RE: ArubaOS 8.5.0.9 Clients not getting an address

2021-07-08 Thread Michael Holden
If you’re using a LACP link between the controller/MD and the uplink switch 
double check that LACP signaling is correct.
We’ve seen this with at least one switch vendor where the LAG showed up, but 
traffic was intermittent.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jerry Bucklaew
Sent: Thursday, July 8, 2021 1:02 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] ArubaOS 8.5.0.9 Clients not getting an address

To ALL:


  We are experiencing an issue on our aruba os 8.5.0.9 code and I am 
wondering if anyone else has seen it.  Starting this week we have had 
complaints of users not getting an ip address.   It seems to be isolated to two 
buildings for the most part.  On the dhcp server we see the discover and 
offer, but never a request.   On the controller packet capture we see the same 
thing, discover and offer but no request.  On a client side packet capture we 
see discover but no offer.  It seems to be ap related and a reboot of the ap 
seems to fix it, sometimes we have to reboot many ap’s as a bunch in the same 
area have the issue.   For those with netinsight the insight, “no dhcp request 
after offer” seems to catch it.
For now it is only affecting about 50 people out of 5k so a small number.  But 
it also seems to be affecting about 50 Ap’s out of 6k, so again a small number. 
 But we really have not confirmed that it is the ap.   We have confirmed that a 
client on the same ap will continually have the problem no matter how many 
times we reboot him or de-auth him.  We have confirmed that many times if we 
get him to go to a different ap/location it does seem to clear up.


So again, just wondering if we are the only ones or if someone else has seen 
this.

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
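
The symptom described in the original post above (discover and offer seen on the server side, never a request) can be searched for in exported DHCP events and grouped by AP. The Python below is an added example, not part of either message and not Aruba's or NetInsight's logic; the event format, MAC addresses and AP names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample (not from the thread). Hypothetical export format:
# ISO timestamp, DHCP message type, client MAC, AP the client was associated to.
SAMPLE_EVENTS = """\
2021-07-08T09:00:01 DISCOVER aa:bb:cc:00:00:01 ap-bldgA-101
2021-07-08T09:00:01 OFFER    aa:bb:cc:00:00:01 ap-bldgA-101
2021-07-08T09:00:05 DISCOVER aa:bb:cc:00:00:01 ap-bldgA-101
2021-07-08T09:00:05 OFFER    aa:bb:cc:00:00:01 ap-bldgA-101
2021-07-08T09:00:13 DISCOVER aa:bb:cc:00:00:01 ap-bldgA-101
2021-07-08T09:00:13 OFFER    aa:bb:cc:00:00:01 ap-bldgA-101
2021-07-08T09:00:02 DISCOVER aa:bb:cc:00:00:02 ap-bldgB-201
2021-07-08T09:00:02 OFFER    aa:bb:cc:00:00:02 ap-bldgB-201
2021-07-08T09:00:02 REQUEST  aa:bb:cc:00:00:02 ap-bldgB-201
2021-07-08T09:00:02 ACK      aa:bb:cc:00:00:02 ap-bldgB-201
2021-07-08T09:01:00 DISCOVER aa:bb:cc:00:00:03 ap-bldgA-102
2021-07-08T09:01:00 OFFER    aa:bb:cc:00:00:03 ap-bldgA-102
2021-07-08T09:01:04 DISCOVER aa:bb:cc:00:00:03 ap-bldgA-102
2021-07-08T09:01:04 OFFER    aa:bb:cc:00:00:03 ap-bldgA-102
2021-07-08T09:02:10 DISCOVER aa:bb:cc:00:00:03 ap-bldgB-201
2021-07-08T09:02:10 OFFER    aa:bb:cc:00:00:03 ap-bldgB-201
2021-07-08T09:02:10 REQUEST  aa:bb:cc:00:00:03 ap-bldgB-201
2021-07-08T09:02:10 ACK      aa:bb:cc:00:00:03 ap-bldgB-201
2021-07-08T09:03:00 DISCOVER aa:bb:cc:00:00:04 ap-bldgB-201
2021-07-08T09:03:00 OFFER    aa:bb:cc:00:00:04 ap-bldgB-201
2021-07-08T09:03:04 DISCOVER aa:bb:cc:00:00:04 ap-bldgB-201
2021-07-08T09:03:04 OFFER    aa:bb:cc:00:00:04 ap-bldgB-201
2021-07-08T09:03:04 REQUEST  aa:bb:cc:00:00:04 ap-bldgB-201
2021-07-08T09:03:04 ACK      aa:bb:cc:00:00:04 ap-bldgB-201
"""


def parse_events(text):
    """Return (time, msg_type, mac, ap) tuples in time order."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, msg, mac, ap = parts
        events.append((datetime.fromisoformat(ts), msg.upper(), mac.lower(), ap))
    events.sort(key=lambda e: e[0])  # stable: same-second lines keep file order
    return events


def stalled_offers(events):
    """Count, per client and per AP, offers that never drew a REQUEST."""
    offered_on = {}                                 # mac -> AP of the outstanding offer
    stalls = defaultdict(lambda: defaultdict(int))  # mac -> ap -> unanswered offers
    for _, msg, mac, ap in events:
        if msg == "OFFER":
            offered_on[mac] = ap        # extra offers from a second server collapse
        elif msg == "REQUEST":
            offered_on.pop(mac, None)   # the client heard an offer and answered it
        elif msg == "DISCOVER" and mac in offered_on:
            # The client starts over although an offer was sent: it never arrived.
            stalls[mac][offered_on.pop(mac)] += 1
    for mac, ap in offered_on.items():  # offers still unanswered when the export ends
        stalls[mac][ap] += 1
    return {mac: dict(per_ap) for mac, per_ap in stalls.items()}


def suspect_aps(events, min_stalls=2):
    """Map AP -> sorted clients with at least min_stalls unanswered offers on it."""
    result = defaultdict(list)
    for mac, per_ap in stalled_offers(events).items():
        for ap, count in per_ap.items():
            if count >= min_stalls:
                result[ap].append(mac)
    return {ap: sorted(macs) for ap, macs in sorted(result.items())}


if __name__ == "__main__":
    for ap, macs in suspect_aps(parse_events(SAMPLE_EVENTS)).items():
        print(ap, macs)
```

Stalls are charged to the AP the offer was sent through, so a client that fails on one AP and completes DHCP after moving to another still points at the first AP.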



RE: [WIRELESS-LAN] Aruba AP 510 Series/Windows Devices

2021-06-08 Thread Michael Holden
Yes, this was AP manufacturer independent as the root cause of the issue was in 
the way the device driver handles 802.11ax (WiFi 6).
If the user has updated their driver the issue is resolved, but you’d have to 
rely on the user to properly upgrade their devices. If all they connect to is 
wireless, they can’t update the device driver.

To disable the High Efficiency Radio,
Go to Configure -> System -> Profiles -> Wireless LAN
Select the High-Efficiency Radio and disable
Aruba WebHelp Doc
https://www.arubanetworks.com/techdocs/ArubaOS_8.8.0_Web_Help/Content/arubaos-solutions/virtual-ap/high-effi-aps.htm

Or go to the AP Group, then at the top right drop down your username, select 
Preferences, enable Show advanced profiles.
Select your AP Group, click Profiles, expand RF Management, expand 5GHz radio, 
and update the radio profile you’re using for the AP Group.



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Ronald Loneker
Sent: Tuesday, June 8, 2021 12:39 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba AP 510 Series/Windows Devices

Hi Everyone -

With the limited number of Aruba IAP 515 devices we have remaining, we've been 
upgrading a number of buildings to this device model from our old legacy Arubas.

Back in January, I came across a thread about Aruba AP 510 series and conflicts 
with a version of an Intel driver I thought on this list for its high 
efficiency profile setting that we needed to disable to avoid wireless issues.  
I can't seem to find the thread, however.

Has anyone noticed this issue anymore with this series of Arubas?  I'm not sure 
whether we still should keep this profile setting off or we should enable it to 
take more advantage of its functionality.  Most of our students are now off 
campus so testing it right now isn't really an option.

Any thoughts from your experiences?

Ron Loneker, Jr.
Director, IT Special Projects
Saint Elizabeth University
Mahoney Library
2 Convent Road
Morristown, NJ  07960

Phone:  973-290-4229

e-mail:  rlone...@steu.edu




Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

2021-02-02 Thread Michael Holden
We've seen much the same.
A Pixel 2XL and a Pixel3XL fully updated, the 2XL had the Don't Validate 
option, but the Pixel3XL did not.

We added the CA cert to a subpage on the guest captive portal for ease of 
access to the Wireless device, and provided some instructions for the devices.
The workflow to manually add the Wireless Trust was a bit flaky too with Modify 
Settings not really working.

The instruction set that appeared to work as of the current (January 2021) 
Android software release on the Pixel 3XL (not tested on Pixel 4/4a/5):


  1.  Download the CA cert from the ClearPass Guest Captive Portal Page
  2.  Go to Settings
  3.  Network & Internet
  4.  Wi-Fi
  5.  Wi-Fi preferences
  6.  Advanced
  7.  Install Certificate
  8.  Choose the Certificate downloaded in the first step
  9.  Name the Certificate
  10. Connect to the Secure SSID
       *   Change the Certificate from System Certs to the Certificate name 
           entered in the previous step
       *   Domain to 
       *   Identity as the username
       *   Password as the user’s password
       *   Connect
  11. Confirm Wireless is connected to the WPA2-Enterprise SSID
       *   You may have to forget and add network as the Modify Setting on the 
           SSID does not appear to work properly as of January, 2021 Android 
           Software release


There is a QR code that can be created for PSK networks, has anyone seen if 
this is possible for WPA2/3-Enterprise?



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Tuesday, February 2, 2021 12:54
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Screenshot please.




From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Walter Reynolds 

Sent: Tuesday, February 2, 2021 12:46
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Can someone explain something to me?

I have a Pixel 3 that I did a factory reset on.  Next I did all the updates 
needed and it is running Android 11.  The build number is RQ1A.210205.004 which 
includes the latest security patch for the phone.

When I go to configure a WPA2 Enterprise network I still have the "Don't 
validate" option.

What am I missing here?


Walter Reynolds
Network Architect
Information and Technology Services
University of Michigan
(734) 615-9438


On Tue, Feb 2, 2021 at 8:51 AM Hurt,Trenton W. 
<trent.h...@louisville.edu> wrote:
LOL if it’s working now on those android 11 devices as is then I guess it is.  
And if it’s not well then Feb 15th I guess will be fun

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Tim Cappalli 
<0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Sent: Monday, February 1, 2021 6:06:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



If the supplicant is properly configured, then yes.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Hurt,Trenton W. <trent.h...@louisville.edu>
Sent: Monday, February 1, 2021 18:03
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021

Tim

I know you can’t comment specifically on my setup or environment but if I have 
android 11 pixel 4 and others that have the December update already and the do 
not validate is not an option for those devices but they can use our onboard 
eap tls workflow and the devices auth via that method.  Do you think that my 
setup (regardless if it’s not the most secure way or whatever) will still work 
after this feb 15 date?

Trent Hurt

University of Louisville


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Trenton Hurt <trenth...@gmail.com>
Sent: Monday, February 1, 2021 5:55:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] android 11 upcoming changes Feb 15th 2021



RE: Weak Security

2020-12-02 Thread Michael Holden
+1 Kill WEP and TKIP
Please beware of enabling WPA3 or OWE!
Can’t wait to be able to use them, but there are still some serious driver 
issues out there.
For instance, the Google Pixel 3 used to (may still) kernel panic and reboot 
the phone when connecting to a WPA3-Personal SSID. No error, no warning, just 
reboots the device, it’s a really sweet denial of service actually.
We also have many reports of various device types requesting passwords when 
connecting to OWE SSID’s.
Can’t wait to be able to use them, it’ll just take a while before we can deploy 
without worry; Or be able to blame the device manufacturers for not updating 
their drivers for years.

For those of you using Aruba and Aruba ClearPass, if you are looking at the 
SSID name in the service, OWE SSID’s will prepend OWE_ to the SSID, so make 
sure you’re using Contains or a RegEx if possible rather than Equals 

A friendly PSA:
While you’re at it, you may want to take 1 and 2 mbps rates off your 2.4 GHz; 
Unless you have specific devices that require it (scan guns, emergency pull 
strings, and industrial / HVAC devices come to mind).
They travel quite a ways, and user experience is poor at best when connected at 
1/2 mbps.
If you support printers in your RESNET beware of all 1-11 rates off, we’ve seen 
some printers with g/n 2.4 radios will still require to connect at 6 mbps then 
negotiate up.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jennifer Minella
Sent: Wednesday, December 2, 2020 5:35 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Weak Security

+1 on removing TKIP as an option and staying with AES as a minimum. TKIP has 
been deprecated for years and even in a BYOD/high ed environment, it is 
exceptionally unlikely any devices won’t support the AES/CCMP suite; if they 
*don’t* support it, you may not want them on that network anyway.  With the new 
Wi-Fi security standards out, including WPA3 (in addition to Open 
Enhanced/OWE), even our current AES will be at the low end of the security 
totem pole (down the road).

___
Jennifer Minella, CISSP, HP MASE
VP of Engineering & Security
Carolina Advanced Digital, Inc.
www.cadinc.com
j...@cadinc.com
919.460.1313 Main Office
919.539.2726 Mobile/text

From: Entwistle, Bruce <bruce_entwis...@redlands.edu>
Sent: Tuesday, December 1, 2020 7:14 PM
Subject: Weak Security

Apple devices that are updating to IOS 14 are now reporting that wireless 
security is weak.   We are currently using a combination of WPA/TKIP and 
WPA2/AES for security, but are considering the move to WPA2/AES only.  I was 
looking to see what others have done and what challenges you faced in making 
these changes.

https://discussions.apple.com/thread/251805737

Thank you
Bruce Entwistle
Network Manager
University of Redlands




Re: [WIRELESS-LAN] [EXTERNAL] [WIRELESS-LAN] Clearpass onboarding redirect not working on Safari

2020-11-16 Thread Michael Holden
For the wireless side the ASE has a pretty good walkthrough.

https://ase.arubanetworks.com/solutions/id/161

Does the captive portal happen if you try to go to another non-https site on 
Apple while connected?

If so, there's a check box for Apple Captive-portal Network Assistant by-pass 
that can cause some issues.

For the wired side make sure you check out the  tech note for wired auth.

For Cisco wired Auth check the ASE has a really good solution as well:
https://ase.arubanetworks.com/solutions/id/237






On Nov 16, 2020 6:23 PM, Aaron Abitia  wrote:

Hi Rong,



Because Onboarding has Layer 3, you need to have an IP address on the VLAN 
on/of the controller so that the user device can redirect from the controller 
to Clearpass.  Perhaps you’ve already got this since you mentioned Chrome 
works, but it’s something to check. This one bit us.



-Aaron, Cal Poly SLO.





From: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, November 16, 2020 at 2:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [EXTERNAL] [WIRELESS-LAN] Clearpass onboarding redirect not working on 
Safari

We are in the process of implementing Aruba Clearpass Onboarding on our campus 
wired and wireless network. When testing onboarding on Macbook, I didn't have 
success redirecting Safari to the onboarding page. Chrome can automatically 
redirect without any problem. I tried with Safari version 13.1.2  running on 
MacOS Mojave version 10.14.6, and our Clearpass server is running version 
6.9.3. Aruba tech support engineer was very helpful on this issue.



I am looking for some help here. Any suggestions would be appreciated.



Thanks!



Rong



--

Rong Wang

Network Engineer

Santa Clara University







RE: [WIRELESS-LAN] Status of Wi-Fi 6 Client Drivers?

2020-10-01 Thread Michael Holden
The new encryptions can also cause issues with some of the supplicants.

We’ve seen some clients requesting user/pass when connecting to an Open network 
running the Open Wireless Enhanced (OWE).
Google Pixel 3’s used to seg fault and reboot the phone when connecting to 
WPA3-Personal, along with a few other unable to connect issues.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of John Rodkey
Sent: Thursday, October 1, 2020 1:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Status of Wi-Fi 6 Client Drivers?

This was our experience as well.

John Rodkey
Director of Servers and Networks
Westmont College


Verification: Unsure if this is a legitimate email to an email list? Make sure 
it is recorded at 
https://my.westmont.edu/it_emails



"God-fearing faith... is neither brash nor foolhardy and does not tempt God." - 
Martin Luther


On Thu, Oct 1, 2020 at 10:08 AM Patrick McEvilly 
<patrick_mcevi...@harvard.edu> wrote:
Thanks Brad.  Not exactly what I wanted to hear but good to know for sure.

The option mentioned by Norman Elton of disabling 802.11ax on 2.4ghz is 
interesting.  Have others done something similar?


On 10/1/20, 1:04 PM, "The EDUCAUSE Wireless Issues Community Group Listserv on 
behalf of Floyd, Brad" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of bfl...@mail.smu.edu> wrote:

Patrick,
Neither my open guest network nor my 802.1X network appeared to a client 
with the impacted Intel drivers while the ax features were enabled. As soon as 
the ax features were disabled, the SSIDs appeared.
Thanks,
Brad

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
 On Behalf Of Patrick McEvilly
Sent: Thursday, October 01, 2020 12:01 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Status of Wi-Fi 6 Client Drivers?



Hello

Does anyone know if the Intel driver issue depends on the authentication 
method?  Would an open SSID that gets folks to a captive portal where we can 
have information/links to get to download/update drivers work?  For some reason 
I thought the issue was limited to 802.1x SSIDs but now I'm thinking I made 
that up.  If anyone here that might have seen the problem first hand could 
comment that would be appreciated.

Thanks

Patrick



On 9/25/20, 10:42 AM, "The EDUCAUSE Wireless Issues Community Group 
Listserv on behalf of Enfield, Chuck" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU on behalf of cae...@psu.edu> wrote:

I don’t think waiting to enable ax features will provide much relief 
for the intel driver problem.  People don’t update their wireless drivers 
without a reason, so most of the drivers that are incompatible today will still 
be incompatible next fall.  IMHO, we're just going to have to suffer through 
that problem.

My  bigger concern is IoT stuff, which is far less likely to have a fix 
available.  Anybody have ax enabled in their dorms?  How's it working there?

Thanks,

Chuck

-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Norman Elton
Sent: Wednesday, September 23, 2020 9:44 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Status of Wi-Fi 6 Client Drivers?

We uncovered the same driver issue shortly after deploying 802.11ax.
We mitigated by leaving 802.11ax enabled on the 5GHz radios, but 
disabling on the 2.4 radios. This way, compliant devices can connect and take 
advantage of 5Ghz connectivity. Those devices with faulty Intel drivers can 
still connect, albeit at substantially reduced data rates. There may be some 
inner workings of 802.11ax that I don't recall, but this worked for us!

This was on our Mist AP43s, limited to a single building. The rest of 
campus is running 802.11ac access points from Aerohive.

Norman Elton
William & Mary

On Wed, Sep 23, 2020 at 5:38 PM Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
 wrote:
>
> What is truly frustrating is that all vendors involved are likely 
members of the Wi-Fi Alliance, whose "interoperability" testing obviously isn't 
getting it done.
>
> One man's opinion. 
> From: The EDUCAUSE 

RE: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 2.4GHz spectrum

2020-01-29 Thread Michael Holden
Aruba gives the following warning when doing containment / deauth

The Federal Communications Commission ("FCC") and some third parties have 
alleged that, under certain circumstances, use of containment functionality 
violates 47 U.S.C. Section 333 and/or other FCC rules, regulations or policies. 
Before using any containment functionality, you should determine whether your 
intended use is allowed under the applicable rules, regulations and policies. 
Aruba shall not be liable for any claims, sanctions, or other direct, indirect, 
special, consequential or incidental damages related to your use of containment 
functionality.



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Julian Y Koh
Sent: Wednesday, January 29, 2020 9:50 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Ex: Re: [WIRELESS-LAN] neighbors 'jamming' 2.4GHz 
spectrum

On Jan 29, 2020, at 08:38, Coehoorn, Joel <jcoeho...@york.edu> wrote:

I don't know about that. The enforcement example that stands out to me is 
Marriott was not allowed to use the fine print when you get a room to prohibit 
hot spots, interfering or not, and they paid a hefty fine because of it.

The details are a little hazy with the passage of time, but IIRC the Marriott 
case was special because they were using the active rogue disassociation 
features of their wireless network to intentionally knock people off of any 
SSIDs other than the ones that they were operating.  So that goes beyond simply 
radiating on a channel.

Corrections/clarifications welcome as always! :)

--
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2020 Ridge Avenue #331
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: 
PGP Public Key: 




RE: [External] [WIRELESS-LAN] Joining Sonos to a campus network

2019-11-27 Thread Michael Holden
We’ve had issues specifically with Sonos and Aruba AirGroups, even custom built 
AirGroup definitions didn’t work.

This was left at the engineering level with Aruba working for an AOS8 patch to 
resolve the issue.
The last version we tested with was 8.3.0.9 and that still wasn’t patched / 
updated to work with Sonos and AirGroups.

We ended up just putting the users and the Sonos speakers into the same layer 2 
and disabled the broadcast filters for a small group as a work around.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Norton, Thomas (Network 
Operations)
Sent: Wednesday, November 27, 2019 12:29 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [External] [WIRELESS-LAN] Joining Sonos to a campus 
network

Yeah it’s really really convoluted, as well like you said each product is 
different. Some support AirPlay, and others don’t. We have it working for a 
couple one offs, but have it completely isolated from the rest of the network.

Caveats include, Have to be in the same layer 2, and broadcast filtering has to 
be disabled particularly for discovery.

 If an Aruba environment that also means the role has to have all the proper 
exceptions, and if running AOS8 with centralized AirGroup open flow has to be 
disabled at the role so that the mm doesn’t know about it



Sent from my iPad


On Nov 27, 2019, at 11:45 AM, Paul Reimer <prei...@uw.edu> wrote:





Hi everyone,

I was wondering how you’re managing actually joining Sonos products to your 
network. If you’ve had the pleasure of setting some of these up you may know 
why I need to ask.

They don’t really like to individually be directed to join a network and they 
don’t really have a UI that just lets you log in and manage a unit’s network 
connection.

The best I’ve come up with is a kind of convoluted process that requires 
setting them up wired first and then directing the set you want to manage with 
a given (newly required) user account to join the network at the same time.

I think there’s also differences between product lines. So far my experience is 
with Play:1’s, Play:5’s, and Connects which our process works with.

Thanks,

Paul Reimer
UW-IT | Network Design and Architecture
Wi-Fi Engineer

4545 15th AVE NE Seattle, WA 98105
Office 206.543.8902 | Mobile 850.408.0747
prei...@uw.edu





RE: [WIRELESS-LAN] Aruba 8.5.0.3

2019-10-15 Thread Michael Holden
Yes.
If you have AP-515’s you should be on 8.5.0.x code, DO NOT USE 8.4.x CODE.

So far it looks like the same fixes in the 8.3.0.8 code are in the 8.5.0.3, but 
several folks are still having mDNS and SSDP issues with AirGroups on both.

Not sure about 8.3.0.9 just yet.


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Adam Forsyth
Sent: Tuesday, October 15, 2019 10:39 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba 8.5.0.3

Has anyone tried 8.5.0.3? In the release notes I see some fixes for airgroups 
have been made and makes me think I would like to try it.



RE: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-13 Thread Michael Holden
Has anyone got the eduroam CAT working with EAP-TLS?

Couldn’t find a good way for loading the certificates.
May have missed the documentation for that portion.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Enfield, Chuck
Sent: Friday, September 13, 2019 8:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

“We run eduroam and a completely open guest SSID. The open SSID has no captive 
portal, no click through terms of services, and no restrictions on Internet 
access for content or speed.”

I’m jealous Felix.  I made a strong push for this approach, but General Counsel 
stopped it.  FWIW, I think they got it right, but life would be easier and 
users would be happier your way.

Their rationale is that to get the protections afforded to ISP’s under DMCA we 
need to inform users that they’re not allowed to share copyrighted materials 
and that their connection will be blocked if they do.  For account holders we 
make them agree to these terms and more when they activate their account.  But 
if the network doesn’t require an account this notification seems to demand a 
captive portal.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Felix Windt
Sent: Friday, September 13, 2019 8:26 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I’d pay a fair price for an easily administered solution that lets us roll out 
PPSK in the dorms and deploy broadcast/multicast domains scoped to specific 
users.

We run eduroam and a completely open guest SSID. The open SSID has no captive 
portal, no click through terms of services, and no restrictions on Internet 
access for content or speed. That SSID bridges through to VLANs in a DMZ, and 
its only real restriction is that it can only reach proper public IP addresses 
on campus, plus 2-3 applications on private IPs that are specifically 
permitted. That’s enforced on the firewalls between campus and the DMZ.
We do see quite a lot of students on that SSID permanently. As a huge amount of 
our student applications are either cloud hosted or available on the public 
Internet, that works just fine for them. We’d prefer them on eduroam, but user 
experience trumps our preferences. The only real problem are devices such as 
Sonos sound bars, Google appliances, and other devices that will only support 
PSKs for wireless. For those we don’t have a solution right now.

Once WPA3/OWE is out and widely supported I genuinely don’t know how much we’ll 
care about where devices are. At that point it seems not just more user 
friendly but easier for IT overall to just throw reasonable security in front 
of web apps that the student and faculty population need to access, and let 
them sit on the SSID that’s easier to get on to. Administrative machines under 
central control would probably be kept on properly authenticated networks, but 
those are easier to solve if you have reasonable mass device management options.

For what it’s worth, we use the eduroam CAT tool for onboarding.

thx,

Felix Windt
Dartmouth College

From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of "Rumford, Charles" 
<charl...@isc.upenn.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, September 12, 2019 at 2:26 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

I agree that complicated onboarding is the worst from the end user perspective 
and a pain to manage.

I started designing a PPSK/MPSK design to take over our primary 802.1x network. 
The biggest hurdle I ran into with it was the randomization of MAC addresses 
for devices. I've been told Android 10 has it on by default, and I know that 
Windows supports it also. I could only see issues from a support issue coming 
down the line. I need to spend some more research time with it.

--
Charles Rumford
IT Architect
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A
(Sent from Mobile)

From: "Enfield, Chuck" <cae...@psu.edu>
Sent: Thursday, September 12, 2019 14:11
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

Seconded.

And for those who think that security is more important than the user 
experience in some cases, I wouldn’t argue, but I would point out that an 
improperly configured 1x device puts the user’s credentials at risk.  802.1x 
isn’t all upside from a security perspective either.

Chuck

From: The EDUCAUSE Wireless 

Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-12 Thread Michael Holden
2nd that, self-guided EAP-PEAP is convenient, but the Evil Twin Attack isn't 
exactly new or difficult.

In the past I've used an optional layered approach.

Give an option on the open SSID captive portal for initial onboarding, or 
limited Guest access (weekly type) captive portal re-login after student 
credentials.
With open SSID disclaimers that no one reads of course. One place asked for a 
counter so the user could only do the extended captive portal 3 times.

Android 10 now defaulting daily MAC randomization on Open SSIDs is likely going 
to kill this type of option.

If EAP-PEAP on the 802.1x give another optional captive portal that pops back 
up every so often, once a month or once a semester type deal reminding them 
they should OnBoard for EAP-TLS.

This tends to stagger the more arduous adopters and reduce the help desk calls 
after password resets.
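
Both the PPSK/MPSK post and the captive-portal post in this thread identify MAC randomization as the thing that breaks MAC-keyed designs. As an added example (not part of any post in the thread), the Python below classifies registered MAC addresses by the locally administered bit, which randomized client addresses set; the record layout, sample data and function names are assumptions made for illustration.

```python
import re

# Constructed sample of captive-portal registrations (MAC, user); not real data.
SAMPLE_REGISTRATIONS = [
    ("3C:22:FB:10:20:30", "student1"),  # vendor-assigned (universal) address
    ("da-a1-19-00-11-22", "student2"),  # locally administered, hyphen notation
    ("f2a3.bc01.0203", "student3"),     # locally administered, dotted notation
    ("01:00:5E:00:00:FB", "n/a"),       # multicast group address, never a client
    ("not-a-mac", "student4"),          # malformed input
]


def parse_mac(text):
    """Return the MAC as 6 bytes, or None if it is not 12 hex digits."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    return bytes.fromhex(digits)


def classify_mac(text):
    """Classify a MAC by the two low-order bits of its first octet."""
    mac = parse_mac(text)
    if mac is None:
        return "invalid"
    first = mac[0]
    if first & 0x01:          # I/G bit set: group (multicast) address
        return "multicast"
    if first & 0x02:          # U/L bit set: locally administered
        # Randomized client MACs set this bit, but so do some virtual NICs,
        # so treat it as "cannot be used as a stable device identity".
        return "locally-administered"
    return "universal"


def split_registrations(records):
    """Group registered users by the class of the MAC they registered with."""
    groups = {"universal": [], "locally-administered": [],
              "multicast": [], "invalid": []}
    for mac, user in records:
        groups[classify_mac(mac)].append(user)
    return groups


if __name__ == "__main__":
    for kind, users in split_registrations(SAMPLE_REGISTRATIONS).items():
        print(f"{kind}: {users}")
```

Registrations in the locally-administered group are the ones where a MAC-keyed re-login counter or per-device PSK binding will stop matching once the client rotates its address.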




RE: [WIRELESS-LAN] [Ext] Re: [WIRELESS-LAN] Residential Wireless and Gaming

2019-09-03 Thread Michael Holden
Check out the RF and Roaming Optimization Guide here:
https://community.arubanetworks.com/t5/Validated-Reference-Design/RF-and-Roaming-Optimization-for-Aruba-802-11ac-Networks/ta-p/508678

Some of this is very applicable even in a Cisco WLC environment.
Such as making sure that you disable 1, 2, 5, and 9 mbps rates.
The guide says to disable 11 as well, but I’ve found that some cheaper printers, 
while they have the g radio and will connect at higher rates, have to have at 
least the 11 mbps rate.

Use device registration to get things like printers on the network or they will 
end up trashing your 2.4 with individuals setting up ad hoc everywhere.

Make sure your basic rates have been set up to 12 and/or 24.

Also set your beacon rate up to 12 mbps.

There’s plenty of other fun and games that can be done, but ditching the lower 
rates has a pretty significant impact. Ultimately though, 2.4 GHz is just noisy.

We polish it as best we can, but it’s still 2.4 GHz…

Also check out:
https://community.arubanetworks.com/t5/Validated-Reference-Design/Very-High-Density-802-11ac-Networks-Validated-Reference-Design/ta-p/230891



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Michael Usher
Sent: Tuesday, September 3, 2019 12:51 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [Ext] Re: [WIRELESS-LAN] Residential Wireless and 
Gaming

We are in the same situation.  The way I look at it, the "basic network 
service" we provide in dorms is simply changing from wired to wireless.  In 
fairness to other students, I think everyone should receive the same "basic" 
service.  If an individual wants a wired port (assuming cabling is still there, 
and isn't Cat3), then I think "user pays" is appropriate for a "premium" level 
of service, along with installation and activation fees if needed.  $100/yr 
seems very reasonable for the recurring charge.

Michael

On Tue, Sep 3, 2019 at 8:29 AM Kurtz, Eric <ku...@susqu.edu> wrote:
We deactivated all wired ports in the Res Halls and charge $100/year for wired 
ports. We get 10-15 users that still want a wired port. We use port security to 
only allow 1 mac address per port.

Our students just started complaining about the rubber banding issue. They said 
it wasn’t an issue over the summer, but it is now. Typical latency is 40ms.

Eric Kurtz
Senior Systems Engineer
Office of Information Technology
Susquehanna University
514 University Avenue
Selinsgrove, PA 17870-1164


From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Stephen Belcher
Sent: Tuesday, September 3, 2019 11:08 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [Ext] Re: [WIRELESS-LAN] Residential Wireless and 
Gaming

We have 100% wireless residential halls with no ethernet option. We have a 
single AP per room in our traditional residential complexes. We profile gaming 
consoles and hand them a public IP address. We work with the students to make 
sure they are on 5 GHz if their device supports it. We try to minimize any 
interference from other devices in their rooms and their neighbors’ rooms.

During testing, the user will consistently get between 40Mb and 50Mb download 
and upload speeds. Latency is always less than 20ms.

The gamers still complain about lagging and glitching and rubber banding.

You can provide amazing bandwidth and minimize latency as much as you want, but 
there is nothing you can do about the jitter that is inherent in a Wi-Fi 
network. Especially as groups of people congregate by the elevator (which 
happens to be right outside of this particular student’s room).

As others have pointed out, there is no real fix.

We haven’t decided to let the students plug in yet, but we are discussing it.


/ Stephen Belcher
Director of Network Operations and Telecommunications
WVU Information Technology Services
One Waterfront Place / PO Box 6500
Morgantown, WV  26506

(304) 293-8440 office
(681) 214-3389 mobile
steve.belc...@mail.wvu.edu




From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of John Turner
Sent: Tuesday, September 3, 2019 10:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [Ext] Re: [WIRELESS-LAN] Residential Wireless and 
Gaming

Hard core gamers will tell you wired is always better - they will also blame 
latency for their lack of skill ;-)

However, you CAN create a low latency small cell environment with hospitality 
APs, DFS enabled, and a careful 2.4 plan.

In the end you will still have issues with older clients and streaming hogs, 
but it's the best you can do. Yes AX sounds promising but we are years away 
from any meaningful adoption and bug fixes. (AC wave 2 came out 3 years ago...)

On Tue, Sep 3, 2019 at 10:38 AM Biggs, Nathanael