Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

[Michael Hulko]

Keep the list posted as I am sure this is having an effect on others…. Oddly 
though, we are not seeing this in our Campus 8.6x environment.  Our “Arp 
Spoofing” issue is with our Housing 6.5x environment.  As I stated earlier, we 
have a number of other fires going..   Since moving to 8.6x in April on the 
recommendation of our SE….


  1.  8.6x GUI issues with blacklisting…  the GUI reports more than what is 
actually happening on the controllers
  2.  IAP to controller tunnel challenges with clustered environment (8.6x) …  
(actually, TAC did come back after 2 weeks troubleshooting and confirmed that 
IAP to controller tunnels will not work when controllers are clustered)
  3.  AP200 series APs on the 8.6x environment started randomly rebooting with 
“out of memory” errors
  4.  7240XM controllers in the 8.6x environment having process crashes and 
restarts plus warnings of CPU utilization peaking over 90%
  5.  ‘Arp Spoofing’
  6.  We are also detecting AP300 series reboots, but have not made any attempt 
to monitor or track these instances at this time.



Not to mention the myriad of user complaints that we generally field



Start of another school year



M

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Nick Rauer 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, September 21, 2020 at 2:12 PM
To: "WIRELESS-LAN@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba 
Controllers

We just wrapped up a week's worth of troubleshooting with Aruba TAC and a group 
of Aruba developers to troubleshoot a similar issue. They ultimately 
recommended we disable blacklisting clients for “Arp Spoof”. They did not 
correlate the issue related to the iOS update, though. I still have the case 
open, and will pass along the message. We are also seeing users complaining of 
their Windows 10 devices intermittently not connecting to an SSID after waking 
from sleep mode. We are still investigating that issue.

We have an MM/MC dual 7220 Cluster running 8.5.0.9 / AP300,AP500 series 
Deployed.

Thanks,
Nick Rauer
Manager of Networking and Telecommunications
Wheaton College – Massachusetts


From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Hulko
Sent: Monday, September 21, 2020 1:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba 
Controllers

Yup.. we had to disable the “Arp Spoof” settings in the IDS profiles.  We have 
other irons in the fire so we are not able to do much to investigate this issue 
at this time.

M

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@listserv.educause.edu>> 
on behalf of "McClintic, Thomas" 
mailto:thomas.mcclin...@uth.tmc.edu>>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@listserv.educause.edu>>
Date: Friday, September 18, 2020 at 11:46 AM
To: 
"WIRELESS-LAN@listserv.educause.edu<mailto:WIRELESS-LAN@listserv.educause.edu>" 
mailto:WIRELESS-LAN@listserv.educause.edu>>
Subject: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

We have begun seeing an impact with iOS 14 on our various SSIDs with ARP 
Spoofing events. We had not seen an event this year until July 9th (the date 
beta was released). There has been a large increase since the 16th of the 
events.

The events seem to occur randomly as we are starting to troubleshoot. They 
still occur even when clients disable the privacy setting for the network.

Since our blacklist interval is set to 30 minutes this is causing an 
interruption of service when it occurs.

Has anyone else seen similar events? I have opened a TAC case to assist.

Thanks

TJ McClintic


UTHealth | The University of Texas Health Science Center at Houston
Houston’s Health University

Communications Technology | Network Operations
7000 Fannin | Suite M60 | Houston, TX  77030
713.486.9269 netops | 713.486.2271 office


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email 

Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

[Michael Hulko]

Yup.. we had to disable the “Arp Spoof” settings in the IDS profiles.  We have 
other irons in the fire so we are not able to do much to investigate this issue 
at this time.

M

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of "McClintic, Thomas" 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Friday, September 18, 2020 at 11:46 AM
To: "WIRELESS-LAN@listserv.educause.edu" 
Subject: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

We have begun seeing an impact with iOS 14 on our various SSIDs with ARP 
Spoofing events. We had not seen an event this year until July 9th (the date 
beta was released). There has been a large increase since the 16th of the 
events.

The events seem to occur randomly as we are starting to troubleshoot. They 
still occur even when clients disable the privacy setting for the network.

Since our blacklist interval is set to 30 minutes this is causing an 
interruption of service when it occurs.

Has anyone else seen similar events? I have opened a TAC case to assist.

Thanks

TJ McClintic


UTHealth | The University of Texas Health Science Center at Houston
Houston’s Health University

Communications Technology | Network Operations
7000 Fannin | Suite M60 | Houston, TX  77030
713.486.9269 netops | 713.486.2271 office


**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Re: [WIRELESS-LAN] Aruba Hospitality Access Points

[Michael Hulko]

Additionally, one reason we also implemented AP303H’s in dorm rooms is that the 
antennas are also more directional (120 degrees horizontal) which also helps 
with placement



From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Ronald Loneker 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Wednesday, March 4, 2020 at 12:09 PM
To: "WIRELESS-LAN@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] Aruba Hospitality Access Points

Hi Everyone -

Thanks for your insights on the hospitality access points - I think right now 
it still won't be as easy for us to implement so we'll stick with our current 
access points and wait for a nice donation or other external funding to come in 
and reconsider it at that time.

I like the idea and the functionality people are saying about these units so 
it's definitely something we'll consider in the future.

Ron
---
Ron Loneker, Jr.
Director, IT Special Projects
College of Saint Elizabeth
Mahoney Library
2 Convent Road
Morristown, NJ  07960

Phone:  973-290-4229

e-mail:  rlone...@cse.edu






On Tue, Mar 3, 2020 at 4:26 PM Ronald Loneker 
mailto:rlone...@cse.edu>> wrote:
Hi Everyone,

I've been following some of the various discussions where people have mentioned 
using Aruba's hospitality access points and I e-mailed our vendor who we use 
about them to compare them with the IAP 215 units we deployed a few years ago 
in our residence halls.

I didn't seem to get a good explanation so now I'm asking this group.

For those who have deployed the hospitality access points, how do they differ 
from an Aruba you would put in an academic/administrative building?

Do you find you are putting more of them into a residence hall?

I'd toy with the idea of possibly swapping the IAP-215 units with hospitality 
units if the numbers were similar and we could move the IAP-215 units into one 
of our buildings with legacy Arubas although from what I think I'm reading, it 
looks like some of you are putting more into the residence halls than we have 
put (it's definitely not one access point for every one or two rooms based on 
the heat maps that were done).

Any thoughts would be appreciated.

Ron Loneker, Jr.
Director, IT Special Projects
College of Saint Elizabeth
Mahoney Library
2 Convent Road
Morristown, NJ  07960

Phone:  973-290-4229

e-mail:  rlone...@cse.edu









**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

[Michael Hulko]

May not be completely related, but we have had issues with newer AX chipsets 
that utilize NDIS 6.3 code set.  Some of the advanced features had to be turned 
off as a work around such as packet coalescing etc.

ALthough we have no 515’s in our environment, we are progressing to 8.6 (as per 
our SE) in the coming weeks and this does not make me comfortable.  Any issues 
with the 300 series APs and 8.5x? May rethink and downgrade to 8.3x as it also 
seems to only support the AP103Hs as well.

M

On Jan 9, 2020, at 11:44 AM, Lee H Badman 
<00db5b77bd95-dmarc-requ...@listserv.educause.edu>
 wrote:

No insult meant to anyone’s intelligence, but are you also looking at client 
device drivers etc in the context of these issues? Depending on which client 
NIC is in play, the device makers haven’t been doing us any favors of late. Is 
very possible for example that hundreds of AD-managed laptops may all have same 
bum driver.

Just asking…

Lee Badman | Network Architect (CWNE#200)
Information Technology Services
(NDD Group)
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Community Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
On Behalf Of David Morton
Sent: Thursday, January 9, 2020 11:39 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

Ryan, we have been experiencing some of the very same issues. Since installing 
515s and resulting 8.5.x code in our offices (always our first step to any 
migration) we too have experienced unexplained periods of no connectivity. In 
most or all the cases I’ve personally experienced, I believe that I remain 
connected at an 802.11 standpoint but will have that 30 seconds to a couple of 
minutes of no IP connectivity. We have now deployed 515s and 8.5.x in one of 
our residence halls so I am concerned about their experience as well. Just 
before the holiday break we had a series of very high-profile outages that 
impacted our students leading up to and during finals week. The issue got so 
bad that our CIO had to issue a letter to students explaining the problem and 
what we are doing about it. This is the first time that this level of 
communication was needed in my 15 years at the UW using Aruba.

We too are a heavy Juniper shop and have recently received a MIST demo kit. We 
haven’t done anything with it yet due to lack of resources, but if things 
continue on the current path we may give it a more serious look.

David


David Morton
Director, Network & Telecom Design/Architecture
University of Washington
dmorton @uw.edu
tel 206.221.7814

PS I am currently on medical leave so if you wish to reply off-list, please 
direct it to Amel Caldwell, amelc@ uw.edu


On Jan 9, 2020, at 8:15 AM, Turner, Ryan H 
mailto:rhtur...@email.unc.edu>> wrote:

All:

We’ve been an Aruba shop for a very long time and have around 10,000 access 
points.  While every relationship with vendors have their ups and downs, my 
frustration with the Aruba is finally peaking to the point that I am 
considering making the enormous move to choose a different vendor.  The biggest 
reason is with the 8.X code train, and bugs that we just don’t consider 
appropriate to use in production.  It has been one thing after the other, and 
my extremely talented and qualified Network Architect (Keith Miller) might as 
well be on the Aruba payroll as much work as he has been doing for them to 
solve bugs.  Just when we think we have one fixed, another one crops up.

The big one as of late is with 515s running 8.5 code train.  We have them 
deployed in one of our IT buildings.  Periodically, people that are connected 
to these APs in the 5G band will stop working.  To the user, they are browsing 
a site, then it becomes unresponsive.  If they are on their phone, they will 
disconnect from wifi and everything works fine on cell.  Nothing makes an 
802.11 network look worse than switching to cell and seeing a problem resolve.  
Normally, if the users disconnect then reconnect, their problems will go ahead 
(but I think they end up connecting in the 2.4G band).   We’ve been working on 
this problem with them for months.  It always seems as though we have to prove 
there is a real issue.  I’m fed up with it.  We are a sophisticated shop.  If 
we have a problem, 9 times out of 10 when we bring it to the vendor, it is a 
real problem.  I’m extra frustrated that due to issues we’ve seen in ResNet on 
the 8.3X train that we don’t want to abandon our 6 train on main campus.  To 
Aruba’s credit, we purchased around 1,000 515s last year (I think around 
February).  When they could not get good code to support them on, Aruba bought 
back half of the

Re: [WIRELESS-LAN] Measuring RADIUS Performance

[Michael Hulko]

We have also been looking at response times… We also have Airwave and what 
stands out the most is if you look at the details page under clarity for 
Authentication, you will see the breakdown of the servers and client responses. 
 I find that given that airwave is only polling at time (t) the number provided 
by clarity is an average of all the “Client + Server” response times.  I use it 
with a grain of salt.  We use Radiator as our Radius, and it has the ability to 
give the statistics required for a complete Authentication, which we are 
finding is less than 10ms.  Client devices and controller resources also affect 
these numbers in airwave. We also have 7Signal in the environment to monitor 
our large high density classrooms and it gives another perspective, but 
generally the total response time for an authentication has been around 120ms..


[cid:200BA0D2-AF24-4DFE-A4E0-0EF420689038@uwo.ca]

On Mar 15, 2018, at 1:20 PM, Kenny, Eric 
mailto:eric_ke...@harvard.edu>> wrote:

Hi Adam,

We use Aruba ClearPass for our back end MAC and 802.1x authentication.  They 
recommend the authentication request take less than 150ms to complete.  We 
typically see between 50 and 150 ms for 802.1x and 200 to 250 for mac auth.  
This is highly subjective based on the complexity of your enforcement policies.

A few month ago we ran into a major issue that only affected Mac OS X devices 
running 10.12 and up, where if the authentication took longer than 300 ms to 
process, the device would fail to associate to the wireless network.  We went 
back and forth with Apple on that but never really got to the bottom of what 
broke in their network stack.

ClearPass has built in monitoring for request processing time.



From what I’ve seen reported in Airwave, it seems that the authentication 
processing time is less than what is reported in ClearPass.  For example, one 
device authenticating on 802.1x, ClearPass shows "Request processing time = 269 
ms” and below is what Airwave reports.


---
Eric Kenny
Network Architect
Harvard University IT
---

On Mar 15, 2018, at 11:44 AM, Adam Forsyth 
mailto:forsy...@luther.edu>> wrote:

How do you measure the performance of your RADIUS Serve? How fast is fast 
enough? How slow is unacceptable?

We have Aruba Airwave, and its Clarity module provides me a way to measure the 
amount of time that RADIUS Authentication takes.  For our RADIUS MAC SSID's it 
says it takes 63ms, and for our 802.1x SSID it says 2392ms.  The settings 
Airwave comes with by default are that <500ms is marked green meaning good, 500 
-- 1000ms is marked yellow meaning warning and >1000ms is marked read meaning 
poor.

Of course faster is always better, but I wondered if others have opinions on 
whether Airwave's  ranges are reasonable, or whether they have unrealisticly 
expectations.  If they're reasonable, then I probably need to figure out how to 
speed up our 802.1x RADIUS performance.

--
Adam Forsyth
Director of Network and Systems
Luther College Information Technology Services
700 College Drive
Decorah, IA 52101
563-387-1402
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.


** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Re: [WIRELESS-LAN] Birds of a feather reporting in Airwave?

[Michael Hulko]

In addition to the reports listed we also create triggers for mac addresses 
from devices reported lost or stolen to Campus Police.

this has been very successful over the years.

M

On Jan 31, 2018, at 10:05 AM, Chris Hart 
mailto:ch...@northwestern.edu>> wrote:

We report on –
RADIUS Authentication Issues by client
Top bandwidth APs
Top APs user counts
User Session reports to verify a good distribution of 5/2.4
RF Health report with most options included in the pre-canned report
Guest SSID users count and bandwidth
Monthly and Quarterly reports that show client breakdown connection type/device 
type unique users

We also have triggers for
Thresholds of traffic for more than 5 minutes.  This was an old one when we had 
some APs connected at 100Mbps and wanted to know if we need to upgrade the 
links to Gig ports.
CPU alerts for the controllers
Channel Utilization


Chris Hart




Chris Hart
Network Operations Engineer Lead
Tel: 847-467-7747
Email: ch...@northwestern.edu
2020  Ridge Ave, Evanston, IL






From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Holland, Ryan
Sent: Tuesday, January 30, 2018 9:23 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Birds of a feather reporting in Airwave?

I didn’t see a reply to this, so fwiw, we use:

RF Health Report, looking for:
- APs with high 5ghz noise floor
- APs with sustained high average channel utilization
- APs with “lots” of channel changes

Device Summary report, looking for:
- APs with high maximum concurrent users
- Buildings/folders with more-than-expected max concurrent users

Client Session report, looking for:
- Device Type (AOS) breakdown
- Summary, which includes unique devices and total number of sessions

Hope that gives you a starting point / comparable.


Ryan Holland
Senior Network Engineer
The Ohio State University
Office of the Chief Information Officer
Telecommunications Network Center (TNC)
320 W. 8th Ave.
Columbus, OH 43201
614-292-9906 Office
holland@osu.edu 
ocio.osu.edu

On Dec 21, 2017, at 5:07 PM, Chad Burnham 
mailto:cburn...@du.edu>> wrote:

HI fellow list members,

I was looking for other folks on this list that use Aruba’s Airwave to generate 
meaningful reports to aid in monitoring and operating your wireless networks.

We have been trying to develop better and more meaningful reporting that shows 
a deeper understanding of the health of all of our wireless networks over time.

As we have invested significant resources in cabling, switches, controllers, 
Clearpass and Airwave servers and new/more next gen WAPs, we are trying to show 
the value more and more to senior management with our various tools.

We have got some reports working today (we are running 8.2.2.1); we are trying 
to find the “best of breed” reporting that you may rely in your environments 
and apply them here @ DU.

Knowing when we have problems before our users do is a goal. Increasing the 
customer perception of excellent wireless service is also a goal. Our audience 
types could be our own team or they may be senior management or even student 
government.

Yes, we are working with our local Aruba/HPE SE and the Aruba/HPE product 
manager of Airwave in this journey; they are an excellent resource and business 
partner.

Some of the area of theme/focus might include:
• Are the networks healthy?
• RF Performance
• RF Capacity
• RF Channel Utilization
• Bandwidth Usage
• Users, device types, etc.

Thanks in advance for anyone that can share what they might be proud of.

Happy Holidays,

Chad



Director of Network Services
Information Technology
University of Denver
2100 S. High St. #106
Denver, CO 80208
SIP URI = chad.burn...@du.edu
Desk Phone: 303-871-4441
Mobile Phone: 303-520-5657
https://du.webex.com/join/cburnham
https://udenver.zoom.us/my/cburnham




** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http

Aruba Clearpass

[Michael Hulko]

We are looking to speak to someone that is currently using Aruba ClearPass, for 
more than just Radius authentication, in their environment and is willing to 
spend some of their valuable time (15 - 30 minutes) off-line on a call to 
discuss your experiences.  Please respond to the co-ordinates provided below.

Thanks in advance.


Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Western Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x82433
direct: 519-850-2433
e-mail: mihu...@uwo.ca<mailto:mihu...@uwo.ca>




**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Re: [WIRELESS-LAN] Aruba OS 6.5.X

[Michael Hulko]

We disabled the DPI on all our controllers and we stilll had a controller 
reboot.  Might have additional issues not accounted for.  We are moving to the 
s0-called “fix” on our most troublesome controller tonight and monitor the 
controller for the next couple of days

M


On Sep 25, 2017, at 10:28 PM, Wesley Troy Scott 
mailto:tsc...@uwyo.edu>> wrote:


We ran into the SOS Assert crash too and the workaround was to disable Deep 
Packet Inspection. Since then we've been stable.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of Johnson, Christopher mailto:cbjo...@ilstu.edu>>
Sent: Monday, September 25, 2017 12:06:15 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Aruba OS 6.5.X

We’re also on 6.5.3.1 and have ran into the “Reboot Cause: Datapath timeout 
(SOS Assert) (Intent:cause:register 54:86:50:2) “ message with an open TAC 
case. Something else I’d be curious about – for those of your running 6.5.3.1 – 
could you verify via packet-capture that your configured data rates match what 
your APs are actually broadcasting. We’ve recently discovered during a 
packet-capture that our APs had the default 1,2, 5, and 11 rates enabled – even 
though the controllers have those specifically disabled via the running-config 
and webUI. Note this only affected on pair of our 7240 controllers – but not 
another separate pair.

Christopher Johnson
Wireless Network Engineer
AT Infrastructure Operations & Networking (ION)
Illinois State University
(309) 438-8444
Stay connected with ISU IT news and tips with @ISU IT Help on 
Facebook<https://www.facebook.com/ISUITHelp/> and 
Twitter<https://twitter.com/ISUITHelp>
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jake Snyder
Sent: Saturday, September 23, 2017 8:13 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Aruba OS 6.5.X

We had some issues with the controllers crashing on 6.5.2.1. 6.5.3.2 has been 
solid for the same client.

Sent from my iPhone

On Sep 22, 2017, at 1:55 PM, Brian L. Cox 
mailto:cox...@unk.edu>> wrote:
For whatever it is worth, we are going to go from 6.5.2.0 to 6.5.3.2 
conservative release per TAC recommendation

Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Hulko
Sent: Friday, September 22, 2017 2:06 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Aruba OS 6.5.X

I stand corrected… we are experiencing - Reboot Cause: Datapath timeout (SOS 
Assert) (Intent:cause:register 54:86:50:2)  associated with bug ID: 168710

Cause:  "contents in datapath is not freed. New streams are not allocated with 
resources to categorize. Due to this duplicate session deletes were not 
happening and hence the controller was crashing.”


This appears to happen when the controllers reach over 9k users.

We have been experiencing AP103H reboots since 6.4.4.x code base as well as 
increased number of radar events.  These were supposed to be fixed moving to 
6.5.4x code.

We have over 4600 APs on Campus (105, 215, 225, 315,103H, 205H)

M



On Sep 22, 2017, at 12:21 PM, Colin Randall 
mailto:crand...@mines.edu>> wrote:

We’re running 6.5.2.1 as well, without any issues.  That said, we’re running 
mostly AP-225’s and a few AP-335’s, and not running the DFS frequencies at all.
-Colin

Colin Randall
Network Manager
Colorado School of Mines
303-384-2208

On Sep 22, 2017, at 9:18 AM, Amel Caldwell mailto:am...@uw.edu>> 
wrote:



Did they say what the release will be?  Will it be 6.5.2.1 or are they going to 
expect you to jump to 6.5.3 or 6.5.4?  We often request fixes to be put in 
older versions to minimize risk of going to a whole other train of code.

I am curious because I was told 6.5.2 had been “parked”.

Amel Caldwell
University of Washington UW-IT
Wi-Fi Network Engineer
Wi-Fi Service Manager

am...@uw.edu<mailto:am...@uw.edu>
206-543-2915

Ask me about open Network Engineer positions on the wireless team.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of "Bucklaew, Jerry" mailto:j...@buffalo.edu>>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, September 22, 2017 at 5:46 AM
To: 
"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>" 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Aruba OS 6.5.X


We have been on 6.5.2.1 for a couple months now with no “major issues”.We 
have the

Re: [WIRELESS-LAN] Aruba OS 6.5.X

[Michael Hulko]

I stand corrected… we are experiencing - Reboot Cause: Datapath timeout (SOS 
Assert) (Intent:cause:register 54:86:50:2)  associated with bug ID: 168710

Cause:  "contents in datapath is not freed. New streams are not allocated with 
resources to categorize. Due to this duplicate session deletes were not 
happening and hence the controller was crashing.”


This appears to happen when the controllers reach over 9k users.

We have been experiencing AP103H reboots since 6.4.4.x code base as well as 
increased number of radar events.  These were supposed to be fixed moving to 
6.5.4x code.

We have over 4600 APs on Campus (105, 215, 225, 315,103H, 205H)

M



On Sep 22, 2017, at 12:21 PM, Colin Randall 
mailto:crand...@mines.edu>> wrote:

We’re running 6.5.2.1 as well, without any issues.  That said, we’re running 
mostly AP-225’s and a few AP-335’s, and not running the DFS frequencies at all.
-Colin

Colin Randall
Network Manager
Colorado School of Mines
303-384-2208

On Sep 22, 2017, at 9:18 AM, Amel Caldwell mailto:am...@uw.edu>> 
wrote:

Did they say what the release will be?  Will it be 6.5.2.1 or are they going to 
expect you to jump to 6.5.3 or 6.5.4?  We often request fixes to be put in 
older versions to minimize risk of going to a whole other train of code.

I am curious because I was told 6.5.2 had been “parked”.

Amel Caldwell
University of Washington UW-IT
Wi-Fi Network Engineer
Wi-Fi Service Manager

am...@uw.edu
206-543-2915

Ask me about open Network Engineer positions on the wireless team.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>> 
on behalf of "Bucklaew, Jerry" mailto:j...@buffalo.edu>>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Date: Friday, September 22, 2017 at 5:46 AM
To: 
"WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" 
mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>>
Subject: Re: [WIRELESS-LAN] Aruba OS 6.5.X


We have been on 6.5.2.1 for a couple months now with no “major issues”.We 
have the 3xx dfs bug and we do see a ton of radar hits.

Waiting for the fix release that is due out in another week or two.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Amel Caldwell
Sent: Thursday, September 21, 2017 5:15 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba OS 6.5.X

Hi y’all—

We have depleted our supply of AP 215s and are wanting to begin installing AP 
315s on our campus and have been having a hard time finding stable 6.5.X code.  
Our school starts next week, and we just had a failed attempt at rolling out 
6.5.1.8 because we saw dozens of radar detected events right after upgrading.  
This was the fourth version of 6.5.1.x we have tried to put on this particular 
set of controllers and each has brought a new set of issue; STM crash and cause 
APs to lose contact with controller; AMON not sending firewall session data; 
radar detection events; LACP and VRRP problems to name a few.

Since most of you have been back in session for a month or so, I thought I 
would ask to see what code version you have, issues you may have experienced, 
and any war stories you might want to share.  It would also be interesting to 
know what types of APs and controllers, and a brief description of your 
environment.

Thanks

Amel Caldwell
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.


** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Re: [WIRELESS-LAN] Aruba OS 6.5.X

[Michael Hulko]

We are experiencing the exact same issues across our controllers.  We upgraded 
in August to bring the AP300 series Aps online.  We have been in communication 
with TAC and there is a new release tomorrow to address the STM crashes… no 
word yet on the radar events.  I have not opened the can on the AP103H reboots 
that are constantly plaguing us.  WE are running 6.5.4.0 as it was recommended 
by TAC at the time to resolve the radar events.



On Sep 21, 2017, at 5:14 PM, Amel Caldwell mailto:am...@uw.edu>> 
wrote:

Hi y’all—

We have depleted our supply of AP 215s and are wanting to begin installing AP 
315s on our campus and have been having a hard time finding stable 6.5.X code.  
Our school starts next week, and we just had a failed attempt at rolling out 
6.5.1.8 because we saw dozens of radar detected events right after upgrading.  
This was the fourth version of 6.5.1.x we have tried to put on this particular 
set of controllers and each has brought a new set of issue; STM crash and cause 
APs to lose contact with controller; AMON not sending firewall session data; 
radar detection events; LACP and VRRP problems to name a few.

Since most of you have been back in session for a month or so, I thought I 
would ask to see what code version you have, issues you may have experienced, 
and any war stories you might want to share.  It would also be interesting to 
know what types of APs and controllers, and a brief description of your 
environment.

Thanks

Amel Caldwell
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.





Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Western Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x82433
direct: 519-850-2433
e-mail: mihu...@uwo.ca<mailto:mihu...@uwo.ca>




**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.

Re: [WIRELESS-LAN] Per room wireless

[Michael Hulko]

We have started down this road in several of our residences here at Western.

M

On Nov 4, 2016, at 10:48 AM, Michael Blaisdell 
mailto:mblaisd...@francis.edu>> wrote:

How many on the list have moved to a per room model for wireless for student 
residence halls?



Michael Blaisdell
Director of Network Services
IT Services
Learning Commons/Library
Saint Francis University
117 Evergreen Drive
Loretto, PA  15940
814-472-3242
http://www.francis.edu
The best way to predict the future is to invent it. Alan Kay

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x82433
direct: 519-850-2433
e-mail: mihu...@uwo.ca<mailto:mihu...@uwo.ca>




**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Who WiFi vendors does everyone use? REVISITED

[Michael Hulko]

The University of Western Ontario, Canada

28-30k concurrent devices
4000 Aruba APs
Aruba Controllers :  Master - Local with redundancy
Guest Access : Clearpass portal
Airwave monitoring

currently refreshing to ‘AC’ compatible APs.

Mike H

On Apr 1, 2016, at 6:15 PM, Watters, John 
mailto:john.watt...@ua.edu>> wrote:

I was going to give time for other questions to be suggested. However, it seems 
that folks have started replying very quickly.

I will tally this up & send it back out, maybe even tonight (though probably 
not).






-jcw
  

John Watters   The University of Alabama
Office of Information Technology
205-348-3992
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.


Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca<mailto:mihu...@uwo.ca>




**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Who wifi vendors does everyone use?

[Michael Hulko]

The University of Western Ontario, Canada…   Aruba  with just shy of 4k APs

-Mike


> On Apr 1, 2016, at 8:52 AM, Case, Brandon J  wrote:
> 
> Purdue is an all-Cisco shop with about 8500 APs
> 
> -Brandon
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Todd M. Hall
> Sent: Friday, April 1, 2016 8:44 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Who wifi vendors does everyone use?
> 
> Mississippi State is Cisco with 2k APs.
> 
> On Thu, 31 Mar 2016, Brian L. Cox wrote:
> 
>> Date: Thu, 31 Mar 2016 15:17:10 -0500
>> From: Brian L. Cox 
>> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
>>
>> To: WIRELESS-LAN@listserv.educause.edu
>> Subject: Re: [WIRELESS-LAN] Who wifi vendors does everyone use?
>> 
>> We are identical to Suffolk University ?.just under 1000 Aruba AP?s, 
>> ClearPass, Airwave and Extreme/Enterasys for wired.
>> 
>> __
>> Brian L Cox
>> Information Technology Services
>> Director of Networking & IT infrastructure
>> University of Nebraska Kearney
>> (308)865-8176
>> 
>> 
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeremy Gibbs
>> Sent: Thursday, March 31, 2016 2:01 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Who wifi vendors does everyone use?
>> 
>> I am sort of surprised at the low number of people using Extreme Networks.  
>> Then again, maybe I shouldn't be.
>> 
>> 
>> --
>> 
>> Jeremy L. Gibbs
>> Sr. Network Engineer
>> Utica College IITS
>> On Thu, Mar 31, 2016 at 12:55 PM, Norman Mourtada 
>> mailto:nmourt...@suffolk.edu>> wrote:
>> We are all Aruba for wireless just under a 1000 APs, with Clearpass and 
>> Airwave and Extreme/Enterasys for wired.
>> 
>> Norm Mourtada
>> Suffolk University
>> Boston, MA 02108
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>]
>>  On Behalf Of Watters, John
>> Sent: Thursday, March 31, 2016 12:44 PM
>> To: 
>> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
>> Subject: Re: [WIRELESS-LAN] Who wifi vendors does everyone use?
>> 
>> Cisco -- just under 6K APs right now.
>> 
>> 
>> 
>> 
>> -jcw 
>>  [UA Logo]
>> 
>> John Watters   The University of Alabama
>>   Office of Information 
>> Technology
>>   205-348-3992
>> 
>> 
>> ** Participation and subscription information for this EDUCAUSE 
>> Constituent Group discussion list can be found at 
>> http://www.educause.edu/groups/.
>> ** Participation and subscription information for this EDUCAUSE 
>> Constituent Group discussion list can be found at 
>> http://www.educause.edu/groups/.
>> 
>> ** Participation and subscription information for this EDUCAUSE 
>> Constituent Group discussion list can be found at 
>> http://www.educause.edu/groups/.
>> 
>> **
>> Participation and subscription information for this EDUCAUSE Constituent 
>> Group discussion list can be found at http://www.educause.edu/groups/.
>> 
>> 
> 
> -- 
> Todd M. Hall
> Sr. Network Analyst
> Information Technology Services
> Mississippi State University
> t...@msstate.edu
> 662-325-9311 (phone)
> 
> **
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.
> 
> **
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.


Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca 




**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] troubleshooting wireless issues

[Michael Hulko]

There are several vendors out there that provide a synthetic client that will 
do active monitoring and reporting.  We are in the process of test driving 
AirMagnet (Fluke)’s AHC solution.  I believe 7signal and Spierent (sorry about 
the spelling) are couple as well.  Airdefence (Motorola / Symbol) have been 
doing it for some time with their tri-radiio APs.

One other solution that has come on to the seen is NetBeez… still a bit of 
work, but I think they are heading in the right direction.

M

> On Apr 2, 2015, at 4:09 PM, Alexander, David  wrote:
> 
> I’d like to know what other schools are doing to proactively troubleshoot 
> wireless issues on your campus.
>  
> Our network team does a great job of troubleshooting end user wireless 
> connectivity issues when a customer calls the Service Desk to report an 
> issue, but end users don’t like to call our Service Desk to report issues.  
> Because of this, end users assume our network sucks or they try their own 
> workarounds (eg. using cellular data, etc.).
>  
> What level of success do you have with customers contacting your Service Desk 
> about connectivity issues?  Do you do anything to proactively find out if 
> customers are having connectivity issues?
>  
> It seems like a lot of the issues are on the client side (eg. updating 
> Surface Pro drivers, applying a Mac fix, etc.).  What approaches are you 
> using to communicate about device specific issues?
>  
> I’d appreciate any feedback you have on how you are approaching this issue on 
> your campus to improve end user experience with your wireless network.
>  
> Thanks,
> Dave
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/ <http://www.educause.edu/groups/>.



Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca 






**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] anybody using Aruba's Tarpit Shielding feature?

[Michael Hulko]

We use it here at Western… it does the job well for us, especially mitigating 
ad-hocs using the school’s published SSIDs and rogues.  We have not had any 
issues with clients connecting to Valid APs. 

Mike H

On Aug 11, 2014, at 6:42 AM, Gogan, James P  wrote:

> Was wondering if anyone with a large Aruba deployment has enabled their 
> "Tarpit Shielding" feature for dealing with rogue issues (full description 
> below for anyone not familiar with it)?If so, is that working out for 
> you?Has it caused problems for folks unrelated to rogue units?
>  
> Inquiring minds etc. etc. Thanks in advance!
>  
> -- Jim Gogan
> ITS Communication Technologies
> UNC-Chapel Hill
>  
>  
> description:
> Tarpit Shielding
> 
> The Tarpit Shielding feature is a type of wireless containment. Detected 
> devices that are classified as rogues are contained by forcing client 
> association to a fake channel or BSSID. This method of tarpitting is more 
> efficient than rogue containment via repeated de-authorization requests. 
> Tarpit Sheilding works by spoofing frames from an AP to confuse a client 
> about its association. The confused client assumes it is associated to the AP 
> on a different (fake) channel than the channel that the AP is actually 
> operating on, and will attempt to communicate with the AP in the fake channel.
> 
> Tarpit Shielding works in conjunction with the deauth wireless containment 
> mechanism. The deauth mechanism triggers the client to generate probe request 
> and subsequent association request frames. The AP then responds with probe 
> response and association response frames. Once the monitoring AP sees these 
> frames, it will spoof the probe-response and association response frames, and 
> manipulates the content of the frames to confuse the client.
> 
> A station is determined to be in the Tarpit when we see it sending data 
> frames in the fake channel. With some clients, the station remains in tarpit 
> state until the user manually disables and re-enables the wireless interface.
> 
>  
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.



Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca 






**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] OS X 802.1x auth issue

[Michael Hulko]

We use Radiator backend servers bound to each controller independently with 
failover to another Radius server.  At first we thought it was our radius 
servers having performance issues, but after checking response times and packet 
captures, we found the controller to be the lynch-pin.

M

On 2014-02-03, at 12:56 PM, Wright, Don wrote:

> Michael,  Are you using AAA Fastconnect allowing your controller to handle 
> radius requests instead of using a backend server?  While we haven't done 
> this ourselves, I know of others that have run into the same issue of not 
> being able to keep up with the auth requests.  You'll notice this even more 
> as smartphones will re-auth all the time.
> - Don
> 
> 
> On Fri, Jan 31, 2014 at 4:26 PM, Michael Hulko  wrote:
> One other wrench in this at least from the Aruba standpoint check the cpu 
> load on the Auth process  we found back in late October that one of our 
> heaviest used controller (M3 running 6.1.3.7) was pegging over 90% 
> utilization for the Auth process which at the time
> we believed the authentication was being additionally impacted (mostly 
> drops).  It was indicated (source does not want to be mentioned) that there 
> was a hard limit to the number of auth's per second the controller could 
> handle (approx. 40 - 50/sec), at peak we were
> running around ~100/sec.  We upgraded to the version 6.3.x to resolve other 
> issues.  We noticed that the system now spawned 3 Auth processes, but we 
> still getting complaints.  We then discovered through TAC and internal 
> investigation that a new dot1x throttling 
> mechanism had been introduced in the version of code. This new "Throttling" 
> was still impacting our authentications but saving the cpu's on the auth 
> process.  We were instructed to adjust the Watermarks to reach a balance 
> point from the defaults.  This is a slidiing scale
> the higher the Watermarks, the higher the cpu process, but the less drops 
> experienced.
> 
> to view the cpu process:  "Show cpuload current | include auth"
> 
> On 6.3x code:
> 
> to view the Throttle parameters: "show dot1x counters"  (There is some math 
> involved when the system decides to drop packets)
> to view the dropped auths: "show ap debug client-mgmt-counters" and look for 
> the "Associations Dropped Due to Auth Throttling"
> 
> In the end, the old addage still holds true..."You can never please 100% of 
> the people 100% of the timeKeep calm and carry on"
> 
> M
> 
> 
> 
> On 2014-01-31, at 2:11 PM, Jeffrey Sessler wrote:
> 
>> We noticed that the WLAN with band/load-steering enabled had a high report 
>> rate of Macintosh connectivity issues, and the WLAN that did not was trouble 
>> free.
>>  
>> I suspect what was happening was this: Mac would initially associate 
>> (Ent-WPA2), then the controller would force it to move to another band 
>> and/or AP. It's at this point (a roam) that the Apple certificate issue 
>> would kick in, and it was hit or miss as to the Mac re-associating or 
>> failing. This was especially problematic when a Mac client was equidistant 
>> from two AP's.
>>  
>> Turning off band/load steering pretty much eliminated the bulk of the 
>> connectivity issues, and trusting the certificate solved the rest.
>>  
>> Band/load steering is just problematic because you can never predict how a 
>> client will react to it.
>>  
>> Jeff
>> 
>> >>> On Friday, January 31, 2014 at 10:57 AM, in message 
>> >>> , 
>> >>> Norman Elton  wrote:
>> Interesting. What were the band-steering symptoms? Any way to pin the 
>> problem down to band-steering, or was it trial and error?
>> 
>> Norman
>> 
>> 
>> On Fri, Jan 31, 2014 at 1:44 PM, Edward Ip  wrote:
>> I agree with Jeff, we recently disabled band steering on our Aruba 
>> controllers and it has helped a bit.
>> 
>> Edward Ip
>> Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | 
>> K2G 1V8 | Canada
>> algonquincollege.com
>> 
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey Sessler
>> Sent: Friday, January 31, 2014 1:40 PM
>> 
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] OS X 802.1x auth issue
>> 
>> 
>> We've seen the cert issue, and OS 10.8 and 10.9 don't seem to like 
>> band/load-steering. The cert issue coupled with band-steering and/or 
>> load-steering make the Mac's very unhappy.

Re: [WIRELESS-LAN] OS X 802.1x auth issue

[Michael Hulko]

***
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
> 
> 
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
> 
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
> 



Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca <mailto:mihu...@uwo.ca>






**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards

[Michael Hulko]

Not necessarily related to Windows 8, but we have had the same issue with Intel 
Centrino family chipsets.  We had the users upgrade the chipset to the latest 
version available from Intel's site and that seemed to resolve the issues.

Never rely on the user to tell you that they have updated the drivers

MH


On 2013-12-04, at 12:59 PM, Joe Roth wrote:

> Shayne,
> 
> We have seen this as well. The instructions from the blog that Don posted are 
> essentially what we use. Our Help Desk has a flash drive with a pile of 
> wireless nic drivers that they keep handy.
> 
> 
> On Wed, Dec 4, 2013 at 12:50 PM, Sullivan, Don  wrote:
> Here is what we did:
> 
>  
> 
> http://blogs.technet.com/b/dennis_schnell/archive/2013/08/31/windows-8-1-wifi-showing-quot-limitied-quot-or-quot-no-internet-access-quot.aspx
> 
>  
> 
> More specifically –
> 
> Here's the instructions:
> 
> # Open Device Manager (search Windows Help if you don't know what this is)
> 
> # Select 'Network adaptors' and then open (double-click) Broadcom 802.11n 
> Network Adaptor
> 
> # Go to the Driver tab and click the Update Driver... button
> 
> # Select 'Browse my computer for driver software'
> 
> # Select 'Let me pick from a list of device drivers on my computer'
> 
> # Select the "Broadcom 802.11n Network Adaptor (Broadcom)" entry from the 
> list, and click Next
> 
> We have had this occur at 3 times and this fixed the issue for us. Hope it 
> helps you.
> 
>  
> 
>  
> 
> Don Sullivan
> 
> Network Adminstrator
> 
> Technology Services
> 
>  
> 
> 205-726-2111 | office
> 
> 205-566-1432 | mobile
> 
> 205-726-2524 | fax
> 
>  
> 
> dsulli...@samford.edu
> 
> www.samford.edu
> 
> 800 Lakeshore Drive, Birmingham, AL 35229
> 
>  
> 
> 
> 
>  
> 
>  
> 
>  
> 
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of T. Shayne Ghere
> Sent: Wednesday, December 04, 2013 11:25 AM
> 
> 
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Windows 8 and Broadcom wireless cards
> 
>  
> 
> Good morning,
> 
>  
> 
> I was wondering if any other school is having issues with the Broadcom 
> Wireless network cards running Windows 8/8.1 pro on a WPA2/AES network?  We 
> have students that are upgrading their Dell computers from Windows 7 to 
> Windows 8 and the cards stop working on our secure network.
> 
>  
> 
> They are prompted for 802.1x credentials, and the ACS server authenticates 
> them as well as the DHCP server handing out an IP address, but the computer 
> always states limited or no connectivity.
> 
>  
> 
> What is really weird is that we have a 1232AG radio and the card will connect 
> ONLY to the A radio, but not to the 1142N-A radio.   We are running 7.0.253.5 
> code because of the older AP’s on campus.   We did purchase a separate 
> controller for a test environment which we have running 7.4.110.0 now and it 
> still won’t connect to the 1142n-a radios.
> 
>  
> 
> Trying to back the driver down to Windows 7-64 bit doesn’t work (won’t allow 
> it to be installed).
> 
>  
> 
> Any ideas?
> 
>  
> 
> Thanks
> 
> Shayne
> 
>  
> 
> -
> 
> Bradley University
> 
> T. Shayne Ghere, CCNA
> 
> Network Engineer
> 
> 1501 W. Bradley Ave.
> 
> Morgan Hall, Suite 205
> 
> Peoria, IL  61625
> 
> sgh...@bradley.edu
> 
> (309) 677-3094  ofc.
> 
> (309) 677-3460 fax
> 
> Class 2011 FBI CA Graduate
> 
>  
> 
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
> 
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
> 
> 
> 
> 
> -- 
> Joe Roth
> Network Manager
> Binghamton University
> Ph. 607-777-7528
> Fax 607-777-4009
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
> 



Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca <mailto:mihu...@uwo.ca>






**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

NAT recording

[Michael Hulko]

This subject was introduced a year ago, and several schools had varying methods 
of recording NAT'd communications for legal requirements.  Several schools use 
the same process as we do, using a combination of Airwave, LanGuardian, and 
Netflow.  We had avoided using Connection tracking local on the box as we feel 
that this would greatly impact service.  I am interested to know what other 
schools are doing in this arena, if anything?

Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca <mailto:mihu...@uwo.ca>






**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Aruba 6.1.3.7

[Michael Hulko]

We have an open case with Aruba on a power issue with the 5Ghz PA when the AP 
is in Hybrid mode for Spectrum Monitoring.  This causes (iin our case) the POE 
switch to reset the port as it sees the AP asking for more current than 
negotiated. This action resets the AP and all clients are lost which 
interpreted to our Helpdesk as intermittent connectivity.  Since disabling the 
Spectrum Monitoring, we have not experienced any further disruptions.  We have 
several controllers running 6.1.3.7 and several running on 6.2.1.0.

Another problem has surfaced for us recently with MAC OSx, in that 10.8.3/.4 
may have keychain issues once more with 802.1x authentication.  Has anyone else 
run into this.  Of all the complaints, the version has always been 10.8.3 or 
higher ( it may have been prevelent on earlier versions as well).  Testing has 
shown that removing the entry in the Keychain resolves the problem for short 
time, but that is only after a reboot to get access to the keychain app.  I 
have not found any other updates by Apple to this issue.  I found this post 
which may still be related:

http://appleinsider.com/articles/12/11/20/keychain-errors-fixed-in-new-os-x-mountain-lion-supplemental-update-20


MH

On 2013-04-23, at 10:29 AM, Steve Hess wrote:

> Any other Aruba shops experiencing performance issues (users intermittently 
> losing network connectivity) since upgrading to 6.1.3.7? 
>  
>  
> Steve Hess
> Network Administrator
> Information Technology Department
> Johnson & Wales University
> 8 Abbott Park Place
> Providence, RI 02903
> Office: 401-598-1561
> Email: steve.h...@jwu.edu
>  
>  
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
> 



Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca <mailto:mihu...@uwo.ca>






**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Wireless and health issues

[Michael Hulko]

We have had both, Inquiries into our wireless design decisions by staff and 
students and have had protestors on campus against the use of "Wireless".  The 
protestors were vague on which "wireless" standard they were referring to, eg. 
cell vs wifi., but to them the argument was the same.  In several instances on 
Campus with staff having concerns, we pointed our health and safety persons to 
several articles which have been covered by this thread, but since you are from 
Canada, I have also included the "Canadian" prespective in relation to Health 
Code 6 provided by the government of Canada.  This government report is just 
additional information we have used to calm the waters per se.

http://publications.gc.ca/collections/collection_2010/parl/XC62-403-1-1-03-eng.pdf

We also talked directly with Health Canada's technical contact on clarification 
of Health Canada's Code 6 guidelines.  As far as for our vendor (Aruba), their 
stance is that they have the device certified by Canadian standards bodies and 
they provided us a copy of the certificate itself. No real declaration.

Of course, this can be challenged as it was with the protestors, that the 
Government lies to everyone on just about everything.

I have several more references if you are interested, but I think the main ones 
are listed in this thread. We can speak off-line if you have additional 
questions.

Good Luck.

MH


On 2013-01-08, at 11:48 AM, Craig Eyre wrote:

> Thanks everyone for the great information. I like the idea of the web page 
> with links to different safety resources. That way we can just point all our 
> users in that direction.
> 
> Regards,
> 
> Craig Eyre  
> Network Analyst
> IT Services Department
> Mount Royal University
> 4825 Mount Royal Gate SW
> Calgary AB T2P 3T5
> 
> P. 403.440.5199
> E. ce...@mtroyal.ca
> 
> "The difference between a successful person and others is not a lack of 
> strength, not a lack of knowledge, but rather in a lack of will."  Vincent T. 
> Lombardi
> 
> 
> Christina Klam ---01/08/2013 08:33:52 AM---As we get requests 
> every semester to remove wireless access points from apartments and office 
> due to
> 
> From: Christina Klam 
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU, 
> Date: 01/08/2013 08:33 AM
> Subject: [WIRELESS-LAN] Wireless and health issues
> Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> 
> 
> 
> 
> 
> As we get requests every semester to remove wireless access points from
> apartments and office due to a fear of radiation, I have added this link
> to our general computing website:
> http://web.princeton.edu/sites/ehs/radiation/nirad.htm
> 
> The link is from Princeton University.  We found it to be well
> researched and written.
> Hope this helps,
> 
> <http://web.princeton.edu/sites/ehs/radiation/nirad.htm>
> 
> -- Christina 
> Christina Klam
> Network Administrator
> Institute for Advanced Study
> Email:  ck...@ias.edu
> 
> Einstein Drive  Telephone: 609-734-8154
> Princeton, NJ 08540 Fax:  609-951-4418
> 
> **
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.
> 
> __
> This communication is intended for the use of the recipient to which it is 
> addressed, and may contain confidential, personal, and or privileged 
> information. Please contact the sender immediately if you are not the 
> intended recipient of this communication, and do not copy, distribute, or 
> take action relying on it. Any communication received in error, or subsequent 
> reply, should be deleted or destroyed.
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
> 



Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca <mailto:mihu...@uwo.ca>






**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Aruba AP Power Issue?

[Michael Hulko]

As a stop gap measure, we increased the available power to 25W on the port of 
the affected AP, assuming the switch can be configured.  We use HP.
This issue may have shortened the life of the AP, specifically the 5Ghz radios, 
but if an AP does go hard down, and if you have purchased the appropriate 
support, it's unfortunately nothing more than a RMA with Aruba to get them 
replaced.

MH

On 2012-11-07, at 3:32 PM, Kellogg, Brian D. wrote:

> We have been working with Aruba on this exact issue as well.  We have had the 
> custom build in place since last Friday morning.  We’ve lost one 105 since 
> the upgrade to the custom build, but nothing since.  What is hard to tell is 
> what APs were on the brink of failing before we installed the custom build.  
> Aruba support and sales has been extremely impressive to work with on this 
> issue, and when it comes to support I am not easily impressed.  We replaced 
> our Cisco install with Aruba here this summer.
>  
>  
> Fyi,
> Brian
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Hulko
> Sent: Wednesday, November 07, 2012 3:26 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: Aruba AP Power Issue?
>  
>  
> We have performed exhaustive troubleshooting with this particular issue.  We 
> tested several switches and found the problem to be the AP.  We have been 
> working with Aruba over the past several weeks (months) and they have 
> determined that the 5Ghz radio profile with the scanning option enabled, 
> causes this phenomena. When the radio comes off scanning, it sends a single 
> broadcast packet that pushes the power on the 5Ghz PA over the AF limits.  
> Aruba has provided a custom build which we are going to test and implement 
> tomorrow.  Aruba feels confident that the software change will solve the 
> issue.  They have performed an exhaustive engineering review of the 
> components and determined it to be software based.  
>  
> I will post results of our upgrade in the next couple of days.
>  
> Michael Hulko
>  
> On 2012-11-07, at 3:05 PM, Jason S. Cash wrote:
> 
> 
> On Wed, 7 Nov 2012, Chuck Enfield wrote:
> 
> 
> Hi Folks,
> We’re experiencing a significant number of problems where our PoE switches
> report that Aruba AP-105s are drawing more than 15.4W.  When this happens
> our switches shut off the power to the offending AP.  The problem is
> intermittent, but seems to occur repeatedly on the same APs, while never
> occurring on other APs.  Our diagnostics have eliminated excessive loss in
> the cabling as the culprit, which seems to leave two possibilities.  Either
> there are some Aruba AP-105s which are using more power than they are
> supposed to, or our switches are incorrectly measuring the power consumption
> of the APs.  If the APs are at fault, it’s unlikely that we would be the
> only ones with this problem.  Is anybody else having any issues with Aruba
> AP-105s drawing more than 15.4W?
> 
> Yes, We have a few ap105s sitting in a box with this exact issue. It doesn't 
> appear the be the switch in that we have seen it occur on both cisco 3560-X 
> and juniper ex3300 switches.
> 
> 
> Jason
> 
> 
> 
>  
> Thanks,
>  
> Chuck Enfield
> Sr. Communications Engineer
> Telecommunications & Networking Services
> The Pennsylvania State University
> 110H, USB2, UP, PA 16802
> ph: 814.863.8715
> fx: 814.865-3988
>  
>  
> ** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
>  
> 
> /*   Jason Cash  IT/Network and Systems Services
>   University of Delaware, Newark Delaware
> e:c...@udel.edu  v: 302-831-0461   */
> 
> **
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.
>  
> 
> 
> Michael Hulko
> Network Analyst
> 
> Western University Canada
> Network Operations Centre
> Information Technology Services
> 1393 Western Road, SSB 3300CC
> London, Ontario  N6G 1G9
> 
> tel: 519-661-2111 x81390
> e-mail: mihu...@uwo.ca <mailto:mihu...@uwo.ca>
>  
>  
> 
> 
> 
>  
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
> ** Participation and subscription information for this EDUCAUSE 
> Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/.
> 



Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca <mailto:mihu...@uwo.ca>






**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Aruba AP Power Issue?

[Michael Hulko]

We have performed exhaustive troubleshooting with this particular issue.  We 
tested several switches and found the problem to be the AP.  We have been 
working with Aruba over the past several weeks (months) and they have 
determined that the 5Ghz radio profile with the scanning option enabled, causes 
this phenomena. When the radio comes off scanning, it sends a single broadcast 
packet that pushes the power on the 5Ghz PA over the AF limits.  Aruba has 
provided a custom build which we are going to test and implement tomorrow.  
Aruba feels confident that the software change will solve the issue.  They have 
performed an exhaustive engineering review of the components and determined it 
to be software based.  

I will post results of our upgrade in the next couple of days.

Michael Hulko

On 2012-11-07, at 3:05 PM, Jason S. Cash wrote:

> On Wed, 7 Nov 2012, Chuck Enfield wrote:
> 
>> Hi Folks,
>> We’re experiencing a significant number of problems where our PoE switches
>> report that Aruba AP-105s are drawing more than 15.4W.  When this happens
>> our switches shut off the power to the offending AP.  The problem is
>> intermittent, but seems to occur repeatedly on the same APs, while never
>> occurring on other APs.  Our diagnostics have eliminated excessive loss in
>> the cabling as the culprit, which seems to leave two possibilities.  Either
>> there are some Aruba AP-105s which are using more power than they are
>> supposed to, or our switches are incorrectly measuring the power consumption
>> of the APs.  If the APs are at fault, it’s unlikely that we would be the
>> only ones with this problem.  Is anybody else having any issues with Aruba
>> AP-105s drawing more than 15.4W?
> 
> Yes, We have a few ap105s sitting in a box with this exact issue. It doesn't 
> appear the be the switch in that we have seen it occur on both cisco 3560-X 
> and juniper ex3300 switches.
> 
> 
> Jason
> 
> 
>>  
>> Thanks,
>>  
>> Chuck Enfield
>> Sr. Communications Engineer
>> Telecommunications & Networking Services
>> The Pennsylvania State University
>> 110H, USB2, UP, PA 16802
>> ph: 814.863.8715
>> fx: 814.865-3988
>>  
>>  
>> ** Participation and subscription information for this EDUCAUSE
>> Constituent Group discussion list can be found at
>> http://www.educause.edu/groups/.
>> 
> 
> /*   Jason Cash  IT/Network and Systems Services
>   University of Delaware, Newark Delaware
>     e:c...@udel.edu  v: 302-831-0461   */
> 
> **
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/groups/.



Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca <mailto:mihu...@uwo.ca>






**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Radius Load-balancing and Aruba

[Michael Hulko]

So to continue the thought...How are you managing the server certificates.  Does FreeRadius require a certificate per server instance or can you use a single server certificate for all instances?  I can see where having the number of servers providing authentication could give users a challenge where they roam between controllers and have to accept another certificate until they have accepted them all..your thoughts...Thanks again.MHOn 2012-05-16, at 8:54 AM, Colleen Szymanik wrote:We use FreeRadius and we manually load balance.  We try to keep things simple with good naming schemes since, at this point, we have 7 Aruba M3 production controllers with 4 backups supporting over 3000 APs.  We have 8 RADIUS server groups (4 physically different RADIUS servers with 2 instances of FreeRadius running on each of them).  What we decided to do was run each main controller to have a different primary RADIUS server.  We use EAP-TTLS(PAP) – it’s single threaded to a backend Kerberos system, so we needed the extra servers to handle the load (we were peaking over 17K clients on the system at a time this past spring, and who knows what fall will bring).  It was easier for us to do this manually – one less thing to worry about failing and we run reports from our RADIUS servers to make sure we are ok.  We were also running scripts on our controllers to make sure we didn’t get server timeouts as well.  Hope this helps – good luck! Colleen SzymanikUniversity of Pennsylvania From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael HulkoSent: Tuesday, May 15, 2012 2:06 PMTo: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUSubject: [WIRELESS-LAN] Radius Load-balancing and Aruba  We are attempting to create a load-balance farm of Radius servers for our 802.1x authentication.  The foundation is: Citrix Netscalars 9000sAruba M3 controllersRadiator radius server (currently 3) on a Windows platform. We have been unable to successfully get authentication to work.  We are getting Aruba involved, but they do not seem to have an answer yet.   Any comments/suggestions if you are already doing this or have alternatives would be greatly appreciated. Thanks Michael HulkoNetwork AnalystWestern University CanadaNetwork Operations CentreInformation Technology Services1393 Western Road, SSB 3300CCLondon, Ontario  N6G 1G9tel: 519-661-2111 x81390e-mail: mihu...@uwo.ca    ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Michael HulkoNetwork AnalystWestern University CanadaNetwork Operations CentreInformation Technology Services1393 Western Road, SSB 3300CCLondon, Ontario  N6G 1G9tel: 519-661-2111 x81390e-mail: mihu...@uwo.ca 

**
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Radius Load-balancing and Aruba

[Michael Hulko]

ArranThanks for your response..Our current testing is to a single radiator server, a single instance of a Radius farm in the Netscalar with "stickiness" to the client session.  We have tested terminating the EAP on both the controller and directly to the server.  We have captured traffic at all points in the path, and it appears in both cases, packets between the controller and the load-balancer is being mis-interpreted by the wireless controller.  We have submitted all captures to the Aruba SE to get something from them.  The load-balancer appears to pass all the packets to and from the controller to the radius server.respectfully,MichaelOn 2012-05-16, at 6:33 AM, Arran Cudbard-Bell wrote:On 15 May 2012, at 20:05, Michael Hulko wrote:We are attempting to create a load-balance farm of Radius servers for our 802.1x authentication.  The foundation is:Citrix Netscalars 9000sAruba M3 controllersRadiator radius server (currently 3) on a Windows platform.We have been unable to successfully get authentication to work.  We are getting Aruba involved, but they do not seem to have an answer yet.  Any comments/suggestions if you are already doing this or have alternatives would be greatly appreciated.Um quick check. All the RADIUS packets for an EAP session are going to the same RADIUS server right? AFAIK Radiator doesn't do EAP session state synchronisation, so you have to ensure the entire EAP exchange goes to a single backend server.-Arran**Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Michael HulkoNetwork AnalystWestern University CanadaNetwork Operations CentreInformation Technology Services1393 Western Road, SSB 3300CCLondon, Ontario  N6G 1G9tel: 519-661-2111 x81390e-mail: mihu...@uwo.ca <mailto:mihu...@uwo.ca>

**
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Radius Load-balancing and Aruba

[Michael Hulko]

Colleen...Thanks for your response..We have included your suggestion as part of a solution matrix to investigate.respectfully,MichaelOn 2012-05-16, at 8:54 AM, Colleen Szymanik wrote:We use FreeRadius and we manually load balance.  We try to keep things simple with good naming schemes since, at this point, we have 7 Aruba M3 production controllers with 4 backups supporting over 3000 APs.  We have 8 RADIUS server groups (4 physically different RADIUS servers with 2 instances of FreeRadius running on each of them).  What we decided to do was run each main controller to have a different primary RADIUS server.  We use EAP-TTLS(PAP) – it’s single threaded to a backend Kerberos system, so we needed the extra servers to handle the load (we were peaking over 17K clients on the system at a time this past spring, and who knows what fall will bring).  It was easier for us to do this manually – one less thing to worry about failing and we run reports from our RADIUS servers to make sure we are ok.  We were also running scripts on our controllers to make sure we didn’t get server timeouts as well.  Hope this helps – good luck! Colleen SzymanikUniversity of Pennsylvania From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael HulkoSent: Tuesday, May 15, 2012 2:06 PMTo: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUSubject: [WIRELESS-LAN] Radius Load-balancing and Aruba  We are attempting to create a load-balance farm of Radius servers for our 802.1x authentication.  The foundation is: Citrix Netscalars 9000sAruba M3 controllersRadiator radius server (currently 3) on a Windows platform. We have been unable to successfully get authentication to work.  We are getting Aruba involved, but they do not seem to have an answer yet.   Any comments/suggestions if you are already doing this or have alternatives would be greatly appreciated. Thanks Michael HulkoNetwork AnalystWestern University CanadaNetwork Operations CentreInformation Technology Services1393 Western Road, SSB 3300CCLondon, Ontario  N6G 1G9tel: 519-661-2111 x81390e-mail: mihu...@uwo.ca    ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Michael HulkoNetwork AnalystWestern University CanadaNetwork Operations CentreInformation Technology Services1393 Western Road, SSB 3300CCLondon, Ontario  N6G 1G9tel: 519-661-2111 x81390e-mail: mihu...@uwo.ca 

**
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Re: [WIRELESS-LAN] Radius Load-balancing and Aruba

[Michael Hulko]

Philippe...Thanks for the response...Yes..we are considering all options including the Radiator load-balancing features and suggestions from other listserv members to achieve our goal.Running an external load-balance service was just one of the options we were exploring to solve our authentication challenges/opportunities.  respectfully,Michael HulkoOn 2012-05-16, at 12:56 PM, Hanset, Philippe C wrote:




Michael,


Have you inquired about the built-in load balancing features of RADIATOR?
You might not need an extra load balancer...
Specifically one of these clauses:
 , , 
LOADBALANCE>, , .






Philippe





Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org





On May 15, 2012, at 2:05 PM, Michael Hulko wrote:





We are attempting to create a load-balance farm of Radius servers for our 802.1x authentication.  The foundation is:


Citrix Netscalars 9000s
Aruba M3 controllers
Radiator radius server (currently 3) on a Windows platform.


We have been unable to successfully get authentication to work.  We are getting Aruba involved, but they do not seem to have an answer yet.  


Any comments/suggestions if you are already doing this or have alternatives would be greatly appreciated.


Thanks






Michael Hulko
Network Analyst

Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9

tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca <mailto:mihu...@uwo.ca>










** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at
http://www.educause.edu/groups/.











**
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.


Michael HulkoNetwork AnalystWestern University CanadaNetwork Operations CentreInformation Technology Services1393 Western Road, SSB 3300CCLondon, Ontario  N6G 1G9tel: 519-661-2111 x81390e-mail: mihu...@uwo.ca <mailto:mihu...@uwo.ca>

**
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Radius Load-balancing and Aruba

[Michael Hulko]

We are attempting to create a load-balance farm of Radius servers for our 802.1x authentication.  The foundation is:Citrix Netscalars 9000sAruba M3 controllersRadiator radius server (currently 3) on a Windows platform.We have been unable to successfully get authentication to work.  We are getting Aruba involved, but they do not seem to have an answer yet.  Any comments/suggestions if you are already doing this or have alternatives would be greatly appreciated.Thanks
Michael HulkoNetwork AnalystWestern University CanadaNetwork Operations CentreInformation Technology Services1393 Western Road, SSB 3300CCLondon, Ontario  N6G 1G9tel: 519-661-2111 x81390e-mail: mihu...@uwo.ca 

**
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

RE: [WIRELESS-LAN] Aruba Mobility Design Options

[Michael Hulko]

@Stan::  we spoke some time ago when were making a decision on vendor to 
replace our wireless environment with 11N.  I would also like to chat off line 
as we are in the same scencario as Mr. Schilling on making a decision which way 
to go with 1: VLAN pooling and 2: Mobility

Thanks

Michael Hulko
Network Analyst
 
University of Western Ontario
Network Operations Centre
Information Technology Services
 
1393 Western Road, SSB 3300CC
London, Ontario  N6G 1G9
 
tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@listserv.educause.edu] On Behalf Of Brooks, Stan
Sent: Tuesday, January 18, 2011 1:08 PM
To: WIRELESS-LAN@listserv.educause.edu
Subject: Re: [WIRELESS-LAN] Aruba Mobility Design Options

Shiling -

The answers to your questions depend a lot on which code you are running.  I 
can speak for the the code we are running at Emory (3.3 and 3.4 code trains - 
we haven't made the jump to 5.0 yet).

We run in a multi core/VRF environment and have just changed out mobility model 
from IP mobility to VLAN due to a limitation with are versions of Aruba code.  
There is an issue with IP mobility in a multi-core environment.  Aruba will 
tunnel the IP traffic from the foreign agent (controller) to the home agent 
(controller) to effect user mobility, BUT it will use the home agent default 
route for the traffic.  If the default route is on a different core, you've got 
a broken path for the traffic, especially if you've got firewalls between 
cores.  Aruba is working on this limitation, but I don't know when they will 
have a fix for it.

VLAN pooling is the best thing since sliced bread and named VLANs and named 
VLAN pools are fantastic features (I've been asking for them since 2005 - they 
were implemented a year ago).  There is currently a limitation that you cannot 
assign a VLAN pool name through RADIUS, but I think it will be supported in the 
(hopefully near) future.

We do use VLAN pooling extensively and our pools are large - 16 to 20 /24 
subnets.  I don't think there is any issue going higher, but I don't know what 
the upper limit is.

I'd be happy to discuss our architecture with you off list.  You might also 
want to engage your Aruba Systems Engineer to advise you on the best way to 
integrate the Aruba hardware into your network architecture.

>>-> Stan Brooks - CWNA/CWSP
  Emory University
  University Technology Services
  404.727.0226
AIM/Y!/Twitter: WLANstan
   MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of schilling 
[schilling2...@gmail.com]
Sent: Tuesday, January 18, 2011 11:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba Mobility Design Options

Hi All,

I tried to join the list with my edu email, but still not received any
confirmation email yet. Resubscribe got email of "Rejected - similar
commands already pending".  So I am posting this message with my gmail
account.

We are trying to implement mobility for student. In order to fit into
our campus network virtualization with MPLS L3VPN, we would like to
have WLANs default gateway at Core routers, so we could have the
flexibility to selectively put certain WLANs to a MPLS L3VPN i.e
facstaff or students. We would also like to put certain clients into
certain WLAN pools according to their AD/LDAP attribute.  I knew we
could have dedicated controllers for each specific group of users. I
wish Aruba could provide multi-vrf/vrf-lite capability. All security
device like Cisco ASA/Juniper ScreenOS/Fortigate Firewall all have the
virtual router/context capability.

There are two ways to do mobility, layer 2/VLAN mobility, layer 3/IP
mobility. I am trying to explore both mobility options with the
constraint of WLAN default gateway in the Core router.

Attached please find two diagram,
student-alternatives-vlan-mobility.jpeg with the following notes/questions
Notes: Layer 2/VLAN mobility requires all user VLANs/WLANs to be
present on all controllers in the same mobility domain.

Is it feasible/recommended to have 10 Aruba Controllers w/ 80%*512 AP
termination in a layer 2/VLAN mobility group?

Is it feasible/recommended to have 4000 users/devices in a layer
2/VLAN mobility group w/ 16 /24 VLANs in a VLAN pool?

student-alternatives-ip-mobility.jpeg with the following notes/questions
Notes: Layer 3/IP mobility requires ip address for user VLAN -WLAN to
correctly forward layer-3 broadcast/multicast traffic to clients
when they are away from home network

Could Core be the default gateway for user VLANs/WLANs while still
have an IP address in Aruba Controllers for
corresponding user VLANs/WLANs to provide layer 3/IP mobility?

Could VLAN pooling feature be used in thi

RE: [WIRELESS-LAN] Cutting way back on Cisco APs- turns out they have a lot more potential output than we thought

[Michael Hulko]

This is part of the Cisco "Clean Air" initiative..

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Justin Hao
Sent: Monday, August 30, 2010 12:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cutting way back on Cisco APs- turns out they have 
a lot more potential output than we thought

 

my favorite is how 100dbm is the *default* setting.

 

-justin

 

On Aug 30, 2010, at 10:18 AM, Chuck Enfield wrote:





Evaporating all nearby clients should also help reduce the number of trouble 
calls.  RF design made easy!

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman
Sent: Monday, August 30, 2010 11:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cutting way back on Cisco APs- turns out they have a 
lot more potential output than we thought

 

Hopefully the graphic makes it. turns out we have the capability of getting a 
little better than 3.9 Million kilowatts out of our Cisco APs, so we may just 
install one in the middle of campus and pretty much cover the entire western 
hemisphere and parts of numerous galaxies:

 



 

 

-Lee Badman 

 

 

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found 
athttp://www.educause.edu/groups/.

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

 

 

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/. 


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.