Frank alluded to. In these cases, it's simply a failover scenario where, if the primary stops responding, the AP/switch will switch to using the backup controller. Another option here is to use some sort of front-end load balance/failover appliance, such as Zeus or something like that that's capable of talking RADIUS. In this case, you'd have a RADIUS server farm behind your proxy to handle the actual requests, and appliances such as Zeus usually have cluster capability so that they seamlessly switch to the backup unit in case of failure in one of the appliances.

> Another question is about load on the RADIUS server. We currently have at peak 800 users using the Wireless network. What specs for the server or servers should I use to handle this load?

I'm not sure how these numbers compare to Windows and IAS, but we have FreeRADIUS running on a pair of older (circa 2004) Dell PowerEdge 650s with single 2.4GHz processors and 512MB RAM. The OS they run is Fedora Core. We have a fairly decent sized implementation (~800 APs and more coming online), and the load average on the boxes stays fairly low, even though we currently require every user to reauthenticate every 15 minutes, which keeps the RADIUS process pretty busy. I don't know that we're quite to the 50/s request state yet, but we're definitely in the ~20 RADIUS requests per second during peak times crowd. The only real overhead to 802.1x is the TLS processing for any EAP-TLS-based EAP type (EAP-TLS, PEAP, EAP-TTLS, etc), and that processing isn't that bad. So, unless your OS needs a beefy machine, 802.1x/EAP/RADIUS itself shouldn't require overly beefy hardware.

--Mike
Re: [WIRELESS-LAN] 802.1x and Wireless Config Utility problems
I've seen this from time to time on some machines, even with the built in Windows supplicant. If the 802.1x state timers on the RADIUS server timeout before the user enters his credentials, then the next EAP exchange following the user entering his credentials will result in the RADIUS server refusing the authentication. This will cause the supplicant to try to authenticate again, usually resulting in the user being presented with the password prompt again. I can't say I've ever seen an instance, though, where it's the fault of the supplicant itself that things aren't happening quickly enough. Usually, it's a user not paying attention to the little popup balloon asking him to enter his credentials that results in the auth timeout.

--Mike

On Feb 2, 2007, at 11:14 AM, Matt Ashfield wrote:

Hi All,

This kind of has to do with a thread that has been ongoing, except we do not use Active Directory or Novell in our situation. We're currently trying to do some testing with 802.1x username/password authentication. Basically a user connects to an SSID, and gets prompted for credentials via a dialog box, credentials are entered, compared against LDAP via Radius and then they get connected. This does work, but we're seeing some oddness between laptops. The main problem seems to be on laptops which use wireless vendor configuration utilities such as Dell or IBM ThinkVantage, etc. In some of those, it seems like the user is not prompted for credentials quickly enough. And once they are prompted, it either doesn't work, or they get prompted again, and eventually they will work and connect. I'm just wondering if anyone else ran into this or a similar type problem and if so, what did you do to correct it? Any info is greatly appreciated.

Matt Ashfield
[EMAIL PROTECTED]
Re: [WIRELESS-LAN] Problems with Windows 802.1x supplicant
We push a group policy to all of our machines to re-enable the Windows-2000-esque behavior that forces the client to wait until network connectivity is established before presenting the login screen. I don't remember the exact GPO off the top of my head, but it does allow our wireless/802.1x clients to process domain credentials, login scripts, etc. as expected since a network connection is established before the user attempts to login.

--Mike

On Jan 31, 2007, at 5:40 PM, Ruiz, Mike wrote:

Lee,

The Windows 802.1x supplicant operates by default with some annoying timers that are nearly always the cause of your #1 and #2 issue. Essentially the system starts and the supplicant allows authentication as the computer account with a timer counting down. If the timer reaches zero before a user authentication event happens then the supplicant deauthenticates completely. Zero usually always comes before the user can even type in their username/password and press okay, or comes so closely after that bad things happen during login. Oddly enough, issue #3 can be related to this as well.

I recommend you pick up a free utility called XTweak for Windows 2k/XP/2k3. It's written by Enterasys and is a free applet that gives you a GUI to tweak the hidden registry parameters for the MS 802.1x supplicant. The great thing is that it also shows all the keys to you in the log output so you can quickly see what does what. The utility will allow you to do computer only authentication which is great for labs, as well as tweaking how the user/computer handoff operates.

http://www.enterasys.com/support/Tools2/XTweakSetup.exe

Cheers,
Mike

-
Michael G. Ruiz, ESSE ACP A+
Network and Systems Engineer
Hobart and William Smith Colleges
Information Technology Services
P.315-781-3711 F.315-781-3409
Team Leader: Derek Lustig ([EMAIL PROTECTED])
Did you know that HWS Students, Faculty, Staff, Alums, etc can purchase computers, accessories, electronics and software at a discount through our partner CDW-G? http://www.cdwg.com/hws/

-
From: Lee Weers [mailto:[EMAIL PROTECTED]
Sent: Wed 1/31/2007 6:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Problems with Windows 802.1x supplicant

I'd appreciate any help I can get on my problems.

Environment: I've set up a secure SSID that is using WPA-TKIP/WPA2-AES encryption. The EAP type is PEAP and MS-CHAP-V2. The wireless hardware is a mix of Aruba, and HP Procurve (thin). The SSID name is the same on both vendors. MS IAS is the Radius server with the Verisign wireless LAN certificate. Laptops are XP SP2 all fully patched through Nov 06 or newer.

The problems I am having are as follows:

1. A laptop that belongs to our domain, but the user has never logged into it before (so no cached credentials exist), errors with "The Domain is not available". If cached credentials do exist then they get logged in.
2. When the user gets logged in the login scripts may or may not run so drives may or may not be mapped.
3. Users who connect to the encrypted SSID take it home and connect to the wireless network at home, but then they don't get connected again when they come back. The logs show that it is using the domainname\computername rather than domainname\username, hence access denied. It doesn't seem to matter if the Authenticate as computer is checked or unchecked.
4. UTStar vx6700 does not recognize the Verisign root certificate. When we installed the Verisign root certificate again on the device it broke a bunch of other things like activesync and being able to make a wifi connection.

Other than #4, this is reproducible on Dell D510's, IBM Tablets, and other older laptops. I have not seen these problems with the Mac iBook's. It doesn't make a difference if the WPA2 patch (KB893357) is installed or not.

What I would like to see happen is the same behavior whether it is a wire connection to the network or using the wireless connection. That was my interpretation as to the advantage of 802.1x. We do not currently use 802.1x on the wired network.

Thank you,
Lee Weers
Assistant Director for Network Services
Central College IT Services
(641) 628-7675
Re: [WIRELESS-LAN] 802.1X and Mac Supplicant
Walter Reynolds wrote:

> The problem is that you have the user validate the cert. A hacker could provide another cert at a later time and a user, being used to having to accept a cert, may just click it. What we want to do is avoid that.

I very much understand the usability concerns here. The way to work around that, though, is to go ahead and set your certificate to be automatically accepted once validated. This way, if the user is presented with a popup later, they aren't tempted to click without checking. Just the presence of the popup should cause them to take notice and second-guess the validity.

> This still allows the availability of users accepting other certs. All this will do is allow the cert we Always accept to work for EAP authentication. It will not prevent other certificates from working.

No, but with a small amount of user education, it will cause them to take notice if they're asked to authorize something.

> I agree that the exposure is somewhat limited, but it relies on users not only setting up the certificate and accepting them, but also to know not to accept others which I am not sure they will do.

I would argue that we should be continually educating our users to not blindly accept popups of any type...

--Mike
RE: [WIRELESS-LAN] 802.1X and Mac Supplicant
One thing to keep in mind is that the Apple supplicant does *not* accept *any* certificates automatically by default. IOW, you have to manually validate the presented certificate upon the first authentication of each session. So, the vulnerability to session hijacking is low. You *can* set the per-certificate policy for your cert to Always Accept for EAP authentication. It would be *better* to be able to bind that cert to an ESSID, but you're somewhat protected by the fact that you're auto-validating individual certs and not CA certs. So, an attacker would have to have a cert you've previously authorized, not just a cert from a CA you've authorized.

--Mike

- original message -
Subject: [WIRELESS-LAN] 802.1X and Mac Supplicant
From: Walter Reynolds [EMAIL PROTECTED]
Date: 11/10/2006 3:07 pm

Howdy,

I am looking to get some feedback on those deploying 802.1x and an issue with the Mac built in supplicant. Currently, there is no way to bind specific certificates to the connection. This allows a user with malicious intent to be able to present their valid certificates to the user and hijack the session and users credentials. Currently this is available under Windows built in PEAP supplicant (validate server certificate and connect to these servers) properties. It is also under the windows SecureW2 supplicant (verify server certificate and verify server name). Is this preventing anyone from deploying 802.1X? Has someone found a solution? Has anyone reported this to Apple? Any comments you have on this would be appreciated.

--
Walter Reynolds
Principle Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734)615-9438
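The two certificate threads above make the same defensive point from two directions: on Windows, ticking the CA *and* entering the server name (Mike's 8021x.utdallas.edu instructions), and on the Mac, pinning the one certificate with "Always Accept" instead of trusting a whole CA. The following is an added example, not code from the list or from any supplicant; it models the four client-side policies discussed here as a decision function and runs it over constructed certificates (the CA name, hostnames and certificate bytes are all made up). Real supplicants also check signatures, validity dates and chains; only the fields the threads argue about are modelled.

```python
"""Supplicant server-certificate policies for PEAP/EAP-TTLS, modelled.

Added example: certificates are reduced to the fields the policies in
these threads examine (issuer CA, subject CN, exact certificate).
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Cert:
    issuer: str   # CA that signed the certificate
    cn: str       # subject CommonName presented in the TLS handshake
    der: bytes    # constructed stand-in for the DER-encoded certificate

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


@dataclass(frozen=True)
class Policy:
    validate: bool = True                    # XP "Validate server certificate" box
    trusted_cas: frozenset = frozenset()     # XP trusted root CAs ticked
    server_names: frozenset = frozenset()    # XP "Connect to these servers"
    pinned: frozenset = frozenset()          # Mac per-certificate "Always Accept"


def auto_accept(policy: Policy, cert: Cert) -> bool:
    """True if the supplicant proceeds to the inner authentication without
    asking the user. A prompt (the Mac default) counts as not accepted."""
    if not policy.validate:
        return True                          # anything goes, rogue AP included
    if cert.fingerprint in policy.pinned:
        return True                          # exact certificate previously authorised
    if cert.issuer not in policy.trusted_cas:
        return False                         # unknown or self-signed issuer
    if policy.server_names and cert.cn not in policy.server_names:
        return False                         # trusted CA, but not *our* server
    return True


# Constructed certificates: the campus RADIUS cert bought from a commercial
# CA, a cert somebody else legitimately bought from the same CA, and a
# self-signed cert that merely copies the campus hostname.
CAMPUS = Cert("Secure Server CA", "8021x.example.edu", b"campus-cert-bytes")
SAME_CA = Cert("Secure Server CA", "wifi.elsewhere.example", b"other-cert-bytes")
SELF_SIGNED = Cert("Rogue Root", "8021x.example.edu", b"selfsigned-cert-bytes")
CANDIDATES = {"campus": CAMPUS, "same_ca": SAME_CA, "self_signed": SELF_SIGNED}

POLICIES = {
    "no_validation": Policy(validate=False),
    "ca_only": Policy(trusted_cas=frozenset({"Secure Server CA"})),
    "ca_and_name": Policy(trusted_cas=frozenset({"Secure Server CA"}),
                          server_names=frozenset({"8021x.example.edu"})),
    "pinned_cert": Policy(pinned=frozenset({CAMPUS.fingerprint})),
}


def evaluate() -> dict:
    """Which candidate certificates each policy accepts automatically."""
    return {name: {c: auto_accept(p, cert) for c, cert in CANDIDATES.items()}
            for name, p in POLICIES.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:14s} {result}")
```

The table this prints is the argument of both threads in one place: with validation off everything is accepted; with the CA alone, a certificate anyone buys from the same commercial CA is also accepted (which is why Mike insists on the server-name field as well); CA plus name, or pinning the exact certificate, accept only the campus server.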
Re: [WIRELESS-LAN] Ethernet Wireless Bridge that supports 802.1x
The Linksys WET54G (version 2 and above) supports 802.1x with EAP-TLS or EAP-TTLS. I believe the same is true for Ruckus wireless gateways.

--Mike

On Oct 4, 2006, at 10:22 AM, King, Michael wrote:

I've found a few. ZyXel made one of them, the G-405 (802.1x and WPA)
http://us.zyxel.com/web/product_family_detail.php?PC1indexflag=20040520161256CategoryGroupNo=01D0FA7A-6FC9-4C60-9A80-508E650AD105

It looks like they also have the G-470 now (With support for WPA2)
http://us.zyxel.com/web/product_family_detail.php?PC1indexflag=20040520161256CategoryGroupNo=PDCA2006039

I've also bought a Pegasus Outdoor Bridge (The same people that make the WiJet)
http://www.pegasuswirelesscorp.com/products/products.html
(These support WPA-Enterprise only, not WPA2)

Just a note, some AP's don't allow Bridges. They only allow the MAC's that are associated to them to pass. I'd try one out before committing to this route. (You can get it to work, but you need a NAT router at the far end, we found this too much trouble)

I know about, but haven't tried Lantronix's product line. (We use quite a bit of Lantronix here, we like the company based on other products)
http://www.lantronix.com/device-networking/embedded-device-servers/wiport.html

We do use several of these however:
http://www.lantronix.com/device-networking/external-device-servers/wibox.html
The Wibox allows Serial Devices to communicate over the IP network. We use these on Cash Registers and on Vending Machines.

Mike King
Bridgewater State College

From: Landau, Gary [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 04, 2006 9:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Ethernet Wireless Bridge that supports 802.1x

Does anyone know of an Ethernet to Wireless Bridge that supports 802.1x (with PEAP and MSCHAPv2)? We have a system that only has an Ethernet interface and we want to connect it wirelessly. However, the only supported security that I’ve found on the various manufacturer’s websites that have wireless bridges are WEP and WPA.

Thanks in advance,
Gary

Gary Landau, CISSP, CCNP
Director | Network Services - Loyola Marymount University Information Technology
One LMU Drive | Los Angeles, CA 90045
p.310.338.4434 f.310.338.2326
[EMAIL PROTECTED] | http://its.lmu.edu - LMU|LA IT: We Deliver!
Re: [WIRELESS-LAN] Frequent reassociations/reauthentications in 802.1x WLAN
On Sep 27, 2006, at 3:15 PM, Shumon Huque wrote:

> Is frequent reassociation the normal behavior in a dense deployment of APs? I can understand that it might be for highly mobile stations like wireless VoIP phones. But our environment is composed of mostly stationary wireless laptops in student rooms. My assumption was that roaming typically happened when a user moves towards a stronger signal AP and at some configured signal quality threshold, the station started scanning for a better AP. Am I wrong?

The truth of the matter is that the roaming algorithm in many wifi drivers and chipsets is crap. In a case where you have clients sitting where two APs are showing roughly the same signal strength to a client, the client may flap back and forth as the environment causes one to look stronger this second then weaker the next. Having a dense AP deployment exacerbates the situation.

> Or is this more likely something in our radio environment or insufficient coverage etc? Our wireless LAN engineers are currently investigating this, but I'd be interested to hear the experience of others.

We see some of that. To be honest, this is one of the things about the Meru system that we're moving to that I really like. Since the wireless cloud appears to the clients as a single AP (even though it's supported by multiple APs), the client's roaming algorithm never comes into play. This means no drops during reassociation/reauthentication, because there never *is* a reassociation/reauthentication.

> Do we need a fast roaming solution to deal with this? Having access points and stations able to cache the PMK (Pairwise Master Key) would probably help the best, as that would allow them to often establish a secure association without conducting a heavyweight authentication dialog with the RADIUS server. But I'm not sure if access points or typical endstations support this. TLS session resumption will probably help a bit also (if supported). We use cisco aironet 1200/1100 access points. The clients are mostly PCs running SecureW2, Macs running with the built-in EAP-TTLS/802.1x support in Mac OS X, and a smaller number of Linux machines.

Having TLS session resumption enabled in the RADIUS server would be the most open solution you could pursue from the fast reauth scenario. Having fast reauth, though, just means the drop during reassociation/reauth is shorter. It doesn't take care of the *cause* of the problem whatever that is (overly dense?).

One thing I noted is that you said that your clients are doing a DHCP renew. If that's true, then they're not truly roaming, but actually dropping the connection completely then coming back online. Something else may be a factor in that case.

--Mike
Re: [WIRELESS-LAN] 802.1X accounting, PEAP outer identity
On Jul 14, 2006, at 4:23 PM, Jeff Wolfe wrote:

> You may also want to consider Radiator. I've found the support from the OSC folks to be much more friendly than some of the folks on the freeradius list.

Heh... Yeah, Alan (DeKok) can come off a bit harsh sometimes. You have to understand, though, that he and the rest of the support folks (myself included from time to time) deal with the same questions every single day from people who don't read through the list archives to see if their questions have been answered in the past. Since FreeRADIUS is one of a very few free RADIUS servers that support EAP, lots of people try to use it for this without having any clue what they're doing. It's the same issue as with lots of other open source projects. Because the support is free as well as the software, people are expected to do their homework and ask intelligent questions. Unfortunately this doesn't happen in many cases. There *are* companies, though, that do offer support contracts for FreeRADIUS IIRC.

--Mike
Re: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast
If I had to make an educated guess, I'd say yes. Since the WPS IE is something that the AP would have to determine and broadcast in management frames, I'd say that the two (IE and RADIUS pieces) are related but not reliant on each other.

--Mike

On Jul 11, 2006, at 12:33 PM, Frank Bulk wrote:

Mike:

Ah, now I see what you're talking about! They are related, but not the same. Can you take advantage of the WPS IE frames (i.e.: one broadcast frame about multiple SSIDs) in Windows XP without the backend?

Frank

-Original Message-
From: Michael Griego [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 11, 2006 9:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

Very interesting. I'm pretty familiar with the concepts behind WPS, but I was *not* aware of the WPS IE. Given the article title, I assume that's only available when using WPA2, which is not widely deployed yet. This looks to be very useful in the future.

What I (and I assume a lot of others) think of when I think of WPS is the Microsoft extension to PEAP that allows for provisioning of account information and the client connection settings. Currently, as far as I know, it is only actually implemented in IAS.

http://www.microsoft.com/technet/community/columns/cableguy/cg1203.mspx

--Mike

On Jul 10, 2006, at 8:33 PM, Frank Bulk wrote:

Michael:

I plead my ignorance here: what does WPS IE support have to do with RADIUS servers? AFAIK, to support it you need APs that can broadcast the information by forming the SSID broadcast frame correctly and clients with the correct software so they can understand it.

http://support.microsoft.com/?id=893357

Frank

-Original Message-
From: King, Michael [mailto:[EMAIL PROTECTED]
Sent: Monday, July 10, 2006 3:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast

-Original Message-
From: Frank Bulk [mailto:[EMAIL PROTECTED]

> Microsoft's development of WPS IE should hopefully reduce the problem.
> Frank

Frank,

Have you seen any uptake on WPS from any of the third party RADIUS Servers? So far I assume it's still an IAS only solution.
Re: [WIRELESS-LAN] WPS
Right, but from my reading of the WPS IE, RADIUS does not *have* to be involved. It's perfectly legal to broadcast 3 non-802.1x-secured BSSIDs in the WPS IE and not be using the WPS extensions for IAS, therefore never have a RADIUS server anywhere in the loop.

--Mike

On Jul 11, 2006, at 4:20 PM, Emerson Parker wrote:

So WPS is not necessarily tied to the encryption method. When installed with the WPA2/WPS IE Update, a Windows XP/SP2 client recognizes the WPS IE in the Beacon or Probe Response frames. Wireless Auto Configuration on the client uses PEAP-TLS to connect to the WISP network as it passes a NULL user name and no certificate to the IAS server. After PEAP-TLS authentication, PEAP-TLV is used to send the URL of the provisioning server to the client. WPS on the client downloads the XML master file and the appropriate sub files. After the guest server permits the client (after payment for instance) and Updates AD with the uname/pw, Wireless Auto Configuration on the client disassociates from the AP, reassociates, and then attempts authentication using PEAP-MSCHAPv2 using valid user/password; IAS server authenticates and authorizes the connection request against the new account in AD.

In this example, RADIUS is quite involved.

-Emerson
Frank -Original Message- From: Michael Griego [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 11, 2006 9:28 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast Very interesting. I'm pretty familiar with the concepts behind WPS, but I was *not* aware of the WPS IE. Given the article title, I assume that's only available when using WPA2, which is not widely deployed yet. This looks to be very useful in the future. What I (and I assume a lot of others) think of when I think of WPS is the Microsoft extension to PEAP that allows for provisioning of account information and the client connection settings. Currently, as far as I know, it is only actually implemented in IAS. http://www.microsoft.com/technet/community/columns/cableguy/ cg1203.mspx --Mike On Jul 10, 2006, at 8:33 PM, Frank Bulk wrote: Michael: I plead my ignorance here: what does WPS IE support have to do with RADIUS servers? AFAIK, to support it you need APs that can broadcast the information by forming the SSID broadcast frame correctly and clients with the correct software so they can understand it. http://support.microsoft.com/?id=893357 Frank -Original Message- From: King, Michael [mailto:[EMAIL PROTECTED] Sent: Monday, July 10, 2006 3:37 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] SSIDs: broadcast and non-broadcast -Original Message- From: Frank Bulk [mailto:[EMAIL PROTECTED] Microsoft's development of WPS IE should hopefully reduce the problem. Frank Frank, Have you seen any uptake on WPS from any of the third party RADIUS Servers? So far I assume it's still an IAS only solution. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/ groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http:// www.educause.edu/groups/. 
Re: [WIRELESS-LAN] 802.1x authentication using LDAP
Hey, Matt, This setup is actually almost identical to what we're doing here at UT Dallas. As is commonly seen on the FreeRADIUS mailing lists, I think you may be confusing how to use PEAP with LDAP a little. In order to use PEAP with LDAP, you don't use LDAP authentication in FreeRADIUS. You have to store either a cleartext password or an NTLMv2 password hash in your LDAP directory for each of your users. Be sure if you do this to set appropriate ACLs on the attribute containing the password/hash so that only the RADIUS connect profile can get to that attribute. In any case, once you've done this, the LDAP module goes in your authorize section in FR so that it can pull the password or hash out and use it to perform the authentication itself using the mschap module. Also, for PEAP, you only need a certificate for your RADIUS servers to authenticate the network to the users. Your users don't need personal certificates as they would using EAP-TLS. If you purchase a commercial certificate from one of the CAs included by default in your client OSes, then you don't have to install anything on the clients and just have to configure them for access. These links might be useful for you: UTD's 802.1x setup instructions for Windows XP: http://www.utdallas.edu/ir/cats/network/wlan/8021x/winxp/index.html I actually gave an Educause Live presentation on UTD's 802.1x deployment. It's archived here: http://www.educause.edu/LIVE058 Hope that helps! --Mike

On Jul 7, 2006, at 1:50 PM, Matt Ashfield wrote: Hi All I'm trying to configure 802.1x wireless authentication using credentials stored in LDAP. I am running FreeRadius and SunOne ldap server. The Radius server is correctly doing authentication attempts to the LDAP server (I issue the radtest command with a username/passwd from LDAP and I get an authenticate-accept back). The next step is setting up an XP client to talk to an Access Point, which is configured to authenticate via the Radius server, via LDAP.
So far, in my minimal testing, I've seen the client try to connect using its Windows credentials rather than giving the user a chance to enter a username/password. I'm sure others out there are doing this. I'm just wondering what you're using? EAP-TLS, PEAP, etc..? I guess I need to get my acronyms straight first and go from there. From what I can tell PEAP will require my users to install a certificate. We'd much rather prefer them to have to enter their LDAP usernames and passwords. Any advice is appreciated. Thanks Matt Ashfield [EMAIL PROTECTED]
Re: [WIRELESS-LAN] point to point wireless
Proxim and Bridgewave were the only two manufacturers I could find that had gigabit capable non-optical wireless solutions. Our not-so-happy experiences with Proxim is what pointed us initially towards Bridgewave for our current point to point project. --Mike

On Apr 19, 2006, at 12:37 PM, King, Michael wrote: Or Pre-WiMax Stuff as well Here's a list of everything Proxim sells.. (Had a very good product spread. Licensed, unlicensed, laser, etc. I've never used Proxim personally) http://www.proxim.com/products/bwa/point/

-Original Message- From: Philippe Hanset [mailto:[EMAIL PROTECTED] Sent: Wednesday, April 19, 2006 1:21 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] point to point wireless Bruce, If it's for a point-to-point and you don't worry about standardization, you could always consider pre-802.11n solutions! http://www.extremetech.com/article2/0,1697,1949656,00.asp Just an idea, we haven't done anything like that...yet! Philippe Hanset University of Tennessee

On Wed, 19 Apr 2006, Entwistle, Bruce wrote: We are currently using a pair of Cisco 1300 wireless bridges to connect some student residences to the campus network. While these bridges have worked well we now need something which is capable of a higher speed connection without using multiple links. The current distance between the two antennas is about 300 feet. I was wondering what products others have used and how they performed. Thank you Bruce Entwistle Network Manager University of Redlands
Re: [WIRELESS-LAN] load test? 802.1x?
I did some homegrown load testing against FreeRADIUS using the eapol_test diagnostic program that comes with wpa_supplicant. You're going to have a very very hard time getting FreeRADIUS to show a problem with load even with thousands of clients reauthenticating regularly. The only time you run into load issues is if you're authorizing or authenticating against databases that aren't properly indexed. --Mike

Archana Vemulapalli wrote: Any suggestions on load tests to assess the Radius server reliability and the 802.1x authentication process? We have a freeRadius/PEAP-MSCHAP-v2 set up. Was wondering if there are any tried and tested methods to build a reliability study before rolling out the service as production. Thanks Archana Archana Vemulapalli Georgetown University 202-687-4264
Re: [WIRELESS-LAN] Wireless Guest Access
We require 802.1x authentications for all users on our network. As such, I recently wrote an application that will allow a FTE staff/faculty member to request a guest 802.1x login for their guest(s). The account is then autogenerated, loaded into our RADIUS servers (FreeRADIUS), and we get an email notifying us of the new account. The accounts all start with guest-, and the user is allowed to pick an up-to-8-character identifier for their users to make the login easy to remember, so the actual username ends up being guest-identifier. The password is autogenerated. Currently, due to limitations in our equipment, they're stuck on the same VLAN as the rest of our wireless users, however we expect to segregate these users once we get some upgraded hardware in place. The thought there is to, once they've authenticated, force each user to a captive portal where they can acknowledge our AUP before continuing. So far, the application seems to have been very well received. Previously, a sponsor had to contact the help desk to have the MAC address of the user(s) registered and get the user set up with the correct WEP key. Now, a sponsor can simply follow the directions to request an account, and no help desk or other outside human intervention is required. When the account is created, the sponsor is given a web link on how to properly configure the wireless settings for our network that can be given to the guest ahead of time or printed for when he/she/they arrives on campus. So, the only time the help desk or other personnel get involved is when there is a problem. And, we didn't have to open up our network to allow guest access. :) --Mike

Bennefield, Cully A. wrote: We are exploring the possibility of offering guest wireless access and I would like to get a feel for how others might be handling it. Any and all information and opinions will be greatly appreciated.
Thanks, Cully Cully Bennefield Baylor University
Palm TX finally does 802.1x
I had given up hope on this, but it seems Palm has actually come through on it. http://www.palminfocenter.com/news/8471/ --Mike
Re: [WIRELESS-LAN] Does anyone use Meru?
We are using it. It's extremely stable. I haven't seen a single stability issue yet. We have 2 controllers currently, a 1000 series with about 10 APs and a 3000 series with 35 APs. We're just getting into the VoWLAN capabilities. We expect to begin testing it here soon and will have more data then. Their architecture, though, is well suited to this. --Mike

Nathan Hay wrote: We are looking into using Meru for a large wireless deployment. Is anyone currently using them? If you are, here are some questions: How stable of a system is it? How many APs are you running on a controller? How has it lived up to their claims as far as the single channel architecture and the VoWLAN capabilities? If you have looked at them and decided on another vendor, what influenced your decision? Thanks, Nathan Nathan P. Hay Network Engineer Computer Services Cedarville University Office: 937-766-6516 Email: [EMAIL PROTECTED] Web: www.cedarville.edu
Re: [WIRELESS-LAN] Obtaining MAC of associated AP in XP, OS-X within the OS?
In XP, it's very difficult to determine this... I believe they're adding something to Vista to correct this. On Mac OS X, the Internet Connect utility will show you the MAC address/BSSID of the AP you're connected to. You can also find this information from dmesg. Look for a line similar to the following: AirPort: Link Active: UTDALLAS - 000ce6a56f26 - chan 6 --Mike

On Feb 27, 2006, at 3:40 PM, Michael Dickson wrote: Is there any trick to determine the radio MAC address of the associated AP on an XP or MacOS-X client *without* using a 3rd party application like NetStumbler? Our help desk would like to have this data point when opening up a trouble ticket. Thanks in advance. Mike *** Michael Dickson Phone: 413-545-9639 Network Analyst [EMAIL PROTECTED] University of Massachusetts Network Systems and Services ***

Julian Y. Koh wrote: At 11:12 -0500 02/27/2006, Landry, Michael wrote: Can anyone share any info they might have on using WPA2 and 802.1x on a Mac running OS/X? We don't officially support them, and I don't have one here for testing, but I'm being told it can't be done/doesn't work. If anyone has some info I could use to get started, I'd appreciate it! Oh, it works great. The consensus seems to be that it's easier to set up than on a Windows box.
Re: [WIRELESS-LAN] FW: Registry keys to control Microsoft Zeroconfig
That's awesome! Too bad it won't configure the EAPOL settings as well though (other than the EAP type). --Mike

Frank Bulk wrote: From the ResNET listserv Frank

From: Resnet Forum [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Mlazovsky Sent: Monday, January 30, 2006 10:34 AM To: [EMAIL PROTECTED] Subject: Re: Registry keys This is what I use to configure the wireless through a script. http://www.engl.co.uk/products/zwlancfg/ ENGL Zwlancfg 1.2 ENGL Zwlancfg is a FreeWare utility designed to configure Microsoft wireless network settings from the command line. Zwlancfg will write success and failure messages to the log file 'zwlancfg.log'.
Requirements
* Windows XP Professional (SP2)
* Windows Server 2003 (SP1)
* Windows Wireless Management
Usage
* zwlancfg /?
Jeremy Mlazovsky Senior System Engineer - Enterprise Desktop UDit-Central Hardware Systems Network Storage University of Dayton 300 College Park Dayton, Ohio 45469-2230 Office: 937-229-4019 Cell: 937-603-3338 Fax: 937-229-2249 AIM/M$N/Yahoo! IM: mlazovjp http://vmpconfig.sourceforge.net/ http://regeditpe.sourceforge.net

Landry, Michael [EMAIL PROTECTED] Sent by: Resnet Forum [EMAIL PROTECTED] 01/30/2006 10:55 AM Please respond to Resnet Forum [EMAIL PROTECTED] To [EMAIL PROTECTED] cc Subject Registry keys Hi gang – Does anyone have the XP needed registry keys to do any of the following:
- Disable network bridging
- Disable internet connection sharing
- Configure a wireless network and its settings
I’ve had varying degrees of luck finding info that works, so if anyone has successfully done any of these and is willing to share, I would appreciate it. Thanks! Michael Landry Quinnipiac University ___ You are subscribed to the ResNet-L mailing list. To subscribe, unsubscribe or search the archives, go to http://LISTSERV.ND.EDU/archives/resnet-l.html ___
Re: [WIRELESS-LAN] 802.1x- Who's doing it and how far along
- How many of you are using 802.1x as your primary production wireless security mechanism? 802.1x is required to obtain access to our wireless LAN in all locations.
- EAP type(s)? Primarily PEAP/EAP-MSCHAPv2, however we are likely going to add TTLS/PAP to that mixture soon to be able to support the new Linksys WET56Gv2 (802.1x capable wireless/wired bridge) and its 5 port sibling.
- RADIUS type? FreeRADIUS.
- Has anybody started down the 802.1x road, then bailed out with no intention of going back to it? Why? Absolutely not. Even our guest access requires 802.1x using a generated guest credential. This is mainly to keep accountability in our network resources, but limitations in the equipment helped to further this. :)
--Mike
Re: [WIRELESS-LAN] IAPP multicast storms?
Which firmware version and which platform are you using (AP-3, AP-4, etc?) --Mike

Matt Ashfield wrote: We're using Avaya AP's here and had a major multicast storm from one of our Access Points. The destination address was 224.0.1.76. Just wondering if anyone has seen such a problem before? Thanks Matt [EMAIL PROTECTED]
Re: [WIRELESS-LAN] IAPP multicast storms?
That model is equivalent to the Proxim AP-4000. We're not running the 2.6 code as we've had other problems with it and decided to hold back. One thing I think would be worth mentioning on this list is to keep a watch on your multicast IGMP allow lists at your network perimeters. One of the things you can view via the SNMP MIB that you can't see via the telnet or web interfaces is a list of other Proxim APs that the AP in question has been able to see or contact via IAPP. By walking this portion of the MIB, you should at least see all the APs on the same subnet as the AP in question. If you have multicast routing enabled, you should also see APs across subnet boundaries. The problem with this is that, in many cases, multicast routing is enabled across many institutions' I2 links and on the I2 backbone. As such, the AP-2000/4000s are able, and do, multicast their IAPP announcements to all members of that multicast group. I noticed a long time ago, kind of on a fluke walking that MIB, that I was seeing lists of APs from other institutions, and it struck me as odd. :) After a little research, I figured out what was going on and had that multicast group (224.0.1.76, IAPP) set up so group memberships wouldn't exist across our perimeter, thereby stopping us from seeing other institutions' AP lists and other institutions from seeing ours. I'm not sure that this is at all related to your problem, however it can cause your APs to have to keep up with a long list of IAPP neighbors, not to mention expose your APs' management interfaces to discovery. --Mike --- Michael Griego Wireless LAN Project Manager The University of Texas at Dallas

Matt Ashfield wrote: It is an Avaya Ap-8 running 2.60 code. It was spewing out about 50,000 packets/second! Seems to have stopped now. Nothing shows up in the logs.
Matt Ashfield Network Analyst Integrated Technology Services University of New Brunswick (506) 447-3033 [EMAIL PROTECTED]
Re: [WIRELESS-LAN] wireless authentication for Macintosh
We use 802.1x authentication with dynamic WEP encryption. For Mac OS X, we give the users instructions for configuring the 802.1x supplicant built into the OS. It requires Panther (10.3) or better, but it's worked pretty flawlessly for us. --Mike --- Michael Griego Wireless LAN Project Manager The University of Texas at Dallas

Jeffrey LeMay wrote: I am interested in knowing how other academic institutions authenticate their wireless users, particularly for Macintosh clients. At Ithaca College, we currently require wireless users to authenticate via an SSL VPN device (firepass from F5 Networks). This allows us to see who is using the wireless network (via the logs) and provides a level of security for the users as well. This solution works very well for Windows clients but Macintosh clients have experienced a number of problems. We have been working with F5’s technical support on the Mac problems for quite some time. Is there an alternative that we could look at? Do other institutions support SSL VPN for Macintosh clients?
Re: [WIRELESS-LAN] Radius Authentication
It really depends on the reliability of the connection. If you don't have any collisions or deferments that would require packet retransmission, then the authentication can appear to be instantaneous. If you have a pretty noisy environment, though, having to do a single retransmit can cause the authentication to take several seconds. It also depends on which authentication method you're using to some degree. Standard EAP-TLS based protocols will take longer because they have to exchange more packets, meaning more possibility for lost packets/retransmits. --Mike --- Michael Griego Wireless LAN Project Manager The University of Texas at Dallas

David Morton wrote: Depending upon the network and other variables I have seen it take anywhere from under one to several seconds. David

On Nov 30, 2005, at 7:41 AM, Tom Klimek wrote: Trying to determine an acceptable length of time it takes to authenticate a user from an AP to a Radius server. Length of time from radius Access-Request to Access-Accept ? Our experience is 1 - 2.5 seconds. Is this typical ? --Tom Klimek University of Notre Dame
Re: [WIRELESS-LAN] Proxim AP-4000, problems!
Good luck. We had a similar issue with the most recent revs of the AP-2000 firmware. The AP would lock up solid about once per day requiring a physical power reset of the device. We've had to hang back on the firmware revisions of those guys due to these various issues. It was about that time that Proxim stopped releasing any new firmware revisions for the 2000s. As to the 4000s, I've not noticed the problems you mention, but we're hanging back a few revs on the firmware for those guys too. We do use VLAN tagging, but not multiple SSIDs... we just use it currently to separate management traffic from user traffic. --Mike --- Michael Griego Wireless LAN Project Manager The University of Texas at Dallas

Philippe Hanset wrote: To respond to Mike, we use AP-4000. But not the controller yet. Which leads to my question: anyone else using the AP-4000 and noticing uncontrolled reboots on a daily basis? The AP-4000 was working fine until we enabled VLAN tagging and security/SSID (eg: nomad does unencrypted traffic and nomadx does 802.1x based traffic with dynamic WEP). Please let me know as we are trying to solve this issue with Proxim. Regards, Philippe Hanset University of Tennessee

On Wed, 9 Nov 2005, Michael Griego wrote: You are correct in your belief that these units are simply bridges. Proxim does have a new controller, though, that will turn our AP-4000 installations into a switched wireless infrastructure, similar to Airespace/Aruba/Meru deployments. I have not looked at this, however it seems possible that this box may be able to do NAT for the clients. --Mike

Matt Ashfield wrote: Hi All I'm using avaya ap-8's which is the same as the proxim4000 unit. A request came in to have the box act as a NAT box. I had thought this was not possible, but I see NAT listed as one of the options on a few sites on the Internet. Is anyone using these boxes, and if so, do you know if they have router/nat capabilities?
Thanks Matt [EMAIL PROTECTED]
Re: [WIRELESS-LAN] anyone using avaya ap-8 or proxim 4000?
You are correct in your belief that these units are simply bridges. Proxim does have a new controller, though, that will turn our AP-4000 installations into a switched wireless infrastructure, similar to Airespace/Aruba/Meru deployments. I have not looked at this, however it seems possible that this box may be able to do NAT for the clients. --Mike

Matt Ashfield wrote: Hi All I'm using avaya ap-8's which is the same as the proxim4000 unit. A request came in to have the box act as a NAT box. I had thought this was not possible, but I see NAT listed as one of the options on a few sites on the Internet. Is anyone using these boxes, and if so, do you know if they have router/nat capabilities? Thanks Matt [EMAIL PROTECTED]
Re: [WIRELESS-LAN] Wireless-only Dorms?
All of the issues listed here are great examples of the complex nature of designing an 802.11 environment with such stringent requirements. With only 3 channels, even if you plan very carefully and precisely control the output power of your APs, you're going to get channel overlap. This will further reduce your capacity due to the inherent collisions/retransmissions. Especially when you factor in the client devices. A client device transmitting on a channel will force any other device operating on the same channel that can hear it (APs included of course) to wait on it to complete its transmission before it can commence. So, you have to realize that, even though 2 APs may not be able to hear each other, a client card between them that can hear both of them will tie up available bandwidth on BOTH APs while it is transmitting. Further complicating matters is a situation where two clients connected to two different APs on the same channel can hear each other but not both APs. In such a circumstance, client 1 and AP 2 (the AP client 2 is connected to) may transmit simultaneously. When this happens the signals will interfere with each other upon reaching client 2, causing client 2 to be unable to decode the packet, forcing AP 2 to retransmit the packet. Complicated indeed! Guaranteeing signal strength and bandwidth allotments is extremely difficult. And, this totally ignores the problems inherent with outside interference or the fact that the environment (bookshelves, etc) changes on a regular basis, possibly forcing you to revisit your ever-so-finely-tuned RF plan. Interestingly enough, all these issues are also extremely relevant if you're interested in looking to deploy any sort of VoIP/WiFi (VoFi). I'd suggest that, if you're truly interested in providing coverage/bandwidth that takes a lot of these issues into account, you might want to take a look at the Meru Virtual AP architecture.
The controllers in these systems keep track of every 802.11 device each AP can hear and employ a pretty darn impressive scheduling algorithm for getting the most out of the available channel capacity. Not only that, but they actually control when clients are allowed to transmit, further removing unknowns from the RF use equations and improving channel usage and capacity. I believe they do this using the PCF, or Point Coordination Function, in the 802.11 spec... I've not seen any other wireless switch system that makes use of it near to the level that the Meru system does. It's pretty cool. We're in the process of deploying Meru as our second generation wireless overlay here at UTD, mainly to decrease the need for complex channel planning, individual AP configuration, and to support a future VoFi implementation. --Mike

Phil Raymond wrote: If someone forced me to assign a rule of thumb at this high level, I would assign a conservative data rate of 1 Mbps to each student as a requirement. For an 802.11g ONLY network running at the highest data rate (aka strongest signal) using enterprise class AP's (data thruput does vary between AP vendors, be careful here), you should expect to get 15-20 Mbps of upper layer thruput per AP. That would yield 15-20 students per AP. For 802.11a, this will probably hold. For 802.11g, due to the limit of 3 channels, you will get an overall reduction in capacity due to shared bandwidth between AP's in a densely deployed AP environment. Also, this assumes that you design the network for the highest signal strength - a very important point. In most instances this won't be possible due to the environment. Thus I would reduce the available bandwidth by 33% and say that 10Mbps is available. Hence I would go with the low end of 10Mbps available per AP. To take this to a lower level of analysis, I would want to know what applications the students would be running.
Perhaps you use the analogy of a low end DSL connection that provides 768Kbps downlink and 128kbps uplink. Then you stick with the 1 Mbps/student and assume it supports most if not all applications they will use. You might also consider a swag at peak operating times (evenings) and assume ~50% of the available students are online (simple queuing theory assumption). Then you could say that a single AP would cover minimally 20 students. There is my rule of thumb at this high level. I would consider it conservative if you design the network properly. In a typical dorm with a lot of walls (and bookcases...), you will probably find that your coverage requirements and capacity requirements will be in alignment (and thus balanced). What I mean by that is that you will find that in order to provide a good signal in a dorm environment you will need to place a denser AP deployment (due to the thick walls, etc.). This means that as a consequence your capacity will also be increased due to the denser deployment. Other factors not considered here are the use of client cards. Performance
Re: [WIRELESS-LAN] 802.1x Active Directory GPOs
Are you using IAS for your RADIUS server? If so, what you may be running into is just Windows XP's helpful bring-the-login-box-up-before-the-network-is-ready feature. Windows 2000 and below wouldn't show you the login box until the network connections had been completed, however Windows XP will show it before it's done. This, combined with eager users, means that a login attempt will occur before the machine can contact a domain controller, resulting in the use of cached credentials, etc. Unfortunately I can't remember or put my finger on the document that lists the exact registry key at the moment, but there is a registry key in XP that you can set that will change the behavior so that the login window is *not* displayed until XP has brought up all the network connections, including 802.1x authenticated connections. --Mike

Katie Rose wrote: At Notre Dame, we're finding some issues when using 802.1x on computers that belong to our Active Directory domain. The authentication to access the wireless network appears to happen after the user has actually logged into the computer, so some GPOs to manage the computer don't get applied properly during login. Is anyone else seeing this issue? If so, how are you handling it? Thanks in advance, Katie Rose University of Notre Dame - OIT
Re: [WIRELESS-LAN] Apple Airport 4.2 software
Indeed, the same issue exists with a cert signed by a public CA (VeriSign in our case). The way I found to fix the issue for now is to go into the user's Keychain (via the Keychain Access utility), find the certificate being used for the network in the login keychain. Open it up and scroll to the bottom. Under the Trust Settings area, you can change the EAP trust setting to Always Trust. Once I did that, it stopped asking me to keep trusting the cert every time I connected. It seems they've made the default policy on certs to be ask on every use unless it matches some magic criteria. The Help file for the Keychain Access utility notes that this magic criterion is that EAP certs have to match the DNS hostname of the server. I'd sure like to know how they expect to verify that the DNS hostname of the server matches the certificate when they don't have any network connectivity to do DNS lookups!

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

Michael Griego wrote:
I'll test it later today and report back. We're using a VeriSign-signed cert.

--Mike

King, Michael wrote:
Hmm.. Anyone have a Verisign/Thawte/Somebody top-level CA and a Mac to test this on? We're self-generated CAs here as well, so this will be a problem for us as well.

-Original Message-
From: Julian Y. Koh [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 14, 2005 5:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Apple Airport 4.2 software

-BEGIN PGP SIGNED MESSAGE-

Apple released version 4.2 of their Airport software today. Most notably, it adds WPA2 support. However, after applying the update to my Mac OS X 10.3.9 laptop, I can no longer get it to trust the test certificates that we generated for testing out 802.1X and EAP-PEAP. Earlier today with the Airport 4.1.1 software, everything was fine after I imported the test root certificate and accepted the server cert.

I can get connected now with the 4.2 software, but the computer asks me every time to verify the server certificate, claiming that the root certificate is untrusted.

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.0.1 (Build 2185)
Comment: http://bt.ittns.northwestern.edu/julian/pgppubkey.html

iQEVAwUBQtbPky5elU+tqml1AQGTGQgAp1xRhzTt+pYvZkzCnVSGruZ0yCXFZntp
C3zSSKl1wm/WTYLFFZua8fEthk4D8xxznC0ju6qIvfVx0JOKCOdWMikPDNa3UJQA
F6uI3pColUol+zIbXQpbpGu3pwG1CNm/QE2ZhaJIMnF5yekWhUN2i0zptoGTZYPx
svFB0163FTAIlJ6lSbP3vRidrPQE8hkoXC5dfdF/6Dior+GJQh97P92Hi+D3UVub
9dqR0qXTw0gcGFbB05dYZnHy1qQbIQxRdK5aqyRvnC7LfP2D68Km01ER5URuOErR
3OOfHuP1bQPSqod14mgbWsiSk17Aisti0kBTSsn3vcs9lJXsQlY0aw==
=hf7O
-END PGP SIGNATURE-

--
Julian Y. Koh mailto:[EMAIL PROTECTED]
Network Engineer phone: 847-467-5780
Telecommunications and Network Services
Northwestern University
PGP Public Key: http://bt.ittns.northwestern.edu/julian/pgppubkey.html
Re: [WIRELESS-LAN] Peap info
That's great news! Awesome work on getting them to figure out the problem! It's not quite what I expected, but it's very good news that they've found the reason for it. Now, I wonder if the same is true for IAS...?

--Mike

King, Michael wrote:
> One quick warning here. Be very careful about running Steel Belted RADIUS on Windows doing domain authentication or IAS in an environment where the machines authenticating via 802.1x are *not* domain member machines with users logging in via domain accounts. The builtin WinXP supplicant refuses to reprompt the user for his new password if his domain password is changed. It keeps trying to auth with the old password, resulting in an eventual account lockout. You have to actually remove the registry key that contains the cached network credentials to get the machine to stop attempting to auth with the bad credentials. The only ways to get around this are to a) make sure all machines are domain members and the users are logging in with their domain accounts or b) don't use IAS or SBR. We use FreeRADIUS, and we don't have this problem with our student laptops.

Michael, I have spoken extensively with Funk Software, and have managed to delve into why this is different between FreeRadius and Steel Belted Radius.

FreeRadius - When a password is bad (fail MS-CHAPv2), the FreeRadius server will send an EAP-Failure inside the EAP-PEAP tunnel, then send a second payload of an EAP-Failure.

Steel-Belted Radius - When a password is bad (fail MS-CHAPv2), the SBR server will ONLY send an EAP-Failure; it will not send the EAP-Failure inside the EAP-PEAP tunnel. Basically, it skips a step.

Apparently, the EAP-Failure inside the EAP-PEAP tunnel is what triggers the XP client to recognize that the password is wrong and that it should reprompt. Funk has told me they will open a case with engineering to have it addressed in their code, but I have no timetable. Maybe if people using Funk products would call them and push them for the same problem I did, it might get a little more of a push.

Michael King
Bridgewater State College
Re: [WIRELESS-LAN] Peap info
checkbox in the EAP setup in Windows and leaves the Domain field blank when providing his username and password. In the case where the windows credentials *are* used, I actually believe it presents the identity in DOMAIN\username for both the outer and inner authentications.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Re: [WIRELESS-LAN] Peap info
Chris Hessing wrote:
> Assume for a second that you decide the right way to go is to purchase server certificates from Verisign. The client is probably going to already have a copy of their public root CA on their machine. During the TLS phase of the authentication, the client will verify that the server certificate was signed by Verisign.

Right. This is indeed the correct way to do it.

> So, assume that the bad guy also purchases a certificate from Verisign. If he provides the certificate to the client, the client will check that it was signed by Verisign, which it is, so he will go ahead and authenticate. (There is a but coming...)

I hope there's a but coming, because if that's all you're verifying, then you do indeed have a problem... :)

> So now you have the TLS tunnel established between the client and the bad guy AP. The bad guy then establishes a TLS tunnel with the real AP, and just bridges data from the client through the tunnels. Since there is nothing inside the tunnel that ties itself to the establishment of the tunnel, the real AP happily authenticates the bad guy. The bad guy is then free to do whatever that user is allowed onto the network.
>
> So, the issue of checking validity. If all you are doing is checking validity by making sure that the certificate presented to you is signed by some chain that goes back to the proper CA, then this attack still works. In order to make it so this attack doesn't work, you need to find another way to verify that the server is who they say it is. The best way I have seen is to require that the CN in the certificate match the server name that is handing it out. But, since the client can't do anything on the network until they have authenticated, they have a chicken-and-egg problem. So, this is why you have the option of specifying a server name when you configure PEAP or TTLS. That way you can say that if the CN isn't myserver.foo.com, or at least ends in foo.com, then I should disconnect because the AP I am speaking to isn't who they claim to be.

Bingo. When I said if you are not setting up your clients to verify the network cert, I meant verifying the CN or subjectAltName as well. If you're so inclined, check out http://www.utdallas.edu/ir/cats/network/wlan/8021x/winxp/index.html. These are the instructions we give our students. You'll find in there that we do indeed tell our students to make sure to set the allowed servers field to the CN of our VeriSign cert. To not do so would be allowing the kind of attacks you are talking about. In the end, we're on the same page.

> So, what I was trying to point out is that 802.1X isn't a magic bullet. You need to make sure that best practices are in place (and followed) in order to keep your users safe. Unfortunately, the users have the ability to change their configuration in a way that makes them vulnerable. So this may not be an optimal situation.

It's the best bullet if appropriate practices are followed as outlined above. As to the users changing their configuration to make them vulnerable, that will be true as long as we have users. In any system, VPN included, users must trust the other end. Either they need to be told who and how to trust, or they will just end up trusting anyone.

> The other alternative is to roll your own root CA. This way it could be harder for the bad guy to get a valid server certificate. (Assuming you have good protections in place.) However, that also leaves room for screwing that up (I have had long discussions with security people about the pros and cons of rolling your own in this case), and requires that you distribute a new root CA certificate to everyone that wants to get on your network. Too much of a headache. :)

You don't have to put yourself through that.

--Mike
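The exchange above comes down to one rule: a supplicant must check the server name (CN or subjectAltName) in addition to the CA chain, because the chain check alone accepts any certificate the public CA issued. The following is an added example (not code from the thread, and not from any supplicant) modelling that "connect to these servers" check. Certificates are plain dataclasses with constructed sample values instead of parsed X.509, the trusted root name, server names and allowed-list entries are assumptions, and `chain_is_trusted` is a labelled simplification of chain validation. The one detail worth studying is `dns_name_matches`: "ends in foo.com" has to be checked on a label boundary, or a look-alike name like `evilfoo.com` would pass.

```python
"""Supplicant-side acceptance of a RADIUS server certificate.

Added example; not from the thread or from any real supplicant. It models the
"connect to these servers" setting: chain validation alone accepts any cert
the public CA issued, so the server name must be pinned as well. Certificates
are simple dataclasses with constructed values so the example runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable

# Constructed sample: the public root the client already trusts (assumption).
TRUSTED_ROOTS = {"Example Public Root CA"}


@dataclass
class ServerCert:
    subject_cn: str
    issuer: str
    san_dns: list[str] = field(default_factory=list)   # subjectAltName dNSName entries


def chain_is_trusted(cert: ServerCert) -> bool:
    """Simplified stand-in for chain validation: issuer must be a trusted root."""
    return cert.issuer in TRUSTED_ROOTS


def dns_name_matches(name: str, pattern: str) -> bool:
    """Exact match, or suffix match on a label boundary.

    "radius.foo.com" matches the pattern "foo.com"; "evilfoo.com" does not,
    which a plain str.endswith() check would get wrong.
    """
    name = name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    return name == pattern or name.endswith("." + pattern)


def server_name_allowed(cert: ServerCert, allowed: Iterable[str]) -> bool:
    """True if the CN or any SAN dNSName matches one of the allowed patterns."""
    names = [cert.subject_cn, *cert.san_dns]
    return any(dns_name_matches(n, p) for n in names for p in allowed)


def accept_server(cert: ServerCert, allowed: Iterable[str],
                  verify_name: bool = True) -> tuple[bool, str]:
    """Decide whether the supplicant should continue the PEAP/TTLS handshake."""
    if not chain_is_trusted(cert):
        return False, "issuer not trusted"
    if verify_name and not server_name_allowed(cert, allowed):
        return False, "server name not in allowed list"
    return True, "ok"


if __name__ == "__main__":
    allowed = ["radius.foo.com"]   # assumption: the name configured in the client
    legit = ServerCert("radius.foo.com", "Example Public Root CA")
    # Same public CA, different name: only the name check tells them apart.
    rogue = ServerCert("ap.attacker.example", "Example Public Root CA")
    print("legit, name check on :", accept_server(legit, allowed))
    print("rogue, name check off:", accept_server(rogue, allowed, verify_name=False))
    print("rogue, name check on :", accept_server(rogue, allowed))
```

With `verify_name=False` the rogue certificate is accepted, which is exactly the situation Chris describes; with the name check on it is refused before any inner credentials are sent.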
Re: [WIRELESS-LAN] WinXP 802.1x and password changes
Actually, a packet capture would likely be of little use. What's most likely different in the response from a FreeRADIUS server versus an IAS server (that manifests itself in the does-a-user-get-a-password-prompt question anyway) is the MSCHAPv2 response. Since this response is tunneled inside TLS, a packet capture would not show anything useful.

--Mike

King, Michael wrote:
Anyone have FreeRadius? I'm sure this can be answered with a packet capture. (The message the client is receiving)

-Original Message-
From: 802.11 wireless issues listserv [mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Monday, April 25, 2005 3:56 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Are you running SBR on Windows doing full domain authentication? I wouldn't be surprised if SBR on Windows doing domain authentication is using some of the same API services that IAS is, causing it to have the same difficulty.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

King, Michael wrote:
Interesting. I joined the list just because of this issue. I'm running on Funk SBR and it does not appear that the client is prompting for a new password. Could it be in the answerback that the radius server is sending?

-Original Message-
From: 802.11 wireless issues listserv [mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Monday, April 25, 2005 2:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

I attended Mike Griego's excellent online webinar today (courtesy of EDUCAUSE), and he said that with FreeRADIUS the WinXP client properly prompts for a new password to be entered, which is not the case with IAS. Can anyone else confirm that?

Frank

-Original Message-
From: 802.11 wireless issues listserv [mailto:[EMAIL PROTECTED] On Behalf Of Frank Bulk
Sent: Tuesday, January 25, 2005 10:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Can Mike and Katie report to the group what kind of access points and software revisions they are running? My aide in this diagnosis suspects it could be some kind of communication flow between the AP and the client that causes some WLAN systems to prompt for the credentials and others not to.

Regards,
Frank

-Original Message-
From: 802.11 wireless issues listserv [mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Tuesday, January 25, 2005 10:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

No problem. If the credentials they use to log in to their personal machines match (username and password only... domain/machine name is discarded), then they can leave the "use my Windows login" box checked. I have tested this and it does work. Of course, if the credentials get out of sync (perhaps by a password change in AD), then I suppose it would produce the symptoms seen by Katy. Removing the credentials cache key in the registry, however, would not solve this problem. Anyway, we don't tell our users to do this. With the "use my Windows login" unchecked, even if the credentials happen to match, I have never seen the XP supplicant *not* ask for credentials, so they should get asked for their username and password in this scenario regardless.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

Frank Bulk wrote:
Mike: My apologies for misunderstanding your response. What happens if their personal credentials match the network credentials?

Frank

-Original Message-
From: 802.11 wireless issues listserv [mailto:[EMAIL PROTECTED] On Behalf Of Michael Griego
Sent: Tuesday, January 25, 2005 8:50 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WinXP 802.1x and password changes

Frank, I very much understood Katy's question. As for us, this is an issue we simply have not run into. I have always seen the XP supplicant re-ask for credentials if its attempts to use cached credentials fail. That's why I provided the link to our setup pages, in case our client setups differed from hers in any way that could be helpful. The only time our help desk staff have had to perform the registry key removal is if they have used their personal credentials to test authentication and succeeded, causing the user's laptop to cache those credentials.

--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

Frank Bulk wrote:
Mike: Katie's question is not if 802.1x can be rolled out with AD, but what's challenging her is that upon changing the password the user is not re-asked for their credentials. Is that an issue you've been able to overcome?

Regards,
Frank

-Original Message-
From: 802.11 wireless issues listserv [mailto
Re: [WIRELESS-LAN] Q: external antenna pigtail suggestions
Hyperlink Technologies sells pigtails for the Proxim AP-4000s (which I think is the same as the Avaya AP-8). That's where we've gotten ours from. http://www.hyperlinktech.com N male and N female are standard, but I think you can get RP-SMA and RP-TNC as well.

--Mike

David Boyer wrote:
We're using Avaya AP-8 A/B/G access points and we're looking to add external antennas (Pacific Wireless TriBand APXtender) in some locations. I need pigtails that have Mini-SMB on one end and either RPSMA or RPTNC on the other end. Does anyone know where I can find these or suggest a company that can make them? TIA!
Re: [WIRELESS-LAN] anyone try an ap-8 yet?
It's the same product as the Proxim AP-4000. If you're using the Proxim/Avaya equipment, then the AP-4000 is a good upgrade. The .11G performance in my testing has been more solid than the performance of the .11G upgrade kit for the AP-2000 (Avaya AP-3). Other than that, the management interface is identical to the AP-2000/AP-3. Having antenna connectors for the .11A side is a nice new feature of the 4000s/8s.

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

On Mon, 2004-07-26 at 08:23, Matt Ashfield (UNB) wrote:
Hi All
We currently use Avaya's Access Points on our campus, and the latest product they've released is the AP-8. I've read the pdf's and heard the supplier's details, but just thought I'd ask this group if anyone has used it and if so, what are their impressions? Any info you can provide is greatly appreciated.

Thanks
Matthew Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
Re: [WIRELESS-LAN] anyone try an ap-8 yet?
http://www.hyperlinktech.com/web/antennas_5800.php

It's always legal to use an external antenna as long as the EIRP does not exceed regulations (36 dBm, or 4 watts normally). The FCC has, however, added extra regulations in recent years pertaining to who can purchase amplifiers. End users are required to purchase amplifier/antenna kits so as to not exceed EIRP limits.

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

On Mon, 2004-07-26 at 12:00, Chris Hessing wrote:
I find the 802.11a antenna connection to be interesting. I have had several vendors give me different stories about 802.11a antennas on APs. Does anyone know if using the 802.11a antennas is legal in the US? (Or was the port put on there for use by other countries.) And if it is legal, where can you get antennas for it? I spoke with Maxrad at Interop, and they didn't seem to have any antennas that would do it.

Thanks!
--
Chris "Spanky" Hessing
Networking
University of Utah
[EMAIL PROTECTED]
Marriott Library
Friends are people that know everything about you, but love you anyway.

On Mon, 26 Jul 2004, Michael Griego wrote:
It's the same product as the Proxim AP-4000. If you're using the Proxim/Avaya equipment, then the AP-4000 is a good upgrade. The .11G performance in my testing has been more solid than the performance of the .11G upgrade kit for the AP-2000 (Avaya AP-3). Other than that, the management interface is identical to the AP-2000/AP-3. Having antenna connectors for the .11A side is a nice new feature of the 4000s/8s.

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

On Mon, 2004-07-26 at 08:23, Matt Ashfield (UNB) wrote:
Hi All
We currently use Avaya's Access Points on our campus, and the latest product they've released is the AP-8. I've read the pdf's and heard the supplier's details, but just thought I'd ask this group if anyone has used it and if so, what are their impressions? Any info you can provide is greatly appreciated.

Thanks
Matthew Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
Re: [WIRELESS-LAN] VLAN spanning on Cisco wireless nets
The MAC Miniport Bridge adapter on XP can be enabled quite easily by accident. It is *not* enabled by default. A user can enable it by right-clicking on a physical adapter in the Network Connections folder and choosing Bridge Connections. It is also quite easy to enable it by accident in the Wizard that sets up a network connection. I suspect a lot of uninformed users get caught in the latter of these two.

Usually, we don't have any problems when we find an offending machine. We find a way to get the user's attention by disabling his network access; then, when he calls our helpdesk, they walk him through removing the bridge.

Another related scenario we've run into here is users who have set up Internet Connection Sharing *backwards*. This causes them to start handing out 192.168 DHCP leases onto our network, then routing the traffic for the poor unfortunate souls who get these addresses through their machines. We've had users who run into one of these two scenarios that wonder why their connections were so slow; then, when they realize it's because they've been bridging traffic through their machines for 50 or so other people, they begin to understand.

--
--Mike
--
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

On Wed, 2004-06-23 at 09:56, Metzler, David wrote:
Thanks for this! We are needing to pursue this same setup for similar reasons. Can you tell me whether the XP bridging adapter is on by default, or is this something that people turn on to share their internet connection with another computer? What is your policy once you find the offending machine?

David Metzler
Network Services
The Evergreen State College
360-867-6728
[EMAIL PROTECTED]
http://www.evergreen.edu/netservices
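The backwards-ICS case described above is easy to spot once you watch DHCP offers on the segment: a legitimate campus server hands out addresses from a known pool, while the misconfigured laptop answers from 192.168.x.x. The following is an added example (not code from the thread or from any product) that flags such offers. The input lines are constructed, in a simplified one-offer-per-line summary (server IP, server MAC, offered address); in practice they would come from a packet capture or from switch DHCP-snooping logs. The authorized server address and the campus pool are assumptions.

```python
"""Flagging rogue DHCP servers from a list of observed DHCP offers.

Added example; not from the thread or from any product. Input is a constructed
one-offer-per-line summary. The authorized server and the campus pool are
assumptions standing in for a real site's values.
"""
import ipaddress
import re

AUTHORIZED_SERVERS = {"10.1.0.5"}                       # assumption: the campus DHCP server
CAMPUS_POOLS = [ipaddress.ip_network("10.1.0.0/16")]    # assumption: legitimate lease range

# Constructed summary format: OFFER server=<ip> mac=<server mac> yiaddr=<offered ip>
OFFER_RE = re.compile(r"^OFFER server=(?P<srv>\S+) mac=(?P<mac>\S+) yiaddr=(?P<ip>\S+)$")

# Constructed sample: two offers from the real server, two from a laptop
# running ICS backwards and leasing 192.168 addresses onto the campus LAN.
SAMPLE_OFFERS = """\
OFFER server=10.1.0.5 mac=00:50:56:aa:bb:01 yiaddr=10.1.23.77
OFFER server=192.168.0.1 mac=00:0c:29:12:34:56 yiaddr=192.168.0.101
OFFER server=10.1.0.5 mac=00:50:56:aa:bb:01 yiaddr=10.1.23.78
OFFER server=192.168.0.1 mac=00:0c:29:12:34:56 yiaddr=192.168.0.102
a malformed line that must be ignored
"""


def parse_offer(line):
    """Return a dict for a well-formed OFFER line, else None."""
    m = OFFER_RE.match(line.strip())
    if not m:
        return None
    try:
        yiaddr = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    return {"server": m["srv"], "mac": m["mac"], "yiaddr": yiaddr}


def find_rogue_servers(text):
    """Group suspicious offers by the offering server's MAC address.

    An offer is suspicious if the server is not on the authorized list or the
    offered address lies outside every campus pool. A backwards ICS setup
    trips both tests, which is why both reasons are recorded.
    """
    findings = {}
    for line in text.splitlines():
        offer = parse_offer(line)
        if offer is None:
            continue
        reasons = set()
        if offer["server"] not in AUTHORIZED_SERVERS:
            reasons.add("unauthorized server")
        if not any(offer["yiaddr"] in pool for pool in CAMPUS_POOLS):
            reasons.add("address outside campus pools")
        if reasons:
            entry = findings.setdefault(
                offer["mac"], {"server": offer["server"], "leases": [], "reasons": set()})
            entry["leases"].append(str(offer["yiaddr"]))
            entry["reasons"].update(reasons)
    return findings


if __name__ == "__main__":
    for mac, info in find_rogue_servers(SAMPLE_OFFERS).items():
        print(f"{mac} ({info['server']}): {len(info['leases'])} lease(s); "
              f"{', '.join(sorted(info['reasons']))}")
```

Keying the findings on the server MAC rather than its IP is deliberate: the 192.168.0.1 address is the same on every misconfigured ICS machine, while the MAC identifies the specific laptop the helpdesk needs to call.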
Re: [WIRELESS-LAN] client roaming
You can change the allowed data rates on the AP. If you have plenty of coverage, changing this to only allow the highest data rates will force a client to roam faster than if he can step down his data rate and stay on the current AP longer.

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas

On Fri, 2004-03-26 at 08:47, James Savage wrote:
Hi, We use Cisco 350/1100s exclusively and our users, of course, use many different types of cards/clients. I've noticed, when walking around, some clients like to hang on to the 'current' AP longer than others before roaming to a closer (stronger signal) AP. It also seems that some roam quicker when they generate traffic rather than just sitting idle. Are there adjustments that can be made from the AP side to optimize this, or is it strictly a client issue?

..thanks in advance..J

James Savage                          York University
Senior Com. Tech.                     108 Steacie Bldg.
[EMAIL PROTECTED]                     4700 Keele Street
phone: 416-736-2100 ext.22605         Toronto, Ontario
fax: 416-736-5701                     M3J 1P3, CANADA
Re: [WIRELESS-LAN] RAD - now what?
On Tue, 2004-03-16 at 11:51, Philippe Hanset wrote:
(I wish that Proxim would include the Signal Strength of the rogue AP detected...I made a request to them...let's hope for the next software release)

I also wish they'd include the ESSID and a few other wireless bits (such as whether WEP is enabled). If a user is broadcasting our official ESSID on a rogue access point, I'd really like to know so I can pay him a visit ASAP.

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Re: [WIRELESS-LAN] Authentication Gateways and Windows Domains
I believe there is also a domain authentication passthrough piece to Bluesocket. One thing we've used to get around this is allowing unregistered users to pass packets to our VPN server. They then use the Cisco VPN software to start the tunnel before they perform the Windows logon process. This allows the users to still authenticate in *some* way (VPN) while still allowing the NT auth process to take place.

--Mike

On Thu, 2004-01-22 at 09:39, Michael Dickson wrote:
Interesting problem. One thing to try (security issues notwithstanding) is to grant access to the appropriate windows services in the Un-registered role. This is the first role a user is put into before they actually authenticate. Maybe windows authentication is sufficient, and adding the appropriate policy to the Un-registered role would be ok. Your call. We do not have a campus wide windows authentication policy. Maybe that's why we do not hear of any complaints on this.

***
Michael Dickson                 Phone: 413-545-9639
Network Analyst                 Fax: 413-545-3203
University of Massachusetts     Email: [EMAIL PROTECTED]
Network Systems and Services
***

Colleen Szymanik wrote:
We have been testing the Bluesocket wireless authentication gateway which uses a web intercept model for authentication purposes. We have had some complaints from windows users because they cannot connect to network drives (windows attempts this connection at startup) because they still have to authenticate. We have also had issues authenticating a new user using windows domains since the computer cannot see the network domain itself without first being authenticated (not an issue if it's been cached). Has anyone else experienced this or have some type of work around?

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Re: [WIRELESS-LAN] wireless health risks
My standard response to something like that goes something like this:

A standard wireless NIC in your laptop computer transmits at roughly 30 mW, a minuscule amount of energy. Your cellphone, on the other hand, transmits up to 600 mW. That's 20 times the energy being radiated right next to your brain. How worried are you about holding that cell phone near your head? Not only that, our wireless LAN access points also transmit at the same 30-60 mW range. Cell phone basestations, on the other hand, routinely transmit at around 100 WATTS (not milliWatts).

The bigger of the two points, though, is the first one. The amount of radiated energy is much less from a standard off-the-shelf wireless NIC than your cell phone. Many, many people are using cell phones these days.

--
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
Re: [WIRELESS-LAN] 802.1x in WLAN design
On Mon, 2003-08-25 at 16:18, Philippe Hanset wrote:
As an add-on to Dewitt's question: If you use 802.1x with another solution for encryption, how do you solve the catch-22 problem of registration? (The 802.1x client needs to have an entry in the database before it can reach the network; how do you register if you cannot reach the network?)

My approach to this was going to be to set up a standalone AP by our help desk (and possibly a couple of others in hot locations) with open settings (broadcast SSID, no encryption, anyone can associate) on private IP space with no routing (on a non-routed VLAN). The only accessible thing on that AP will be a web page with an enrollment application, accessible through transparent proxy (much like Bluesocket and such use for the logins). This would be only for enrollment of your 802.1x TLS certificate. Once you get that, you reconfigure for the true wireless LAN, and off you go.

--
--Mike
Michael Griego
Wireless Network Administrator
University of Texas at Dallas
Re: [WIRELESS-LAN] Monitoring user connectivity to base stations
Using SNMP, you can monitor user associations on the Cisco 1200 series APs (and, I assume, the 350s since you can see them in the web interface). The Avaya AP-1000s also have a portion of the MIB where you can see who is currently associated with the AP. The AP-2000s, though, seem to lack this feature. This is very frustrating for me as I like to track this information as well. MRTG is well suited to this as well since it relies on SNMP to get its statistics. I don't know the OIDs off the top of my head for the AP-1000s, but I can find them if you'd like. Also, I'd appreciate help beating up Proxim to add this functionality to their APs. I like the AP-2000s, but it's very unnerving to not even be able to track the associations on the AP when just about every other enterprise-class AP on the market will do this, and their own older models will do this.

Anyway, MRTG is designed to poll SNMP devices every so often and pull whatever statistics you tell it, so you can tell it to monitor the OIDs of the client association table and have it create time-based graphs of this data.

--Mike
---
Michael Griego
Wireless Network Administrator
University of Texas at Dallas

On Mon, 2003-03-31 at 17:02, Phill Solomon wrote:
Hello, I am seeking feedback about how different universities are monitoring wireless base stations. Here at the University of Melbourne we currently have around 65 Avaya AP-3 and around a dozen Cisco Aironet 350, and a handful of AP-1000s. What I would like to do is to produce MRTG style graphs for each base station showing how many users are connected and when. This will show where the most popular locations are and at what times. Are others doing this? Are there commercial products / tools available that can do this? Can it be done over different platforms?

Thanks in advance,
Phill Solomon

More information about our Wireless network MUWIRELESS http://www.infodiv.unimelb.edu.au/wireless

Phill Solomon
Networks - Systems and IT Infrastructure - Information Division
University of Melbourne
Phone 834 48804 Fax 9347 4804
[EMAIL PROTECTED]
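MRTG can only graph a number it can read, and an association table is a set of rows rather than a single counter, so the usual approach is an external script that walks the table and prints the row count in MRTG's four-line format. The following is an added example (not code from the thread, from MRTG, or from any AP vendor). The association-table OID is a placeholder to be replaced with the one from your AP's MIB, the `snmpwalk` output is constructed so the parsing can be exercised offline, and `walk_ap` shells out to net-snmp's `snmpwalk` when run for real.

```python
"""Counting associated stations from an AP's SNMP association table, in the
four-line output format MRTG expects from an external target script.

Added example; not from the thread, MRTG or any vendor MIB. ASSOC_TABLE_OID is
a placeholder; the sample walk output is constructed for offline use.
"""
import subprocess
import sys

ASSOC_TABLE_OID = ".1.3.6.1.4.1.PLACEHOLDER.1.1"   # placeholder, not a real OID

# Constructed sample of `snmpwalk -On` output: one row per associated station,
# indexed by the station MAC. Long values wrap onto continuation lines that
# carry no " = " separator, which the parser has to skip rather than count.
SAMPLE_WALK = """\
.1.3.6.1.4.1.PLACEHOLDER.1.1.1.0.17.34.51.68.85 = Hex-STRING: 00 11 22 33 44 55
.1.3.6.1.4.1.PLACEHOLDER.1.1.1.0.17.34.51.68.86 = Hex-STRING: 00 11 22 33 44 56
.1.3.6.1.4.1.PLACEHOLDER.1.1.1.0.17.34.51.68.87 = Hex-STRING: 00 11 22 33 44 57
00 00
"""

# Constructed sample of an agent that does not implement the table at all.
NO_DATA_WALK = ".1.3.6.1.4.1.PLACEHOLDER.1.1 = No Such Object available on this agent at this OID\n"


def count_table_rows(walk_output):
    """Number of distinct OIDs returned, i.e. rows (stations) in the table.

    A "No Such Object"/"No Such Instance" reply means the agent has no such
    table (the AP-2000 situation above), not one station, so it is not counted.
    """
    rows = set()
    for line in walk_output.splitlines():
        if " = " not in line:
            continue                      # continuation line of a wrapped value
        oid, value = line.split(" = ", 1)
        if value.startswith("No Such"):
            continue
        rows.add(oid.strip())
    return len(rows)


def walk_ap(host, community, oid=ASSOC_TABLE_OID):
    """Run net-snmp's snmpwalk against one AP and return its raw text output."""
    result = subprocess.run(
        ["snmpwalk", "-v2c", "-On", "-c", community, host, oid],
        capture_output=True, text=True, check=True)
    return result.stdout


def mrtg_lines(count, name):
    """MRTG external targets print four lines: in value, out value, uptime, name.

    The same count is used for both values so a single-line graph results.
    """
    return [str(count), str(count), "unknown", name]


if __name__ == "__main__":
    # Usage: assoc_count.py <ap-host> <community>
    ap_host, ap_community = sys.argv[1], sys.argv[2]
    stations = count_table_rows(walk_ap(ap_host, ap_community))
    print("\n".join(mrtg_lines(stations, ap_host)))
```

In mrtg.cfg the script is referenced with MRTG's backtick target syntax, for example `Target[ap1]: \`/usr/local/bin/assoc_count.py ap1.example.edu public\`` (path, host and community being assumptions), together with `Options[ap1]: gauge` so MRTG plots the count as an absolute value rather than differencing it like a byte counter.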
Re: [WIRELESS-LAN] Wireless Network Hubs Article Washington Post.
We use the Tsunami point-to-multipoint system out here to connect several phases of our on-campus apartments to the campus backbone. Minus a lightning storm that took out some of the equipment, we've had pretty good luck with them so far. Just remember that on the multipoint system the bandwidth (60 Mbps in our case) is time sliced between all of the subscribers, so it's not 60 Mbps to each building, but 60 Mbps combined bandwidth.

--
--Mike
Michael Griego
Wireless Network Administrator
University of Texas at Dallas

On Thu, 2002-10-10 at 10:50, Scott Genung wrote:
All, Is anyone evaluating or using the Tsunami multipoint products from Proxim (was Western Multiplex)? We are just starting to chat with them about the possibility of evaluating this product as a candidate for creating a wireless MAN using one of our residence halls as a mounting point. I'm intrigued by the technology but I'd like to hear about anyone's experiences with it before we get too far down the path.

Scott Genung
Manager of Networking Systems
Telecommunications and Network Support Services
124 Julian Hall
Illinois State University
(309)438-8731
http://www.tnss.ilstu.edu
Re: [WIRELESS-LAN] Question about fluctuating transmit rates
We have quite a number of AP-2000s running in our student housing and on-campus areas... I've never seen them spontaneously reboot, and most of them do indeed have two cards in them. I did run into a problem where their hardwire connection would get extremely slow (1-4 *second* ping times if it didn't drop the packet), but upgrading the firmware to 1.4 seems to have cleared that up somewhat. I only finished the upgrade last week, but I haven't seen any of them do it since then, so that's a good sign.

--Mike
Michael Griego
University of Texas at Dallas

On Wed, 2002-10-02 at 09:39, Philippe Hanset wrote:
Matt, We have experienced this with clients joining AP-2000 (I assume that AP-2 is the same as AP-2000... I always got lost with the AVAYA/AGERE/ORINOCO/PROXIM naming mess) with D-Link and Linksys cards. Even though their signal strength shows in the 30 dB SNR, their transfer rate is in the 1 Mbps range... A trouble ticket has been submitted to PROXIM (or will be!) We also noticed that AP-2000s with 2 cards in them self-reboot on a random basis. Have you tried the new code release? Does this occur with Lucent cards as well?

Philippe Hanset
University of Tennessee

On Tue, 1 Oct 2002, Matt Ashfield (UNB) wrote:
Hi All, I'm not sure if this list is still active, but thought I'd throw out a question here. I have some Lucent AP-2's installed in a building and users are complaining things are either very slow, or they sometimes have problems logging on. I took a laptop up with a wireless client and did some testing. It seems that the transfer rate between laptop and Access Point is pretty much always fluctuating from 1 to 2, to 5 to 11 Mbits/sec. I don't seem to have a lot of noise based on what the client software tells me. Has anyone seen this? My guesses are at the following:
- A flaky card in the Access Point itself.
- The positioning of the Access Point. The access point is mounted on the side of the wall, with the lights facing downward towards the floor and therefore the cards facing upwards. I'm wondering if this may cause some of the problem.
- We do have 2 cards in the Access Points. The channels are separated as best as possible, but it's possible some leakage from upper floors may be causing interference. Should I play with the Distance Between AP's setting if I have two cards in the one AP?
Any advice/comments you could offer would be much appreciated.

Cheers
Matt Ashfield
[EMAIL PROTECTED]
