Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] WLAN onboarding

2021-04-07 Thread Norman Elton
We use SecureW2 for EAP-TLS. In addition to working well, and handling the
recent Android changes fairly well, I’ll commend their excellent support
staff. They are always quick to respond and extremely knowledgeable about
all things CA related.

A word to those looking to go EAP-TLS, whether SecureW2 or not ... you have
to make lots of important decisions up front (particularly around your CA
structure) and then live with them, basically, forever. Talk to a number of
other institutions about how they’ve named & labeled things before
beginning to onboard users.

Norman Elton
William & Mary

On Wed, Apr 7, 2021 at 2:55 PM Adam T. Ferrero  wrote:

>
>   I love the geteduroam app!  It is awesome, easy, pretty, and simple.  We
> are planning to leverage it for more of our onboarding.
>
>   We are open SSID with Aruba Clearpass captive portal, SMS texted
> credentials for self service guests (via Twilio), and switch to WPA2
> enterprise for actual internet access.  We’d been using Aruba OS specific
> landing pages to feed their Quick Connect tool to onboard.  Aruba is
> encouraging Onboard rather than Quick Connect but that comes with license
> fees.  With Android 11 changes and a desire to deprecate our PEAP/MSCHAP
> we’ve been spending time here.
>
>   Still a work in progress but geteduroam app is a win!  Nice work to that
> team!
>
>   Adam
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Philippe Hanset
> *Sent:* Wednesday, April 7, 2021 10:55 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [External] Re: [WIRELESS-LAN] WLAN onboarding
>
> Lee,
>
> Based on your timeframe you might also want to consider the new
> development that is done in Europe called “geteduroam”.
>
> https://www.geteduroam.app
>
> It is App based and will feed from CAT but it is based on EAP-TLS or on
> EAP-TTLS/PEAP if preferred.
>
> So you could start with CAT and username/password (CAT allows you to
> provision eduroam and other SSIDs as well) and evolve later to EAP-TLS.
>
> Philippe
>
> Philippe Hanset, CEO
> www.anyroam.net
> Operator of eduroam-US
> +1 (865) 236-0770
>
> On Apr 7, 2021, at 10:05 AM, Lee H Badman <
> 00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:
>
> Hello everyone, hope your semesters are going along smoothly and that you
> are all staying healthy. As always- this message is not an invite for
> vendors to contact me.
>
> Looking out down our short timeline, we need to make a number of decisions
> about various aspects of our WLAN operations. One of these decision points
> is if/how to do the 802.1X onboarding after our current solution goes End
> of Everything at year’s end. To that end, I’m looking for any and all
> feedback on these questions:
>
> - If you are using PEAP/MS-CHAP v2, what is your onboarder of choice (even
> if none, with manual config as methodology)?
>
> - If you are doing PEAP-TLS, what is your onboarder of choice?
>
> - Have you recently piloted any onboarders that you just hate for any
> reason?
>
> - For those using eduroam as your 802.1X environment, have you found the
> free configuration tool to be reliable? Any downsides to using it at scale?
>
> Interested in 3rd party, native, whatever.
>
> Thanks as always,
>
> Lee Badman
>
> *Lee Badman* | Network Architect (CWNE#200)
>
> Information Technology Services
> (NDD Group)
> 206 Machinery Hall
> 120 Smith Drive
> Syracuse, New York 13244
>
> *t* 315.443.3003  * e* lhbad...@syr.edu *w* its.syr.edu
>
> Campus Wireless Policy:
> https://answers.syr.edu/display/network/Wireless+Network+and+Systems
>
> *SYRACUSE UNIVERSITY*
> syr.edu
>
>
>
> **
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community

Re: [WIRELESS-LAN] Wireless Upgrade Project

2020-12-31 Thread Norman Elton
I don't want to double-down on the Juniper/Mist praise, but we're migrating
there after many years with Aerohive (now Extreme). We're phasing the
migration in over the next 5-ish years.

We got away from controllers many years ago (we were previously
Airespace/Cisco), and haven't looked back. We appreciate that Aruba sweeps
up the higher-ed market, and have evaluated them numerous times. Their
local engineer is by far the most knowledgeable field engineer we've ever
met.  But I'm not jealous when I hear about controller failures, APs
dropping their tunnel, HA problems, etc. We do have to architect a network
that supports VLANs to each AP, but we already provide similar VLANs for
wired devices. It's trivial to configure their wireless equivalents and
configure trunk ports for the AP. I'll gladly do that if we get away from
controller headaches. Back in the day, controllers enabled all sorts of
cool features. But those differentiators are dwindling as cooperative /
cloud-managed APs continue to mature.

As a bonus, we can do rolling upgrades, testing new firmware in limited
buildings before rolling out across campus. No more holiday-break
campus-wide upgrades!

I'd love to talk to other Aerohive customers who are riding out the Extreme
acquisition. Feel free to respond here, or privately.

Norman Elton
Director, IT Infrastructure
William & Mary

On Thu, Dec 31, 2020 at 12:31 PM Nadim El-Khoury 
wrote:

> Hi Everyone,
>
> We migrated away from on-premises Aruba Controllers to Juniper Mist and
> Mist Edge devices (to address the L2 problem). We chose Juniper Mist
> because of the personal WLAN technology, easy deployment, and
> other diagnostics tools such as Marvis and automatic capturing of packets
> when issues arise in the middle of the night. With Aruba, students in the
> dorms could not easily connect their gaming devices, Roku devices, smart
> TVs, Firestick, Alexa, and so forth. With Juniper Mist Personal WLAN,
> students get their pre-shared key for those devices and easily connect
> them. We have seen those devices stay connected for more than 30 days at a
> time. When using Aruba, they barely stayed connected.
>
> We spent hours on troubleshooting calls with Aruba, and now those are
> behind us, especially since we have a tiny team (6 people including myself)
> to manage systems and the network infrastructure.
>
> There is still room for improvement for the Juniper Mist product, however,
> going back to an on-prem solution is something that I am not in favor of
> anymore.
>
> I will be more than happy to answer any questions.
>
> Best,
>
> Nadim El-Khoury
> Director of Networks, Systems, Infrastructure, and Information Security
> Officer
> Springfield College
> E-mail: nel-kho...@springfield.edu
> Office: +1-413-748-3925
>
>
> On Thu, Dec 31, 2020 at 11:46 AM Lee H Badman <
> 00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:
>
>> Using Meraki in our branch locations, we have a couple of sites with 35
>> APs, several more with anywhere from just one to a handful. I have zero
>> regrets. The bugs are few and far between. We don’t have many VLANs in
>> these sites, which would be the nut to crack in larger deployments. Here’s
>> an aging article I wrote on that
>> https://www.toolbox.com/tech/cloud/blogs/why-were-not-all-flocking-to-mist-and-meraki-wireless-the-layer-2-situation-101518/
>>
>> But VLANs aside, it is soo nice not having a buggy controller and
>> semi-worthless bloated NMS to keep up, given that those are Meraki’s
>> problem. We are still controller-based on the big WLAN, so we are living in
>> both worlds.
>>
>> Lee Badman (mobile)
>>
>> On Dec 31, 2020, at 11:38 AM, Ian Lyons wrote:
>>
>> I will provide a disclaimer that "things cloud" are not my favorite-in
>> the regards that you have to prove that your network is not the problem
>> before vendors truly commit in a down/crisis issue.  But the new world
>> order is here.
>>
>> Having said that, have people who have gone to the cloud have diverse end
>> user client gear? iPads, iPhones, IoT, PC, Mac etc.   Going back in time, I
>> had Meru and RingMaster and with a pure PC client I never had an issue. As
>> soon as the Macs etc (anything other than a PC) came online, chaos ensued.
>>
>> Solution was to go with a newer (or better-sorry Meru)  on prem
>> controller and when Apple did the "walled garden" fiasco, the controller
>> vendors did a GREAT job un'effing what Apple did to us (again as a school
>> in Sept/Oct) -just as classes were in full swing-with students who blithely
>> get the latest greatest Apple software and then were not able to

Re: [WIRELESS-LAN] Status of Wi-Fi 6 Client Drivers?

2020-09-23 Thread Norman Elton
We uncovered the same driver issue shortly after deploying 802.11ax.
We mitigated by leaving 802.11ax enabled on the 5GHz radios, but
disabling on the 2.4 radios. This way, compliant devices can connect
and take advantage of 5GHz connectivity. Those devices with faulty
Intel drivers can still connect, albeit at substantially reduced data
rates. There may be some inner workings of 802.11ax that I don't
recall, but this worked for us!

This was on our Mist AP43s, limited to a single building. The rest of
campus is running 802.11ac access points from Aerohive.

Norman Elton
William & Mary

On Wed, Sep 23, 2020 at 5:38 PM Lee H Badman
<00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:
>
> What is truly frustrating is that all vendors involved are likely members of 
> the Wi-Fi Alliance, whose "interoperability" testing obviously isn't getting 
> it done.
>
> One man's opinion.
> From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Ethan Grinnell
> Sent: Wednesday, September 23, 2020 5:31:30 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Status of Wi-Fi 6 Client Drivers?
>
> I recently wanted to do testing with an affected driver and was able to 
> obtain them on OEM websites instead of directly from Intel. This build has 
> the issue with WiFi6 SSID visibility: 
> https://support.lenovo.com/us/en/downloads/DS103594
>
> Also, I noticed that the Windows 10 built-in driver for many Intel WiFi chips 
> is version 17.x (It was on my test client) which didn't seem to have the 
> issue. So that's fun, it's not just versions lower than some baseline build 
> number being affected. I didn't test many different builds, but it looked 
> like 17.x was good, 18.x, 19.x, and 20.x had some affected builds. More 
> information here: 
> https://www.intel.com/content/www/us/en/support/articles/54799/network-and-i-o/wireless.html
>
> The issue is still around. Many BYOD types require users to update their own 
> drivers, which few seem to do. Windows doesn't always update the drivers 
> either, so there could potentially be lingering issues from outdated drivers 
> for a long time.
>
> Ethan Grinnell
> CCIE R&S #39723, BS CmpE
> Network Engineer
> Office of Information Technology, Technology Infrastructure, Networking
> Portland State University
>
>
> On Wed, Sep 23, 2020 at 2:01 PM Mike Atkins  wrote:
>>
>> We deployed our ax capable APs without ax enabled for the same Intel driver 
>> issues.  I wanted to test something with a flawed driver recently and 
>> noticed it is no longer available from Intel.  I think Intel revamped their 
>> downloads page at the end of last year to remove all but the newest 
>> revisions of drivers.   We use SecureW2 for eduroam onboarding so we can get 
>> a sense of drivers used by Windows devices.  We will probably enable Wi-Fi 6 
>> next year if the numbers continue to look good.
>>
>> Mike Atkins
>> Infrastructure Architect
>> Office of Information Technology
>> University of Notre Dame
>> Phone: 574-631-7210
>>
>> From: The EDUCAUSE Wireless Issues Community Group Listserv On Behalf Of Nadim El-Khoury
>> Sent: Wednesday, September 23, 2020 4:41 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] Status of Wi-Fi 6 Client Drivers?
>>
>> Hi Eric,
>>
>> One more thing that I forgot to answer. We elected to keep Wi-Fi 6 enabled 
>> and just disabled it in the vicinity of our Technical Support Center (User 
>> Support) in the Library building.
>>
>> Best,
>>
>> Nadim
>>
>> On Wed, Sep 23, 2020 at 4:35 PM Floyd, Brad  wrote:
>>
>> Eric,
>> I have deployed almost 200 of the Aruba 530 series APs so far in the last 
>> 2-3 months. I saw, first hand, what happens with the 802.11ax enabled SSID 
>> and the flawed Intel drivers. The SSIDs don't appear to those devices. When 
>> we were discussing whether or not to deploy the ax APs vs stick with ac APs, 
>> we decided we wanted the longer remaining life span before end-of-sale / 
>> end-of-support of the APs of the ax vs the ac. The added benefit Aruba 
>> provides is that it is very simple to disable the features (just a s

Re: [WIRELESS-LAN] MAC authentication bypass on Freeradius

2020-08-28 Thread Norman Elton
Ahh yep ... we use EAP-TLS, but continue to advertise an open SSID for
onboarding (we use SecureW2), and for devices that do not support
EAP-TLS.

By default, users are required to use eduroam. Students can
self-enroll their devices (gaming consoles, etc) onto the open SSID.
Some inevitably self-enroll their laptops for various reasons. But
getting everyone connected to eduroam while on campus streamlines
their experience when they travel to another institution.

Norman

On Fri, Aug 28, 2020 at 10:38 AM Tim Cappalli
<0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> Yes, EAP-TLS, EAP-TTLS and PEAPv0/EAP-MSCHAPv2 are the common three EAP 
> methods deployed, with TEAP becoming more popular.
>
> Great care should be taken when using a legacy method like PEAPv0 with user 
> credentials. Ensure the device is under management and the user cannot modify 
> the supplicant configuration (same with EAP-TTLS/PAP or EAP-TTLS/MSCHAPv2).
>
> Ideally these devices should just use what the rest of your students, faculty 
> and staff are using.
>
> tim
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Nadim El-Khoury
> Sent: Friday, August 28, 2020 10:35
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: Re: [WIRELESS-LAN] MAC authentication bypass on Freeradius
>
> Hi Tim,
>
> Thank you for the information and advice.
> Maybe use EAP-TLS or PEAP with EAP-TLS as the inner authentication method.
> Do you think that would work?
> Has anyone done that with Freeradius and eduroam?
>
> Best,
>
> Nadim
>
> On Fri, Aug 28, 2020 at 9:57 AM Tim Cappalli 
> <0194c9ecac40-dmarc-requ...@listserv.educause.edu> wrote:
>
> eduroam is an 802.1X network. You need to use an EAP-based authentication 
> method. MAC address can only be used as authorization context (but really 
> shouldn't be).
>
> Tim
> 
> From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Nadim El-Khoury
> Sent: Friday, August 28, 2020 9:52:08 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> Subject: Re: [WIRELESS-LAN] MAC authentication bypass on Freeradius
>
> Hi Norman,
>
> Let me better explain what we are trying to do.
> We used to have an open hidden SSID using a WEP key to connect loaner laptops 
> (Windows, Macs), iPads, and Chromebooks.
> We upgraded our wireless network to MIST and we decided to only advertise 
> eduroam.
> We want to connect the above devices to eduroam using MAC address 
> authentication, and it is not working.
>
> Best,
>
> Nadim
>
> On Thu, Aug 27, 2020 at 9:38 PM Norman Elton  wrote:
>
> Do you mean authenticate non-802.1x clients based on MAC address? Yes.
> It works fine. We have an Open Access SSID, with "MAC address
> authentication by RADIUS lookup". We provide our RADIUS server IP &
> secret. Our FreeRADIUS server takes the request and responds with an
> Accept/Reject, and the following attributes:
>
> Tunnel-Type = "GRE"
> Tunnel-Medium-Type = "IP"
> Tunnel-Private-Group-ID = 
>
> I don't remember any specific challenges, but if you can post what's
> not working, I'm happy to help. And/or jump on a call and compare
> experience with Mist.
>
> Norman
>
> On Thu, Aug 27, 2020 at 4:14 PM Nadim El-Khoury wrote:
> >
> > Hi Everyone,
> >
> > Has anyone been able to get MAC authentication bypass to work properly with 
> > FreeRadius and MIST Wireless?
> >
> > Best,
> >
> > Nadim
> >

Re: [WIRELESS-LAN] MAC authentication bypass on Freeradius

2020-08-27 Thread Norman Elton
Do you mean authenticate non-802.1x clients based on MAC address? Yes.
It works fine. We have an Open Access SSID, with "MAC address
authentication by RADIUS lookup". We provide our RADIUS server IP &
secret. Our FreeRADIUS server takes the request and responds with an
Accept/Reject, and the following attributes:

Tunnel-Type = "GRE"
Tunnel-Medium-Type = "IP"
Tunnel-Private-Group-ID = 

I don't remember any specific challenges, but if you can post what's
not working, I'm happy to help. And/or jump on a call and compare
experience with Mist.

Norman

On Thu, Aug 27, 2020 at 4:14 PM Nadim El-Khoury wrote:
>
> Hi Everyone,
>
> Has anyone been able to get MAC authentication bypass to work properly with 
> FreeRadius and MIST Wireless?
>
> Best,
>
> Nadim

Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-08-07 Thread Norman Elton
Just a Friday afternoon update ...

I upgraded to Beta 4, and noticed that I was back to my physical MAC
address. This was also the case when I first went from iOS 13 to Beta 3, it
took a few days to start randomizing my address. I’ll keep an eye on things
over the next few days and let you know what I find out.

Norman



On Thu, Aug 6, 2020 at 8:05 PM Turner, Ryan H wrote:

> Are you referring to the serial?   Would Chad be willing to post his unlang
> for the FreeRADIUS config?
>
> Ryan Turner
> Head of Networking, ITS
> The University of North Carolina at Chapel Hill
> +1 919 274 7926 Mobile
> +1 919 445 0113 Office
>
> On Aug 6, 2020, at 5:02 PM, Philippe Hanset <
> 005cd62f91b7-dmarc-requ...@listserv.educause.edu> wrote:
>
>  About EAP-TLS blocking ...
>
> You do not need to revoke a cert (too painful indeed for operator and
> user). Chad wrote a hook for the Anyroam service that identifies the
> certificate’s fingerprint. So if a device misbehaves, you can just block
> the device via the certificate’s fingerprint. With one certificate per
> device, you end up with the same as a SIM card (or the good ol MAC address
> :)
>
> Philippe Hanset, CEO
> ANYROAM LLC
> www.anyroam.net
> www.eduroam.us
> +1 (865) 236-0770
>
> On Aug 6, 2020, at 11:29 AM, Turner, Ryan H wrote:
>
> The other issue comes in with blocking devices.  On open networks/PSK
> networks, this will make isolating bad devices really difficult.  We have
> relied on MAC address blocks for over a decade.  They work very well.  Yes,
> you can get a determined individual that can get past/change their MAC
> address.  But that is going to be a tiny fraction of cases, and MAC
> blocking is an effective way of blocking a bad device.
>
> We require registration for our PSK network.  So the private MAC addresses
> will be blocked effectively there.  But we haven’t required registration on
> eduroam (our primary), because we have identity in the certificate.  We
> chose not to use OCSP (but we can), but if we revoke a cert, we have to
> also block the user from getting another certificate (2 steps, instead of
> one, which is why we have stayed with MAC blocking).  We could require
> folks to register for eduroam, but that is such a nasty thing to do to the
> users.   Gr.  Not an easy fix.
>
> Ryan
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Enfield, Chuck
> *Sent:* Thursday, August 6, 2020 11:14 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] MAC Randomization, a step further...
>
> I’ll also add that identity is what makes a private network private.  Yes,
> you can check identity at connection time then throw it away and still
> remain private, but that’s never been an option for us when designing
> services with our risk, legal and info security departments.
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Julian Y Koh
> *Sent:* Thursday, August 06, 2020 10:59 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] MAC Randomization, a step further...
>
> On Aug 6, 2020, at 09:51, Enfield, Chuck wrote:
>
> How can we fulfill DMCA requirements when we can’t even identify a device,
> let alone the user?  If you want to remain anonymous, use a different
> network.
>
> IANAL, and I don’t even play one on TV, but my admittedly old
> understanding of the DMCA is that it’s not necessarily mandating that you
> have to be able to identify every single device on your network.  Indeed,
> some institutions’ responses to DMCA notices have been that they don’t have
> the necessary information to be able to take action.  So IMO, assuming
> (which is dangerous) that I’m correct, that if MAC randomization puts an
> undue burden and/or large obstacles on your ability to track down a
> device/user and cut it off from the network, the DMCA alone shouldn’t be
> seen as a mandate to try to disable MAC randomization.
>
> --
>
> Julian Y. Koh
> Associate Director, Telecommunications and Network Services
> Northwestern Information Technology
> 2020 Ridge Avenue #331
> Evanston, IL 60208
> +1-847-467-5780
> Northwestern IT Web Site:
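
As an added example (mine, not code from the thread, FreeRADIUS or Mist), the Python below models the authorization decision behind the open-SSID "MAC address authentication by RADIUS lookup" Norman describes in the MAC authentication bypass thread, returning the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes on Access-Accept, and adds the check this MAC randomization discussion motivates: whether the presented address is a locally administered (randomized) one that cannot be registered or blocked reliably. The device registry, block list, group names and sample requests are constructed; the Tunnel-Private-Group-ID value, elided in the thread, is a placeholder.

```python
"""MAB (MAC authentication bypass) authorization model for an open onboarding SSID.
Added example, not code from the thread, FreeRADIUS or Mist. The device registry,
block list, group names and sample requests are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Attributes the FreeRADIUS server in the thread returns with Access-Accept.
# Tunnel-Private-Group-ID was elided in the thread; the group names below
# are constructed placeholders.
TUNNEL_TYPE = "GRE"
TUNNEL_MEDIUM_TYPE = "IP"

# Constructed registry of self-enrolled devices: normalized MAC -> (owner, group).
REGISTERED: Dict[str, Tuple[str, str]] = {
    "a4:83:e7:12:34:56": ("student-1 game console", "GROUP-STUDENT-IOT"),
    "00:1a:2b:3c:4d:5e": ("loaner-laptop-07", "GROUP-LOANER"),
}
# Constructed block list: the MAC-blocking practice discussed in the thread.
BLOCKED = {"00:1a:2b:3c:4d:5e"}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw: str) -> str:
    """Accept the forms a NAS may send (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
    aabb.ccdd.eeff, AABBCCDDEEFF) and return lower-case, colon-separated.
    Raises ValueError unless exactly 12 hex digits remain."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set. Randomized
    "private" Wi-Fi addresses such as iOS 14's are locally administered, so
    they are not a stable identifier for registration or blocking."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

@dataclass
class RadiusReply:
    code: str                      # "Access-Accept" or "Access-Reject"
    reason: str                    # why, for the RADIUS log
    attributes: Dict[str, str] = field(default_factory=dict)

def authorize(user_name: str, calling_station_id: Optional[str] = None) -> RadiusReply:
    """Decide one MAB Access-Request. The NAS sends the client MAC as User-Name
    and usually again as Calling-Station-Id; the two must agree."""
    try:
        mac = normalize_mac(user_name)
        if calling_station_id is not None and normalize_mac(calling_station_id) != mac:
            return RadiusReply("Access-Reject", "User-Name and Calling-Station-Id differ")
    except ValueError as exc:
        return RadiusReply("Access-Reject", str(exc))
    if mac in BLOCKED:
        return RadiusReply("Access-Reject", "device is blocked")
    if is_locally_administered(mac):
        # Policy choice: a randomized address will change, so it can neither be
        # registered nor blocked reliably. Reject it and let the onboarding
        # portal tell the user to register the hardware address instead.
        return RadiusReply("Access-Reject", "randomized (locally administered) MAC")
    if mac not in REGISTERED:
        return RadiusReply("Access-Reject", "unregistered device")
    owner, group = REGISTERED[mac]
    return RadiusReply("Access-Accept", f"registered to {owner}", {
        "Tunnel-Type": TUNNEL_TYPE,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE,
        "Tunnel-Private-Group-ID": group,
    })

def summarize(requests: List[Tuple[str, Optional[str]]]) -> Dict[str, int]:
    """Tally decisions for a batch of (User-Name, Calling-Station-Id) pairs,
    e.g. a day of MAB logs, to see how many clients arrive randomized."""
    counts = {"Access-Accept": 0, "Access-Reject": 0, "randomized": 0}
    for user_name, csid in requests:
        reply = authorize(user_name, csid)
        counts[reply.code] += 1
        if reply.reason.startswith("randomized"):
            counts["randomized"] += 1
    return counts

# Constructed sample of Access-Requests in the formats a NAS might send.
SAMPLE_REQUESTS = [
    ("A4-83-E7-12-34-56", "a4:83:e7:12:34:56"),  # registered console
    ("001a2b3c4d5e", None),                      # registered but blocked
    ("da:a1:19:00:00:01", "da:a1:19:00:00:01"),  # iOS-style private address
    ("0011.2233.4455", None),                    # hardware MAC, never registered
    ("not-a-mac", None),                         # malformed User-Name
]

if __name__ == "__main__":
    for user_name, csid in SAMPLE_REQUESTS:
        reply = authorize(user_name, csid)
        print(f"{user_name:>20} -> {reply.code}: {reply.reason} {reply.attributes}")
    print(summarize(SAMPLE_REQUESTS))
```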

Re: [WIRELESS-LAN] MAC Randomization, a step further...

2020-07-21 Thread Norman Elton
This is all fascinating, I’m looking forward to getting my hands on a
public beta.

Those “in the know” ... does this impact 1x networks as well as open? It
seems that if you’re connecting with credentials, there’s already a trust
relationship in place.

And is the feature enabled for networks that were configured before
upgrading to iOS 14?

Fun times,

Norman Elton



On Tue, Jul 21, 2020 at 2:55 PM Rios, Hector J <
hector.r...@austin.utexas.edu> wrote:

> I just finished reading the “Apple Beta Software Program Agreement”.
> Interesting information:
>
> “Don’t blog, post screen shots, tweet, or publicly post information about
> the public beta software, and don’t discuss the public beta software with
> or demonstrate it to others who are not in the Apple Beta Software Program.”
>
> So, I need everyone to sign up to the beta software program so we can
> continue this conversation (J/K)
>
> Hector Rios, Wireless Network Architect
> The University of Texas at Austin
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Tim Cappalli
> *Sent:* Tuesday, July 21, 2020 1:06 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] MAC Randomization, a step further...
>
> Yeah, good catch Chris! I’d be interested in seeing some field data as
> well. The only info I saw was that it changed every 24 hours, but it sounds
> like there’s a * which indicates inactivity / not associated.
>
> It makes much more sense that it wouldn’t change if the device maintains
> an active connection as there are really no privacy concerns until the
> device disconnects and moves.
>
> tim
>
> *From: *The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date: *Tuesday, July 21, 2020 at 13:15
> *To: *WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject: *Re: [WIRELESS-LAN] MAC Randomization, a step further...
>
> Tim had mentioned the following: “On iOS 14, the MAC is set per ESSID and
> is changed once every 24 hours.”
>
> Chris then mentioned that he found one iOS 14 device that, as long as it
> remains connected, the MAC remains the same, even beyond 24hrs.
>
> Has anyone else done testing? Please share your results.
>
> Hector Rios, Wireless Network Architect
> The University of Texas at Austin
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Johnson, Christopher
> *Sent:* Monday, July 20, 2020 10:19 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] MAC Randomization, a step further...
>
> Default behavior matters indeed. Got a preview of what to expect over the
> weekend.
>
> Found one individual that was in Aruba Airwave “12 Times” for their iPhone
> 14.0 over past couple of weeks and another “6 times”. It appears that as
> long as the device remains “connected” to the network beyond the 24 hours,
> the MAC Address will remain the same. Although if they’re fully
> de-authenticated or move say into an elevator or outside (or a class phone
> reboot occurs in the pocket) – then the MAC Address will update upon
> establishing a new connection – that is just the initial observation I saw.
>
> *Christopher Johnson*
> Wireless Network Engineer
> Office of Technology Solutions | Illinois State University
> (309) 438-8444
>
> Stay connected with ISU IT news and tips with @ISU IT Help on Facebook
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.facebook.com%2FISUITHelp%2F&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7Cc141f9922e2241c5153b08d82d99b43e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637309485473827397&sdata=FGJLeAaYuQi53K0C3dSVpVbg7exX195P4eSHJJGLjUU%3D&reserved=0>
> and Twitter
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2FISUITHelp&data=02%7C01%7Ctim.cappalli%40MICROSOFT.COM%7Cc141f9922e2241c5153b08d82d99b43e%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637309485473837398&sdata=bC3HH3eN2hDSeTLdAbF9%2Fwgs286voXLDLZXX1VuSlxk%3D&reserved=0>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Enfield, Chuck
> *Sent:* Tuesday, July 14, 2020 12:36 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] MAC Randomization, a step further...
>

Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-10 Thread Norman Elton
I agree with 100% of that. But here's a question ...

>> I absolutely will not sacrifice an otherwise sound WLAN by tweaking configs
>> or code upgrading for some small minority of poorly designed or suddenly
>> misbehaving clients that can be fixed from the client side

What about Intel's AX driver bugs? I absolutely hate the idea of
disabling AX to support a few clients. But how many people are telling
their helpdesk to upgrade drivers on whatever BYOD laptop shows up?
What about a conference with 200 laptops that suddenly finds that half
are unsupported?

But, once it's disabled, will we ever re-enable AX? It's easy to say
that we'll disable it "short term", but we know those drivers won't
magically update themselves. We could be looking at crippling our
wireless indefinitely :-/.

Our current AX test environment has it turned off on the 2.4 radio, so
that at least those users can connect someplace. Leave 5 GHz for those
that can support AX. I don't like the compromise, but the alternative
("hey we're trying out a brand new wireless network that won't work
for random people") is equally unappetizing.

Sigh.

Norman Elton
William & Mary

On Fri, Jan 10, 2020 at 9:36 AM Lee H Badman
<00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:
>
> I know a lot of people are likely following along, so I’ll throw one more 
> rant nugget out there (and this is not meant to distract from Ryan’s original 
> question):
>
> Over the many years I’ve been doing this, I have found that MOST problems on 
> a healthy, well-designed wireless network are absolutely client-related. Even 
> on the likes of Active Directory managed PCs where the assumption is that 
> Windows updates make everything fine. These updates don’t tend to touch WLAN 
> adapter, BIOS, and chipset drivers which are often the root cause of wireless 
> issues.
>
> Then there is the fallacy that the latest Intel/Broadcom driver is the 
> “best”. Sometimes you have to use an older one on a specific model PC or NIC- 
> especially where you are doing 802.1X. The whole effect is greatly magnified 
> in the BYOD world that many of us live in with endless mainstream and not so 
> mainstream client OS’s. Is it the WLAN vendor’s job to make up for all the 
> goofy, ill-designed crap that’s out there? (Talking myself back from the 
> ledge here, before I go off on the Wi-Fi Alliance). This situation sucks 
> largely, and we’re stuck with it so we have to manage as best as we can.
>
> Then there are the optional features- for example, I’ve seen band steering 
> make life tough for Windows PCs seemingly out of the blue. Except it wasn’t 
> out of the blue- it was after Windows’ Patch Tuesday. In this case, disabling 
> long-enabled band steering “fixed” the problem of users having wireless 
> connectivity but not getting anywhere and losing massive amounts of pings. 
> BTW… band-steering is not part of the 802.11 standard. Where does “fault” lie 
> in this situation? Microsoft? The WLAN adapter/driver vendor? The WLAN 
> vendor? Me? It’s messy as hell at times, given that “standards” are often a 
> big fat lie when it comes to wireless in my opinion. Disagree? I’ll fight ya :)
>
> So… my premise is that MOST of the time the clients are the issue. And for 
> me, I absolutely will not sacrifice an otherwise sound WLAN by tweaking 
> configs or code upgrading for some small minority of poorly designed or 
> suddenly misbehaving clients that can be fixed from the client side, and I 
> don’t hold any WLAN vendor responsible for fixing the endless list of issues 
> in the client space.
>
>
>
> But when infrastructure code deficiencies DO hit, and all of the optional 
> features have been disabled and all of the client devices have been proven to 
> be as healthy as they can be first, it’s the worst of the worst situations 
> for those of us who run big networks because it’s truly out of our hands. 
> While I don’t expect Cisco or Aruba or whoever to make up for client 
> shortcomings or to jump through hoops so some unholy bizarre feature can be 
> implemented (vendors do TOO MUCH of this, in my opinion), I do expect the 
> vendors to absolutely keep their own houses in order and to understand that 
> in big university settings STABILITY IS EVERYTHING.
>
>
>
> If code is bad, tell us. Tell everyone, proactively. Get it the hell off of 
> the website so no one else downloads it. Don’t leave us in “we need to gather 
> data” status- that’s why vendors have million dollar test facilities (and 
> I’ve seen many of them)- gather your own data and just get us back on the 
> rails. If code is considered “bleeding edge”, be honest about that with big 
> red w

Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and why?

2020-01-09 Thread Norman Elton
The wireless-lan mailing list is always interesting, but this is by far the
best thread yet :)

We are a longtime Aerohive customer, and are aware of Extreme’s plans.
Happy to talk about my feelings regarding Aerohive off-list. Whoever
explained that startups are responsive at first, and start to lose their
luster as they grow ... spot on.

We are testing Meraki, Juniper/Mist, and Arista/Mojo. As always, some of
the shine wears off once you get into the product. I’ve found a
surprising RADIUS bug on Mist. Their initial support is responsive, but the
resolution is ... forthcoming. We are a big Juniper shop, so are excited
about their ability to monitor & manage (one day) our EX switches.

If you start an eval, make sure you open tickets and explore how their
support operation responds to requests (and bugs!).

Norman



On Thu, Jan 9, 2020 at 12:47 PM Turner, Ryan H 
wrote:

> At this time, this doesn’t appear to bother anything other than the 515s.
> We have 315s on the same code and have not gotten reports.
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Norman Chu
> *Sent:* Thursday, January 9, 2020 12:08 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and
> why?
>
>
>
> We have been running v8.5.0.4 (clustered controllers off of a mobility
> master) with a little over 4100 AP305’s and AP325’s for a couple of months
> and things have been stable here.  Prior to this, v8.3.0.8 was causing us a
> few issues.
>
>
>
> *Norman Chu*
>
> Systems Administrator, Network Infrastructure Team
>
> IT Services
>
> T:  514-398-7299
>
> norman@mcgill.ca  |   www.mcgill.ca/it
>
> 805 rue Sherbrooke Ouest, Burnside Hall, Montréal, QC. H3A-0B9 Canada
>
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *Michael Hulko
> *Sent:* January 9, 2020 11:58 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and
> why?
>
>
>
> May not be completely related, but we have had issues with newer AX
> chipsets that utilize NDIS 6.3 code set.  Some of the advanced features had
> to be turned off as a work around such as packet coalescing etc.
>
>
>
> Although we have no 515’s in our environment, we are progressing to 8.6
> (as per our SE) in the coming weeks and this does not make me comfortable.
> Any issues with the 300 series APs and 8.5x? May rethink and downgrade to
> 8.3x as it also seems to only support the AP103Hs as well.
>
>
>
> M
>
>
>
> On Jan 9, 2020, at 11:44 AM, Lee H Badman <
> 00db5b77bd95-dmarc-requ...@listserv.educause.edu> wrote:
>
>
>
> No insult meant to anyone’s intelligence, but are you also looking at
> client device drivers etc in the context of these issues? Depending on
> which client NIC is in play, the device makers haven’t been doing us any
> favors of late. It is very possible, for example, that hundreds of AD-managed
> laptops all have the same bum driver.
>
>
>
> Just asking…
>
>
>
> *Lee Badman* | Network Architect (CWNE#200)
>
> Information Technology Services (NDD Group)
> 206 Machinery Hall, 120 Smith Drive
> Syracuse, New York 13244
>
> *t* 315.443.3003  *e* lhbad...@syr.edu  *w* its.syr.edu
>
> *SYRACUSE UNIVERSITY*
> syr.edu
>
>
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of *David Morton
> *Sent:* Thursday, January 9, 2020 11:39 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Who has transitioned away from Aruba, and
> why?
>
>
>
> Ryan, we have been experiencing some of the very same issues. Since
> installing 515s and resulting 8.5.x code in our offices (always our first
> step to any migration) we too have experienced unexplained periods of no
> connectivity. In most or all the cases I’ve personally experienced, I
> believe that I remain connected at an 802.11 standpoint but will have that
> 30 seconds to a couple of minutes of no IP connectivity. We have now
> deployed 515s and 8.5.x in one of our residence halls so I am concerned
> about their experience as well. Just before the holiday break we had a
> series of very high-profile outages that impacted our students leading up
> to and during finals week. The issue got so bad that our CIO had to issue a
> letter to students explaining the problem and what we are doing about it.
> This is the first time that this level of communication was needed in my 15
> years at the UW using Aruba.
>
>
>
> We too are 

Re: [WIRELESS-LAN] Onboarding Android devices

2018-08-08 Thread Norman Elton
Thanks all. If you're doing PEAP / MSCHAPv2, are you expecting some
users to stumble through the process? Or do you somehow encourage all
users to use the onboarding tool? Obviously the tool would be required
if you're going down the EAP-TLS path.

Norman
On Wed, Aug 8, 2018 at 7:35 AM Osborne, Bruce W (Network Operations)
 wrote:
>
> We changed onboarding tools for non-AD devices to SecureW2 last September and 
> have been more than happy with their service & support.
>
> They tend to officially support OS versions before official release, which 
> can be useful in a Higher-Ed environment.
>
> Bruce Osborne
> Liberty University
>
> -Original Message-
> From: Norman Elton [mailto:normel...@gmail.com]
> Sent: Tuesday, August 7, 2018 3:25 PM
> Subject: Onboarding Android devices
>
> We've got an encrypted network with the classic PEAP + MSCHAPv2 combo, 
> allowing users to connect with their domain credentials. We've shied away 
> from onboarding tools like SecureW2, especially for student devices, as they 
> seem more cumbersome than just having the user configure the connection 
> properly the first time.
>
> Preparing for the fall, we've noticed that recent versions of Android make 
> the process a little more cumbersome. It appears that 8.1 & 9.0 allow the 
> user to validate the certificate by domain, which is great.
> Although the steps to get this setup are far from intuitive.
>
> 8.0 doesn't give that option, instead displaying a scary warning, "This 
> connection will not be secure". The user is forced to go ahead with "do not 
> validate certificate", leaving them open to leak their credentials to a rogue 
> AP. Far from ideal.
>
> Theoretically, we could ask the user to trust the CA certificate in advance, 
> and (hopefully) the warning message would go away. But I haven't gotten this 
> to work.
>
> Is there a general consensus that these devices are better served with an 
> onboarding tool that can accommodate the various flavors of Android? Or is 
> there a recipe for a user to setup 802.1x securely (with some sort of 
> certificate validation) on Android devices pre-8.1?
>
> Thanks,
>
> Norman Elton
>
> **
> Participation and subscription information for this EDUCAUSE Constituent 
> Group discussion list can be found at http://www.educause.edu/discuss.
>



Onboarding Android devices

2018-08-07 Thread Norman Elton
We've got an encrypted network with the classic PEAP + MSCHAPv2 combo,
allowing users to connect with their domain credentials. We've shied
away from onboarding tools like SecureW2, especially for student
devices, as they seem more cumbersome than just having the user
configure the connection properly the first time.

Preparing for the fall, we've noticed that recent versions of Android
make the process a little more cumbersome. It appears that 8.1 & 9.0
allow the user to validate the certificate by domain, which is great.
Although the steps to get this setup are far from intuitive.

8.0 doesn't give that option, instead displaying a scary warning,
"This connection will not be secure". The user is forced to go ahead
with "do not validate certificate", leaving them open to leak their
credentials to a rogue AP. Far from ideal.

Theoretically, we could ask the user to trust the CA certificate in
advance, and (hopefully) the warning message would go away. But I
haven't gotten this to work.

Is there a general consensus that these devices are better served with
an onboarding tool that can accommodate the various flavors of
Android? Or is there a recipe for a user to setup 802.1x securely
(with some sort of certificate validation) on Android devices pre-8.1?

Thanks,

Norman Elton



Re: [WIRELESS-LAN] Photos of outdoor APs on building

2018-05-09 Thread Norman Elton
For those folks doing creative installations in light poles (very cool
pictures), how are you uplinking the AP? And how about power? If
you're using fiber, does the light pole have constant power to supply
the AP?

Thanks!

Norman


On Tue, May 8, 2018 at 3:20 PM, Steven Wrinkle  wrote:
> Working with the architects for our most recent construction project drove me 
> to put this together for both indoor and outdoor APs.
>
> -Steven
> Sacred Heart University
>
>



Re: [WIRELESS-LAN] Helpdesk Troubleshooting of Wireless Issues

2017-03-01 Thread Norman Elton
Wow, that's fantastic. All good things to chew on.

Thanks!

Norman

On Wed, Mar 1, 2017 at 12:41 PM, Bryan Sherwood 
wrote:

> We take a slightly different approach to what has already been shared when
> it comes to students. When students in either a residence hall or other
> campus building call in, our student employees on the phone collect the
> following:
>
> - Drivers (check for updates, ensure that correct drivers are installed)
> - Power Settings (ensure that maximum performance is chosen for battery and plugged in)
> - Delete/Re-Add Saved Wireless Networks
> - Disable Link-Layers
> - Disable Printer/File Sharing
>
>
>
> If the issue can’t be resolved there, they send it on to our full-time
> helpdesk staff. We ensure that there’s not an obvious issue (major
> interference detected by the nearest WAP, WAP unplugged or otherwise not
> functioning as expected) with our access to Cisco Prime Infrastructure. We
> also look at the client in Cisco to see if they are connecting over 2.4 or
> 5GHz, etc. If there isn’t anything obvious, we then schedule an appointment
> with one of our student employees in the field. They have different
> training than our phone techs and regularly handle wireless network issues.
>
>
>
> In the field, we ask our student techs to collect the following:
>
>
>
> - Document Client Info:
>   - What is the student's primary band? (5.0GHz or 2.4GHz)
>   - Record and label all device MAC addresses with limited connectivity.
> - AirCheck (for ResNet and for ResNet-Alt):
> - ResNet: Strongest 2.4GHz (g/n) AP dBm: SNR: AP Name/MAC address:
> - ResNet: Strongest 5GHz (a/n) AP dBm: SNR: AP Name/MAC address:
> - ResNet-Alt: Strongest 2.4GHz (g/n) AP dBm: SNR: AP Name/MAC address:
> - ResNet-Alt: Strongest 5GHz (a/n) AP dBm: SNR: AP Name/MAC address:
> - Does the AirCheck show varying dBm?
> - Does the AirCheck show non-802.11 interferers in the "Channels" menu?
> - Does the AirCheck show any rogue APs/Printers? (Include names of networks, channels, dBm)
> - On MacBook Air:
>   - Check connection speed: 10MB file.
>   - Time to download file:
>   - Does the MacBook Air stay connected to the AP?
>     - If not, how long does it stay connected?
>
>
>
> Our techs use Netscout Airchecks
> <https://www.amazon.com/NETSCOUT-AIRCHECK-Display-Operating-Temperature/dp/B003JZ076U?sa-no-redirect=1>
> to collect much of this information.
>
>
>
> Once we collect that information, the helpdesk full-time staff work with
> our network engineers for further solutions. Many times this involves a
> power level change, WAP relocation, or additional WAP being added. We are
> always the ones to communicate with the end-user.
>
>
>
> This generally works well, as we’re able to filter out many client-side
> issues before they reach our network engineers. For more complicated
> issues, we may also coordinate to have a network engineer meet us in the
> field for additional troubleshooting or analysis.
>
>
>
> --
> Bryan Sherwood
>
> End-User Computing Specialist, Sr.
>
> Student Technology Center
>
> Information Technology Services
>
> Northern Arizona University
>
>
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Norman Elton
> Sent: Monday, February 27, 2017 4:13 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Helpdesk Troubleshooting of Wireless Issues
>
>
>
> I'm curious if people can share their delineation of duties between the
> support organization (help desk) and the network administration
> (engineering, etc) teams, especially as it surrounds the triaging and
> troubleshooting of wireless connectivity issues.
>
>
>
> What is expected from the support organization before an issue is
> escalated? Who communicates with the end user? What tools, resources, and
> training are made available to techs? Are all support techs qualified, or
> just a "wifi strike team"? Lessons learned?
>
>
>
> Thanks!
>
>
>
> Norman Elton
>
> William & Mary
>
>
>
>
>




Helpdesk Troubleshooting of Wireless Issues

2017-02-27 Thread Norman Elton
I'm curious if people can share their delineation of duties between
the support organization (help desk) and the network administration
(engineering, etc) teams, especially as it surrounds the triaging and
troubleshooting of wireless connectivity issues.

What is expected from the support organization before an issue is
escalated? Who communicates with the end user? What tools, resources,
and training are made available to techs? Are all support techs
qualified, or just a "wifi strike team"? Lessons learned?

Thanks!

Norman Elton
William & Mary



WLPC in Phoenix

2017-02-13 Thread Norman Elton
Last year, a number of higher-ed folks got together at the Wireless
LAN Professional Conference for dinner and a productive story-swap. If
you're going this year (highly recommend!) and want to do the same,
let me know and we'll see if we can't put something together.

Hope to see you there!

Norman Elton
William & Mary



Re: [WIRELESS-LAN] Annual Conference (Anaheim) Wireless-LAN session notes

2016-12-06 Thread Norman Elton
I agree, all look like good "trending topics".

>> I’m not going to include all of my notes from the session or this email will 
>> be painfully long.

To the contrary, I'd love to review your notes. If they're already
electronic, would you mind sharing a copy?

Thanks!

Norman Elton
William & Mary

On Mon, Dec 5, 2016 at 4:06 PM, Brian Helman  wrote:
>
>
> As I said Friday when I sent out the notes from the NETMAN session, let me
> start off by apologizing for taking a full month to get these out…
>
>
>
> Secondly, again a huge thanks to Ryan Turner (UNC Chapel Hill) for putting
> the surveys together for both the Wireless-LAN and NETMAN discussions.  Also
> as I said Friday, this is the first time we tried this method.  I think we
> worked the bugs out during the NETMAN session, making the limited
> Wireless-LAN session time more efficient …
>
>
>
> I’m not going to include all of my notes from the session or this email will
> be painfully long.  I’ve commented on some topics, but hopefully this list
> will spur continued conversation on the list.  I’ve also included a few
> items from the NETMAN session that touched on wireless networking (first 3
> bullet items).
>
>
>
> Just a quick metric, we had 57 people in the session, representing  ~50
> different institutions.
>
>
>
> Top Trending Topics
>
> - NAC (just doesn’t want to go away) – onboarding for both wired and
> wireless networks
> - Use of “hospitality wireless units” such as the Aruba 205H (physically,
> where are they being placed? For lower installs, are they being damaged?)
> - People are just now starting to look at MGBase-T (2.5/5 Gbps Ethernet,
> especially for access point uplinks)
> - Wireless performance – how best to measure/test
> - 2.4GHz vs 5GHz – clients still preferring 2.4GHz unless radio very close
> - How are you designing your placement of AP’s – checkerboard vs every room
>   - Is there a placebo effect – if the AP isn’t in the room, do people
> complain that their signal isn’t good even if the signal strength is
> excellent?
> - 20MHz vs 40MHz vs 80MHz channels
> - Transitioning vendors
>   - Who are you currently with; who are you moving to?
>   - Cisco & Aruba are dominating the industry (of the 50ish unique
> institutions, Cisco and Aruba were about equal, combined accounting for 90%
> of the installs. There were no more than 2 institutions using the same
> vendor).
> - TLS vs PEAP vs MSCHAPv2 – discussion about forcing install of certs on
> Guest Wireless
> - EDUROAM – mix of using EDUROAM as primary SSID
>   - Branding was not a driving force for not/using
> institutionally-associated SSID name (e.g. SalemState)
>   - Dual SSID’s was common to begin rollout, with intention of only using
> EDUROAM down the line
> - Open wireless – moving toward (1) or away (4)
> - Usual issues with students bringing up their own hotspots in ResNet
> settings
> - Has anyone adopted WiFi calling?
>
>
>
> To those who attended, thank you (especially considering it was such an
> early start!).  If you didn’t .. next year we’re in Philadelphia.  We hope
> to see you there!
>
>
>
> -Brian Helman, Salem State University
>
> -Ryan Turner, UNC Chapel Hill
>



Re: [WIRELESS-LAN] College Sports Venue Wireless- In-House vs 3rd Party

2016-11-08 Thread Norman Elton
Just following up on this, were there any additional responses?

Norman Elton
William & Mary

On Mon, Jun 6, 2016 at 11:33 AM, Lee H Badman  wrote:

> Thanks, TJ- great input.
>
>
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Norton, Thomas (IT
> Operations Admin)
> *Sent:* Monday, June 06, 2016 11:16 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] College Sports Venue Wireless- In-House vs
> 3rd Party
>
>
>
> Hey Lee,
>
>
>
> Let me know if you would like to talk off line about it, but we have
> recently deployed two LPV environments in the last year here at Liberty.
> Our largest is able to support 12k+ devices during convocation 3 times a
> week when our students are here. We are currently looking to deploy one
> other in the next year, and hopefully our football stadium in the next 3-5
> years.
>
> - Do you provide fan facing wireless? Yes
>
> - Have you contracted with a 3rd party for the actual running of the fan
> wireless network? We have looked at a couple different options, but
> everything is currently supported in house and we plan to keep it that way.
>
> - During events, do you (as in central IT for the school) provide on-site
> support for wired and wireless operations? Yes for major events, and
> on-call. But everything is on a per event/venue basis.
>
> - Are these operations treated as overtime for your staff? Depends on the
> venue. All of our staff are salaried employees so we typically work out
> comp time if able.
>
> - Have you ever hired more staff for event support? Yes, but we are still
> evaluating options as we do not have enough to dedicate a person just yet.
>
> - Do you in any way try to emulate the “Wi-Fi Coach” thing that pro venues
> do- where you have uniformed staff roaming the crowd in direct support of
> fans? If we deploy at our football stadium, possibly. However, we don’t
> believe this would be enough for a full time position just yet, as we
> already have 5 people on our wireless team. We currently only have two LPV
> environments at the moment. These environments are constantly being
> monitored and supported, as they are extremely sensitive RF-wise, and that
> doesn’t even include the additional services we have to offer for them.
>
> - Are you doing any school-IT-run “fan experience” applications? (video
> replay, buy food, indoor mapping, etc over mobile devices) If so, how is it
> working out and do you have an SLA with the venue/Athletics? We have talked
> about this, and have our eye on http://www.venuenext.com/ but don’t have
> the buy in just yet from athletics. I do suggest working with them as they
> will be the biggest advocate and driver for this. Currently we are
> utilizing guest and custom portal pages for some of our venues.
>
> - If your central IT supports the events and fan experience, do you
> contract out the “fan experience” stuff? Everything is supported in house
> at the moment, but if we ever go the full time fan experience route our
> staff would most likely be part of our central IT department.
>
> - How does PCI fit into this, and who handles it? My team works closely
> with the compliance and security team on deployments; if a special request
> or change is required it is vetted accordingly before being deployed.
>
>
>
>
>
> *T.J. Norton*
>
> *Sr. Wireless Network Engineer - Team Lead*
> *Network Services - Wireless*
>
> *(434) 592-6552*
>
>
>
>
> *Liberty University  |  Training Champions for Christ since 1971*
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Lee H Badman
> *Sent:* Monday, June 6, 2016 10:53 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] College Sports Venue Wireless- In-House vs 3rd
> Party
>
>
>
> Let me respectfully preface this with a note for the vendor/VAR list
> folks: Please do not respond to this message, or use the discussion that
> might ensue as a trigger to contact those discussing about stadium
> services/fan experience services. I’m well aware of all, and am looking to
> speak to my higher ed colleagues without looking for outside input. Meant
> respectfully- but also firmly for this conversation.
>
>
>
> For those on list with large sports venues, I’d like to just pick your
> brains as we ponder things off in the future. I’m talking mostly about
> 

Wireless LAN Professionals Conference in Phoenix

2016-02-17 Thread Norman Elton
Anyone going to the WLPC in Phoenix this year?

http://wlanpros.com/WLPC2016

I'd be happy to line up a higher ed get-together if anyone else is going.

Norman Elton
College of William & Mary



Re: [WIRELESS-LAN] NAT tracking question

2015-02-24 Thread Norman Elton
I think you've got it! Responses inline...

> 1. student joins wlan and is presented with captive portal
> 2. student logs in to the captive portal

They can use our captive portal or connect straight to our encrypted
802.1X SSID, which authenticates them on the fly. But, yes, we somehow
learn the device ownership.

> 3a. if first time logging in, student is assigned 4 internal IP addresses 
> (per building) and DHCP reservations are configured in the DHCP server(s) and 
> device gets address from the reservation.
> 3b. If not first time logging in and reservation exists for this device, 
> device gets address from reservation

Yep.

> 3c. if not first time logging in and no reservation exists for this device, a 
> new reservation is configured for the new device (up to 4) and device gets a 
> lease.

Well, if a device is connecting for the first time, but the user
already has a group-of-four set aside for them ... then yes. Perhaps
they connected a laptop in the morning, and a tablet in the afternoon.
The tablet is assigned the second reservation slot. If this is their
fifth device connecting, a new group-of-four is assigned.

> 4. student does their thing on their device, probably Netflix or some such. 
> Maybe even school work.

Let's go with Netflix :)

The key is that our F5 NAT's each group-of-four to a unique public IP.
And since a group-of-four is assigned to an individual user, we've
effectively mapped a public IP to an individual user.

> 5. NAT translations/streams are logged and if needed can be traced back to an 
> internal IP.
> 6. based on the internal IP reservation, you know the student.

We can use the flow logs to determine which of the four devices were
responsible for an individual flow, but if we can't pin it down 100%
(perhaps the timestamp is wrong, or we don't get a port number), we at
least know the public IP <--> student mapping.

> Do I assume that you clear your reservations on a yearly or semester basis?

Right now, yearly. We've discussed releasing the reservations more
often (say, after three months of inactivity), allowing us to
accommodate more devices. But, at this point, we've still plenty of
room for growth.

Norman




On Tue, Feb 24, 2015 at 10:22 AM, Oliver, Jeff  wrote:
> Thanks Norm, really appreciated.
>
> Just to be clear and make sure that I am understanding your setup (high level 
> anyway)
>
> 1. student joins wlan and is presented with captive portal
> 2. student logs in to the captive portal
> 3a. if first time logging in, student is assigned 4 internal IP addresses 
> (per building) and DHCP reservations are configured in the DHCP server(s) and 
> device gets address from the reservation.
> 3b. If not first time logging in and reservation exists for this device, 
> device gets address from reservation
> 3c. if not first time logging in and no reservation exists for this device, a 
> new reservation is configured for the new device (up to 4) and device gets a 
> lease.
> 4. student does their thing on their device, probably Netflix or some such. 
> Maybe even school work.
> 5. NAT translations/streams are logged and if needed can be traced back to an 
> internal IP.
> 6. based on the internal IP reservation, you know the student.
>
> Anything that I have missed? Do I assume that you clear your reservations on 
> a yearly or semester basis?
>
>
> Cheers,
> Jeff
>
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Norman Elton
> Sent: Tuesday, February 24, 2015 7:57 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] NAT tracking question
>
> Here's a write-up I did a few months back. I'm happy to elaborate as needed!
>
> Norman Elton
> College of William & Mary
>
> =
>
> We recently converted to NAT, to solve two issues. The obvious is the growth 
> in wireless devices. Our five /21s simply couldn't keep up with the demand, 
> and we got tired of shoehorning extra subnets to accommodate. We were also 
> concerned with the amount of broadcast traffic, which being sent at the 
> lowest supported data rate, was needlessly occupying airtime.
>
> We knew some sort of NAT was in our future, and we wanted it partitioned down 
> to the building (or region) level to contain broadcast traffic. But our 
> security folks were apprehensive about tracking usage. Even with flow logs, 
> responding to a DMCA complaint could take a significant amount of research. 
> We brainstormed, whiteboarded, and head-scratched. Wouldn't it be nice if 
> each student had exactly one public IP address, which front-ended whatever 
> devices they had on campus, where-ever they 

Re: [WIRELESS-LAN] NAT tracking question

2015-02-24 Thread Norman Elton
Here's a write-up I did a few months back. I'm happy to elaborate as needed!

Norman Elton
College of William & Mary

=

We recently converted to NAT, to solve two issues. The obvious is the
growth in wireless devices. Our five /21s simply couldn't keep up with
the demand, and we got tired of shoehorning extra subnets to
accommodate. We were also concerned with the amount of broadcast
traffic, which being sent at the lowest supported data rate, was
needlessly occupying airtime.

We knew some sort of NAT was in our future, and we wanted it
partitioned down to the building (or region) level to contain
broadcast traffic. But our security folks were apprehensive about
tracking usage. Even with flow logs, responding to a DMCA complaint
could take a significant amount of research. We brainstormed,
whiteboarded, and head-scratched. Wouldn't it be nice if each student
had exactly one public IP address, which front-ended whatever devices
they had on campus, wherever they were located? This would require
some sort of deterministic NAT, whereby the NAT appliance knows the
owner of a particular internal IP address, mapping any outbound
traffic to the public IP address associated with that user.

Here's how we got there...

Each building (or region) is assigned a /16 within 100.64.0.0/10
(reserved for CG-NAT). So, Jones Hall would be 100.72.0.0/16. A
student computer, upon being authenticated to our NAC system, is
immediately assigned an IP address within every building's /16. In
fact, they are assigned the same last two octets across our entire
campus. So a student roaming across campus would get 100.###.154.24,
where the second octet corresponds to their local building number.

When we assign an address to a device (say, 154.24), we reserve a
block of four contiguous IP addresses for that particular user. So if
their laptop, being seen first on the network, gets assigned 154.24,
their iPad might get 154.25, their phone would get 154.26. If they
need more than four addresses, we reserve them another block. Remember
these assignments represent the last two octets of the device's IP
address. The first two are dependent on the building (100.72 = Jones
Hall, etc).

All of this IP address logic allows the actual NAT to run very fast,
with very little logic. The outbound NAT is handled by an F5 Local
Traffic Manager, in our case, a 4000S. This box can handle very rich
NAT applications using their iRules. In our case, it uses a simple
mathematical algorithm to examine the incoming IP address, mapping
each block-of-four internal addresses, regardless of building, to a
single public IP address. It sounds complicated, but it boils down to
10-12 lines of iRules logic. The magic is really the glue between our
NAC system and our DHCP servers. As soon as we learn the ownership of
an onboarded system, we determine an IP address and jam it into our
DHCP server.

The vast majority (96%) of our students have four or fewer devices. So
they occupy a single block of contiguous IP addresses. A small
percentage have five or more computers, so they actually are given two
blocks of addresses, which correspond to two public IP addresses.

Admittedly, this is hard to explain. It takes a few passes. And we
were a bit apprehensive about how it would scale. But, surprisingly,
it's working like a champ. No timeout values, no indeterminate NAT.
Room for growth. No need to dive into flow records, our security folks
are happy.

The only hiccup, and it was not unexpected, involves supporting game
consoles. Unlike your home Linksys router, the F5 does not support
UPnP. This will likely impact anyone doing NAT on an enterprise
firewall. Some peer-to-peer games do not work. But since a particular
game console is always assigned the same public IP address, we can
configure an inbound NAT rule for applications that use fixed ports.
This comes up VERY rarely (maybe three or four times so far).

On Tue, Feb 24, 2015 at 9:33 AM, Oliver, Jeff  wrote:
> Hey Norm,
>
> For those of us with limited IP space, this sounds really interesting. Not
> sure if it belongs on the listserv or not (feel free to contact me off-line)
> but I am interested in your setup/config and would like to know more about
> it. Would you be able to supply some details?
>
> ---
> Jeff
>
>
>
> From: Norman Elton 
> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
> 
> Date: Monday, February 23, 2015 8:11 PM
> To: The EDUCAUSE Wireless Issues Constituent Group Listserv
> 
>
> Subject: Re: [WIRELESS-LAN] NAT tracking question
>
> We deterministically NAT up to four devices for an individual user to a single
> public IP. As our typical user has less than four devices, it works out that
> most students have a single public IP assigned to them. Should they
> authenticate a fifth device, a second IP is assigned to cover devices five,
> six, seven, and

Re: [WIRELESS-LAN] NAT tracking question

2015-02-23 Thread Norman Elton
We deterministically NAT up to four devices for an individual user to a
single public IP. As our typical user has less than four devices, it works
out that most students have a single public IP assigned to them. Should
they authenticate a fifth device, a second IP is assigned to cover devices
five, six, seven, and eight. The effect is that we've quadrupled our IP
utilization.

It's mostly a matter of handing out predetermined IP addresses which
include a series of bits used to identify which "group of four" it should
be NATed to. Our F5 box can examine the private IP, do a little bit
shuffling, and calculate the corresponding public IP. This calculation is
extremely light-weight, allowing the whole system to scale quite well. The
heavy lifting occurs when the device is onboarded the first time, at which
point a "group of four" is allocated for the user.

Norman Elton
College of William & Mary


On Monday, February 23, 2015, Chuck Anderson  wrote:

> If you have 1 public IP address reserved for each individual user, why
> do you need to do NAT at all?  This is a serious question--if you
> aren't saving public IPs by doing 1:many NAT, why do NAT at all?
>
> Thanks.
>
> On Mon, Feb 23, 2015 at 11:33:45AM -0500, Norman Elton wrote:
> > We play tricks with our ISC DHCP server and a pair of F5 LTMs (similar
> > to the A10 gear). The DHCP server hands out predetermined private IP
> > addresses to devices as soon as we determine ownership (through our
> > NAC). For outbound traffic, the F5 uses this private IP address to NAT
> > to a public IP address that is reserved for the individual user. The
> > end result is that no matter where the device is on campus, we know
> > that 128.239.x.y is something owned by Joe Smith. If we need to know
> > exactly which device, we consult our flow logs. But at least we're 99%
> > confident we're dealing with the right student.
> >
> > I'm happy to share the gory details if someone wants to wrap their
> > head around it.
> >
> > Norman Elton
> > College of William & Mary
> >
> >
> >
> > On Mon, Feb 23, 2015 at 10:30 AM, Danny Eaton  > wrote:
> > > We've got our Juniper SRX 5800 doing our NAT for all wireless, plus
> all students and visitors (wired or wireless).
> > >
> > > We send those logs (and the SRX is VERY CHATTY about NAT) to our
> Splunk server for the tying together of date/time, public IP and private IP
> - in the event we get a notice from some TLA.
> > >
> > > -Original Message-
> > > From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU ] On Behalf Of Heath
> Barnhart
> > > Sent: Monday, February 23, 2015 9:12 AM
> > > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
> > > Subject: Re: [WIRELESS-LAN] NAT tracking question
> > >
> > > We use a Sonicwall E8500 for NAT, it will log all NAT translations and
> send them as syslog to a server for storage. I have logrotate changing
> files every hour to make it easier to search on.
> > > --
> > > Heath Barnhart
> > > ITS Network Administrator
> > > Washburn University
> > > Topeka, KS
> > >
> > >
> > > On Wed, 2015-01-14 at 14:49 -0500, Jerry Bucklaew wrote:
> > >> To ALL:
> > >>
> > >> We have a large Cisco wireless deployment with public ip address
> > >> space.  Getting more public IP's is getting difficult so we are
> > >> considering going to NAT.  The issue we have with NAT is that we still
> > >> want to be able to map an outside IP back to an individual user.  Once
> > >> you go to NAT that of course becomes more difficult to do.   I know a
> > >> lot of you are probably already doing this and I was wondering how and
> > >> what products do you use?  I assume most have a one to many NAT and
> then
> > >> use something like a netflow collector to track the inside NAT IP
> to
> > >> the outside Src-IP/DST-IP/Port/Time. Any good working solutions or
> > >> products would be helpful.
>
> **
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/groups/.
>
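Added example, not from any of the list posts: the deterministic "group of four" NAT described in the write-up above and in this message, worked through in Python. The 100.64.0.0/10 CG-NAT space, one /16 per building, the block-of-four reservation and the "last two octets identify the user" rule all come from the posts; the public pool (128.239.64.0/18), the decision to leave block 0 unused, and the class and function names are assumptions made for the example. The point of interest for the security team is the last method: attribution from a public address back to a user needs no flow-log search, only the arithmetic the F5 already performs.

```python
import ipaddress
from typing import Dict, List, Optional

CGNAT = ipaddress.ip_network("100.64.0.0/10")         # CG-NAT space named in the write-up
PUBLIC_POOL = ipaddress.ip_network("128.239.64.0/18")  # assumed pool; the posts only say 128.239.x.y
BLOCK = 4                                              # addresses reserved per user
ENTRY_BLOCK = 1                                        # assumed: keep block 0 clear of the network address


def building_prefix(building: int) -> ipaddress.IPv4Network:
    """Each building owns one /16 inside 100.64.0.0/10, e.g. 72 -> 100.72.0.0/16."""
    net = ipaddress.ip_network(f"100.{building}.0.0/16")
    if not net.subnet_of(CGNAT):
        raise ValueError(f"building {building} falls outside {CGNAT}")
    return net


def block_index(internal) -> int:
    """Last two octets as a 16-bit number, divided by four: the user's group of four.
    The building octet is masked off, so a device has the same index in every building."""
    addr = ipaddress.ip_address(internal)
    if addr not in CGNAT:
        raise ValueError(f"{addr} is not an internal CG-NAT address")
    return (int(addr) & 0xFFFF) // BLOCK


def to_public(internal) -> ipaddress.IPv4Address:
    """Outbound NAT, the arithmetic the F5 iRule does: block index -> one public address."""
    return PUBLIC_POOL[block_index(internal)]


def public_to_block(public) -> int:
    """Inverse of to_public, used when an abuse notice names a public address."""
    addr = ipaddress.ip_address(public)
    if addr not in PUBLIC_POOL:
        raise ValueError(f"{addr} is not in the NAT pool")
    return int(addr) - int(PUBLIC_POOL.network_address)


class NacDhcpGlue:
    """The glue between NAC and DHCP: reserve blocks of four per user and pin each
    device to a fixed pair of last octets that is valid in every building."""

    def __init__(self) -> None:
        self._next_block = ENTRY_BLOCK
        self._user_blocks: Dict[str, List[int]] = {}
        self._block_used: Dict[int, int] = {}
        self._device_host16: Dict[str, int] = {}

    def onboard(self, user: str, mac: str) -> int:
        """Called once, when the NAC learns which user owns a device. Returns the
        16-bit host part (the last two octets) reserved for that device."""
        if mac in self._device_host16:
            return self._device_host16[mac]
        blocks = self._user_blocks.setdefault(user, [])
        block = next((b for b in blocks if self._block_used[b] < BLOCK), None)
        if block is None:                       # fifth device: reserve another block of four
            block = self._next_block
            self._next_block += 1
            blocks.append(block)
            self._block_used[block] = 0
        host16 = block * BLOCK + self._block_used[block]
        self._block_used[block] += 1
        self._device_host16[mac] = host16
        return host16

    def lease(self, mac: str, building: int) -> ipaddress.IPv4Address:
        """The reservation the DHCP server hands out for this device in this building."""
        return building_prefix(building).network_address + self._device_host16[mac]

    def owner_of(self, public) -> Optional[str]:
        """Attribution without flow logs: public address -> block -> user."""
        block = public_to_block(public)
        for user, blocks in self._user_blocks.items():
            if block in blocks:
                return user
        return None
```

With these assumptions the 154.24 device from the write-up maps to 128.239.102.134 in every building, as do 154.25 through 154.27, while 154.28 belongs to the next block. A fifth device for the same user lands in a second block and therefore a second public address, which is the "quadrupled our IP utilization" effect described in this message.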




Re: [WIRELESS-LAN] NAT tracking question

2015-02-23 Thread Norman Elton
We play tricks with our ISC DHCP server and a pair of F5 LTMs (similar
to the A10 gear). The DHCP server hands out predetermined private IP
addresses to devices as soon as we determine ownership (through our
NAC). For outbound traffic, the F5 uses this private IP address to NAT
to a public IP address that is reserved for the individual user. The
end result is that no matter where the device is on campus, we know
that 128.239.x.y is something owned by Joe Smith. If we need to know
exactly which device, we consult our flow logs. But at least we're 99%
confident we're dealing with the right student.

I'm happy to share the gory details if someone wants to wrap their
head around it.

Norman Elton
College of William & Mary



On Mon, Feb 23, 2015 at 10:30 AM, Danny Eaton  wrote:
> We've got our Juniper SRX 5800 doing our NAT for all wireless, plus all 
> students and visitors (wired or wireless).
>
> We send those logs (and the SRX is VERY CHATTY about NAT) to our Splunk 
> server for the tying together of date/time, public IP and private IP - in the 
> event we get a notice from some TLA.
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Heath Barnhart
> Sent: Monday, February 23, 2015 9:12 AM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] NAT tracking question
>
> We use a Sonicwall E8500 for NAT, it will log all NAT translations and send 
> them as syslog to a server for storage. I have logrotate changing files every 
> hour to make it easier to search on.
> --
> Heath Barnhart
> ITS Network Administrator
> Washburn University
> Topeka, KS
>
>
> On Wed, 2015-01-14 at 14:49 -0500, Jerry Bucklaew wrote:
>> To ALL:
>>
>> We have a large Cisco wireless deployment with public ip address
>> space.  Getting more public IP's is getting difficult so we are
>> considering going to NAT.  The issue we have with NAT is that we still
>> want to be able to map an outside IP back to an individual user.  Once
>> you go to NAT that of course becomes more difficult to do.   I know a
>> lot of you are probably already doing this and I was wondering how and
>> what products do you use?  I assume most have a one to many NAT and then
>> use something like a netflow collector to track the inside NAT IP to
>> the outside Src-IP/DST-IP/Port/Time. Any good working solutions or
>> products would be helpful.
>>
>
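Added example, not from any of the list posts: the other approach discussed in the quoted replies above, ordinary one-to-many NAT with every translation logged to syslog or Splunk and searched after the fact when a notice arrives. The log format below is constructed for the example (it is not SonicWall or SRX output), and the function names are the example's own. The logic shows why this model needs all three of public IP, port and time to name an inside host, and why the result can be ambiguous when the notice's timestamp is imprecise.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample translation log in a generic format (not SonicWall or SRX syslog).
SAMPLE_NAT_LOG = """\
2015-02-23T09:12:01Z NAT-CREATE proto=tcp src=10.20.30.40:51234 nat=128.239.10.5:40001 dst=203.0.113.9:443
2015-02-23T09:12:05Z NAT-CREATE proto=tcp src=10.20.30.41:52000 nat=128.239.10.5:40002 dst=203.0.113.9:443
2015-02-23T09:30:00Z NAT-DELETE proto=tcp src=10.20.30.40:51234 nat=128.239.10.5:40001 dst=203.0.113.9:443
2015-02-23T09:31:10Z NAT-CREATE proto=tcp src=10.20.31.7:44000 nat=128.239.10.5:40001 dst=198.51.100.2:80
this line is noise and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) NAT-(?P<event>CREATE|DELETE) "
    r"proto=(?P<proto>\w+) src=(?P<src>\S+) nat=(?P<nat>\S+) dst=(?P<dst>\S+)$"
)


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Translation:
    proto: str
    src: str                      # inside address:port
    nat: str                      # outside address:port the rest of the world sees
    dst: str
    start: datetime
    end: Optional[datetime] = None   # None while the session is still open


def build_translations(log_text: str) -> List[Translation]:
    """Pair CREATE and DELETE events into sessions; unmatched lines are ignored."""
    sessions: List[Translation] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        key = (m["proto"], m["src"], m["nat"], m["dst"])
        if m["event"] == "CREATE":
            sessions.append(Translation(*key, start=ts))
        else:
            # close the most recent open session with the same 4-tuple
            for s in reversed(sessions):
                if (s.proto, s.src, s.nat, s.dst) == key and s.end is None:
                    s.end = ts
                    break
    return sessions


def who_used(sessions: List[Translation], public_ip: str, port: int,
             when: datetime, slack_seconds: float = 0.0) -> List[str]:
    """Inside addresses that held public_ip:port at the given instant. The slack
    widens the window for notices whose clock is not trusted; more than one hit
    means the logs cannot attribute the event to a single host."""
    target = f"{public_ip}:{port}"
    slack = timedelta(seconds=slack_seconds)
    hits = [
        s.src.rsplit(":", 1)[0]
        for s in sessions
        if s.nat == target
        and s.start - slack <= when
        and (s.end is None or when <= s.end + slack)
    ]
    return sorted(set(hits))
```

The public port 40001 is reused by a second inside host about a minute after the first session closes, so a query at 09:20 and a query at 09:32 return different answers, a query in the gap returns nothing, and a query with a minute of slack around the gap returns both hosts. Contrast that with the deterministic scheme in Norman's messages, where the public address alone identifies the user.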



Re: [WIRELESS-LAN] Network Engineer Position at Syracuse University

2014-11-24 Thread Norman Elton
Well, good thing "competent at sending email" is not on the list of
requirements. Apologies for the spam.

Norman Elton

Network Engineering
College of William & Mary

On Mon, Nov 24, 2014 at 4:55 PM, Norman Elton  wrote:
> Lee,
>
> I'm not in a position to apply for this job, but I do keep an eye on
> what such jobs are paying. I know the pay band (S6) is somewhat wide.
> Are you able to share any details here? Just curious.
>
> Thanks,
>
> Norman Elton
>
> Network Engineering
> College of William & Mary
>
> On Mon, Nov 24, 2014 at 3:40 PM, Lee H Badman  wrote:
>> FYI
>>
>> https://www.sujobopps.com/postings/56877
>>
>>
>>
>> Lee Badman
>> Wireless/Network Architect
>> ITS, Syracuse University
>> 315.443.3003
>> (Blog: http://wirednot.wordpress.com)
>>
>>
>>



Re: [WIRELESS-LAN] Network Engineer Position at Syracuse University

2014-11-24 Thread Norman Elton
Lee,

I'm not in a position to apply for this job, but I do keep an eye on
what such jobs are paying. I know the pay band (S6) is somewhat wide.
Are you able to share any details here? Just curious.

Thanks,

Norman Elton

Network Engineering
College of William & Mary

On Mon, Nov 24, 2014 at 3:40 PM, Lee H Badman  wrote:
> FYI
>
> https://www.sujobopps.com/postings/56877
>
>
>
> Lee Badman
> Wireless/Network Architect
> ITS, Syracuse University
> 315.443.3003
> (Blog: http://wirednot.wordpress.com)
>
>
>



Macs Dropping EAPOL Frames

2014-11-12 Thread Norman Elton
We have an encrypted SSID authenticating against our Active Directory
infrastructure. Typical MS-CHAPv2, nothing magical. Aerohive APs, with
FreeRADIUS serving as a proxy between the APs and the domain
controllers.

On Mac laptops, we've noticed the wifi indicator laddering up and down
for an unusual amount of time, perhaps 20-30 seconds, as the laptop
tries to connect (or, in some cases, roam). During this interval, I've
spotted a suspicious error in the system.log, as if there were some
EAP authentication problems:

kernel[0]: inputEAPOLFrame: Dropping EAPOL frame, not key frame

Unfortunately, it's hard to pin down whether this is an expected
message, or something out of the norm. It doesn't show up on the
googles. I've done packet captures of RADIUS, but my EAP knowledge is
pretty anemic. Can't really make heads or tails of the packets, or
what qualifies as a "key frame".

So, question is... If you have MS-CHAPv2 authentication running, do
you ever see this error in your logs? Suggestions on how to poke at
it?

Thanks for any advice,

Norman Elton
College of William & Mary
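Added example, not from the post above: a small EAPOL decoder showing what a "key frame" is in IEEE 802.1X terms. The EAPOL header is version, packet type and body length; type 3 is EAPOL-Key (the 4-way handshake that follows a successful EAP exchange), while type 0 is an EAP-Packet, which is where PEAP/MS-CHAPv2 actually runs. The frames below are constructed for the example, the function names are the example's own, and nothing here explains why the macOS kernel logged the message in the post; it only lets you check, from a capture, which of these frame types is flowing while the indicator "ladders" and which handshake message a key frame is.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# IEEE 802.1X EAPOL packet types (what follows ethertype 0x888E)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Key Information bits of the IEEE 802.11 RSN key descriptor
KI_PAIRWISE, KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 1 << 3, 1 << 6, 1 << 7, 1 << 8, 1 << 9
RSN_KEY_BODY_MIN = 95   # fixed part of an EAPOL-Key body, before the variable key data


@dataclass
class EapolSummary:
    version: int
    type_name: str
    is_key_frame: bool
    detail: str


def handshake_message(key_info: int) -> Optional[int]:
    """Which 4-way handshake message an EAPOL-Key frame is, judged from its flags."""
    if not key_info & KI_PAIRWISE:
        return None                      # group key handshake, not part of the 4-way
    ack, mic = bool(key_info & KI_ACK), bool(key_info & KI_MIC)
    install, secure = bool(key_info & KI_INSTALL), bool(key_info & KI_SECURE)
    if ack and not mic:
        return 1
    if ack and mic and install:
        return 3
    if mic and not ack:
        return 4 if secure else 2
    return None


def describe_eap(body: bytes) -> str:
    """EAP header: code, identifier, length, then the method type for Request/Response."""
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    code, ident, _length = struct.unpack("!BBH", body[:4])
    name = EAP_CODES.get(code, f"code {code}")
    if code in (1, 2) and len(body) >= 5:
        method = EAP_METHODS.get(body[4], f"type {body[4]}")
        return f"EAP {name} id={ident} method={method}"
    return f"EAP {name} id={ident}"


def describe_key(body: bytes) -> str:
    """EAPOL-Key body: descriptor type, key info flags, key length, replay counter, ..."""
    if len(body) < RSN_KEY_BODY_MIN:
        raise ValueError("EAPOL-Key body truncated")
    descriptor, key_info, _key_len = struct.unpack("!BHH", body[:5])
    replay = struct.unpack("!Q", body[5:13])[0]
    msg = handshake_message(key_info)
    which = f"4-way message {msg}" if msg else "group key handshake"
    return f"descriptor={descriptor} key_info=0x{key_info:04x} replay={replay} {which}"


def parse_eapol(frame: bytes) -> EapolSummary:
    """Split the 4-byte EAPOL header (version, type, body length) and classify the body."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) < length:
        raise ValueError("EAPOL body shorter than declared length")
    name = EAPOL_TYPES.get(ptype, f"unknown type {ptype}")
    if ptype == 3:
        detail = describe_key(body)
    elif ptype == 0:
        detail = describe_eap(body)
    else:
        detail = ""
    return EapolSummary(version, name, ptype == 3, detail)


# Constructed sample frames (not captured on the poster's network)
EAP_IDENTITY_REQUEST = struct.pack("!BBH", 1, 0, 5) + bytes([1, 1, 0, 5, 1])
EAPOL_START = struct.pack("!BBH", 1, 1, 0)
KEY_MSG1 = struct.pack("!BBH", 2, 3, RSN_KEY_BODY_MIN) + (
    struct.pack("!BHH", 2, 0x008A, 16) + (1).to_bytes(8, "big")
    + bytes(32) + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))
```

The key-info values 0x008a, 0x010a, 0x13ca and 0x030a are the familiar flag sets of handshake messages 1 through 4 with descriptor version 2, so a capture filtered on EAPOL type 3 can be read message by message; everything the RADIUS-side capture shows (the MS-CHAPv2 exchange) travels in type 0 frames and is not a key frame.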



Re: [WIRELESS-LAN] SSID Naming & 5ghz

2014-08-18 Thread Norman Elton
Just a heads up, we had W-M_Wireless and W-M_Wireless_Turbo. People
figured out that the turbo network was faster. We thought that was a
little more transparent than "premium".

We eventually abandoned the idea, as most clients were correctly
choosing the 5 GHz radios anyway. In addition, clients had to be set
to prefer your turbo network. This wasn't always the case.

I don't think the second SSID really helped the overall adoption
of 5 GHz. Hopefully your mileage will vary :)

Norman Elton
College of William & Mary

On Wed, Aug 13, 2014 at 1:56 AM, Jason Cook  wrote:
> Thanks Bruce,
>
>
>
> Cisco. We disabled band select a few years ago, but from some replies so far
> it might be worth a try again.
>
>
>
> Time to start some testing.
>
>
>
> Regards
>
>
> Jason
>
>
>
> --
>
> Jason Cook
>
> The University of Adelaide, AUSTRALIA 5005
>
> Ph: +61 8 8313 4800
>
> e-mail: jason.c...@adelaide.edu.au
>
>
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W
> (Network Services)
>
>
> Sent: Tuesday, 12 August 2014 9:04 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] SSID Naming & 5ghz
>
>
>
> You do not say what wireless vendor you use.
>
>
>
> We find Aruba’s Client Match & Band Steering work quite well to steer
> clients to 5GHz and less used APs.
>
>
>
> Bruce Osborne
>
> Network Engineer – Wireless Team
>
> IT Network Services
>
>
>
> (434) 592-4229
>
>
>
> LIBERTY UNIVERSITY
>
> Training Champions for Christ since 1971
>
>
>
> From: Jason Cook [mailto:jason.c...@adelaide.edu.au]
> Sent: Monday, August 11, 2014 2:33 AM
> Subject: SSID Naming & 5ghz
>
>
>
> HI All,
>
>
>
> I’m sure I’ve seen discussions like this but can’t seem to find any.
>
>
>
> Has anyone gone down the path of creating 5ghz only SSID’s simply to get
> around the issue of devices connecting at 2.4ghz even though they support
> 5ghz? We find this occurs a lot and in the dense environments users have a
> pretty average time using 2.4 or swapping between 2.4 and 5. So far in
> testing having a 5ghz only SSID has helped a lot.
>
>
>
> This unfortunately provides another SSID in the air, but the benefits should
> be worth it.
>
> Currently we have
>
> UofA (primary SSID)
>
> UofA-help (open SSID with web-redirect to guides/documentation)
>
> eduroam
>
> We are looking  at creating
>
> UofA Premium
>
> Or a different word (gold, ultra, platinum, etc.), just something that makes
> someone want to use it if they see it. The current workaround uses UofA
> 5ghz, however a technical name isn’t the best idea as it means nothing to
> most users.
>
>
>
> So has anyone else taken this path? What naming did you use, anything that
> seems less bland than premium would be good :)
>
>
>
> Apart from that has anyone successfully worked around the issue of devices
> connecting at 2.4ghz despite being 5ghz capable using another method?
> Cisco’s Band Select doesn’t impress. Some devices can be configured to
> prefer 5ghz, but this is very limited.
>
>
>
> Regards
>
>
>
> Jason
>
>
>
> --
>
> Jason Cook
>
> Technology Services
>
> The University of Adelaide, AUSTRALIA 5005
>
> Ph: +61 8 8313 4800
>
> e-mail: jason.c...@adelaide.edu.au
>
>
>
> CRICOS Provider Number 00123M
>
> ---
>
> This email message is intended only for the addressee(s) and contains
> information which may be confidential and/or copyright.  If you are not the
> intended recipient please do not read, save, forward, disclose, or copy the
> contents of this email. If this email has been sent to you in error, please
> notify the sender by reply email and delete this email and any copies or
> links to this email completely and immediately from your system.  No
> representation is made that this email is free of viruses.  Virus scanning
> is recommended and is the responsibility of the recipient.
>
>
>



Re: [WIRELESS-LAN] Wireless "Fix" in Apple Update

2014-07-10 Thread Norman Elton
More interesting, to me anyway, is that you seemed to have found
intelligent life at Apple that is willing to talk to you. Care to share
your experience, and how you went about finding them?

Thanks,

Norman

On Monday, July 7, 2014, Travis Schick  wrote:

> I'll double check -  I know I was getting seeds for Mavericks - If the
> Yosemite seed is available I will test again after upgrading.
>
> Travis
>
>
> On Wed, Jul 2, 2014 at 4:27 PM, Wright, Don  > wrote:
>
>> We have a case open for the EAP roaming and dropout issue with Apple
>> support and they've sent us the following:
>>
>> Engineering continues to investigate your issue. We believe they have
>> identified corrective actions available now in pre-release software.  The
>> following pre-release software is now available through the Apple OS X
>> Developer Program or the Software Customer Seeding Program.
>>
>> - OS X Yosemite v10.10 - Build: 14A238x
>>
>> Members of these programs may install this software to test, in their
>> environment, on non-production devices.
>>
>> AppleCare Enterprise Technical Support and Apple Engineering would
>> greatly appreciate your testing of your current issue using this
>> pre-release version of OS X.
>>
>> I haven't done any first hand testing yet so I can verify if this is the
>> resolution.  I'm hoping to get a laptop with this version on it next week
>> and will give it a try.
>>
>> -
>>  Don Wright
>> Brown University
>> CWSP, CWNA, ACMP
>>
>>
>>
>>
>>
>>
>>
>> On Wed, Jul 2, 2014 at 6:28 AM, Michael Dickson > > wrote:
>>
>>> I'm guessing the 10.9.4 "fix" refers strictly to a wake-from-sleep issue
>>> and not the intermittent-delay-with-EAP issue outlined at
>>> http://support.apple.com/kb/TS5258.
>>>
>>> Mike
>>>
>>> Michael Dickson
>>> Network Analyst
>>> Office of Information Technologies
>>> University of Massachusetts Amherst
>>> Voice 413.545.9639
>>>
>>> On Jul 1, 2014, at 12:14 PM, Travis Schick >> > wrote:
>>>
>>> > Just did some testing with my macbook using 10.9.4 I still see the
>>> same 15+ second delay re-authenticating with eap.
>>> >
>>> > I have not yet heard from apple what version of mavericks will contain
>>> the fix - but appears 10.9.4 was not it.
>>> >
>>> > Travis
>>> >
>>> >
>>> > On Mon, Jun 30, 2014 at 12:47 PM, Lee H Badman >> > wrote:
>>> > Did you all see this one:
>>> http://www.cultofmac.com/285567/os-x-mavericks-10-9-4-released-big-wifi-fix-updated-safari/
>>> >
>>> >
>>> > -Lee
>>> >
>>> > Lee Badman
>>> > Wireless/Network Architect
>>> > ITS, Syracuse University
>>> > 315.443.3003
>>> > (Blog: http://wirednot.wordpress.com)
>>> >
>>> >
>>> >
>>> >
>>>
>>>
>>
>
>




Re: [WIRELESS-LAN] Epitiro StreetWise, 7signal

2014-07-10 Thread Norman Elton
We were introduced to 7Signal from their presentation at the Wireless
Field Day, and seeing them on a few listserv conversations. We
currently have ~15 sensors (eyes) scattered around our network, mostly
in residence halls. There is an upfront cost, and yes, their licensing
seems a little more complicated than it really needs to be. That
aside, it is a very powerful tool. To be honest, we don't use it as
much as we should. More on that in a moment.

7Signal Eyes gather tons of statistics, some passive (signal strength,
percentage of retries in the air, etc), others collected by connecting
to the AP (TCP throughput, DNS availability). The data is passed back
to a database, where a web-based analyzer allows you to slice and dice
into graphs and SLAs.

We purchased the product for two main purposes. First, to help
investigate student complaints. If someone complains that wireless is
sluggish every night between 2:00 and 3:00 AM, we can deploy an Eye to
gather statistics. Is it just a matter of load? Airtime exhaustion?
Interference? Second, to help guide us in making tweaks to our AP
configuration. What happens when we enable 40-MHz wide channels? What
gains were made when we enabled DFS channels? How about tweaking the
beacon interval? These are all changes that theoretically help the
network, but we don't have a way to actually measure their effect.

They sell the product with a hefty professional services overhead. I
see two reasons behind this...

First, they want to show you how to use the product, then make
suggestions on how to improve your wireless network, and show you how
to verify that the improvements resulted in performance gains. None of
their suggestions were groundbreaking, but their engineers (at least
those I worked with) knew their stuff. We're reasonably intelligent
wireless folks, but they deal with tweaking networks every day. We
felt it was money well spent.

The second reason points to our major complaint with 7Signal. Their
web-based analyzer has a very steep learning curve. It's akin to
learning the US tax system by reading the IRS tax code. Sure it's
possible, but you really need a CPA to help guide you along. You're
dealing with a very powerful GUI with lots and lots of knobs, not all
of which are clearly explained or even relevant to what you're doing.
I get the impression that the product was developed over many years by
very smart wireless people who used it every day, but never bothered
to step back and look at it as a product a customer would buy / learn
/ use.

We've expressed this concern, and have been assured that they are
working on a new analyzer platform. But until it's running on our
servers, it's vaporware :-/.

So, all of that said, it's a powerful tool. We've gotten useful
information from it, and they have guided us through a number of
tweaks. We have not seen a gigantic performance improvement, but feel
our ability to monitor performance justifies the product.

I'm happy to answer other questions or jump on a call.

Norman Elton

p.s. I'm really convinced that 85% of their statistics could be
gathered by the AP directly. I'm pushing our vendor, Aerohive, to
implement sFlow with 802.11-level information. Instead of collecting
information from a few sensors, every AP could report a
statistically-meaningful amount of sampled packets. If anyone else
feels this would be useful, let's get that conversation going!

On Thu, Jul 10, 2014 at 12:27 PM, Lee H Badman  wrote:
> Thanks, Norman. I'm thinking a lot of people are curious. I know one glaring 
> point is that there seems to be heavy push for professional services, and I'm 
> not real keen on needing multiple licenses to bring an Eye to  life 
> (seemingly to spread costs out) but those are my personal biases. Anything 
> you can share would be appreciated!
>
> -Lee
>
> -Original Message-
> From: Norman Elton [mailto:normel...@gmail.com]
> Sent: Thursday, July 10, 2014 10:18 AM
> To: The EDUCAUSE Wireless Issues Constituent Group Listserv
> Cc: Lee H Badman
> Subject: Re: [WIRELESS-LAN] Epitiro StreetWise, 7signal
>
> Lee -
>
> Just saw your email. We have 7Signal at William & Mary. Would love to
> chat about our experience. Let me know if you're still interested.
>
> Thanks,
>
> Norman Elton
> College of William & Mary
>
> On Mon, Apr 28, 2014 at 3:14 PM, Lee H Badman  wrote:
>> Greetings to the list-
>>
>> Wondering if anyone is using or has taken a serious look at (to the point
>> where you’ve gotten quotes) either 7signal or Epitiro StreetWise for wireless
>> performance measurement. Epitiro is newer to Wi-Fi game, less PR to date,
>> but established in mobile carrier world.
>>
>> We can chat on list or off, as you’re comfortable with.
>>
>> For those using either:

Re: [WIRELESS-LAN] Epitiro StreetWise, 7signal

2014-07-10 Thread Norman Elton
Lee -

Just saw your email. We have 7Signal at William & Mary. Would love to
chat about our experience. Let me know if you're still interested.

Thanks,

Norman Elton
College of William & Mary

On Mon, Apr 28, 2014 at 3:14 PM, Lee H Badman  wrote:
> Greetings to the list-
>
> Wondering if anyone is using or has taken a serious look at (to the point
> where you’ve gotten quotes) either 7signal or Epitiro StreetWise for wireless
> performance measurement. Epitiro is newer to Wi-Fi game, less PR to date,
> but established in mobile carrier world.
>
> We can chat on list or off, as you’re comfortable with.
>
> For those using either:
>
>
> Which one?
> For how long?
> How “bad” did your network need this sort of help before you started?
> Biggest win?
> Any frustration?
> Perspective on company, support, etc?
> Now that you’re in it with them, has the investment been worth it?
> Has the time commitment to get value been acceptable?
>
>
> For those shopping:
>
> Which one?
> Actively considering?
> Did sticker shock chase you away?
>
>
> Any other thoughts or comments on the general topic welcome as well, as we
> research whether to go this path.
>
> Thanks-
>
> Lee Badman
> Syracuse University
>
>



Re: [WIRELESS-LAN] 11ac migration question

2014-03-17 Thread Norman Elton
>> We are using directional patch antennas to keep the coverage to the
auditorium as well as use a higher mandatory rate.

Mind sharing what antennas you use?

Thanks

Norman


On Mon, Mar 17, 2014 at 3:12 PM, McClintic, Thomas <
thomas.mcclin...@uth.tmc.edu> wrote:

>  We have installed in a few auditoriums to help enhance the wireless
> there. We are using directional patch antennas to keep the coverage to the
> auditorium as well as use a higher mandatory rate.
>
>
>
> I have seen no issues with clients hanging on to ac, however I see only
> about 5-10% of users associating with ac right now. I'm sure that will
> change in the next year.
>
>
>
> This is our strategy on ac for now, we are deploying in high density areas
> and using various mechanisms to isolate the coverage cell.
>
>
>
>
>
> *TJ McClintic*
>
> Senior Network Engineer, Network Operations
>
> Communication Services | Network Operations
>
> 7000 Fannin | Suite M50 | Houston, TX 77030
>
> (713) 486-2271 tel | (713) 364-8683 mob
>
> www.uth.edu
>
>
>
>
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Cameron, Damien L.
> *Sent:* Monday, March 17, 2014 2:03 PM
>
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] 11ac migration question
>
>
>
> I believe it's recommended that you upgrade floor by floor, and building
> by building.
>
>
>
> If you don't have that capability, I would suggest upgrading the hardware,
> but not enable the VHT capabilities until all hardware has been upgraded.
> I'm not totally sure of .11ac's protection mechanisms, but doing this would
> also avoid any unforeseen issues of mixing VHT clients/APs with non-VHT
> clients/APs.
>
>
>
> *Damien Cameron*
>
> Network Engineer
>
> Norfolk State University
>
> Office of Information Technology
>
> Marie v. McDemmond Center for applied Research
>
> Room 401
>
> 555 Park Avenue
>
> Norfolk, VA 23504
>
> O: (757) 823-9123
>
>
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
> *On Behalf Of *Jeff Kell
> *Sent:* Sunday, March 16, 2014 1:05 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] 11ac migration question
>
>
>
> Have seen similar results with Dell laptop locking onto 802.11n at a
> distance and ignoring "same room" a/b/g.  We are trying to avoid mixed
> deployments, and sounds like the same concerns extend to 11ac as well.
>
> Jeff
>
> On 3/15/2014 11:12 PM, Alok Vimawala wrote:
>
>  Hi Frank,
>
>
>
> We just had an interesting incident in one of our buildings where half of
> the ac radios stopped working. The building has Cisco 3602i APs with the
> add-on 802.11ac Wave-1 module. So, the building turned into a mixed 802.11n
> and 802.11ac deployment on the 5GHz spectrum. What we saw in that building
> was that new Apple MacBook Pros with the 802.11ac capable chipsets were
> preferring to associate with a bad 802.11ac signal rather than connecting
> to a great (AP right above the laptop) 802.11n signal.
>
> Clients seem to prefer protocols with highest theoretical throughput
> regardless of signal strength and that behavior hasn't really changed since
> the days when 802.11n was first introduced. My recommendation would be to
> avoid mixed 5GHz 802.11n and 802.11ac environments.
>
> Thanks,
>
> Alok Vimawala
>
> University of Michigan
>
> On Sat, Mar 15, 2014 at 9:54 PM, Frank Sweetser  wrote:
>
> Hello all,
>
>   we're beginning plans to upgrade our wireless infrastructure from 11n to
> 11ac, and I'm hoping that someone can chime in on their experience with
> mixed capability buildings.
>
> When we first went from  11a/b/g to 11n, we found that clients in
> buildings with mixed capability APs had some odd roaming issues - and by
> "odd", I mean utterly braindead.  A fair number of clients would
> aggressively latch onto an 11n AP at -80, while ignoring an a/b/g AP in the
> same room at -50, with predictably poor results.  In the end, we had to
> ensure that buildings were upgraded in full, rather than incrementally, to
> fix the complaints.
>
> My question is, has anyone seen similar issues in buildings with a mix of
> 11ac and 11n APs?
>
> --
> Frank Sweetser fs at wpi.edu        |  For every problem, there is a solution that
> Manager of Network Operations       |  is simple, elegant, and wrong.
> Worcester Polytechnic Institute     |   - HL Mencken
>
> **
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at 
> http://www.educause.edu/groups/

Re: [WIRELESS-LAN] Aerohive

2014-03-10 Thread Norman Elton
We have ~1400 Aerohive APs and have been a customer since early 2009.
I'm happy to talk to folks about our experience, and would love to
talk to other large .edu deployments. Email and we can setup a time.

Norman Elton
College of William & Mary
wne...@wm.edu / 757-221-7790

On Mon, Mar 10, 2014 at 9:09 PM, LaMarr Baucom  wrote:
> I just purchased 205 Aerohive APs, for two of our dorms and our on Campus
> Apartments. I am purchasing another 40, for another dorm in about a month,
> and hopefully an additional 150 before June for 5 more of our dorms. At the
> beginning of the fiscal year, I would like to replace the remaining APs in
> our dorms.
>
> I have been looking at Aerohive for about two years now and have talked in
> depth with 3 Higher Ed's and many others from various sects that are very
> pleased. We were a complete Cisco shop up until this point, but I plan on
> splitting that and keeping our Campus side on Cisco and using the non EOL
> APs and WiSM2 from the dorms on the Campus side. The only thing that has
> kept me from switching sooner is having to support two wireless systems, but
> we had some funding so it made sense.
>
> Various reasons played a part in making the switch.
>
> 1) Cisco licensing (there are no extra licensing costs with Aerohive).  For
> example Layer 7 visibility is available out of the box.  You don't run into
> the Cisco licensing problems where you have to purchase licenses for the WLC
> and PI, as well as having to purchase the AVC, Clean Air, MSE, ISE, extra PI
> licenses.
> 2) Cisco's 7.4x code has been a nightmare for us. PI hasn't been much better
> 3) The timing was right with replacing the remaining EOL APs in the dorms,
> and we also need to replace some on the Campus side so we will just use the
> newer APs from the dorms on the Campus side, as we deploy more Aerohive
> gear.
>
> Note: The per AP costs are about the same so this was not a factor in our
> decision.
>
> If I had one complaint about the Aerohive stuff (if you would call this a
> complaint) it would be that you can do so much with the system, that it
> makes doing minor changes a little more difficult than in the Cisco world.
>
> I do have contact info for a University that has been an Aerohive customer
> for over 5 years and has over 1000 APs. He told me he doesn't mind me giving
> out his contact info as a reference. Email me directly if you would like his
> info (he is not a member of this listserv).
>
>
> Let me know if you have any questions.
>
> LaMarr Baucom
> Wireless Network Engineer
> Murray State University
> (270) 809-2299
> lamarr.bau...@murraystate.edu
>
> MSU Information Systems staff will never ask for your password or other
> confidential information via email.
>
>
> On Mon, Mar 10, 2014 at 7:08 PM, Glassman, Stephen 
> wrote:
>>
>> Please keep this public or at least leave your contact info if you run
>> Aerohive
>>
>> Thanks,
>>
>> Steve
>>
>> -Original Message-
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Daniel Eklund
>> Sent: Monday, March 10, 2014 7:27 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: [WIRELESS-LAN] Aerohive
>>
>> If any of you have a large installation of Aerohive I'd like to talk with
>> you privately about your experiences.
>>
>> Thanks
>>
>> --
>> Daniel Eklund
>> Network Planning Manager
>> ITS Communications Systems and Data Centers University of Michigan
>> 734.763.6389
>>
>
>



Re: [WIRELESS-LAN] How many drops 802.11ac phase 2

2014-02-13 Thread Norman Elton
To chime in, we just had a round-and-round conversation about this,
deciding to continue pulling a single Cat6 to access points. While
802.11ac will theoretically be able to saturate the link, we feel
standards will continue to evolve, and APs will begin shipping 10gig
uplinks, long before our clients will actually be pushing multi-gig
traffic through a single AP.

Norman Elton
College of William & Mary

On Tue, Feb 11, 2014 at 9:16 PM, Ron Walczak  
wrote:
> You are correct...  Sorry for any confusion
>
>
> On Tue, Feb 11, 2014 at 8:47 PM, Peter P Morrissey  wrote:
>>
>> Cat6a is 100 meters for 10 Gig. You may be thinking of Cat6 which was
>> supposed to go 55 meters for 10 Gig, but now I think they are saying 37
>> meters for Cat6.
>>
>> Pete Morrissey
>>
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ron Walczak
>> Sent: Tuesday, February 11, 2014 7:45 PM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] How many drops 802.11ac phase 2
>>
>> 10G over copper is limited to 53 meters for cat6a...  What percentage of
>> your AP's are that close to your data switch?
>>
>> A Re-design would be necessary
>>
>> On Tue, Feb 11, 2014 at 9:30 AM, Cameron, Damien L. 
>> wrote:
>>
>> Wouldn't switches with 10G access ports (also 10G uplink ports on AP)and
>> 802.3at POE solve this issue?
>>
>> I understand resiliency is a plus  with two data drops, but with RRM I
>> still can't see the benefit of two data drops. Doubles cabling cost, and you
>> still need the switch ports to support it. I've searched to see if Cisco had
>> any switches with 10G access ports; however, I've only seen this in Nexus
>> models for the DC. I think I came across a switch by Arista that was 10G
>> access. And we know with the pace that technology changes those two data
>> drops may not be needed in the future.
>>
>> Damien Cameron
>> Network Engineer
>> Norfolk State University
>> Office of Information Technology
>> Marie v. McDemmond Center for applied Research
>> Room 401
>> 555 Park Avenue
>> Norfolk, VA 23504
>> O: (757) 823-9123
>>
>>
>> -Original Message-
>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Center
>> Sent: Tuesday, February 11, 2014 8:41 AM
>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> Subject: Re: [WIRELESS-LAN] How many drops 802.11ac phase 2
>>
>> Hi Bruce,
>>
>> I was referring to the future 802.11ac phase 2 APs.
>>
>>
>> -John
>>
>>
>> On 02/11/2014 07:40 AM, Osborne, Bruce W (Network Services) wrote:
>> > What brand of APs are you using? Aruba APs will only accept PoE from the
>> > first Ethernet port.
>> >
>> > Bruce Osborne
>> > Network Engineer - Wireless Team
>> > IT Network Services
>> >
>> > (434) 592-4229
>> >
>> > LIBERTY UNIVERSITY
>> > Training Champions for Christ since 1971
>> >
>> > -Original Message-
>> > From: John Center [mailto:john.cen...@villanova.edu]
>> > Sent: Monday, February 10, 2014 5:44 PM
>> > Subject: Re: How many drops 802.11ac phase 2
>> >
>> > Hi Philippe,
>> >
>> > Another reason for 2 drops is resiliency.  I envision connecting the
>> > AP's 2 ports to a 2-switch stack.  We rarely see the need for redundant
>> > power supplies in an edge switch, but have seen failure on a switch ASIC
>> > cause one or more ports to go dead.  With 2 connections, one switch having
>> > issues won't take out the AP.  I think LAG'g both ports across the stack &
>> > supporting LACP will become a future requirement.
>> >
>> >   -John
>> >
>> >
>> > --
>> > John Center
>> > Villanova University
>> >
>> > On 02/07/2014 10:21 AM, Hanset, Philippe C wrote:
>> >> Is the main justification for two drops due to power/bandwidth/the-two?
>> >>
>> >> With many services and most killer apps going to the cloud, I would
>> >> suspect that the bandwidth to the WAN is so limiting, that this
>> >> excess of capacity on Wireless is a complete overkill (a vendor
>> >> driven non-sense).
>> >>
>> >> Yes, those 802.11ac Phase2 APs can generate 

Re: [WIRELESS-LAN] OS X 802.1x auth issue

2014-01-31 Thread Norman Elton
Sorry for the spam today, one last question for those that have experienced
the cert issue. What was the client symptom? That is, what does the user
see during the 10 second delay? Wifi icon is all grey, laddering up and
down, all dark?

Thanks,

Norman Elton




Re: [WIRELESS-LAN] OS X 802.1x auth issue

2014-01-31 Thread Norman Elton
Interesting. What were the band-steering symptoms? Any way to pin the
problem down to band-steering, or was it trial and error?

Norman


On Fri, Jan 31, 2014 at 1:44 PM, Edward Ip  wrote:

> I agree with Jeff, we recently disabled band steering on our Aruba
> controllers and it has helped a bit.
>
> *Edward Ip*
>
> *Algonquin College* | 1385 Woodroffe Avenue | Room C316 | Ottawa | 
> Ontario|K2G 1V8|Canada
>
> algonquincollege.com
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jeffrey Sessler
> *Sent:* Friday, January 31, 2014 1:40 PM
>
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] OS X 802.1x auth issue
>
> We've seen the cert issue, and OS 10.8 and 10.9 don't seem to like
> band/load-steering. The cert issue coupled with band-steering and/or
> load-steering make the Mac's very unhappy.
>
> Jeff
>
> >>> On Friday, January 31, 2014 at 10:05 AM, in message <
> CAPCnwUdAuZqKuFwOycKrGmXgiKCrb_Wy82=o5xc3be+o7an...@mail.gmail.com>,
> Norman Elton  wrote:
>
> And a follow up. Has anyone actually confirmed that this bug is
> actually causing client complaints? We do seem to be riding a wave of
> complaints from MacBook owners. We are only just now starting to
> change cert trust settings. Hopefully we'll know more next week as
> students have a chance to test things out over the weekend.
>
> Norman Elton
> College of William & Mary
>
> On Fri, Jan 31, 2014 at 12:59 PM, Norman Elton 
> wrote:
> >> It also appears specific to certs based on 2048 bit keys.   Also there
> is no
> >> cert validation delay upon initial connect... only when attempting to
> >> reauth... ie after a death or a roam event.
> >
> > Can anyone confirm the bug only affects certs with 2048 bit keys? I
> > don't see that listed anywhere in Apple's release. It's an interesting
> > twist.
> >
> > Thanks!
> >
> > Norman Elton
> > College of William & Mary
>
>
>




Re: [WIRELESS-LAN] OS X 802.1x auth issue

2014-01-31 Thread Norman Elton
And a follow up. Has anyone actually confirmed that this bug is
actually causing client complaints? We do seem to be riding a wave of
complaints from MacBook owners. We are only just now starting to
change cert trust settings. Hopefully we'll know more next week as
students have a chance to test things out over the weekend.

Norman Elton
College of William & Mary

On Fri, Jan 31, 2014 at 12:59 PM, Norman Elton  wrote:
>> It also appears specific to certs based on 2048 bit keys.   Also there is no
>> cert validation delay upon initial connect... only when attempting to
>> reauth... ie after a death or a roam event.
>
> Can anyone confirm the bug only affects certs with 2048 bit keys? I
> don't see that listed anywhere in Apple's release. It's an interesting
> twist.
>
> Thanks!
>
> Norman Elton
> College of William & Mary



Re: [WIRELESS-LAN] OS X 802.1x auth issue

2014-01-31 Thread Norman Elton
> It also appears specific to certs based on 2048 bit keys.   Also there is no
> cert validation delay upon initial connect... only when attempting to
> reauth... ie after a death or a roam event.

Can anyone confirm the bug only affects certs with 2048 bit keys? I
don't see that listed anywhere in Apple's release. It's an interesting
twist.

Thanks!

Norman Elton
College of William & Mary



Re: [WIRELESS-LAN] WPA and Wireless LAN Server Certificate?

2008-11-19 Thread Norman Elton
We're using a Verisign cert on IAS, but our users are still prompted
to accept the cert upon initial connect. We asked Verisign about this,
and they basically said, "that's the way it's designed to work". We
did some poking around on the interwebs, and could find a good
solution. This was two or three years ago.

Has anyone managed to find a cert that XP/Vista will accept without prompting?

Thanks

Norman Elton



Re: [WIRELESS-LAN] Logging into a Active Directory domain via wireless & 802.1x

2008-07-21 Thread Norman Elton
The computer should first authenticate to IAS with its machine
credentials. Assuming your IAS server is properly set up, the machine
gets on wireless to authenticate a user. When a user logs in, it will
re-authenticate with the user's credentials.

Norman Elton
College of William & Mary

On Mon, Jul 21, 2008 at 2:10 PM, Youngquist, Jason R.
<[EMAIL PROTECTED]> wrote:
> We have several kiosk computers setup in our Student Commons area, and they
> are accessing the Internet wirelessly.  What I'd like to be able to do is
> join the computers to a domain and then have the students login with their
> Active Directory credentials.  We will also be configuring the computers to
> use 802.1x over wireless.  From what I've googled, wireless doesn't appear
> to be set up until a person logs into the computer.
>
> Is there any way to accomplish this?
>
> Thanks.
>
> Jason Youngquist
>
> Network Engineer - Security
>
> Technology Services
>
> Columbia College
>
> 1001 Rogers Street, Columbia, MO  65216
>
> (573) 875-7334
>
> [EMAIL PROTECTED]
>
> http://www.ccis.edu
>



Re: [WIRELESS-LAN] Support headache of WPA2 Enterprise

2008-07-10 Thread Norman Elton
Thanks, all, for the great responses. It seems that the IDEngines
product is well recommended. We'll look into it.

We were originally hesitant to have students download an application,
mainly because we've been repeatedly telling them not to trust
attachments, random downloads, etc. For them to suddenly get a message
of "please download and run this application" may rub some people the
wrong way.

For those of you that initially had "headaches" and turned to the
IDEngines product... what kind of headaches? We're hoping that with
automatic updates, most students will have SP3, negating the need for
the WPA2 hotfix. Our freshmen and sophomores all have Vista anyway,
and more students are showing up with Macs. We realize that third
party wireless managers will likely be a problem. What else did you
run into?

John... I can certainly make our instructions available. If I
remember, I'll post a URL once ours are publicly available. Drop me a
note if I forget! We actually found that googling for "site:.edu wpa2"
pulled up lots of useful information :).

Thanks again!

Norman Elton
College of William & Mary



Support headache of WPA2 Enterprise

2008-07-09 Thread Norman Elton
We're looking to deploy WPA2 Enterprise with MSCHAPv2 this fall. All
of our students have centralized accounts, so they should know their
name and password. We've created full instructions, with pictures,
which will be made available to anyone connecting to our unencrypted
network.

For Macs and Vista, the process is relatively painless. Some people
will probably figure it out without any help.

Windows XP, however, is another beast. We've boiled things down to
twelve steps, all necessary to configure PEAP, MSCHAPv2, trust levels,
etc.

For people that have done this in the past... how much support
overhead was involved in your deployments? With clear instructions
made available, were the majority of students able to figure the
process out? We'll obviously have plenty of extra support staff on
hand during fall move-in, but are wondering if they'll be facing a
tidal wave or trickle.

Thanks for any advice, stories, etc.

Norman Elton
College of William & Mary
