RE: Wireless Only in Student Housing?

2018-08-29 Thread Osborne, Bruce W (Network Operations)
Our first attempt at wireless-only was pushed by the cabling team for an old 
shoe factory building we use for document storage. That was unsuccessful due to 
the building construction & the user environment. We are primarily wireless 
there with phones connected wired.

We are in an environment which is constantly changing with additional IT 
purchases needed.

IT Management, with coordination from our Network Operations team, initially 
decided to move the dorms to all-wireless with ports by request only. We then 
later moved to charging for a wired port. We now do not offer wired ports 
except for our RAs & RDs for our wired Cisco phones.

Since moving all-wireless, we also have Wi-Fi door locks in our newer residence 
buildings. We have a couple of computer labs where additional APs were 
purchased with a dedicated SSID only for the Lab computers because that was 
less expensive than providing the switch hardware to wire all the computers.

I would say our wireless-only implementation was eventually successful.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Edward Fishman [mailto:efish...@stevens.edu]
Sent: Tuesday, August 28, 2018 11:42 AM
Subject: Re: Wireless Only in Student Housing?

Hello.

I have been following this thread with great interest as we have a new student 
housing project in the works.

My questions are:


  1.  Who was involved in the decision to go all wireless (or not) on your 
campus?
  2.  Were cost savings involved in the overall decision, if there were cost 
savings, considering the potential need for a greater density of APs?
  3.  From where was the greatest push-back not to go all-wireless?  
Conversely, who were the biggest fans of moving in the all-wireless direction?

Thanks


Edward M. Fishman
Director of Networking and Systems Administration
Division of Information Technology

Stevens Institute of Technology
1 Castle Point on Hudson
Samuel C. Williams Library - Lower Level
Hoboken, NJ 07030

T 201-216-5147 | C 917-817-4088
http://www.stevens.edu
edward.fish...@stevens.edu

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.




RE: Wireless Only in Student Housing?

2018-08-28 Thread Osborne, Bruce W (Network Operations)
Good question.

We generally try to support them for the same timeframe as the vendor. We spent 
a lot of time last year working with connectivity & roaming issues with the 
PS4s and realized they were misbehaving 3.4 GHz client. Now there is a newer 
alternative, it was determined to no longer provide support for the older 
generation.
We do not ban them but just decline to help much with connectivity issues.

From: Chris Adams (IT) [mailto:chris.ad...@ung.edu]
Sent: Monday, August 27, 2018 11:32 AM
Subject: Re: Wireless Only in Student Housing?

This raises an interesting point, somewhat tangential to the original 
conversation.

How do you determine & maintain a list of “supported” residential network 
devices? If someone brings in a later gen PS4 and has connectivity issues, will 
your staff lay hands on the device to resolve the connectivity concern? Or is 
the approach just to say that the device has been known to be compatible in 
the past and verify that the network is working properly?

We’ve had more tickets about ROKU TVs this fall than any other quantity of 
incidents, and trying to find a happy medium of providing connectivity VS 
supporting every device under the sun has been a point of controversy.


Thanks,

Chris Adams, M.S., CISSP

Associate CIO, Network & Telecom
Division of Information Technology
University of North Georgia

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Osborne, Bruce W (Network Operations)
Sent: Monday, August 27, 2018 9:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Only in Student Housing?

When we initially went from wired/wireless to wireless + port request, we 
initially pulled out $1million worth of switches to be reused in other projects.

We have since moved to wireless only. In some cases of clients with poor NICs 
we provide temporary USB based loaner NICs. We have a list of supported 
wireless solutions for desktop systems. For gaming systems these days almost 
all can use wireless if the system is properly designed. This year we have 
dropped official support for the 1st Gen 2.4 only PS4 due to misbehaving 
wireless.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Enfield, Chuck [mailto:cae...@psu.edu]
Sent: Friday, August 24, 2018 2:52 PM
Subject: Re: Wireless Only in Student Housing?

I don’t want to hijack Dan’s thread, but I wouldn’t mind adding to it if he 
doesn’t mind.

I know from previous threads that lots of schools have gone Wi-Fi-only, and 
issues are minimal.  But, as an institution that has both wired and wireless 
enabled throughout the residence halls, about 15% of our residents still plug 
in.  It was easy for us to do both because we were really late to provide 
Wi-Fi, so our legacy wired network is still serviceable.  At some point in the 
next couple years we’ll have to decide whether or not to replace it.  That 
requires an assessment of the value proposition.  15% use seems to suggest that 
there’s still significant value in providing wired connectivity, but I’m not 
sure it satisfactorily answers the question.  It’s safe to assume that some 
users really want that wired connection for good reasons, and other users who 
prefer a wired connection if it’s available, but really wouldn’t miss it if it 
wasn’t.  It’s to determine how many each make up that 15%.

I’m curious to hear from institutions that provide wired connections upon 
request.  If you do that, how many get requested?  Is it free, or is there a 
charge?  If a charge, how much?  …and anything else illuminating you can 
no-doubt contribute.

Thanks,

Chuck


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Entwistle, Bruce
Sent: Friday, August 24, 2018 2:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Only in Student Housing?

Last year we converted our first residence hall to wireless only and there were 
minimal challenges.   You could consider installing the small hospitality APs 
in the rooms and then there would be wired ports available if necessary.

Bruce Entwistle
Network Manager
University of Redlands


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Daniel Wurst
Sent: Friday, August 24, 2018 11:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Only in Student Housing?

Hi All,

We are looking into building a new student housing building and are considering 
going Wifi only for network connectivity. We were wondering if anyone else has 
gone the route of only allowing ne

RE: Wireless Only in Student Housing?

2018-08-27 Thread Osborne, Bruce W (Network Operations)
Our Xbox users are fine since we have a dense wireless deployment in the 
residential areas.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: AIS [mailto:a...@reinhardt.edu]
Sent: Friday, August 24, 2018 2:55 PM
Subject: Re: Wireless Only in Student Housing?

How do your xbox users feel about it?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Entwistle, Bruce
Sent: Friday, August 24, 2018 2:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Only in Student Housing?

Last year we converted our first residence hall to wireless only and there were 
minimal challenges.   You could consider installing the small hospitality APs 
in the rooms and then there would be wired ports available if necessary.

Bruce Entwistle
Network Manager
University of Redlands


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Daniel Wurst
Sent: Friday, August 24, 2018 11:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Only in Student Housing?

Hi All,

We are looking into building a new student housing building and are considering 
going Wifi only for network connectivity. We were wondering if anyone else has 
gone the route of only allowing network connectivity via wireless. If so, can 
you share your experience, lessons learned, and advice.

Thank you,

Dan
--
Daniel Wurst
Network Engineer
Denison University
wur...@denison.edu
740-587-6229




RE: Wireless Only in Student Housing?

2018-08-27 Thread Osborne, Bruce W (Network Operations)
When we initially went from wired/wireless to wireless + port request, we 
initially pulled out $1million worth of switches to be reused in other projects.

We have since moved to wireless only. In some cases of clients with poor NICs 
we provide temporary USB based loaner NICs. We have a list of supported 
wireless solutions for desktop systems. For gaming systems these days almost 
all can use wireless if the system is properly designed. This year we have 
dropped official support for the 1st Gen 2.4 only PS4 due to misbehaving 
wireless.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Enfield, Chuck [mailto:cae...@psu.edu]
Sent: Friday, August 24, 2018 2:52 PM
Subject: Re: Wireless Only in Student Housing?

I don’t want to hijack Dan’s thread, but I wouldn’t mind adding to it if he 
doesn’t mind.

I know from previous threads that lots of schools have gone Wi-Fi-only, and 
issues are minimal.  But, as an institution that has both wired and wireless 
enabled throughout the residence halls, about 15% of our residents still plug 
in.  It was easy for us to do both because we were really late to provide 
Wi-Fi, so our legacy wired network is still serviceable.  At some point in the 
next couple years we’ll have to decide whether or not to replace it.  That 
requires an assessment of the value proposition.  15% use seems to suggest that 
there’s still significant value in providing wired connectivity, but I’m not 
sure it satisfactorily answers the question.  It’s safe to assume that some 
users really want that wired connection for good reasons, and other users who 
prefer a wired connection if it’s available, but really wouldn’t miss it if it 
wasn’t.  It’s to determine how many each make up that 15%.

I’m curious to hear from institutions that provide wired connections upon 
request.  If you do that, how many get requested?  Is it free, or is there a 
charge?  If a charge, how much?  …and anything else illuminating you can 
no-doubt contribute.

Thanks,

Chuck


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Entwistle, Bruce
Sent: Friday, August 24, 2018 2:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Only in Student Housing?

Last year we converted our first residence hall to wireless only and there were 
minimal challenges.   You could consider installing the small hospitality APs 
in the rooms and then there would be wired ports available if necessary.

Bruce Entwistle
Network Manager
University of Redlands


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Daniel Wurst
Sent: Friday, August 24, 2018 11:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Only in Student Housing?

Hi All,

We are looking into building a new student housing building and are considering 
going Wifi only for network connectivity. We were wondering if anyone else has 
gone the route of only allowing network connectivity via wireless. If so, can 
you share your experience, lessons learned, and advice.

Thank you,

Dan
--
Daniel Wurst
Network Engineer
Denison University
wur...@denison.edu
740-587-6229




RE: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: AID Error

2018-08-27 Thread Osborne, Bruce W (Network Operations)
Lee,

I cannot say a lot about the 6.7 licensing since we have not yet made that move 
but I do not think we will see much of an impact from that.

I do know their old OnBoard licensing per certificate was way out of touch with 
reality. A year ago, when our sales team quoted "a real good deal" we told 
them, with all seriousness, that they need to start at 10% of that quote to be 
competitive.

The above are my experiences & opinions and may not be those of Liberty 
University.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 
 (434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Lee H Badman [mailto:lhbad...@syr.edu] 
Sent: Friday, August 24, 2018 8:09 AM
Subject: Re: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: 
AID Error

I can't say I love ClearPass (we use it) and the recent relicensing felt very 
much like yet another revenue grab. Not sure the grass is totally greener 
anywhere. If Mist would tone down the buzzword-driven marketing and start 
highlighting real-world value proposition and case studies of very large 
accounts, that could be interesting. Likewise, if Ubiquiti could get their 
enterprise approach together and stop feeling so wonky on the company side, 
they too could be interesting. I'll admit there where we use cloud-managed in 
our branches, I LOOOVE not keeping up controllers or NMS systems, as I've 
had years where I have spent months dealing with bugs on both. 

I do wish every WLAN company CEO would remind themselves that there are end 
users at the end of the string out there, and that stability trumps feature 
bloat and that phrases like "our new blood-sucking licensing ensures you have 
access to INNOVATION!" just sound desperate. (Oh, and I want a pony, too!)

-Lee


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Osborne, Bruce W (Network 
Operations)
Sent: Friday, August 24, 2018 7:53 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client 
Fails to Associate: AID Error

Actually Aruba has moved from the "HA Pair" structure to a Cluster structure in 
AOS 8. We have 8 controllers in our Campus Cluster. Actually, the AP, SSID, & 
client can all be on different controllers within the cluster, each with a 
designated backup controller.

Since our cluster is split between 2 data centers, we have grouped the 
controllers so the standby is always in the opposite data center to the active 
one chosen.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 
 (434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Joachim Tingvold [mailto:joac...@tingvold.com]
Sent: Thursday, August 23, 2018 10:21 AM
Subject: Re: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: 
AID Error

On 23 Aug 2018, at 15:48, Jeffrey D. Sessler wrote:
> It’s great to hear Aruba is adding features such as “automated RF 
> management” that Cisco has had for over a decade.

My understanding of the “automated RF management” part is directly related to 
the upgrade process (and not DCA/TPC, as you’re suggesting, which Aruba has had 
for some time).

It splits the APs automatically into groups based on their channel assignment 
(since, given similar approach as DCA, this gives a rough estimation on “APs 
that are overlapping each other” — could also be improved in the future using 
signal strength an AP sees other APs). 
It then moves clients off of one of those groups (making them join other, 
adjacent APs), reloading those clientless APs into the new software version, 
and then moves clients back when it moves onto the next “channel group”. 
Cleanse and repeat until all groups are done, giving you “zero downtime”.

This is at least how it was last time I read about it, and is by far superior 
to the way Cisco does it (where you manually have to fiddle with groups within 
Prime — and that’s without talking about Prime itself…).

The Cisco-solution also requires a separate controller to do this, whilst Aruba 
uses its redundant controller by automatically handling “splitting” the 
HA-pair (by upgrading one of them, moving the APs according to the “channel 
groups”, and then finally upgrading the last controller).

The “equivalent” with Cisco would be to split your HA pair manually, move all 
APs to one of them, upgrade the other, move them using the 
rolling-AP-group-thingie in Prime, then upgrade the last, and finally join them 
back as a HA, causing significantly more downtime than a normal Cisco upgrade 
process. Or you could buy a completely separate WLC to achieve this, but that’s 
somewhat a waste of money if you already do HA/SSO (and buy WLCs in pairs).

> In all seriousness, if you’re talking specifically about AP updates, 
> Cisco has had AP code pre-

RE: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: AID Error

2018-08-24 Thread Osborne, Bruce W (Network Operations)
Actually Aruba has moved from the "HA Pair" structure to a Cluster structure in 
AOS 8. We have 8 controllers in our Campus Cluster. Actually, the AP, SSID, & 
client can all be on different controllers within the cluster, each with a 
designated backup controller.

Since our cluster is split between 2 data centers, we have grouped the 
controllers so the standby is always in the opposite data center to the active 
one chosen.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 
 (434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Joachim Tingvold [mailto:joac...@tingvold.com] 
Sent: Thursday, August 23, 2018 10:21 AM
Subject: Re: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: 
AID Error

On 23 Aug 2018, at 15:48, Jeffrey D. Sessler wrote:
> It’s great to hear Aruba is adding features such as “automated RF 
> management” that Cisco has had for over a decade.

My understanding of the “automated RF management” part is directly related to 
the upgrade process (and not DCA/TPC, as you’re suggesting, which Aruba has had 
for some time).

It splits the APs automatically into groups based on their channel assignment 
(since, given similar approach as DCA, this gives a rough estimation on “APs 
that are overlapping each other” — could also be improved in the future using 
signal strength an AP sees other APs). 
It then moves clients off of one of those groups (making them join other, 
adjacent APs), reloading those clientless APs into the new software version, 
and then moves clients back when it moves onto the next “channel group”. 
Cleanse and repeat until all groups are done, giving you “zero downtime”.

This is at least how it was last time I read about it, and is by far superior 
to the way Cisco does it (where you manually have to fiddle with groups within 
Prime — and that’s without talking about Prime itself…).

The Cisco-solution also requires a separate controller to do this, whilst Aruba 
uses its redundant controller by automatically handling “splitting” the 
HA-pair (by upgrading one of them, moving the APs according to the “channel 
groups”, and then finally upgrading the last controller).

The “equivalent” with Cisco would be to split your HA pair manually, move all 
APs to one of them, upgrade the other, move them using the 
rolling-AP-group-thingie in Prime, then upgrade the last, and finally join them 
back as a HA, causing significantly more downtime than a normal Cisco upgrade 
process. Or you could buy a completely separate WLC to achieve this, but that’s 
somewhat a waste of money if you already do HA/SSO (and buy WLCs in pairs).

> In all seriousness, if you’re talking specifically about AP updates, 
> Cisco has had AP code pre-download for years, resulting in between 2 
> to 4 minutes downtime when rebooting a multi-thousand AP controller. 
> Not hitless, but low impact for sure.

I’ve never managed to do less than ~400 seconds on HA/SSO-enabled 8540s with 
3k+ APs. That’s “a lot of time” many places (maybe not edu, but for sure in 
healthcare or other mission-critical businesses), which would be reduced to 
whatever time it takes for a client to re-associate after being “kicked” off 
the network (so time depends on the client, but would probably be sub-1s in 
many cases).

--
Joachim
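
The channel-group rolling upgrade Joachim describes above, sketched as an added example (not code from the thread, Aruba or Cisco): APs are grouped by channel, a group reboots only after its clients have been steered to a neighbouring AP outside the group, and APs whose clients have nowhere to go are reported so a "zero downtime" claim can be checked before the maintenance window. The AP names, neighbour lists and client counts are constructed, and the grouping rule is a simplified model of the behaviour described, not the vendor's algorithm.

```python
"""Simplified model of a channel-grouped rolling AP upgrade (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class AP:
    name: str
    channel: int
    neighbours: list        # names of APs whose coverage overlaps this one
    clients: int = 0
    version: str = "old"


def channel_groups(aps):
    """Group AP names by channel, lowest channel first.

    Assumption of the model: overlapping APs are on different channels,
    so APs that share a channel can reboot together.
    """
    groups = defaultdict(list)
    for ap in aps.values():
        groups[ap.channel].append(ap.name)
    return dict(sorted(groups.items()))


def plan_upgrade(aps, new_version="new"):
    """Upgrade one channel group at a time.

    Returns (steps, stranded). `stranded` lists APs that had clients but no
    neighbour outside the rebooting group: those clients lose service for
    the length of the reboot, so the upgrade is not hitless for them.
    """
    steps, stranded = [], []
    for channel, members in channel_groups(aps).items():
        rebooting = set(members)
        moved = {}
        for name in members:
            ap = aps[name]
            if ap.clients == 0:
                continue
            targets = [n for n in ap.neighbours
                       if n in aps and n not in rebooting]
            if not targets:
                stranded.append(name)
                continue
            # Steer clients to the least-loaded neighbour that stays up.
            target = min(targets, key=lambda n: aps[n].clients)
            aps[target].clients += ap.clients
            moved[name] = (target, ap.clients)
            ap.clients = 0
        for name in members:
            aps[name].version = new_version
        # Move clients back before starting the next channel group.
        for name, (target, count) in moved.items():
            aps[target].clients -= count
            aps[name].clients += count
        steps.append({"channel": channel, "aps": sorted(members),
                      "moved": {k: v[0] for k, v in moved.items()}})
    return steps, stranded


def sample_floor():
    """Constructed four-AP floor; ap-104's only neighbour shares its channel."""
    return {
        "ap-101": AP("ap-101", 36, ["ap-102", "ap-103"], clients=12),
        "ap-102": AP("ap-102", 44, ["ap-101", "ap-103"], clients=7),
        "ap-103": AP("ap-103", 149, ["ap-101", "ap-102"], clients=0),
        "ap-104": AP("ap-104", 36, ["ap-101"], clients=3),
    }


if __name__ == "__main__":
    steps, stranded = plan_upgrade(sample_floor())
    for step in steps:
        print(step)
    print("not hitless for:", stranded)
```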




RE: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: AID

2018-08-24 Thread Osborne, Bruce W (Network Operations)

Aruba introduced client band steering before we became their customer in 2008. 
At that time Cisco said band steering was not possible. Aruba has had spectrum 
monitoring since before Cisco’s CleanAir technology. We know who is following 
whom. That is why we made our choice.

Aruba has had AP preload for years but this is hands off seamless automated 
updating of controllers & APs.

I am very interested in what Aruba bugs have not been addressed, assuming they 
were running supported code. We work very closely with their support and they 
ensure our needs are met. I am sure large companies like Microsoft, Google, & 
Toyota would not use Aruba if the support was lacking behind others.

With Aruba (& Cisco) one needs to move carefully when updating to ensure the 
new version meets your stability requirements while fulfilling your needs.


The above is strictly my personal opinion and not that of my employer

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Jeffrey D. Sessler [mailto:j...@scrippscollege.edu]
Sent: Thursday, August 23, 2018 9:48 AM
Subject: Re: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: 
AID Error

It’s great to hear Aruba is adding features such as “automated RF management” 
that Cisco has had for over a decade. In another ten years maybe they’ll catch 
up to Cisco’s CleanAir technology?  :D

In all seriousness, if you’re talking specifically about AP updates, Cisco has 
had AP code pre-download for years, resulting in between 2 to 4 minutes 
downtime when rebooting a multi-thousand AP controller. Not hitless, but low 
impact for sure.

If you make use of Prime 3.3 or above, you’ve got Rolling AP Upgrade, ensuring 
that AP’s are updated and rebooted in defined groups so that clients are 
minimally impacted i.e. they roam to another AP while an adjacent is being 
updated. It’s not hitless since the client must roam, but it’s as transparent 
as you’re going to get.

In my opinion, the only way we’re going to see better results for enterprise 
WiFi in EDU will be as customers transition to cloud-based managed-services. In 
this scenario, the vendor gains significant visibility on everything deployed 
in the field and isn’t waiting for a customer to decide to open a case and do 
all the necessary log/data collection e.g. Meraki.

The campuses in our consortium that had been on Aruba have been migrating to 
Cisco this summer. Since the purchase by HP, support and innovation has waned, 
with bugs they’ve hit not being addressed. Clearly, like the difference in my 
and Lee’s Cisco experience, it’s not all rainbows and unicorns on the Aruba 
side either.

Jeff



From: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "bosbo...@liberty.edu" <bosbo...@liberty.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, August 23, 2018 at 4:33 AM
To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client 
Fails to Associate: AID Error

Come over to the Intelligent Wi-Fi side! :D

We just moved to Aruba 8.2.x this summer and are impressed with the automated 
RF management capabilities. We can now upgrade all or part of our wireless 
network with zero downtime.

We also are in the process of moving from 3 independent systems (campus, 
remote, LPV) to a single unified system, simplifying configuration and adding 
more consistency.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Wednesday, August 22, 2018 4:20 PM
Subject: Re: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: 
AID Error

Is crazy- Cisco is up to 8.8.x on support site, but I hesitate to move from 8.2 
MR7 as it actually works. Like hesitate to move, ever. EVER.

-Lee Badman

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Mccormick, Kevin
Sent: Wednesday, August 22, 2018 1:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client Fails to 
Associate: AID Error

New field notice was published yesterday.

https://www.cisco.com/c/en/us/support/docs/field-notices/702/fn70253.html

You may want to check if you are being affected.

Following versions are affected.

8.0.150.0, 8.0.152.0
8.4.100.0
8.5.103.0

If you are running 8.0, TAC has 8.0MR5esc available.


Kevin 

RE: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: AID Error

2018-08-24 Thread Osborne, Bruce W (Network Operations)
Aruba has its problems too, but they try to minimize them. Do not forget that, 
for many years, Aruba was a wireless-only company. Their wireless needed to 
work for them to remain profitable. For Cisco, wireless is just another product 
line in a large portfolio.

The above comments are my personal opinion, not that of my employer.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 
 (434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Ian Lyons [mailto:ily...@rollins.edu] 
Sent: Thursday, August 23, 2018 8:25 AM
Subject: Re: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: 
AID Error

As a result of the lack of QA, we removed all 1000 of our Cisco AP's and moved 
to Aruba.  Since then, we have had zero problems.  

Cisco really needs to get their stuff together, their Wireless has not been an 
Enterprise level product, in my opinion.

Ian

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Kenny, Eric
Sent: Thursday, August 23, 2018 8:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client 
Fails to Associate: AID Error

We were hit with the AID bug around this time last year on an 8.3 release.  At 
the time the bug was a Sev 2 with Cisco.  They provided an engineering release 
which we ran until the issue was finally resolved in later code.  More proof 
that QA in large environments is lacking, to say the least.

I’m with Bruce on this one, we are running Aruba 8.3.0.1 release and have used 
the live upgrades a few times now.  The only issues we’ve seen with it are our 
mesh deployment, but I hear they are working on that.  Client devices will roam 
as Joachim mentioned, but as long as you have roaming setup correctly, it’s 
almost always transparent to the user.
---
Eric Kenny
Network Architect
Harvard University ITS
---

> On Aug 23, 2018, at 7:33 AM, Osborne, Bruce W (Network Operations) 
>  wrote:
> 
> Come over to the Intelligent Wi-Fi side! :D
>  
> We just moved to Aruba 8.2.x this summer and are impressed with the automated 
> RF management capabilities. We can now upgrade all or part of our wireless 
> network with zero downtime. 
>  
> We also are in the process of moving from 3 independent systems (campus, 
> remote, LPV) to a single unified system, simplifying configuration and adding 
> more consistency.
>  
> Bruce Osborne
> Senior Network Engineer
> Network Operations - Wireless
>  
>  (434) 592-4229
>  
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
>  
> From: Lee H Badman [mailto:lhbad...@syr.edu]
> Sent: Wednesday, August 22, 2018 4:20 PM
> Subject: Re: Cisco - Field Notice - 70253 - Wireless Client Fails to
> Associate: AID Error
>  
> Is crazy- Cisco is up to 8.8.x on support site, but I hesitate to move from 
> 8.2 MR7 as it actually works. Like hesitate to move, ever. EVER.
>  
> -Lee Badman
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  On Behalf Of Mccormick, Kevin
> Sent: Wednesday, August 22, 2018 1:30 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client 
> Fails to Associate: AID Error
>  
> New field notice was published yesterday.
> 
> https://www.cisco.com/c/en/us/support/docs/field-notices/702/fn70253.html
> 
> You may want to check if you are being affected.
> 
> Following versions are affected.
> 
> 8.0.150.0, 8.0.152.0
> 8.4.100.0
> 8.5.103.0
> 
> If you are running 8.0, TAC has 8.0MR5esc available.
> 
> 
> Kevin McCormick
> Network Administrator
> University Technology - Western Illinois University 
> ke-mccorm...@wiu.edu | (309) 298-1335 | Morgan Hall 106b Connect with
> uTech: Website | Facebook | Twitter
> 


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/discuss.



RE: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: AID Error

2018-08-24 Thread Osborne, Bruce W (Network Operations)
We are running the conservative release in the 8.2 series. We are currently 
planning on moving to 8.3 during Christmas break. Hopefully it will have 
reached the stability for a conservative release by then.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 
 (434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Kenny, Eric [mailto:eric_ke...@harvard.edu] 
Sent: Thursday, August 23, 2018 8:02 AM
Subject: Re: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: 
AID Error

We were hit with the AID bug around this time last year on an 8.3 release.  At 
the time the bug was a Sev 2 with Cisco.  They provided an engineering release 
which we ran until the issue was finally resolved in later code.  More proof 
that QA in large environments is lacking, to say the least.

I’m with Bruce on this one, we are running Aruba 8.3.0.1 release and have used 
the live upgrades a few times now.  The only issues we’ve seen with it are our 
mesh deployment, but I hear they are working on that.  Client devices will roam 
as Joachim mentioned, but as long as you have roaming setup correctly, it’s 
almost always transparent to the user.
---
Eric Kenny
Network Architect
Harvard University ITS
---

> On Aug 23, 2018, at 7:33 AM, Osborne, Bruce W (Network Operations) 
>  wrote:
> 
> Come over to the Intelligent Wi-Fi side! :D
>  
> We just moved to Aruba 8.2.x this summer and are impressed with the automated 
> RF management capabilities. We can now upgrade all or part of our wireless 
> network with zero downtime. 
>  
> We also are in the process of moving from 3 independent systems (campus, 
> remote, LPV) to a single unified system, simplifying configuration and adding 
> more consistency.
>  
> Bruce Osborne
> Senior Network Engineer
> Network Operations - Wireless
>  
>  (434) 592-4229
>  
> LIBERTY UNIVERSITY
> Training Champions for Christ since 1971
>  
> From: Lee H Badman [mailto:lhbad...@syr.edu]
> Sent: Wednesday, August 22, 2018 4:20 PM
> Subject: Re: Cisco - Field Notice - 70253 - Wireless Client Fails to 
> Associate: AID Error
>  
> Is crazy- Cisco is up to 8.8.x on support site, but I hesitate to move from 
> 8.2 MR7 as it actually works. Like hesitate to move, ever. EVER.
>  
> -Lee Badman
>  
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
>  On Behalf Of Mccormick, Kevin
> Sent: Wednesday, August 22, 2018 1:30 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client 
> Fails to Associate: AID Error
>  
> New field notice was published yesterday.
> 
> https://www.cisco.com/c/en/us/support/docs/field-notices/702/fn70253.html
> 
> You may want to check if you are being affected.
> 
> Following versions are affected.
> 
> 8.0.150.0, 8.0.152.0
> 8.4.100.0
> 8.5.103.0
> 
> If you are running 8.0, TAC has  8.0MR5esc available.
> 
> 
> Kevin McCormick
> Network Administrator
> University Technology - Western Illinois University 
> ke-mccorm...@wiu.edu | (309) 298-1335 | Morgan Hall 106b Connect with 
> uTech: Website | Facebook | Twitter
> 



RE: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: AID Error

2018-08-24 Thread Osborne, Bruce W (Network Operations)
18 months ago I experienced a version upgrade on the active system at a 
conference. 

In our initial failover testing here, we had a client set up doing a continuous 
ping to a target. We took our network from 4 controllers down to 1. The AP & 
client roamed seamlessly such that not one ping was dropped.

My understanding was that one of Aruba's large clients demanded a system with 
no downtime.

We can also, if desired, run different code versions within the same system.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 
 (434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Joachim Tingvold [mailto:joac...@tingvold.com] 
Sent: Thursday, August 23, 2018 7:49 AM
Subject: Re: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: 
AID Error

On 23 Aug 2018, at 13:33, Osborne, Bruce W (Network Operations) wrote:
> We just moved to Aruba 8.2.x this summer and are impressed with the 
> automated RF management capabilities. We can now upgrade all or part 
> of our wireless network with zero downtime.

You say “zero downtime”. Aruba says “hitless”. None of those are true.

Don’t misunderstand; it’s far better than what Cisco has, but the system 
disconnects the clients from the AP side of things, and hence, from a client 
perspective, it’s not “hitless” or “no downtime”. They just suddenly get 
disconnected, and they have to reconnect. It’s not the client’s decision to move 
to a new AP.

Would I like this on Cisco; absolutely. I’m not holding my breath, though.

--
Joachim




RE: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: AID Error

2018-08-23 Thread Osborne, Bruce W (Network Operations)
Come over to the Intelligent Wi-Fi side! :D

We just moved to Aruba 8.2.x this summer and are impressed with the automated 
RF management capabilities. We can now upgrade all or part of our wireless 
network with zero downtime.

We also are in the process of moving from 3 independent systems (campus, 
remote, LPV) to a single unified system, simplifying configuration and adding 
more consistency.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Wednesday, August 22, 2018 4:20 PM
Subject: Re: Cisco - Field Notice - 70253 - Wireless Client Fails to Associate: 
AID Error

Is crazy- Cisco is up to 8.8.x on support site, but I hesitate to move from 8.2 
MR7 as it actually works. Like hesitate to move, ever. EVER.

-Lee Badman

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Mccormick, Kevin
Sent: Wednesday, August 22, 2018 1:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco - Field Notice - 70253 - Wireless Client Fails to 
Associate: AID Error

New field notice was published yesterday.

https://www.cisco.com/c/en/us/support/docs/field-notices/702/fn70253.html

You may want to check if you are being affected.

Following versions are affected.

8.0.150.0, 8.0.152.0
8.4.100.0
8.5.103.0

If you are running 8.0, TAC has  8.0MR5esc available.


Kevin McCormick
Network Administrator
University Technology - Western Illinois University
ke-mccorm...@wiu.edu | (309) 298-1335 | Morgan Hall 106b
Connect with uTech: Website | Facebook | Twitter



RE: eduroam ssid on RTS

2018-08-20 Thread Osborne, Bruce W (Network Operations)
Our organization was able to negotiate an unlimited plan with AT&T so we do not 
have that worry any longer.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Watson,Nancy A [mailto:nwat...@ufl.edu]
Sent: Friday, August 17, 2018 3:24 PM
Subject: Re: eduroam ssid on RTS


Thanks for your reply. I do want to know how others are doing this and if it 
was successful. We are concerned about overage charges and the quality of the 
wireless vs using their cellphone 4G connection.



Nancy




 Nancy Watson
 Engineer, Network Services - UFIT
 nwat...@ufl.edu, (352) 273-1057

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Osborne, Bruce W (Network Operations) <bosbo...@liberty.edu>
Sent: Friday, August 17, 2018 7:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] eduroam ssid on RTS

We are an Aruba shop. For several years we have been using Aruba’s remote 
access points on athletic highway coaches with a 4G backhaul through the 
vendor-installed Cradlepoint router. The APs also support 4G USB sticks though. 
The main issue in our case initially was bandwidth overage charges.

We are not an EDUROAM customer but the APs terminate over an IPsec tunnel to 
our controllers like they are on campus. I know this is not the Cisco solution 
you were looking for.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Watson,Nancy A [mailto:nwat...@ufl.edu]
Sent: Thursday, August 16, 2018 8:10 AM
Subject: eduroam ssid on RTS


I am involved in a joint project with RTS to run eduroam on the city buses 
that pass through our campus to service the students. We are currently a Cisco 
Shop and I was curious if anyone has done anything like this with Cisco or any 
other vendor.


Thanks,
Nancy

 Nancy Watson
 Engineer, Network Services - UFIT
 nwat...@ufl.edu, (352) 273-1057



RE: eduroam ssid on RTS

2018-08-17 Thread Osborne, Bruce W (Network Operations)
We are an Aruba shop. For several years we have been using Aruba’s remote 
access points on athletic highway coaches with a 4G backhaul through the 
vendor-installed Cradlepoint router. The APs also support 4G USB sticks though. 
The main issue in our case initially was bandwidth overage charges.

We are not an EDUROAM customer but the APs terminate over an IPsec tunnel to 
our controllers like they are on campus. I know this is not the Cisco solution 
you were looking for.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Watson,Nancy A [mailto:nwat...@ufl.edu]
Sent: Thursday, August 16, 2018 8:10 AM
Subject: eduroam ssid on RTS


I am involved in a joint project with RTS to run eduroam on the city buses 
that pass through our campus to service the students. We are currently a Cisco 
Shop and I was curious if anyone has done anything like this with Cisco or any 
other vendor.


Thanks,
Nancy

 Nancy Watson
 Engineer, Network Services - UFIT
 nwat...@ufl.edu, (352) 273-1057



RE: Onboarding Android devices

2018-08-09 Thread Osborne, Bruce W (Network Operations)
We currently are using PEAP/MSCHAPv2 but plan to move to EAP-TLS. We used 
CloudPath / CloudPath Wizard for many years but found the product support wane 
severely as Ruckus transformed Cloudpath from a company to a product brand.

Last summer we started evaluation for onboarding vendors. We ended up with 
SecureW2. Their support philosophy reminds us of the excellent early CloudPath 
support. They are proactive in officially supporting upcoming OS releases too.

After experiencing SecureW2, we could not go back to CloudPath ES or Wizard (We 
evaluated both.)  Although we are heavily invested in Aruba ClearPass, 
ClearPass Onboard licensing at that time made them far too expensive.


The above are my personal experiences and opinions. They may not exactly match 
those of Liberty University.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 
 (434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Jason Cook [mailto:jason.c...@adelaide.edu.au] 
Sent: Wednesday, August 8, 2018 7:28 PM
Subject: Re: Onboarding Android devices

We use Cloudpath and are happy, we allow users to stumble through PEAP/MsChap 
if they want but really push onboarding EAP-TLS. It's annoying with most 
androids and all windows to have to download the app but still more 
consistently successful and easier than other methods quite often when dealing 
with cheaper import android devices. The profile install method that IOS/OSX 
has had for ages is awesome,  and now available for newer Droids.

We want to get to a point of forcing EAP-TLS but have other fish to fry for 
now. Without onboarding you can be pretty confident most Windows and Android 
devices are not configured in the most secure way... I think apple is a bit 
better at auto it but might be wrong

--
Jason Cook
Information Technology and Digital Services The University of Adelaide, 
AUSTRALIA 5005
Ph: +61 8 8313 4800

CRICOS Provider Number 00123M


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 On Behalf Of Norman Elton
Sent: Wednesday, 8 August 2018 11:09 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Onboarding Android devices

Thanks all. If you're doing PEAP / MSCHAPv2, are you expecting some users to 
stumble through the process? Or do you somehow encourage all users to use the 
onboarding tool? Obviously the tool would be required if you're going down the 
EAP-TLS path.

Norman
On Wed, Aug 8, 2018 at 7:35 AM Osborne, Bruce W (Network Operations) 
 wrote:
>
> We changed onboarding tools for non-AD devices to SecureW2 last September and 
> have been more than happy with their service & support.
>
> They tend to officially support OS versions before official release, which 
> can be useful in a Higher-Ed environment.
>
> Bruce Osborne
> Liberty University
>
> -Original Message-
> From: Norman Elton [mailto:normel...@gmail.com]
> Sent: Tuesday, August 7, 2018 3:25 PM
> Subject: Onboarding Android devices
>
> We've got an encrypted network with the classic PEAP + MSCHAPv2 combo, 
> allowing users to connect with their domain credentials. We've shied away 
> from onboarding tools like SecureW2, especially for student devices, as they 
> seem more cumbersome than just having the user configure the connection 
> properly the first time.
>
> Preparing for the fall, we've noticed that recent versions of Android make 
> the process a little more cumbersome. It appears that 8.1 & 9.0 allow the 
> user to validate the certificate by domain, which is great.
> Although the steps to get this setup are far from intuitive.
>
> 8.0 doesn't give that option, instead displaying a scary warning, "This 
> connection will not be secure". The user is forced to go ahead with "do not 
> validate certificate", leaving them open to leak their credentials to a rogue 
> AP. Far from ideal.
>
> Theoretically, we could ask the user to trust the CA certificate in advance, 
> and (hopefully) the warning message would go away. But I haven't gotten this 
> to work.
>
> Is there a general consensus that these devices are better served with an 
> onboarding tool that can accommodate the vario

RE: Onboarding Android devices

2018-08-08 Thread Osborne, Bruce W (Network Operations)
We changed onboarding tools for non-AD devices to SecureW2 last September and 
have been more than happy with their service & support.

They tend to officially support OS versions before official release, which can 
be useful in a Higher-Ed environment.

Bruce Osborne
Liberty University

-Original Message-
From: Norman Elton [mailto:normel...@gmail.com] 
Sent: Tuesday, August 7, 2018 3:25 PM
Subject: Onboarding Android devices

We've got an encrypted network with the classic PEAP + MSCHAPv2 combo, allowing 
users to connect with their domain credentials. We've shied away from 
onboarding tools like SecureW2, especially for student devices, as they seem 
more cumbersome than just having the user configure the connection properly the 
first time.

Preparing for the fall, we've noticed that recent versions of Android make the 
process a little more cumbersome. It appears that 8.1 & 9.0 allow the user to 
validate the certificate by domain, which is great.
Although the steps to get this setup are far from intuitive.

8.0 doesn't give that option, instead displaying a scary warning, "This 
connection will not be secure". The user is forced to go ahead with "do not 
validate certificate", leaving them open to leak their credentials to a rogue 
AP. Far from ideal.

Theoretically, we could ask the user to trust the CA certificate in advance, 
and (hopefully) the warning message would go away. But I haven't gotten this to 
work.

Is there a general consensus that these devices are better served with an 
onboarding tool that can accommodate the various flavors of Android? Or is 
there a recipe for a user to setup 802.1x securely (with some sort of 
certificate validation) on Android devices pre-8.1?

Thanks,

Norman Elton
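
The gap between "do not validate certificate" and validating the server certificate by domain, as raised in the message above, shown as an added example (not from the thread and not any vendor's tool): a small Python audit of wpa_supplicant-style 802.1X profiles. The option names are real wpa_supplicant.conf fields; the SSID, identity, CA path and domain are constructed placeholders.

```python
import re

# Constructed sample profiles (not taken from the thread). Option names are
# real wpa_supplicant.conf fields; SSID, identity, CA path and domain are
# placeholders.
SAMPLE_CONF = """\
# Profile A: the equivalent of choosing "do not validate certificate"
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student1"
    phase2="auth=MSCHAPV2"
}

# Profile B: CA trusted, but any server certificate from that CA is accepted
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student1"
    ca_cert="/etc/ssl/certs/example-root.pem"
    phase2="auth=MSCHAPV2"
}

# Profile C: CA trusted and server name constrained ("validate by domain")
network={
    ssid="campus-secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="student1"
    ca_cert="/etc/ssl/certs/example-root.pem"
    domain_suffix_match="radius.example.edu"
    phase2="auth=MSCHAPV2"
}
"""

# Any one of these ties the accepted certificate to a specific server name.
NAME_CHECKS = ("domain_suffix_match", "domain_match",
               "altsubject_match", "subject_match")
# Tunnelled methods that carry a password-based inner exchange.
PASSWORD_METHODS = {"PEAP", "TTLS"}

FINDINGS = {
    "NO_CA": "server certificate is not validated against any CA",
    "PASSWORD_AT_RISK": "password-based inner exchange is handed to "
                        "whichever server answers for this SSID",
    "NO_NAME_CHECK": "CA is trusted but the server name is not constrained",
}


def parse_networks(conf_text):
    """Return one dict of option -> value per network={...} block."""
    networks = []
    for body in re.findall(r"^network=\{\s*\n(.*?)^\}", conf_text,
                           re.S | re.M):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)  # values may contain '=' too
            fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks


def audit_network(fields):
    """Return finding codes for one block; non-EAP blocks yield none."""
    if "eap" not in fields:
        return []
    methods = set(fields["eap"].upper().split())
    has_ca = "ca_cert" in fields or "ca_path" in fields
    has_name = any(option in fields for option in NAME_CHECKS)
    codes = []
    if not has_ca:
        # Without a trust anchor a name constraint proves nothing either.
        codes.append("NO_CA")
        if methods & PASSWORD_METHODS:
            codes.append("PASSWORD_AT_RISK")
    elif not has_name:
        codes.append("NO_NAME_CHECK")
    return codes


def audit_config(conf_text):
    """Return [(ssid, [codes])] for every network block in the text."""
    return [(fields.get("ssid", "?"), audit_network(fields))
            for fields in parse_networks(conf_text)]


if __name__ == "__main__":
    for index, (ssid, codes) in enumerate(audit_config(SAMPLE_CONF), 1):
        print(f"profile {index} ({ssid}): {'OK' if not codes else ''}")
        for code in codes:
            print(f"  {code}: {FINDINGS[code]}")
```
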




RE: Wireless Options

2018-05-23 Thread Osborne, Bruce W (Network Operations)
Lee,

Sorry I missed that detail. I believe your preferred wireless vendor has VLANs 
trunked local to the APs instead of centrally on the controllers.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Tuesday, May 22, 2018 8:22 AM
Subject: Re: Wireless Options

You don’t with any lightweight, controller-managed AP. That was my point. Are 
you talking Aruba cloud-managed?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Osborne, Bruce W (Network Operations)
Sent: Tuesday, May 22, 2018 7:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

With Aruba APs you do not trunk VLANs to the APs.

Just sayin’ 


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Monday, May 21, 2018 9:43 AM
Subject: Re: Wireless Options

I struggle with this question, too (cloud versus not) as a long-time user of 
both. The need to trunk VLANs to cloud-based APs in a big environment is more 
of an issue to me than code paradigms. Absolutely nothing could be worse than a 
certain vendor’s appliance-based controller code quality track record over the 
last 12 years. A culture of “accepted suck” seems to pervade over that business 
unit and their most loyal customers, while I scratch my head over why there 
hasn’t been a class-action lawsuit over the entire mess. Now add automation to 
the mix and hang on for THAT thrill ride.

I’d love to have no more controllers, but the VLAN thing is tough to swallow.

-Lee Badman

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Osborne, Bruce W (Network Operations)
Sent: Monday, May 21, 2018 8:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

With a cloud solution, if they mess up feature addition you are stuck with that 
latest version, correct? With controller-based or Aruba Instant type scenarios 
you are in charge of when to upgrade, waiting for stable builds.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Enfield III, Charles Albert [mailto:cae...@psu.edu]
Sent: Friday, May 18, 2018 2:54 PM
Subject: Re: Wireless Options

The other thing that’s going to change is the functionality.  Jeff was on the 
right track when he talked about vendors with a global presence being better 
able to identify bugs, security flaws etc. and promptly diagnose and patch 
them.  They’re also better positioned to apply machine learning and AI to the 
problems of network security and Wi-Fi optimization.  If they’re doing things 
right, the cloud product won’t be a hamstrung version of the controller 
product.  It will be a better version of the controller product.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Jeffrey D. Sessler
Sent: Friday, May 18, 2018 1:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

One of the difficulties in comparing TCO is around staffing. Both estimating 
how much time staff really spend on the current solution, but also taking into 
account base salary with benefits. At many colleges, benefits can add another 
30%+ to the cost of a person. As such, the elimination (or reallocation) of one 
FTE has a huge impact on on-premise vs cloud comparisons. That single FTE could 
be $100K (salary + benefits) per year, saving (or reallocating) $700K over 
those 7 years.

In a lot of our cloud shift, those FTE’s have been re-allocated into more 
important roles such as security.

Jeff

From: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Thomas Carter <tcar...@austincollege.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, May 18, 2018 at 8:43 AM
To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>

RE: Wireless Options

2018-05-22 Thread Osborne, Bruce W (Network Operations)
With Aruba APs you do not trunk VLANs to the APs.

Just sayin’ 


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Monday, May 21, 2018 9:43 AM
Subject: Re: Wireless Options

I struggle with this question, too (cloud versus not) as a long-time user of 
both. The need to trunk VLANs to cloud-based APs in a big environment is more 
of an issue to me than code paradigms. Absolutely nothing could be worse than a 
certain vendor’s appliance-based controller code quality track record over the 
last 12 years. A culture of “accepted suck” seems to pervade over that business 
unit and their most loyal customers, while I scratch my head over why there 
hasn’t been a class-action lawsuit over the entire mess. Now add automation to 
the mix and hang on for THAT thrill ride.

I’d love to have no more controllers, but the VLAN thing is tough to swallow.

-Lee Badman

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Osborne, Bruce W (Network Operations)
Sent: Monday, May 21, 2018 8:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

With a cloud solution, if they mess up feature addition you are stuck with that 
latest version, correct? With controller-based or Aruba Instant type scenarios 
you are in charge of when to upgrade, waiting for stable builds.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Enfield III, Charles Albert [mailto:cae...@psu.edu]
Sent: Friday, May 18, 2018 2:54 PM
Subject: Re: Wireless Options

The other thing that’s going to change is the functionality.  Jeff was on the 
right track when he talked about vendors with a global presence being better 
able to identify bugs, security flaws etc. and promptly diagnose and patch 
them.  They’re also better positioned to apply machine learning and AI to the 
problems of network security and Wi-Fi optimization.  If they’re doing things 
right, the cloud product won’t be a hamstrung version of the controller 
product.  It will be a better version of the controller product.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
On Behalf Of Jeffrey D. Sessler
Sent: Friday, May 18, 2018 1:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

One of the difficulties in comparing TCO is around staffing. Both estimating 
how much time staff really spend on the current solution, but also taking into 
account base salary with benefits. At many colleges, benefits can add another 
30%+ to the cost of a person. As such, the elimination (or reallocation) of one 
FTE has a huge impact on on-premise vs cloud comparisons. That single FTE could 
be $100K (salary + benefits) per year, saving (or reallocating) $700K over 
those 7 years.

In a lot of our cloud shift, those FTE’s have been re-allocated into more 
important roles such as security.

Jeff

From: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Thomas Carter <tcar...@austincollege.edu>
Reply-To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, May 18, 2018 at 8:43 AM
To: "wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Wireless Options

For cloud to really take over, the costs need to drop. We just went through a 
similar thing and are of a similar size (~300 APs), and the cloud on-going OpEx 
costs dropped them out of the race. The simplicity of costs budgeting is nice, 
but 7 year TCO is no contest.

Where they currently seem to be the best option is in the >25 to <100 AP market 
(<25 easily fits into Aruba Instant, Ruckus Unleashed, etc) or the small 
business vendor-managed market.

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

RE: Wireless Options

2018-05-21 Thread Osborne, Bruce W (Network Operations)
With a cloud solution, if they mess up feature addition you are stuck with that 
latest version, correct? With controller-based or Aruba Instant type scenarios 
you are in charge of when to upgrade, waiting for stable builds.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Enfield III, Charles Albert [mailto:cae...@psu.edu]
Sent: Friday, May 18, 2018 2:54 PM
Subject: Re: Wireless Options

The other thing that’s going to change is the functionality.  Jeff was on the 
right track when he talked about vendors with a global presence being better 
able to identify bugs, security flaws etc. and promptly diagnose and patch 
them.  They’re also better positioned to apply machine learning and AI to the 
problems of network security and Wi-Fi optimization.  If they’re doing things 
right, the cloud product won’t be a hamstrung version of the controller 
product.  It will be a better version of the controller product.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
On Behalf Of Jeffrey D. Sessler
Sent: Friday, May 18, 2018 1:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

One of the difficulties in comparing TCO is around staffing. Both estimating 
how much time staff really spend on the current solution, but also taking into 
account base salary with benefits. At many colleges, benefits can add another 
30%+ to the cost of a person. As such, the elimination (or reallocation) of one 
FTE has a huge impact on on-premise vs cloud comparisons. That single FTE could 
be $100K (salary + benefits) per year, saving (or reallocating) $700K over 
those 7 years.

In a lot of our cloud shift, those FTEs have been re-allocated into more 
important roles such as security.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of Thomas Carter
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Friday, May 18, 2018 at 8:43 AM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Wireless Options

For cloud to really take over, the costs need to drop. We just went through a 
similar thing and are of a similar size (~300 APs), and the cloud on-going OpEx 
costs dropped them out of the race. The simplicity of costs budgeting is nice, 
but 7 year TCO is no contest.

Where they currently seem to be the best option is in the >25 to <100 AP market 
(<25 easily fits into Aruba Instant, Ruckus Unleashed, etc) or the small 
business vendor-managed market.

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv On Behalf Of Jeffrey D. Sessler
Sent: Friday, May 18, 2018 10:07 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

Chuck has the right idea here. Our respective college strategic missions don’t 
mention running servers or wireless controllers as strategic to the mission of 
the college. Cloud/SaaS solutions free up folks from the mundane tasks, 
allowing them to focus on those higher-up technology layers that can benefit 
the strategic mission. I think it’s easy today to see the benefits of moving 
on-premise email systems to GAFE or O365, but that comfort level isn’t there 
yet with some other systems such as Wireless.

From a support standpoint, a vendor like Meraki has global visibility of how 
their product is operating, meaning they can correlate/see/react to issues 
faster including patching. For the controller-based solutions, there is the 
isolation factor, capability of the customer to gather support info, and the 
vendor not knowing if other customers are having the issue.

I suspect both options will be with us for years to come, but as more and more 
of our respective data centers move to the cloud, I predict the wireless cloud 
services will become more popular.

Jeff
From: 

RE: Wireless Options

2018-05-18 Thread Osborne, Bruce W (Network Operations)
Aruba has one too.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Thomas Carter [mailto:tcar...@austincollege.edu]
Sent: Thursday, May 17, 2018 5:18 PM
Subject: Re: Wireless Options

Ruckus has a cloud-based solution.

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu



From: The EDUCAUSE Wireless Issues Constituent Group Listserv On Behalf Of John Rodkey
Sent: Thursday, May 17, 2018 1:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Options

Our college - about 40 buildings, 1200 students, 3500 wireless clients per day, 
currently 310 WAPs - is considering a major upgrade in WAPs, replacing a number 
that are 9 years old and no longer supported.

We could replace with the latest model of our existing vendor, but want to 
consider all the feasible alternatives.  We have a hard requirement that the 
controller be cloud-based, the system deal well with Mac clients, understand 
VLANs and an enterprise quality network, and have a rich set of configuration, 
logging, monitoring, and troubleshooting tools for dealing both with clients 
and access points. Responsive support is also required, and unsurprisingly  
total system cost is a significant issue.

3 vendors come to mind:  Meraki, Ubiquiti, and Aerohive.

Questions:
 1) do other vendors come to mind that play well in this space?
 2) what are your positive experiences with any of the above?
 3) what are your negative experiences?
 4) have you recently gone through this analysis, and if so, what were your 
conclusions?
 5) what issues have you experienced with PoE capacity requirements with these 
devices?

John Rodkey
Director of Servers and Networks
Westmont College
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.



RE: Wireless Options

2018-05-18 Thread Osborne, Bruce W (Network Operations)
++1 on Aruba

We hit Matt’s first point and worked with Aruba to rectify the issues. Their QA 
testing at that time said the 125s were OK but we found out they behave 
differently in a real world environment where there is interference. We got an 
official apology from QA along with assurances they were changing their testing 
environment to include interference testing.

This summer we are actually expanding our Aruba deployment to include an LPV 
football stadium as well as introducing HPE Aruba switches into our Cisco 
environment

I am quite surprised someone is moving from Aruba wireless to Cisco, especially 
when comparing features and cost.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Matt Freitag [mailto:mlfre...@mtu.edu]
Sent: Thursday, May 17, 2018 2:50 PM
Subject: Re: Wireless Options

Another +1 on Aruba. We've also had varying experiences with their support but 
they are mostly positive experiences. The two negative experiences I had with 
their support went about like this:

  *   AP-125's spontaneously crash and reboot due to a memory management bug 
with no workaround. This went on for months while we were already replacing our 
AP-125's anyway because those went end-of-support a while ago, but their 
engineering group took months to release a fix to us.
  *   One single CPU in our data path module in our 7240s goes to 100% and 
causes authentication timeouts, increased ping times from our network monitor 
to our APs to the point that the network monitor says they're down, and users 
experience terribly slow connectivity. We saw the issue most when people were 
changing classes and increasing the load on the controller a lot with handling 
all the associations and disassociations, and the workaround roughly equated to 
"split the load between our controllers" which just hid the issue, and then 
when that began to fail us our school year ended and we haven't seen the issue 
since. We expect to see this again in the fall if Aruba doesn't release the fix 
to us over the summer. We've had a ticket open with them since October.

Overwhelmingly positive experience I had with their support tho: all APs on our 
campus would spontaneously reboot. Turns out this was due to a very well 
malformed UDP packet reaching the controller over the GRE tunnel between 
controller and AP causing the AP management process on the controller to hang. 
Since it was hung, the process stopped responding to heartbeat requests from 
the APs, APs would think the controller is down and reboot. Fix was enable 
control plane security which enables an IPSec tunnel between the APs and 
controller and IPSec packet validation mechanisms recognized the bad packets 
causing the bug as bad packets and silently discarded them which resolved our 
issue.

Side note for all the Aruba users, I personally recommend enabling cpsec on 
your controllers just to avoid this scenario and encrypt your user traffic on 
its way to the controller. Doing this will cause all your APs to reboot to 
establish tunnels to the controllers. Double check with your SE and/or Aruba 
TAC to check if there are any caveats to doing this in your environment but 
we've got 1,400 APs and are approaching 10k active users during the school year 
and haven't had a problem.

Back to the topic at hand: overall we've found the product itself is very 
stable and works well. We also stick with the conservative release branch 
because, while that branch doesn't have all the latest features, it's got all 
the stability and we're huge fans of stability here. The APs are easy to set 
up, reasonably priced, also solidly stable, the feature set you do have with 
your chosen release works well, etc. etc.


Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Thu, May 17, 2018 at 2:24 PM, Pramod Bhardwaj wrote:
I recommend Aruba as well, we moved to Aruba last year from Meru and very happy 
with it and no complaints for anyone so far. We have about 260 APS on both the 
campuses

Pramod
Principal Manager of IT Infrastructure
MCC
(978) 656-3308

From: The EDUCAUSE Wireless Issues Constituent Group Listserv On Behalf Of James Moskwa
Sent: Thursday, May 17, 2018 2:22 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Options

You need to include Aruba in your list.

Regards,
-- Jim

Sr. Network Engineer
Information Technology Department
Johnson & Wales University
8 Abbott Park Place
Providence, RI 

RE: Rotating 802.1x RADIUS CA certificate

2018-05-17 Thread Osborne, Bruce W (Network Operations)
While I agree with Ryan and others about user / client certificates, I believe 
the original topic was RADIUS Server certificates, not user.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Turner, Ryan H [mailto:rhtur...@email.unc.edu]
Sent: Wednesday, May 16, 2018 2:56 PM
Subject: Re: Rotating 802.1x RADIUS CA certificate

I definitely echo the comment about private CAs for your RADIUS.  Control your 
own destiny.  If your users are getting onboarded, then private CA chains 
should get installed as part of the process, as well.  We learned this from a 
swap out from a GoDaddy chain that was being deprecated before we made the 
wholesale switch to TLS.   That was one of the major reasons we went to eduroam 
as our primary SSID.  At the time, we were running people through a branded 
SSID called UNC-Secure.  When we realized we were going to need to swap out 
RADIUS certs, we just stopped onboarding folks to UNC-Secure, and instead 
onboarded them to eduroam.  The eduroam backend RADIUS servers were totally 
different than the UNC-Secure RADIUS servers, and it made the change-out non 
disruptive to our folks.  Otherwise there would have been a date where we had 
to tell everyone to ‘enroll again’ because they would not have trusted the new 
chain.  Twas lots of fun…



Ryan Turner
Senior Manager of Networking
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



From: The EDUCAUSE Wireless Issues Constituent Group Listserv On Behalf Of Oakes, Carl W
Sent: Wednesday, May 16, 2018 2:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

We did similar stuff but went with SHA512, and it bit us, so I'd go with SHA256.
The SHA512 issue was very subtle, but if a Windows box went from v7 -> v8 -> 
v10, or v7 -> v10, there's a chance it would miss a specific update that 
enabled SHA512.  It was a BEAR to find, but now that we know it and why, 
quickly resolved.  Out of about 90,000 overall (all platforms) devices, we 
ended up with less than 50 in that case.

Other than that, long term self-signed CA's and Certs is the way to go for the 
RADIUS server!   No more embarrassing swap outs. :)

Carl Oakes
Information Resources and Technology
California State University Sacramento



From: The EDUCAUSE Wireless Issues Constituent Group Listserv On Behalf Of Matt Freitag
Sent: Wednesday, May 16, 2018 10:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

We went through this not long ago. The root cert in our chain is valid until 
2028, and the one intermediate is valid until 2024, so we were able to maintain 
the same chain and just swap out our server cert with pretty much zero pain. 
Some warnings about how the cert changed but we told our users well ahead of 
time that they needed to expect this and this time it's OK to ignore and OK 
their way through any warnings.

We just use SHA256 with a key length of 4096 bits. We do not use our own CA on 
the server that I'm looking at, our certificate is a GlobalSign one.


Matt Freitag
Network Engineer
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.mtu.edu/it

On Wed, May 16, 2018 at 12:02 PM, Turner, Ryan H wrote:
We still use SHA2 256 bit certificates with a 2048 length.  When I was doing 
research on this a few years ago, I believe there was extra processing power 
required once you went above 256bit (requires an additional computation).  I 
could be completely wrong about that, but we have had mass deployment of user 
certificates for over 5 years with that setup without any issue.  I don't see 
any reason to get cute with hashing algorithms at this point or length at this 
point as it might cause you more grief than it is worth.


Ryan Turner
Senior Manager of Networking
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv On Behalf Of James Andrewartha
Sent: Tuesday, May 15, 2018 11:24 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Rotating 802.1x RADIUS CA certificate

Hi all,

While debugging another problem (Windows 10 

RE: Rotating 802.1x RADIUS CA certificate

2018-05-16 Thread Osborne, Bruce W (Network Operations)
Unfortunately, for various reasons, we have had to do this too many times. 

Our policy is for the configuration to trust the certificate chain, rather than 
the server certificate. That allows you to update the server certificate 
without breaking trust.

If you know in advance your new certificate chain, add them to the existing 
client trust. You can then update the server certificate pretty cleanly for 
most users. If desired, you can purge the old certificate trust later at your 
convenience.

 
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: James Andrewartha [mailto:jandrewar...@ccgs.wa.edu.au] 
Sent: Tuesday, May 15, 2018 11:24 PM
Subject: Rotating 802.1x RADIUS CA certificate

Hi all,

While debugging another problem (Windows 10 client that lost its certificates 
and some EAP configuration) I noticed that our private CA used for WPA2 
Enterprise RADIUS auth expires in September next year. The certificate used by 
the RADIUS servers is valid until January 2024, but am I correct in thinking 
that if the CA has expired the cert won't be trusted either?

Has anyone rotated their cert and have any tips for managing the flag day? I'm 
going to create a new private CA, this time with a 30 year lifetime, although I 
imagine it'll be obsolete before then due to increased crypto requirements. 
Speaking of which, what are the best practices for a private CA these days? 
SHA2 (384bit)? SHA3? RSA?
Elliptic Curve?

We are fortunate in that most of our devices are school owned and so we can 
push out wireless configuration. I had a look at the Windows and Mac configs, 
and both of those can trust multiple CAs for a given SSID. On iOS we don't push 
out wireless config, but we were going to reprovision the remaining ones anyway 
at the end of this year so that's fine.

Thanks,

--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
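
Added example (not code from any poster on the list): a simplified Python model of the rotation discussed in this thread, covering the expiring-CA question, staging the new CA in client trust before swapping the server certificate, and the SHA512 compatibility problem reported in another reply. All certificates, client names and dates other than the September 2019 CA expiry and January 2024 server-certificate expiry are constructed, and the model assumes the supplicant checks the validity period of every certificate in the chain, including the CA.

```python
from dataclasses import dataclass
from datetime import datetime

ALL_HASHES = frozenset({"sha256", "sha384", "sha512"})

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str              # equals subject for a self-signed CA
    not_before: datetime
    not_after: datetime
    sig_hash: str = "sha256"

@dataclass(frozen=True)
class Client:
    name: str
    trusted_cas: frozenset           # CA subjects trusted in the SSID profile
    hashes: frozenset = ALL_HASHES   # signature hashes the supplicant accepts

def effective_expiry(chain):
    """A chain stops validating at the earliest notAfter of any member."""
    return min(c.not_after for c in chain)

def validate(client, chain, now):
    """chain is leaf first, CA last. Return None if accepted, else the reason."""
    chain = list(chain)
    root = chain[-1]
    if root.subject not in client.trusted_cas:
        return "CA not trusted"
    for cert, parent in zip(chain, chain[1:] + [root]):
        if cert.issuer != parent.subject:
            return f"{cert.subject}: issuer mismatch"
        if not cert.not_before <= now <= cert.not_after:
            return f"{cert.subject}: outside validity period"
        # The trust anchor's own signature is not evaluated in this model.
        if cert is not root and cert.sig_hash not in client.hashes:
            return f"{cert.subject}: {cert.sig_hash} unsupported"
    return None

def failures(fleet, chain, now):
    """Map client name -> rejection reason for every client that would fail."""
    result = {}
    for client in fleet:
        reason = validate(client, chain, now)
        if reason is not None:
            result[client.name] = reason
    return result

def push_ca(fleet, ca, managed):
    """Stage a CA: add it to the trust set of the clients we can configure."""
    return [Client(c.name, c.trusted_cas | {ca.subject}, c.hashes)
            if c.name in managed else c for c in fleet]

# ---- constructed sample data (hypothetical names and dates) ----
def ts(year, month):
    return datetime(year, month, 1)

OLD_CA = Cert("Old CA", "Old CA", ts(2009, 9), ts(2019, 9))
OLD_LEAF = Cert("radius.example.edu", "Old CA", ts(2014, 1), ts(2024, 1))
NEW_CA = Cert("New CA", "New CA", ts(2018, 6), ts(2048, 6))
NEW_LEAF_256 = Cert("radius.example.edu", "New CA", ts(2018, 6), ts(2023, 6), "sha256")
NEW_LEAF_512 = Cert("radius.example.edu", "New CA", ts(2018, 6), ts(2023, 6), "sha512")
OLD_CHAIN = [OLD_LEAF, OLD_CA]

OLD_ONLY = frozenset({"Old CA"})
FLEET = [
    Client("win10-managed", OLD_ONLY),
    Client("mac-managed", OLD_ONLY),
    # Upgraded Windows machine that never gained SHA512 support.
    Client("win-upgraded", OLD_ONLY, frozenset({"sha256", "sha384"})),
    # Device whose wireless profile is not pushed centrally.
    Client("ios-unmanaged", OLD_ONLY),
]
MANAGED = {"win10-managed", "mac-managed", "win-upgraded"}

if __name__ == "__main__":
    staged = push_ca(FLEET, NEW_CA, MANAGED)
    print("old chain stops validating:", effective_expiry(OLD_CHAIN).date())
    phases = [
        ("old chain, before CA expiry", FLEET, OLD_CHAIN, ts(2019, 6)),
        ("old chain, after CA expiry", FLEET, OLD_CHAIN, ts(2019, 10)),
        ("new chain, CA not staged", FLEET, [NEW_LEAF_256, NEW_CA], ts(2019, 6)),
        ("old chain, new CA staged", staged, OLD_CHAIN, ts(2019, 6)),
        ("new SHA256 chain, CA staged", staged, [NEW_LEAF_256, NEW_CA], ts(2019, 6)),
        ("new SHA512 chain, CA staged", staged, [NEW_LEAF_512, NEW_CA], ts(2019, 6)),
    ]
    for label, fleet, chain, now in phases:
        print(f"{label}: {failures(fleet, chain, now) or 'all clients OK'}")
```

The staged phases show why the overlap matters: once both CAs are trusted, the server certificate can be swapped on any date before the old CA expires, and only clients that missed the push need re-enrolment.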




RE: ClearPass - not so clear anymore

2018-04-05 Thread Osborne, Bruce W (Network Operations)
Guys,

Please keep us updated. Many of us are in the planning stages of moving to CPPM 
6.7.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Cappalli, Tim (Aruba Security) [mailto:t...@hpe.com]
Sent: Wednesday, April 4, 2018 6:16 PM
Subject: Re: ClearPass - not so clear anymore

Hector,

Something definitely seems amiss then. I’ll take a look at the case.

A maximum of 1 access license is consumed per MAC address, regardless of 
multiple sessions or lack of accounting stop.

Thanks for the followup.
tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Hector J Rios
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Date: Wednesday, April 4, 2018 at 12:49 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

Update on my previous statement. We talked to Aruba and they saw our licensing 
count. It appears that the higher numbers we are seeing might be due to a bug. 
We do have accounting enabled everywhere. So not sure exactly what else could 
be causing this. We’ll be working with TAC and hopefully get this resolved. Our 
license count today showed 102K. We are only licensed for 75K and in the past 
we never exceeded 60K.

Hector


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Wednesday, April 04, 2018 10:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

You should look into pfSense.  It is extremely powerful and open source.  You 
can pay for commercial support.

Ryan

From: The EDUCAUSE Wireless Issues Constituent Group Listserv On Behalf Of Lee H Badman
Sent: Tuesday, April 3, 2018 8:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

This is a hot-button topic for me. The whole guest access thing has gotten 
ridiculously complex in the main players trying to funnel this through a 
behemoth NAC (same could be said for simple RADIUS) or through some other 
convoluted framework. Bluesocket (now Adtran) had a good thing going with a 
gateway that was simple to set up and use on any vendor’s WLAN. They too 
evolved into something chunky and complex. I’d love to see Adtran dust off the 
old code, make it just a wee bit updated on browser friendliness, and 
re-productize it as a cost-effective 3rd party guest solution. The rest of the 
industry has blown it in this regard, says I.

Lee Badman | Network Architect

Certified Wireless Network Expert (#200)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu   w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv On Behalf Of Trinklein, Jason R
Sent: Monday, April 02, 2018 5:48 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ClearPass - not so clear anymore

We are considering clearpass for our guest network captive portal. We have a 
case of sticker shock, however…at a cost of nearly $50K, it seems expensive for 
a captive portal.

What alternative solutions are people using? We are very happy with FreeRADIUS 
for wireless auth, but we need a robust captive portal that allows OAuth/social 
media login or validated email/sms login. We tried packetfence, but in cluster 
mode, it wasn’t reliable.

--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009

From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Hector J Rios
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Date: Monday, April 2, 2018 at 5:23 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"
Subject: [WIRELESS-LAN] ClearPass 

RE: Atmosphere Conference next week - higher education gathering

2018-03-23 Thread Osborne, Bruce W (Network Operations)
I will not be making it this year.

Last year there were some informal meetups during meals, at designated tables. 
Perhaps that can work, with a little bit of coordination.

Maybe somebody should spin up a Slack channel to coordinate.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Brian Helman [mailto:bhel...@salemstate.edu]
Sent: Thursday, March 22, 2018 5:09 PM
Subject: Atmosphere Conference next week - higher education gathering

Several of you replied to me directly about possibly putting together a higher 
education gathering sometime next week at the Atmosphere Conference in Las 
Vegas.  I've looked over my schedule as well as the conference's and I don't 
see a time where it's feasible.  I will be at part or all of the Monday and 
Tuesday Innovation Zone receptions.   Given it's the start of the baseball 
season, there's a good chance I'll be in bright orange Mets colors, so 
introduce yourself!

More generically speaking, as many of us go to conferences that may not be 
Higher Education-specific, make sure you introduce yourselves to our peers, and 
make sure they are aware of the Educause Constituency Groups (especially this 
one and the NETMAN group).

If you are going to Atmosphere and want to try to catch up, feel free to direct 
message me on Twitter (@BrianHelman).


-Brian




RE: gaming on wireless

2018-03-09 Thread Osborne, Bruce W (Network Operations)
That may not isolate the NIC. 

I know on Gen 1 PS3s if the wireless NIC heard a packet it could not decode, 
both wireless & wired NICs were affected and inoperative, implying they used a 
common controller for both. Sony may still be doing the same thing with PS4.

 
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Michael Dickson [mailto:mdick...@nic.umass.edu] 
Sent: Thursday, March 8, 2018 4:47 PM
Subject: Re: gaming on wireless

Excellent advice! I like the idea of eliminating the console's wireless NIC 
while still using the wireless network.

If we were able to I'd also consider running a temporary cable across the hall 
to the eth1 port on the AP.

Mike

Michael Dickson
Network Engineer
Information Technology
University of Massachusetts Amherst
413-545-9639
michael.dick...@umass.edu
PGP: 0x16777D39

On Mar 8, 2018, at 2:10 PM, Hales, David  wrote:

> Another good troubleshooting tool is to connect to the wired interface on the 
> console with a Ethernet to wireless bridge to eliminate the wireless 
> interface on the console without taking your wireless network out of the 
> equation.  With a longer patch cable you can also position the bridge to 
> avoid walls or other obstacles to the nearest AP temporarily.
> 
> David Hales
> Network Systems Administrator
> Information Technology Services
> 1010 N. Peachtree
> Clement Hall 117
> Cookeville, TN 38505
> P 931-372-3983
> F 931-372-6130
> E dha...@tntech.edu
> www.tntech.edu/its
> 
> 
> 
> 
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Kenny, Eric
> Sent: Thursday, March 8, 2018 12:59 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] gaming on wireless
> 
> Hi Mike,
> 
> You might also try putting a temporary AP in the room with the Playstation 
> and see if it still has the same issue.  With those types of walls, across 
> the hall might be on the fringe of service for 5 GHz.
> 
> Thanks,
> Eric
> 
>> On Mar 8, 2018, at 1:46 PM, Michael Dickson  wrote:
>> 
>> Haven't done spectrum analysis yet. The user had an older PS4 that only 
>> supported 2.4GHz but went out and bought a new PS4 Pro and this always 
>> connects at 5GHz.
>> 
>> The predominant AP the device connects to is across the hall which and it's 
>> the closest. In the last four days the device has exclusively connected to 
>> that AP so roaming does not appear to be an issue (user reported issues as 
>> late as yesterday). The walls are cement block.
>> 
>> Mike
>> 
>> Michael Dickson
>> Network Engineer
>> Information Technology
>> University of Massachusetts Amherst
>> 413-545-9639
>> michael.dick...@umass.edu
>> PGP: 0x16777D39
>> 
>> On Mar 8, 2018, at 1:28 PM, Kenny, Eric  wrote:
>> 
>>> Hi Mike,
>>> 
>>> Have you taken any RF readings or spectrum analysis in the vicinity of the 
>>> game console?  How far away are the APs they are jumping between and what 
>>> kinds of physical obstacles are between the AP and the Playstation?  Last 
>>> question, have you noticed if the Playstation is using the 2.4 or 5 GHz 
>>> band?
>>> 
>>> These issues can be tricky to find a conclusive answer, due to the number 
>>> of variables involved.  I'd look into which band the device is using, see 
>>> if there have been any RF "events" that would trigger a channel change, or 
>>> if someone turned on the microwave, etc.
>>> 
>>> Thanks,
>>> ---
>>> Eric Kenny
>>> Network Architect
>>> Harvard University IT
>>> ---
>>> 
>>>> On Mar 8, 2018, at 1:16 PM, Michael Dickson wrote:
>>>> 
>>>> Has anyone received feedback from users about lags or drops while gaming 
>>>> on wireless?
>>>> 
>>>> We support gaming consoles on a "devices" SSID  (PSK with MAC auth). We're 
>>>> trying to resolve reports from a user with a new PS4 Pro who is 
>>>> experiencing issues while gaming. For perspective, it was reported that 
>>>> during a 3 hour gaming session the user experiences about 8 lags and 4-5 
>>>> disconnects. Lags are described as freezes for a few seconds which 
>>>> auto-correct. Disconnects are described as the whole console losing 
>>>> connectivity and a "Retest Network Connection" is required to get it 
>>>> working again (though time might also be a factor in getting it back on).  
>>>> Apparently most issues occur right after power up then smooth out (user 
>>>> turns on console just prior to gaming). Logs show the device jumps APs 
>>>> every now and then but we haven't been able to match this up to the user's 
>>>> experience yet.
>>>> 
>>>> Our eduroam and open (CP) SSID seem to working fine. Client density is not 
>>>> a factor and the user reports great speeds.
>>>> 
>>>> Are reports 

RE: Ruckus?

2018-03-02 Thread Osborne, Bruce W (Network Operations)

Aruba has virtual controllers supporting 50 to 1000 APs. They have been 
available for about a year, IIRC. They also have their Instant AP line with 
built-in controllers for smaller installations.

http://www.arubanetworks.com/assets/ds/DS_VMC.pdf


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Barros, Jacob [mailto:jkbar...@grace.edu]
Sent: Thursday, March 1, 2018 9:33 AM
Subject: Re: Ruckus?

We are relatively new Ruckus customers, currently split with Meru/Fortinet.  
When Fortinet started releasing firmware for the Meru APs, we started seeing 
major connectivity issues.  We are doing one building at a time and don't 
appear to be having any major conflicts.  Currently around 120 Ruckus APs are 
deployed on a single virtual controller.   If our budget comes through we'll 
get all of the Fortinet ap's out by summer 19.

I demo'd Cloudpath and it didn't work the way we expected cross-platform.  
Ruckus pricing was comparable to Meraki (up front, not considering the 5 year 
model), and slightly less than Aerohive.  We didn't really consider Aruba or 
Cisco.  I am still in disbelief that  Aruba doesn't have a virtual controller 
option.  We didn't consider Cisco as, maybe it's my imagination, but I feel 
like every week there's a post on this list about issues with LWAPP or some bug 
in code versions.

Jake

Jacob Barros
Associate Director of IT, Network and Operations
Email: jkbar...@grace.edu
Phone: 574.372.5100 ext. 6178


On Thu, Feb 22, 2018 at 8:54 AM, Harry Rauch <rauc...@eckerd.edu> wrote:
That's a good observation. We have had little need for support but when we did 
Ruckus was very persistent in solving the issue. Some may say they bugged us a 
lot to make sure everything was in order.
They have a cloud based solution that we have just started to look at. Having 
just one campus makes it a difficult solution to go to. The philosophy of "if 
it works fine don't fix it"  usually works best unless there is a major upgrade 
or EOL for APs. Even so, we move the older APs to low volume areas and have the 
one controller for the older stuff that can't be upgraded. We try and push ROI 
to the max since we are a private college.

On Thu, Feb 22, 2018 at 7:48 AM, Osborne, Bruce W (Network Operations) 
<bosbo...@liberty.edu> wrote:
One major point to consider is vendor support. We are not a Ruckus Wireless 
customer but we just moved away from one of their products to a different third 
party product.

We just moved away from Cloudpath (we tried Wizard & ES) due to poor support 
experiences and lack of timely updates for new OS challenges.

For us support is almost as large a challenge as product performance. I 
personally would settle for a little less than ideal performance if there is a 
good support structure backing it up.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Wesley Troy Scott [mailto:tsc...@uwyo.edu]
Sent: Wednesday, February 21, 2018 5:01 PM
Subject: Ruckus?


Hello,

I'm curious about how you are using Ruckus Wireless products on campus. 
Specifically:

  1.  What's the size of your deployment (waps, controllers, users, etc)
  2.  Are you completely Ruckus or do you have a mix of WLAN vendors
  3.  Did you transition to Ruckus from another vendor or was it a greenfield 
deployment
  4.  How does the cost compare to other vendors
  5.  Any concerns about specific use cases
  6.  Anything folks should know when talking about Ruckus


Thanks to anyone that can throw some light on Ruckus and is willing to share 
their experience with me. I'll take responses off list too if that's better for 
you.



Sincerely,

Troy Scott
tsc...@uwyo.edu


** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.


--
Harry Rauch
Network Analyst
Eckerd College
4200 - 54th Ave So
St. Petersburg, FL 33711
727-864-8318

RE: Offline/Spare Gear Inventory Size

2018-02-27 Thread Osborne, Bruce W (Network Operations)
We have needed to replace very few of our Aruba APs. We keep inventory mainly 
for the following reasons:


  1.  Temporary large event deployments
  2.  Coverage adjustments
  3.  Last minute projects that cannot wait for ordered equipment – We are a 
construction-heavy school.
  4.  Pull backs from areas being remodeled. Those moving in generally purchase 
newer equipment.
  5.  Lab testing for new configuration & troubleshooting.

We try to keep some of our latest recommended model APs.

Regards,

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Trinklein, Jason R [mailto:trinkle...@cofc.edu]
Sent: Monday, February 26, 2018 1:21 PM
Subject: Offline/Spare Gear Inventory Size

Hi All,

I’m curious to know the size of your spare gear inventories. Do you keep a 
percentage of each model of AP in inventory, and what is your reasoning? 
Storms? Last minute/emergency wireless coverage needs?

What percentage of your live gear do you keep as offline inventory? (100 live 
APs with 1 inventory AP = 1% offline inventory).

With Xirrus, we had an offline inventory of more than 10% of live inventory. We 
kept that inventory to cover the high failure rate of the equipment, the 
incidence of hurricanes and lightning strikes in our area, the broad range of 
AP models on campus, and last minute large events in low coverage areas.

We are evaluating the minimum offline inventory for our new Aruba gear as we 
finish up the vendor switch. I have been thinking 1-2%, but I want to see what 
you guys do first, and why.

Thank you,
--
Jason Trinklein
Wireless Engineering Manager
College of Charleston
81 St. Philip Street | Office 311D | Charleston, SC 29403
trinkle...@cofc.edu | (843) 300–8009

DID YOU KNOW? The Princeton Review selected the College of Charleston as one of 
50 schools focused on providing students with practical experiences that take 
their academics to the next level.



RE: Bandwidth/Throughput/Latency Tester

2018-02-26 Thread Osborne, Bruce W (Network Operations)
That is what we use.

http://speedtest.liberty.edu


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Adam Forsyth [mailto:forsy...@luther.edu]
Sent: Friday, February 23, 2018 9:53 AM
Subject: Re: Bandwidth/Throughput/Latency Tester

Isn't this: https://www.ookla.com/speedtest-custom what you asked Ookla about 
and were told that it doesn't exist?  I ran a version of that on a local server 
a few years ago. I got the premium subscription for a year but ultimately 
decided I hadn't figured out how to get any advantage from its ability to save 
test results into a database.  I have since moved to using 
https://github.com/adolfintel/speedtest (which Clemson also mentioned) because 
I wanted a speedtest that was HTML5 and didn't use flash, and at the time 
Ookla's speedtest custom required flash.  It looks like maybe it's also all 
HTML5 now so maybe I'll take a look at that again.

On Tue, Feb 20, 2018 at 11:56 AM, Fishel Erps 
<0030ecf871d2-dmarc-requ...@listserv.educause.edu>
 wrote:
Hello everyone.

I’m curious to find out what other universities are doing to test throughput, 
internally, to proof their networks.  I’m looking for something that functions 
like Ookla’s Speedtest.net (browser-based, no required clients), but that runs 
internally (I have already contacted them directly, and been told that they 
only provide products that are alive on the public net).

As we all know, % of utilization and available throughput are not 
one-in-the-same, and I need a way to address and diagnose legitimate 
performance complaints, live.

__
__
Fishel Erps,
Sr. Network & Infrastructure Engineer
School of Visual Arts
136 W 21st St., 8th Floor
New York, NY, 10011
LL: 212-592-2416
F:  646-845-6150
E:  fe...@sva.edu
___

Please excuse any typographical
errors as this e-mail has been sent
from my mobile device
___




--
Adam Forsyth
Director of Network and Systems
Luther College Information Technology Services
700 College Drive
Decorah, IA 52101
563-387-1402



RE: Getting to the on-boarding Tool

2018-02-23 Thread Osborne, Bruce W (Network Operations)
Charles.

We currently have 3 main SSIDs.
802.1X
Guest with portal for self-registration & sponsored credentials
Open network serving 2 purposes:

  1.  Captive portal for onboarding either to our 802.1X network or registering 
the mac address for non-802.1X devices
  2.  Network access, bypassing the portal for registered mac addresses.

We plan on combining our 2 open networks to one with a captive portal, 
directing users appropriately. Separately, we are also planning on moving our 
802.1X network from PEAP-MSCHAPv2 to EAP-TLS.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Rumford, Charles [mailto:charl...@isc.upenn.edu]
Sent: Tuesday, February 20, 2018 2:39 PM
Subject: Re: Getting to the on-boarding Tool

We have a solid idea of what tool we are going to be using, but what I'm more 
interested in knowing is how the users get to the tool. What is the process for 
a user to onboard to the network before they reach the tool?

Sent from Nine<http://www.9folders.com/>
____
From: "Osborne, Bruce W (Network Operations)" 
<bosbo...@liberty.edu>
Sent: Tuesday, February 20, 2018 14:27
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Getting to the on-boarding Tool

Charles,

A few months ago we evaluated onboarding solutions to replace our CloudPath 
Wizard onboarding solution. The clear winner for us was the SecureW2 cloud 
solution. They also have a locally hosted solution if that is your preference. 
They are very customer focused. If  you file a support ticket for something 
they cannot currently do, they automatically submit a feature request for 
consideration.

I strongly recommend you look at their product offering. Feel free to contact 
me off-list with any questions.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Charles Rumford [mailto:charl...@isc.upenn.edu]
Sent: Tuesday, February 20, 2018 1:37 PM
Subject: Getting to the on-boarding Tool

We here at Penn are currently looking into different ways of getting our users 
to our wireless on-boarding tool. We run into a wide array of OS 
limitations, device inconsistencies, and end user stubbornness.

I was curious on what other schools were doing to get their users to a tool.
On-boarding SSIDs? Captive Portals? Redirections? I'm also curious what have 
been some of your largest road-blocks and how you have gotten over them or at 
least mitigated them.

Thanks!
--
Charles Rumford
Senior Network Engineer
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A




RE: Ruckus?

2018-02-22 Thread Osborne, Bruce W (Network Operations)
One major point to consider is vendor support. We are not a Ruckus Wireless 
customer but we just moved away from one of their products to a different third 
party product.

We just moved away from Cloudpath (we tried Wizard & ES) due to poor support 
experiences and lack of timely updates for new OS challenges.

For us support is almost as large a challenge as product performance. I 
personally would settle for a little less than ideal performance if there is a 
good support structure backing it up.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Wesley Troy Scott [mailto:tsc...@uwyo.edu]
Sent: Wednesday, February 21, 2018 5:01 PM
Subject: Ruckus?


Hello,



I'm curious about how you are using Ruckus Wireless products on campus. 
Specifically:



  1.  What's the size of your deployment (waps, controllers, users, etc)
  2.  Are you completely Ruckus or do you have a mix of WLAN vendors
  3.  Did you transition to Ruckus from another vendor or was it a greenfield 
deployment
  4.  How does the cost compare to other vendors
  5.  Any concerns about specific use cases
  6.  Anything folks should know when talking about Ruckus


Thanks to anyone that can throw some light on Ruckus and is willing to share 
their experience with me. I'll take responses off list too if that's better for 
you.



Sincerely,



Troy Scott

tsc...@uwyo.edu





RE: Getting to the on-boarding Tool

2018-02-20 Thread Osborne, Bruce W (Network Operations)
Charles,

A few months ago we evaluated onboarding solutions to replace our CloudPath 
Wizard onboarding solution. The clear winner for us was the SecureW2 cloud 
solution. They also have a locally hosted solution if that is your preference. 
They are very customer focused. If  you file a support ticket for something 
they cannot currently do, they automatically submit a feature request for 
consideration.

I strongly recommend you look at their product offering. Feel free to contact 
me off-list with any questions.

 
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Charles Rumford [mailto:charl...@isc.upenn.edu] 
Sent: Tuesday, February 20, 2018 1:37 PM
Subject: Getting to the on-boarding Tool

We here at Penn are currently looking into different ways of getting our users 
to our wireless on-boarding tool. We run into a wide array of OS 
limitations, device inconsistencies, and end user stubbornness.

I was curious on what other schools were doing to get their users to a tool.
On-boarding SSIDs? Captive Portals? Redirections? I'm also curious what have 
been some of your largest road-blocks and how you have gotten over them or at 
least mitigated them.

Thanks!
--
Charles Rumford
Senior Network Engineer
ISC Tech Services
University of Pennsylvania
OpenPGP Key ID: 0xF3D8215A




RE: Amazon Fire Tablet Line - 802.1x Support Dropped?

2018-02-12 Thread Osborne, Bruce W (Network Operations)
True, but they required it for MSCHAPv2 too, which was an error.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Turner, Ryan H [mailto:rhtur...@email.unc.edu]
Sent: Friday, February 9, 2018 10:01 AM
Subject: Re: Amazon Fire Tablet Line - 802.1x Support Dropped?

For TLS, Android requires a screen lock, and if you remove it post, it breaks 
the certificate store.  That issue isn’t a bug, but another design decision by 
Google (to make TLS more difficult to use when it isn’t that way with almost 
every other operating system).

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Friday, February 9, 2018 8:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Amazon Fire Tablet Line - 802.1x Support Dropped?

I know there was a bug corrected in SecureW2 802.1X onboarding where they were 
requiring a screen lock for Android when using PEAP-MSCHAPv2.
They corrected the issue in a later release.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Mike Atkins [mailto:matk...@nd.edu]
Sent: Thursday, February 8, 2018 5:26 PM
Subject: Re: Amazon Fire Tablet Line - 802.1x Support Dropped?

I have seen dot1x issues with Android tablets that do not have the lock enabled 
or have it removed after Wi-Fi is configured and working.  I know our onboard 
utility notifies the user that Screen Lock/Pin is required.  Does the 802.1x 
option show up if screen lock is enabled?






Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Christopher
Sent: Wednesday, February 07, 2018 10:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Amazon Fire Tablet Line - 802.1x Support Dropped?

Good Morning,

I was curious if anyone had any of the newer Amazon Fire tablets and could 
confirm something for me? Our support center contacted me in regards to an 
issue with connecting to our secure network (they were only able to see our 
“open network”) which matches with our some newer devices will not even display 
networks that they are unable to connect to – such as WPA2 Enterprise. I had 
suggested that they attempt to manually create the profile and was disappointed 
when they confirmed that “802.1x” was no longer an option on the list of 
security types.

That’s unfortunate that their earlier generations had support, and it appears 
to have been removed. It’s been a few years since I’ve seen one, so no idea 
which generation this occurred (Fire 7 is their 7th generation). I just know 
the 1st and 2nd generation could connect since I got to be the one to figure it 
out all those years ago.

Christopher Johnson
Wireless Network Engineer
AT Infrastructure Operations & Networking (ION)
Illinois State University
(309) 438-8444
Stay connected with ISU IT news and tips with @ISU IT Help on 
Facebook<https://www.facebook.com/ISUITHelp/> and 
Twitter<https://twitter.com/ISUITHelp>





RE: Amazon Fire Tablet Line - 802.1x Support Dropped?

2018-02-09 Thread Osborne, Bruce W (Network Operations)
I know there was a bug corrected in SecureW2 802.1X onboarding where they were 
requiring a screen lock for Android when using PEAP-MSCHAPv2.
They corrected the issue in a later release.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Mike Atkins [mailto:matk...@nd.edu]
Sent: Thursday, February 8, 2018 5:26 PM
Subject: Re: Amazon Fire Tablet Line - 802.1x Support Dropped?

I have seen dot1x issues with Android tablets that do not have the lock enabled 
or have it removed after Wi-Fi is configured and working.  I know our onboard 
utility notifies the user that Screen Lock/Pin is required.  Does the 802.1x 
option show up if screen lock is enabled?






Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
 On Behalf Of Johnson, Christopher
Sent: Wednesday, February 07, 2018 10:49 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Amazon Fire Tablet Line - 802.1x Support Dropped?

Good Morning,

I was curious if anyone had any of the newer Amazon Fire tablets and could 
confirm something for me? Our support center contacted me in regards to an 
issue with connecting to our secure network (they were only able to see our 
“open network”) which matches with our some newer devices will not even display 
networks that they are unable to connect to – such as WPA2 Enterprise. I had 
suggested that they attempt to manually create the profile and was disappointed 
when they confirmed that “802.1x” was no longer an option on the list of 
security types.

That’s unfortunate that their earlier generations had support, and it appears 
to have been removed. It’s been a few years since I’ve seen one, so no idea 
which generation this occurred (Fire 7 is their 7th generation). I just know 
the 1st and 2nd generation could connect since I got to be the one to figure it 
out all those years ago.

Christopher Johnson
Wireless Network Engineer
AT Infrastructure Operations & Networking (ION)
Illinois State University
(309) 438-8444
Stay connected with ISU IT news and tips with @ISU IT Help on 
Facebook and 
Twitter





RE: Cisco Channel Width

2018-01-23 Thread Osborne, Bruce W (Network Operations)
True.

The Prius design, being simpler, has less regular maintenance.

 
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Kees Pronk [mailto:cl.pr...@avans.nl] 
Sent: Tuesday, January 23, 2018 10:15 AM
Subject: Re: Cisco Channel Width

Certainly good call to throw in maintenance issues in this thread :-O

-Kees

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
Sent: Monday, January 22, 2018 19:46
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Channel Width

Good Call  haha.  Toyota Prius for the win!

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Osborne, Bruce W (Network 
Operations) <bosbo...@liberty.edu>
Sent: Monday, January 22, 2018 6:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Channel Width


You misspelled Toyota Prius  Why throw away extra fuel and have higher 
maintenance issues?


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Curtis K. Larsen [mailto:curtis.k.lar...@utah.edu]
Sent: Friday, January 19, 2018 11:51 AM
Subject: Re: Cisco Channel Width

In our organization (Cisco) we've seen improvements in reliability and user 
experience after switching from 40's to 20's.  I've seen an overall reduction 
in channel utilization, and CCI.  Everything we do is focused on reliability.  
I can't remember being asked for higher speeds than what we were offering and 
utilization reports indicate 20's are under-utilized.  I agree with Jeff on one 
thing though - the Toyota Corolla would be a more appropriate purchase.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of GT Hill <g...@gthill.com>
Sent: Friday, January 19, 2018 9:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Channel Width

This is very anecdotal, but I have personally seen a large university go from 
20/40 to all 20 MHz and it have a 30% improvement in end user performance. 
Everyone’s mileage will vary but given the data I’ve seen no way would I run 80 
MHz channels except in VERY limited scenarios.

If I were implementing a network today I would start at 20 MHz and move UP as 
scenarios presented themselves, NOT the other way around.

GT

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "Jeffrey D. Sessler" 
<j...@scrippscollege.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Friday, January 19, 2018 at 9:14 AM
To: <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] Cisco Channel Width

Been running that option (Best) for a long time. No downside that I’ve found 
and after a few passes it’s very stable with channel width. Even in our dense 
AP deployment residential areas, most all of our WAPs are running at 80Mhz  - 
our students having mostly 11ac devices. The bandwidth use in our residential 
went way up as a result.

As to clients getting kicked off when the width changes, Cisco’s magic sauce 
tries to prevent this from happening (it’s detailed in the white papers). The 
code also makes decisions based on the client mix it sees e.g. if it sees a 
majority of 802.11n clients around a WAP, it won’t run that AP at 80Mhz. If the 
WAP is mostly 11ac, it will.

Running a static 20Mhz plan, in my opinion, is just tossing away performance 
and client experience. You wouldn’t purchase an 800HP supercar only to 
permanently disable half of its cylinders.

Jeff

From: 
"wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of Les Ridgley 
<les.ridg...@newcastle.edu.au>
Reply-To: 
"wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, January 18, 2018 at 6:45 PM
To: 
"wireless-lan@listserv.educause.edu" 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAU

RE: Cisco Channel Width

2018-01-22 Thread Osborne, Bruce W (Network Operations)

You misspelled Toyota Prius  Why throw away extra fuel and have higher 
maintenance issues?

 
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Curtis K. Larsen [mailto:curtis.k.lar...@utah.edu] 
Sent: Friday, January 19, 2018 11:51 AM
Subject: Re: Cisco Channel Width

In our organization (Cisco) we've seen improvements in reliability and user 
experience after switching from 40's to 20's.  I've seen an overall reduction 
in channel utilization, and CCI.  Everything we do is focused on reliability.  
I can't remember being asked for higher speeds than what we were offering and 
utilization reports indicate 20's are under-utilized.  I agree with Jeff on one 
thing though - the Toyota Corolla would be a more appropriate purchase.

-Curtis


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of GT Hill 
Sent: Friday, January 19, 2018 9:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Channel Width

This is very anecdotal, but I have personally seen a large university go from 
20/40 to all 20 MHz and it have a 30% improvement in end user performance. 
Everyone’s mileage will vary but given the data I’ve seen no way would I run 80 
MHz channels except in VERY limited scenarios.

If I were implementing a network today I would start at 20 MHz and move UP as 
scenarios presented themselves, NOT the other way around.

GT

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of "Jeffrey D. Sessler"
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Date: Friday, January 19, 2018 at 9:14 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cisco Channel Width

Been running that option (Best) for a long time. No downside that I’ve found 
and after a few passes it’s very stable with channel width. Even in our dense 
AP deployment residential areas, most all of our WAPs are running at 80Mhz  - 
our students having mostly 11ac devices. The bandwidth use in our residential 
went way up as a result.

As to clients getting kicked off when the width changes, Cisco’s magic sauce 
tries to prevent this from happening (it’s detailed in the white papers). The 
code also makes decisions based on the client mix it sees e.g. if it sees a 
majority of 802.11n clients around a WAP, it won’t run that AP at 80Mhz. If the 
WAP is mostly 11ac, it will.

Running a static 20Mhz plan, in my opinion, is just tossing away performance 
and client experience. You wouldn’t purchase an 800HP supercar only to 
permanently disable half of its cylinders.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of Les Ridgley
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Thursday, January 18, 2018 at 6:45 PM
To: "wireless-lan@listserv.educause.edu"
Subject: [WIRELESS-LAN] Cisco Channel Width

Hi All,
For those Cisco shops – has anyone configured the “BEST” parameter for channel 
width that would like to share their experiences or thoughts on the benefits or 
otherwise.

We have been advised to use 20Mhz as a campus wide setting, however DBS appears 
to offer significant benefits that would allow us to make better use of our 
802.11ac AP’s.  We are currently running two 8540 WLC’s with around 2,500 
access points with a mix of 3600 – 3700 -3800 and 1810 access points.

Thanks in advance,
Les
--
Les Ridgley
Senior Communications Officer (Network Operations),

IT Services
Resources Division
The University of Newcastle
University Drive, Callaghan NSW 2308
les.ridg...@newcastle.edu.au,
Phone +61 2 4921 6598
Fax: +61 2 4921 6910

RE: devices not connecting to open network

2018-01-15 Thread Osborne, Bruce W (Network Operations)
Wired ports are not needed for gaming devices, at least for customers with 
Aruba wireless. The experience may be different with Ruckus Wireless, for 
instance.

We have been successfully running wireless-only dorms for many years.

We are now deploying some wireless computer labs with dedicated APs & SSIDs for 
the computers because wireless is less expensive than wired access in that 
situation.

 
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Richard Nedwich [mailto:rich.nedw...@brocade.com] 
Sent: Friday, January 12, 2018 11:41 AM
Subject: Re: devices not connecting to open network

Question for the group:

Is gaming station support a good use case for wall-plate access points?  Most 
enterprise vendors offer wall-plate APs with a number of physical ports 
available for gaming stations, or printer, or AppleTV, etc.  Ruckus H510 for 
example.  Ideally, this means you could instruct the student to plug in (and 
get that device off the resnet wireless).

Thoughts?

-Rich




RE: devices not connecting to open network

2018-01-11 Thread Osborne, Bruce W (Network Operations)
They will just tell you to replace your (home) router. They have no clue about 
enterprise.

Sort of like Apple, only worse.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Wednesday, January 10, 2018 11:35 AM
Subject: Re: devices not connecting to open network

Boy, I’d love to have a contact at Nintendo to talk about this stuff with.
Lee Badman (mobile)

On Jan 10, 2018, at 11:29 AM, Rob Harris wrote:
Have you modified the rf at all on those SSIDs? Are you advertising and 
supporting the standard rates? I’ve heard that if you limit the lower rates or 
don’t advertise them, some of those devices may have issues.

Good luck!


Robert Harris
Manager – Telecom, Networks, & AV Services
Culinary Institute of America
1946 Campus Drive
Hyde Park, NY
845-451-1681
www.ciachef.edu
Food is Life
Create and Savor Yours.™

Please consider the environment before printing this e-mail.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Tufts, Mark
Sent: Wednesday, January 10, 2018 11:19 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] devices not connecting to open network

Hi,

We have some wireless devices, WiiU, Nintendo Switch, PS4 etc. not connecting 
to our open guest network.  Laptops, phones no issue at all.  The devices above 
will sometimes connect first try but then upon additional testing on a reconnect 
just will not pull a DHCP address. We are an Aruba wireless shop AP 225 and 315 
fails on both.

Anyone else experience this issue?

Thanks,

Mark



RE: Eduroam and Govroam

2018-01-09 Thread Osborne, Bruce W (Network Operations)
What about Universities that also cooperate with police forces, for example? 
They deploy both?

I know our university police cooperate quite closely with local and state 
forces.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Jonathan Waldrep [mailto:wald...@vt.edu]
Sent: Thursday, January 4, 2018 3:37 PM
Subject: Re: Eduroam and Govroam

> I’m not speaking to my security model.
Fair enough. I should have re-read your email to remember the original context 
of the statements before responding.

> public-sector entities [...] asking that someone else “solve” the problem for 
> them e.g. govroam
My understanding is the primary goal is for public sector entities to work 
better with each other (and optionally, places that frequently work with public 
servants and wish to provide the service). For example, a police officer's 
devices connect at the police station and the court house, the EMT's devices 
connect at the hospital and firehouse, etc. As for the security side, fire my 
previous comment toward the public entities.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

On Thu, Jan 4, 2018 at 3:20 PM, Jeffrey D. Sessler wrote:
I’m not speaking to my security model. I’m speaking of all these public-sector 
entities that can’t seem to support their mobile workforce, and are asking that 
someone else “solve” the problem for them e.g. govroam.

Maybe the solution is to abandon both eduroam and govroam and create a global 
“unsecureroam” that everyone can use, and understands its posture.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of Jonathan Waldrep
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Thursday, January 4, 2018 at 12:13 PM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Eduroam and Govroam

@Jeff - If you are concerned with users accessing sensitive services over an 
inappropriate network (e.g., anything that is not the local campus network), 
then only make the services available on the appropriate networks (e.g., vpn). 
The same false sense of security exists when someone is working from home, and 
that is something that is already happening all the time. If your security 
model doesn't account for this, then it is already broken.



RE: Radius certificate length vs. onboarding opinions

2017-10-31 Thread Osborne, Bruce W (Network Operations)
We currently use Option 3, but the clients only trust the certificate CHAIN, 
not the server certificate itself. This lets us replace the server certificate 
providing the chain remains the same. This worked fine for us for several years 
with a 1 year server certificate. Unfortunately, we have changed chains twice 
in the past year and will likely change chains again in January. ☹ Some of the 
clients we onboarded at the start of this semester have our “best guess” for 
the new certificate chain too.

We will be moving some clients to Option 4, though.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Craig Simons [mailto:craigsim...@sfu.ca]
Sent: Monday, October 30, 2017 2:22 PM
Subject: Radius certificate length vs. onboarding opinions

All,

I know the subject has been broached on the list a few times before, but I’m 
looking for informal opinions/survey about how you are deploying your Radius 
EAP certificates for PEAP/TTLS users (non-TLS). We use Cloudpath to onboard 
users, but recently went through a difficult renewal period to replace our 
expiring certificate. As we had configured all of our clients to “verify the 
server certificate” (as you should from a security perspective), we found that 
iOS/MacOS and Android clients did not take kindly to a new certificate being 
presented. This resulted in quite a few disgruntled users who couldn’t connect 
to WiFi as well as a shell-shocked Service Desk. To help prevent this in the 
future (and because we are moving to a new Radius infrastructure), what is the 
consensus on the following strategies:

Option 1: Using a self-signed/private PKI and a 10 year cert. Onboard with 
"verify server certificate" enabled

Option 2: Removing all traces of “verify server certificate” from OnBoard 
configuration and use 2-year certs from CAs

Option 3: Use 2-year CA certificates, enable “verify server certificates” and 
educate/prepare every two years for connection issues.

Option 4 (probably the best long-term answer): Move to private PKI and EAP-TLS.

Opinions?

Craig Simons
Network Operations Manager

Simon Fraser University | Strand Hall
 University Dr., Burnaby, B.C. V5A 1S6
T: 778.782.8036 | M: 604.649.7977 | 
www.sfu.ca/itservices




RE: Best Wireless Solution for Residence Hall Rooms

2017-10-25 Thread Osborne, Bruce W (Network Operations)
I sent Chris a wireless design presentation we made a couple of years ago.

We also use the Aruba ASE RF Optimization and Deployment Models 
https://ase.arubanetworks.com/solutions/id/75



Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Johnson, Christopher [mailto:cbjo...@ilstu.edu]
Sent: Tuesday, October 24, 2017 3:20 PM
Subject: Re: Best Wireless Solution for Residence Hall Rooms

I was curious for those that based your deployments on RSSI if anyone had 
“minimum SNR requirements” for Residence Hall locations to help for those 
periods of time where there may be some source of momentary noise due to some 
devices that students may/will bring into their rooms?

Christopher Johnson
Wireless Network Engineer
AT Infrastructure Operations & Networking (ION)
Illinois State University
(309) 438-8444
Stay connected with ISU IT news and tips with @ISU IT Help on 
Facebook and 
Twitter
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Umut Arus
Sent: Thursday, October 12, 2017 3:54 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Best Wireless Solution for Residence Hall Rooms

Hello,

Thank you for your replies. Love it. Great posts with so much valuable 
information.

thanks.

On Thu, Oct 12, 2017 at 4:27 AM, Sweetser, Frank E wrote:

Speaking as yet another site that saw huge improvements going from in-hallway 
to in-room, there's another factor that hasn't been mentioned very much yet - 
the client side radio.  Even if you dump all kinds of special sauce on the AP, 
like Xirrus multi-sector or Ruckus Beamflex, you're still going to be dealing 
with the same low power, crappy antennas and radios in your clients.  That high 
end $2k AP may be able to push a signal through concrete, but your user with an 
iPhone 5 is still going to be out of luck.



You're better off going with even a bottom end AP per room, or every other 
room, than high end ones in hallway.  Check out the hospitality models, like 
the Aruba 203H (or whichever vendor you use - most offer something comparable). 
 They typically feature a few wired ports powered off of the AP uplink, so if 
you already have active ports you can just re-use them rather than having to 
light up new ones in every room.


Frank Sweetser
Director of Network Operations
Worcester Polytechnic Institute
"For every problem, there is a solution that is simple, elegant, and wrong." - 
HL Mencken


From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of 
Norton, Thomas (Network Operations)
Sent: Wednesday, October 11, 2017 7:57 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Best Wireless Solution for Residence Hall Rooms


We run a large Aruba shop at Liberty, and have been running an all-wireless 
solution in our dorms for some time now, which we’re very happy with.

With that said, every dorm environment is different; gathering requirements, 
predictive planning, and design are key, especially when dealing with microcell 
deployments.

I would really look into what you’re trying to accomplish with an AP in every 
room; it really depends on the environment, your functional requirements, bw 
needs, and what you’re trying to support/accomplish. You should also always 
follow up after the fact to validate your deployment, and tune the RF 
appropriately.

I also highly advise against deploying access points in hallways due to the 
multipath, LOS, and roaming issues it poses.

Aruba has some really cool tools and VRDs to help assist you in planning your 
designs. I’ve listed a few links for reference below.

https://ase.arubanetworks.com

http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs/page/2

T.J. Norton
Wireless Network Architect
Network Operations
(434) 592-6552
Liberty University  |  Training Champions for Christ since 1971


From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of 
Mark Reboli
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Date: Wednesday, October 11, 2017 at 2:03 PM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU"

RE: Wireless printers and other devices in residence halls

2017-10-20 Thread Osborne, Bruce W (Network Operations)
Here is one of our approaches that may or may not work for you.

We had a delay in funding for upgrading part of our wireless system. When 
students complained, we suggested they complain to the school management. That 
helped us get the funding needed.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Chuck Enfield [mailto:chu...@psu.edu]
Sent: Thursday, October 19, 2017 2:17 PM
Subject: Re: Wireless printers and other devices in residence halls

While I agree with all the justifications offered below, I don’t recommend 
going there if you can avoid it.  If somebody wants to challenge a business 
case based on those things there will be plenty of opportunity to do that.  I 
value a good business case more than most, but a determined bean-counter will 
always get their way if you make it about counting beans.  Remove them from the 
equation if you can.

Instead, it’s pretty easy to convince IT leaders that administrative approaches 
to these problems rarely work and frustrate the user community.  The network 
has to work, and we want our users to be happy, so administrative approaches 
aren’t desirable.  Once the leadership has agreed to that general principle, 
you don’t have to weigh the tradeoffs between technical and administrative 
approaches each time a new challenge emerges.  Challenges with technical 
solutions get the technical solution and the network just costs what it costs.  
Challenges without technical solutions get administrative stop-gaps until a 
technical solution emerges.

Chuck

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Thursday, October 19, 2017 1:39 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless printers and other devices in residence 
halls

The way to present that 30+% increase in capital investment is to talk about 
the FTE resources it frees up, caps, or eliminates i.e. by increasing density 
the need for residential life/IT to police personal devices is significantly 
reduced/eliminated, freeing up or eliminating [x]FTE for other mission-aligned 
activities. There isn’t a CBO/CFO alive that doesn’t react well to proposals 
that cap/reduce FTE investments in exchange for capital investment. Hardware 
doesn’t require 34% benefits, raises, and so on.

Spend $10,000 for 20 more APs, or spend $650,000 in salary/benefits over five 
years to hire an RF engineer to go out and find these problems. Even when 
pitted against a $20/hr user support position, it’s still $10,000 for 20 APs, 
or $265,000 salary/benefits over five years for that person to do policing.

In other words, you have to add a lot of APs before you get close to the cost 
of a single FTE.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of Thomas Carter
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Thursday, October 19, 2017 at 10:06 AM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] Wireless printers and other devices in residence 
halls

You’re correct, but it just sucks that we now have to justify a 30+% increase 
in capital spent on wireless infrastructure for something that (at least 
according to those who manage the budgets) worked fine 5 years ago, AKA why do 
you need to put 50 APs in a building that once had 30?

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Thursday, October 19, 2017 11:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless printers and other devices in residence 
halls

If you move your design planning toward dense 5GHz and designate 2.4 as a 
legacy wasteland, these devices have little impact. Even if these devices move 
toward 5GHz, the abundance of channels coupled with low signal propagation and 
vendor channel management, e.g. DCA in Cisco speak, greatly enhance coexistence. 
Since you mention Cisco, use of CleanAir-equipped APs in residence halls (even 
in small quantities) provides significant RF visibility, and you’ll know exactly 
what’s out there and impacting your environment.

That’s a long way 

RE: Wireless printers and other devices in residence halls

2017-10-20 Thread Osborne, Bruce W (Network Operations)
One easy answer:

More & more devices per person. This increases system load and interference.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Thomas Carter [mailto:tcar...@austincollege.edu]
Sent: Thursday, October 19, 2017 1:06 PM
Subject: Re: Wireless printers and other devices in residence halls

You’re correct, but it just sucks that we now have to justify a 30+% increase 
in capital spent on wireless infrastructure for something that (at least 
according to those who manage the budgets) worked fine 5 years ago, AKA why do 
you need to put 50 APs in a building that once had 30?

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Thursday, October 19, 2017 11:13 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless printers and other devices in residence 
halls

If you move your design planning toward dense 5GHz and designate 2.4 as a 
legacy wasteland, these devices have little impact. Even if these devices move 
toward 5GHz, the abundance of channels coupled with low signal propagation and 
vendor channel management, e.g. DCA in Cisco speak, greatly enhance coexistence. 
Since you mention Cisco, use of CleanAir-equipped APs in residence halls (even 
in small quantities) provides significant RF visibility, and you’ll know exactly 
what’s out there and impacting your environment.

That’s a long way of saying you will never legislate these devices out of 
existence, and it’s far better to invest resources in technology that help with 
coexistence vs expending energy on confiscating/banning them.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of "Davis, Steve"
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Thursday, October 19, 2017 at 8:06 AM
To: "wireless-lan@listserv.educause.edu"
Subject: [WIRELESS-LAN] Wireless printers and other devices in residence halls

I wanted to get an idea how everyone is handling students bringing in all types 
of wireless devices, which are basically access points.  We have so many 
printers, TVs, Roku devices, game systems and who knows what else out there in 
the student rooms and these devices are causing issues with our campus wireless 
network.

Do you allow these devices on your network?  If not, how do you prevent the 
students from having them?

I have Cisco wireless controllers where I can block rogue APs but that keeps 
the APs which are containing the rogue AP from servicing the clients and I 
don’t have dense enough coverage to be able to do this for every rogue device.

Thanks in advance
-Steve

Steve Davis | Network Manager
Department of Technology Infrastructure

Lock Haven University
519 Robinson Hall
401 North Fairview Street, Lock Haven, PA 17745
Phone: 570-484-2290 | sda...@lockhaven.edu | 
www.lockhaven.edu

Connect with us: Facebook | 
Twitter | 
YouTube




RE: Big flaw in WPA2

2017-10-19 Thread Osborne, Bruce W (Network Operations)
The specification, like many, was vague in implementation details and 
practically all vendors chose a poor, insecure design.  The only flaw in WPA2 
was vagueness in the specification. I understand the Wi-Fi Alliance is working 
on remedying that as well as specifically testing for KRACK in its 
certification testing.

Since many implementations were likely based off the chipmakers’ reference 
designs, this is not very surprising.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Marcelo Maraboli [mailto:marcelo.marab...@uc.cl]
Sent: Wednesday, October 18, 2017 11:56 AM
Subject: Re: Big flaw in WPA2

If it were a design flaw, no patch could fix it; we would need to upgrade to 
WPA3 or something.

The fact that there is a patch going on means that either every implementation 
is wrong (not likely) or the specification (how to code the design) did not 
address boundaries or restrictions that should/must be cared for.

Or am I wrong?


regards,
On 10/16/17 4:32 PM, Hector J Rios wrote:
The short answer is Yes.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike Cunningham
Sent: Monday, October 16, 2017 1:58 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

If this is a flaw in the design of the WPA2 protocol isn't the fix going to 
need to be made on both sides of the communication link?  Access points will 
all need to be updated but also all client wifi drivers are going to need to be 
updated on all wifi enabled devices that support WPA2, right?

Mike Cunningham


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Stephen Belcher
Sent: Monday, October 16, 2017 10:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2


From Cisco:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

/ Stephen Belcher
Assistant Director of Network Operations
WVU Information Technology Services
One Waterfront Place / PO Box 6500
Morgantown, WV  26506

(304) 293-8440 office
(681) 214-3389 mobile
steve.belc...@mail.wvu.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of 
Richard Nedwich
Sent: Monday, October 16, 2017 10:34:43 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Big flaw in WPA2

Ruckus is providing a response today.


--
Marcelo Maraboli Rosselott
Subdirector de Redes y Seguridad
Dirección de Informática
Pontificia Universidad Católica de Chile
http://informatica.uc.cl/
--
Campus San Joaquín, Av. Vicuña Mackenna 4860, Macul
Santiago, Chile
Teléfono: (56) 22354 1341



RE: Big flaw in WPA2

2017-10-17 Thread Osborne, Bruce W (Network Operations)
No, the solution is EAP-TLS with individual device certificates.



Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Tim Tyler [mailto:ty...@beloit.edu]
Sent: Monday, October 16, 2017 9:57 AM
Subject: Re: Big flaw in WPA2

This brings up an issue where I have philosophically wondered if MAC address 
authentication isn’t better than 802.1x (WPA2).  The reason isn’t because it 
guards the network better.  But if one does get hacked at the point of 
accessing the network, the consequences are way less.  One isn’t giving away 
the keys to their other accounts.   I know some institutions do use MAC address 
authentication as their primary access method.   It is difficult for 
institutions that can’t afford pricey on-boarding solutions to manage 
certificate lock downs.   Hence, man in the middle attacks become prevalent as 
well.
  We already use MAC address authentication for devices that won’t support 
802.1x.  I keep wondering now if I shouldn’t make that our primary solution 
someday.  I am curious as to what others think.

Tim

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Monday, October 16, 2017 6:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Big flaw in WPA2


https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

Ryan Turner
Manager of Network Operations, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office



RE: Best Wireless Solution for Residence Hall Rooms

2017-10-11 Thread Osborne, Bruce W (Network Operations)
First, get the APs out of the hallways and locate them where the users are. APs 
in hallways can hear each other better than they can hear clients.

Second, work with your Aruba account team to optimize your RF environment for 
the different building structures. We have based our RF adjustments on this 
Aruba document.
https://ase.arubanetworks.com/solutions/id/75

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Umut Arus [mailto:um...@sabanciuniv.edu]
Sent: Wednesday, October 11, 2017 11:49 AM
Subject: Best Wireless Solution for Residence Hall Rooms

Hello all,

We have 500 Aruba APs for 3000 students in dorm building hallways; however, we 
are still getting complaints, even after fine tuning, because of walls. I think 
it is a very contemporary issue for many.

An Aruba solution in every room would be very expensive. We'd like to ask you 
what your best solution was for resolving this?

thanks.

--
Umut Arus
System Specialist
Information Technology
Sabancı University

Phone: +90216 483 9172




RE: Clearpass Bug - Posture and Profile Data update

2017-10-11 Thread Osborne, Bruce W (Network Operations)
Our Aruba SE alerted us but we are running 6.6.5. Our servers already had the 
fixed version anyway.

For RADIUS monitoring we use Nagios and monitor twice. One service uses an 
Active Directory service account, and a second one uses a ClearPass local user 
account. Aruba recommends this to assist in problem isolation if there is a 
failure.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Ferguson, Michael [mailto:mfergu...@chapman.edu]
Sent: Wednesday, October 11, 2017 1:01 PM
Subject: Re: Clearpass Bug - Posture and Profile Data update


Unfortunately, we were hit by the same bug as Chad and possibly a few others on 
the list.  It looks like the problem affects Clearpass customers running 
6.6.7+.  We struggled to find a fix early this morning and finally got services 
up around 7:15 am pacific time once we identified the issue.  But until we 
noticed the problem and resolved it, we were down for wireless access across 
campus for 6 hours due to this Clearpass bug—the issue started at 1 am for us.

This brings up an obvious need on our part to check our Clearpass servers from 
a 3rd-party tool for authentication successes and failures.  I think we’ll have 
to use a Nagios plugin (or something like it) for radius authentication checks, 
which I didn’t expect we would need to do.  As for monitoring other processes 
on individual Clearpass servers, I don’t have a ready answer on that one.

However, this does bring up a desire on my part related to vendor participation 
on the list.  I know we have some HPE/Aruba employees that participate on the 
list and I think the Wireless-LAN group would be a perfect vehicle for them to 
disseminate information to customers that could be affected by known issues, 
particularly ones that could impact services to your campus.

When we had the issue this morning, one of the places I looked was the 
Wireless-LAN discussions to see if anyone was affected by problems with 
Clearpass.  I didn’t see any (until Chad posted later) and so we thought our 
issue was more isolated.  We wasted 20 minutes of valuable MTTR time collecting 
Server Logs when all we needed to do was start the “Policy server” service.  
However, if I had seen a post from HPE/Aruba to the Wireless-LAN list about a 
possible problem affecting many customers, we could’ve started working on the 
real issue earlier.  Putting in a  TAC case related to a critical 1 issue is 
something we generally wait to do if we can’t find a quick fix on our side.


--
Mike Ferguson
Chapman University
Network Manager
714-744-7873
mfergu...@chapman.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Amel Caldwell
Sent: Wednesday, October 11, 2017 9:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Clearpass Bug - Posture and Profile Data update

Fortunately for us, we are still on 6.6.5 and we were not affected by this.  
This did make me think about how fragile the operational state of the ClearPass 
cluster can be.  Looking through my event logs, I see the AV/AS updates 
happening 20-plus times a day and they hit all of our servers simultaneously. 
So, I am curious how others deal with this.

Do you monitor process status on each of your individual servers?
Do you have automated mechanisms to restart stopped processes and notify 
engineers?
If so, what methods do you use?

Amel Caldwell
University of Washington UW-IT
Wi-Fi Network Engineer
Wi-Fi Service Manager

am...@uw.edu
206-543-2915

University of Washington has open positions for Wi-Fi Network Engineers on our 
Network Design and Architecture team.

https://uwhires.admin.washington.edu/ENG/candidates/default.cfm?szCategory=jobprofile=147382=0==1
https://uwhires.admin.washington.edu/ENG/candidates/default.cfm?szCategory=jobprofile=147172=0==1



From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of 
Chad Burnham 
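
The dual-account RADIUS monitoring discussed in this thread (one probe with a directory service account, one with a local account), sketched as an added example; it is not code from any poster, from Aruba or from an existing Nagios plugin. It assumes the server accepts PAP Access-Requests from the monitoring host, and the function names, result strings and the fault interpretations in `classify` are this example's own assumptions.

```python
"""Dual-account RADIUS health probe (added example; all names are hypothetical)."""
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden


def build_request(ident, user, password, secret, request_auth=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    request_auth = request_auth or os.urandom(16)
    values = ((ATTR_USER_NAME, user.encode()),
              (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)))
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in values)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def verify_reply(reply, ident, request_auth, secret):
    """Return the reply code, or None if the reply fails validation."""
    if len(reply) < 20:
        return None
    code, reply_id, length = struct.unpack("!BBH", reply[:4])
    if reply_id != ident or not 20 <= length <= len(reply):
        return None
    reply = reply[:length]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def probe(server, secret, user, password, timeout=3.0):
    """Send one Access-Request; return 'accept', 'reject', 'bad_reply' or 'no_reply'."""
    ident = os.urandom(1)[0]
    packet, request_auth = build_request(ident, user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, server)
            reply, _ = sock.recvfrom(4096)
        except OSError:  # timeout, unreachable host, ICMP port unreachable
            return "no_reply"
    code = verify_reply(reply, ident, request_auth, secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "bad_reply")


def classify(directory_result, local_result):
    """Map the two probe results to (Nagios exit code, message). Interpretations are assumptions."""
    if directory_result == local_result == "accept":
        return OK, "OK - directory and local accounts both authenticate"
    if local_result == "accept":
        return CRITICAL, (f"CRITICAL - local account OK, directory account {directory_result}: "
                          "RADIUS is answering, check the directory backend or service account")
    if directory_result == "accept":
        return WARNING, (f"WARNING - directory account OK, local account {local_result}: "
                         "check the local user repository or probe account")
    if directory_result == local_result == "no_reply":
        return CRITICAL, "CRITICAL - no reply to either probe: RADIUS service or path is down"
    return CRITICAL, (f"CRITICAL - directory {directory_result}, local {local_result}: "
                      "both sources failing, check the RADIUS/policy service and shared secret")


if __name__ == "__main__":
    # Usage: script HOST SHARED_SECRET DIR_USER DIR_PASS LOCAL_USER LOCAL_PASS
    # Credentials on argv are for brevity only; a real plugin should read them
    # from a file readable only by the monitoring user.
    host, secret, d_user, d_pass, l_user, l_pass = sys.argv[1:7]
    target = (host, 1812)
    status, message = classify(probe(target, secret.encode(), d_user, d_pass),
                               probe(target, secret.encode(), l_user, l_pass))
    print(message)
    sys.exit(status)
```

A server configured to require the Message-Authenticator attribute (RFC 3579) will not answer this minimal request, so that attribute would need to be added before using the probe against such a server.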

RE: Wireless services in your Stadiums and Arenas

2017-10-09 Thread Osborne, Bruce W (Network Operations)
We are designing our football stadium wireless using HPE/Aruba Networks Large 
Public Venue expertise.

There is some more information here. http://www.arubanetworks.com/solutions/lpv/

Feel free to contact me off-list and I can connect you with our wireless 
network architect.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Wesley Troy Scott [mailto:tsc...@uwyo.edu]
Sent: Friday, October 6, 2017 3:26 PM
Subject: Wireless services in your Stadiums and Arenas


Hello,



The University of Wyoming is looking at expanding the wireless services at our 
stadium and arena to cover fans. Today access is limited and focused on 
operations like press, ticketing and concessions. At a big game cell can't take 
the load, fans get nothing, so we're looking at solutions to the problem.



These deployments are different than what we do elsewhere on campus and I know 
some of you can speak from experience on the topic. We have questions on all 
sorts of things but the design consideration that keeps coming up right now is 
how should we provision students, faculty and staff during a game as compared 
to the other fans?



The approaches we've discussed include floating our standard authenticated 
wireless network for their usage during a game, a different authenticated 
network but the same role or a single network for all fans regardless of their 
University affiliation. We're familiar with the design that's out there, an in 
venue authenticated network and an open network and sorting all of the 
different users out behind the scenes. We think all of these approaches have 
pros and cons.



I'm wondering what you chose to do based on your requirements and how has it 
worked for you? If you'd like to chat about wireless in large public venues 
generally I'd be glad to get advice from folks that have been down that road.



Thanks,



Troy
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.




RE: CloudPath Xpressconnect - accessibility support?

2017-10-06 Thread Osborne, Bruce W (Network Operations)
Responded off-list.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Jonathan Oakden [mailto:j.p.oak...@lboro.ac.uk]
Sent: Thursday, October 5, 2017 7:47 AM
Subject: Re: CloudPath Xpressconnect - accessibility support?

Hi Bruce,
What vendor have you moved to?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 
on behalf of "Osborne, Bruce W (Network Operations)" <bosbo...@liberty.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thursday, 5 October 2017 at 12:27
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] CloudPath Xpressconnect - accessibility support?

We are currently a CloudPath Wizard customer using PEAP-MSCHAPv2, but we 
recently completed a project evaluating onboarding vendors for PEAP-MSCHAPv2 & 
TLS, including CloudPath ES.

CloudPath Wizard & ES were both broken with PEAP-MSCHAPv2 for Windows 10 
Creator Update. It took CloudPath 3 months to fix that. Currently, their PEAP 
is broken for the Fall Update to be released this month.

We have decided to move to a different onboarding vendor and are finalizing 
our internal paperwork. We did not evaluate for accessibility.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Wyatt Schill [mailto:wsch...@greenriver.edu]
Sent: Wednesday, October 4, 2017 11:18 AM
Subject: CloudPath Xpressconnect - accessibility support?

Hello all,

To all the CloudPath xpressconnect ES users out there, we recently got a case 
saying the onboarding site does not work with accessibility screen readers, nor 
does the executable that windows devices download to install the wireless 
profile.  We primarily use JAWS (v18) screen reading software so I installed 
and gave it a go, indeed none of the onboarding site was read aloud, and the 
executable just reads “cloudpath cloudpath cloudpath cloudpath”.

I have a case in with the vendor, but was wondering if any other colleges have 
run into this problem.  I haven’t found anything mentioned in documentation, 
forums, google, or noticed any “turn on accessibility” checkbox on the 
management console, but I’m sure lots of other higher-ed must have hit this 
roadblock.

We’ve been happy with the product for several years but this would be a big 
problem.  Anyone else run into this?


-Wyatt

Wyatt Schill
Senior Network Engineer
CCNA-Security, CCNP-R
Green River College
12401 SE 320th St. Auburn, WA 98092
wsch...@greenriver.edu



RE: CloudPath Xpressconnect - accessibility support?

2017-10-05 Thread Osborne, Bruce W (Network Operations)
We are currently a CloudPath Wizard customer using PEAP-MSCHAPv2, but we 
recently completed a project evaluating onboarding vendors for PEAP-MSCHAPv2 & 
TLS, including CloudPath ES.

CloudPath Wizard & ES were both broken with PEAP-MSCHAPv2 for Windows 10 
Creator Update. It took CloudPath 3 months to fix that. Currently, their PEAP 
is broken for the Fall Update to be released this month.

We have decided to move to a different onboarding vendor and are finalizing 
our internal paperwork. We did not evaluate for accessibility.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Wyatt Schill [mailto:wsch...@greenriver.edu]
Sent: Wednesday, October 4, 2017 11:18 AM
Subject: CloudPath Xpressconnect - accessibility support?

Hello all,

To all the CloudPath xpressconnect ES users out there, we recently got a case 
saying the onboarding site does not work with accessibility screen readers, nor 
does the executable that windows devices download to install the wireless 
profile.  We primarily use JAWS (v18) screen reading software so I installed 
and gave it a go, indeed none of the onboarding site was read aloud, and the 
executable just reads "cloudpath cloudpath cloudpath cloudpath".

I have a case in with the vendor, but was wondering if any other colleges have 
run into this problem.  I haven't found anything mentioned in documentation, 
forums, google, or noticed any "turn on accessibility" checkbox on the 
management console, but I'm sure lots of other higher-ed must have hit this 
roadblock.

We've been happy with the product for several years but this would be a big 
problem.  Anyone else run into this?


-Wyatt

Wyatt Schill
Senior Network Engineer
CCNA-Security, CCNP-R
Green River College
12401 SE 320th St. Auburn, WA 98092
wsch...@greenriver.edu



RE: Wi-Fi Request for University Conference event

2017-09-28 Thread Osborne, Bruce W (Network Operations)

With our Aruba ClearPass Guest solution we do MAC address caching for the 
lifetime of the guest account. This means they only log in once per device. 
After that, we authenticate based on the device mac address.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Yahya M. Jaber [mailto:yahya.ja...@kaust.edu.sa]
Sent: Wednesday, September 27, 2017 8:18 AM
Subject: Re: Wi-Fi Request for University Conference event

Hi,

We are actually improving our guest experience, and what I thought of is the 
following (we use Cisco equipment):

  *   Would give up my guest SSID through ISE. As still there is no feature to 
increase the idle timeout on the WLC “like the sleeping client” which will stop 
users from complaining about the constant login once they go idle “especially 
iPhone that turns off WiFi after some time when it’s on the lock screen!!”… I 
know that I can increase the idle timeout, but that would prevent getting real 
client count from the WLC and PI and might affect the client WLC DB.
  *   Would use simple AUP guest SSID with sleeping client timer of 1-4 days.
  *   Won’t use bandwidth limit… the internet link is good.
  *   802.11ac 80MHz or 40MHz based on the location of the event.
  *   Survey, survey, survey before the event to check everything.


Yahya Jaber.
Sr. Wireless Engineer
IT Network & Communications – Engineering
Building 14, Level 3, Rm 308-WS07
KAUST 23955-6900 Thuwal, KSA

Email yahya.ja...@kaust.edu.sa
Office +966 (0) 12 8081237
Mobile +966 (0) 558697555
On Call Rotation Mobile: +966 54 470 1177

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Wednesday, September 27, 2017 3:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event

Our process is not ideal.

Where possible, we try to avoid setting up special SSIDs. Our normal Guest SSID 
allows for self registration for bandwidth-restricted Internet access or 
sponsored registration for faster Internet access.

We utilize our ClearPass Guest management to create an expiring event guest 
username with unlimited devices ending in “@event” instead of a proper email 
address. The original plan was for our IT Communications BRMs to create these 
accounts. Lately, our wireless team has been doing that. Event coordinators 
need to test access ahead of time, especially if it is “critical”. Otherwise, 
they are failing their job, IMHO.

For major events, with special access we sometimes set up a PSK SSID. In our 
experience, an open SSID is not good because you will pick up every roaming 
mobile device, exhausting your DHCP address pool.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Williams, Mr. Michael [mailto:mmwilli...@tarleton.edu]
Sent: Monday, September 25, 2017 4:01 PM
Subject: Wi-Fi Request for University Conference event

Hello,

Here recently, we have received numerous requests for guest WI-FI access during 
on campus conference events.  In order to support these events, we normally 
create a special open conference SSID that requires a pre-shared key or 
passcode for authentication.

What we are struggling with is how to set the level of expectation for WI-FI 
functionality during these types of events.  Conference sponsors inform us that 
Wi-Fi/internet access for conference attendees is critical, or some special app 
must function flawlessly or their conference event will be a bust.

We want to develop a formal conference request process that would detail what 
type of Wi-Fi support we can offer, what level of user experience to expect and 
what the sponsor responsibilities would be during these conference events.

I am curious to hear how other universities handle these types of events. Does 
anyone have a formal process, that they are willing to share, that addresses 
some of these concerns?
Thanks

Mike


Michael M. Williams
Senior Network Engineer
Information Technology Services
Tarleton State University
201 St. Felix Str.
Box T-0220
Stephenville, TX 76402
Tel: (254) 968-1850
Fax: (254) 968-9658
mmwilli...@tarleton.edu

“ Tarleton Networks – Connecting people with their potential”

Information Technology Services staff will never ask for your password in an 
email.  Don't ever email your password to anyone or share confidential 
information in emails.

Confidentiality Notice:  This electronic message, including any attachments, is 
for the sole use of the intended recipients(s) and may contain confidential and 
privileged information.  Any unauthorized review, use, disclosure or 
distribution is prohibited.  If you are not the intended recipient, please 
contact the s

RE: Wi-Fi Request for University Conference event

2017-09-27 Thread Osborne, Bruce W (Network Operations)
Our process is not ideal.

Where possible, we try to avoid setting up special SSIDs. Our normal Guest SSID 
allows for self registration for bandwidth-restricted Internet access or 
sponsored registration for faster Internet access.

We utilize our ClearPass Guest management to create an expiring event guest 
username with unlimited devices ending in “@event” instead of a proper email 
address. The original plan was for our IT Communications BRMs to create these 
accounts. Lately, our wireless team has been doing that. Event coordinators 
need to test access ahead of time, especially if it is “critical”. Otherwise, 
they are failing their job, IMHO.

For major events, with special access we sometimes set up a PSK SSID. In our 
experience, an open SSID is not good because you will pick up every roaming 
mobile device, exhausting your DHCP address pool.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Williams, Mr. Michael [mailto:mmwilli...@tarleton.edu]
Sent: Monday, September 25, 2017 4:01 PM
Subject: Wi-Fi Request for University Conference event

Hello,

Here recently, we have received numerous requests for guest WI-FI access during 
on campus conference events.  In order to support these events, we normally 
create a special open conference SSID that requires a pre-shared key or 
passcode for authentication.

What we are struggling with is how to set the level of expectation for WI-FI 
functionality during these types of events.  Conference sponsors inform us that 
Wi-Fi/internet access for conference attendees is critical, or some special app 
must function flawlessly or their conference event will be a bust.

We want to develop a formal conference request process that would detail what 
type of Wi-Fi support we can offer, what level of user experience to expect and 
what the sponsor responsibilities would be during these conference events.

I am curious to hear how other universities handle these types of events. Does 
anyone have a formal process, that they are willing to share, that addresses 
some of these concerns?
Thanks

Mike


Michael M. Williams
Senior Network Engineer
Information Technology Services
Tarleton State University
201 St. Felix Str.
Box T-0220
Stephenville, TX 76402
Tel: (254) 968-1850
Fax: (254) 968-9658
mmwilli...@tarleton.edu

“ Tarleton Networks – Connecting people with their potential”

Information Technology Services staff will never ask for your password in an 
email.  Don't ever email your password to anyone or share confidential 
information in emails.

Confidentiality Notice:  This electronic message, including any attachments, is 
for the sole use of the intended recipients(s) and may contain confidential and 
privileged information.  Any unauthorized review, use, disclosure or 
distribution is prohibited.  If you are not the intended recipient, please 
contact the sender by reply e-mail and destroy all copies of the original 
message

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Monday, September 25, 2017 2:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Two RF Questions

We currently won't even touch 40MHz as we like having the ability to solve 
problems by throwing more APs at them.

On Mon, Sep 25, 2017 at 2:28 PM Chuck Enfield wrote:

1.  Enable it in places to check for radar events.  If you get few, then 
yes.  Client devices are almost fully capable now.  Hidden SSID’s are the only 
issue.  Some clients don’t probe on DFS channels, and will only respond to 
beacons.  Make sure 2.4 is usable for the small number of incompatible devices.

2.  No.  Don’t even consider 40MHz unless you’re using almost all the DFS 
channels, but even then you’ll probably have to disable it in some high density 
areas.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David Blahut
Sent: Monday, September 25, 2017 3:17 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Two RF Questions

Greetings,
I have two hopefully simple RF related questions:
1.  Should I enable the extended UNII-2 channels campus wide?
2.  Should I enable 40MHz channel width campus wide?
In other words what are you doing on your campus and what is the "best practice"?

Our wireless infrastructure:

3 Cisco 5508s running 8.2.141.0

20 - 3800 APs
368 - 3700 APs
414 - 3600 APs
8 - 3500 APs
7 - 1810 APs
32 - 1142 APs

Prime 3.1.0

Thanks for your input.
David

RE: Hotpots in the age of unlimited data plans

2017-09-21 Thread Osborne, Bruce W (Network Operations)
Even worse, it disconnects and re-enables auto-join at 5 AM local time. 
Bluetooth works the same way.

I have heard a theory that they did this because of BLE beacons, but that does 
not explain doing it for Wi-Fi.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Jennifer Francis Wilson [mailto:jfwils...@uclan.ac.uk]
Sent: Wednesday, September 20, 2017 1:58 PM
Subject: Re: Hotpots in the age of unlimited data plans

Doesn't help when iOS 11 doesn't turn its wifi off in control centre.

https://www.macrumors.com/2017/09/20/bluetooth-wifi-not-disabled-ios-11-control-center/

Jen.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hall, Rand 
[ha...@merrimack.edu]
Sent: 19 September 2017 19:20
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Hotpots in the age of unlimited data plans
So, is anyone else getting killed by hotspot interference?

Last year was so pleasant! Most clients moved to 5GHz (away from interfering 
2.4GHz printers). Now interference is back in the form of iPhone hotspots. I 
bet 2-3% of the iPhones on our campus are hot.

...a bunch of Mrs. O'Leary's cows wandering around. More challenging game than 
printers...

Rand

Rand P. Hall
Director, Network Services askIT!
Merrimack College
978-837-3532
rand.h...@merrimack.edu

If I had an hour to save the world, I would spend 55 minutes defining the 
problem and five minutes finding solutions. - Einstein



RE: Wireless onboarding and security posturing

2017-08-30 Thread Osborne, Bruce W (Network Operations)
A few years ago we worked to move away from NAC (Bradford Campus Manager) to 
802.1X authentication without NAC. We ended up purchasing Aruba ClearPass but 
purchased (& did not use) some OnGuard NAC licenses to appease some management 
that we could deploy NAC if needed. We have not needed that.

We have been onboarding with the deprecated CloudPath Wizard product for 
several years. We are now evaluating onboarding (non-NAC) alternatives. So far 
the best choice appears to be SecureW2 when pricing & features are considered.

I asked CloudPath ES, like Wizard has a one-time onboarding NAC-like feature. 
Apparently, SecureW2 had similar features but removed them due to non-use. 
Pricing appears to be much better than Aruba’s offering.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Curtis L. Parish [mailto:curtis.par...@mtsu.edu]
Sent: Tuesday, August 29, 2017 12:08 PM
Subject: Wireless onboarding and security posturing

Greetings

Looking for philosophy (policy?) as well as what products you are using to 
implement your solutions.

Currently we use a NAC agent as a part of our onboarding procedure for Windows 
computers connecting via NAC.  Agents of course add a whole layer of support 
woes to the help desk.  As the percentage (not necessarily number) of Windows 
devices on wireless networks decreases, the effectiveness of deploying an agent 
seems to have decreasing returns.  At the same time Windows has increased 
their security posture over the years (nagging you to do updates and to turn 
on the firewall and virus protection), other devices have been added to the 
mix, like IoT, that have little or no protection built in.  Spending so much of 
our time supporting an agent that only protects a decreasing percentage of the 
devices on the network may not be the best policy.  There is the argument 
that Windows devices can cause the most problems, but do we spend the time 
focused on the single problem solution (Windows agent) as opposed to 
implementing and supporting a more holistic solution that can recognize and 
respond to threats across platforms?


We have talked to universities that run their wireless networks as wide open 
public access networks and choose only to defend with firewalls.  We on the 
other end are more offensive and require user registration, NAC agents and 
MAC registration, along with the separation of the wireless network from the 
campus network.

So, how do you provide and protect your wireless networks?


Curtis


Curtis Parish
 615.494.8861
Senior Network Engineer



RE: Plastered buildings

2017-08-30 Thread Osborne, Bruce W (Network Operations)
Yeah.

We have a stone mansion used that has the lath. We put an AP per room and just 
upgraded them to Aruba AP-203H APs.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Harris, Robert [mailto:robert.har...@culinary.edu]
Sent: Tuesday, August 29, 2017 8:31 AM
Subject: Re: Plastered buildings

Do you have the option to go into the rooms? Aruba has a series of APs that 
mount to a wall plate over an outlet. AP-303H, if it’s an option.

Robert Harris
Manager of Network Services
Culinary Institute of America
1946 Campus Drive
Hyde Park, NY
845-451-1681
www.ciachef.edu
Food is Life
Create and Savor Yours.™

Please consider the environment before printing this e-mail.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Rodkey
Sent: Tuesday, August 29, 2017 12:20 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Plastered buildings

How do you deal with buildings that have plaster and fine metal mesh enclosing 
them?  We have placed access points on the exterior of the building, but the 
signal isn't getting through.  The rooms all open onto an outside hallway - 
there is no common internal hallway.

John Rodkey
Director of Servers and Networks



RE: Android phones having strange issues

2017-08-22 Thread Osborne, Bruce W (Network Operations)
Richard,

I doubt users would switch that quickly but I expect we will see some later 
this week.

Since we are evaluating onboarding vendors, I must ask. Do your products 
(Wizard & CloudPath ES) already support Android Oreo? I know at least one other 
vendor already has official support for this.

 
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Richard Nedwich [mailto:rich.nedw...@brocade.com] 
Sent: Monday, August 21, 2017 5:26 PM
Subject: Re: Android phones having strange issues

FWIW,

http://www.siliconbeat.com/2017/08/21/google-will-launch-new-android-version-solar-eclipse/?doing_wp_cron=1503346654.674446105957031250

Maybe some change had an effect on your users?




RE: Issues with TCL Roku TVs

2017-08-22 Thread Osborne, Bruce W (Network Operations)
We have a special SSID deployed to a few areas for devices that require the 
lower rates in order to associate. We use MAC Auth to restrict who can use it.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Mccormick, Kevin [mailto:ke-mccorm...@wiu.edu]
Sent: Sunday, August 20, 2017 10:28 AM
Subject: Re: Issues with TCL Roku TVs

We do have dashes in the names.

That is a thought, and could test that out.

Not sure we would change all the SSIDs just to get one brand of TVs to work.

Kevin McCormick
Network Administrator
University Technology - Western Illinois University
ke-mccorm...@wiu.edu | (309) 298-1335 | Morgan Hall 106b

On Sun, Aug 20, 2017 at 8:59 AM, Francis Walker wrote:

Hi Kevin, just a shot in the dark here, but would your SSIDs contain any 
special characters?  I have seen problems with certain TVs where they 
won't associate if the SSID had certain special characters in it.


Thanks,
Joe

Joe Walker
Computing and Telecommunication Services
Kansas State University
(785)532-4997
f...@ksu.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Mccormick, Kevin
Sent: Saturday, August 19, 2017 9:08:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Issues with TCL Roku TVs

We took a test AP from the test network up to the room and connected.

Before I left to go there I set the data rate to the defaults, all the default 
b/g data rates were active on the AP.

None of the test SSIDs would show on the TV when we scanned for networks.

Kevin McCormick
Network Administrator
University Technology - Western Illinois University
ke-mccorm...@wiu.edu | (309) 298-1335 | Morgan Hall 106b

On Sat, Aug 19, 2017 at 8:40 PM, Norton, Thomas (Network Operations) wrote:
Have you tried enabling 1, or 5.5? I agree with Kelly, if enabled I would def 
disable 802.11r to see if it could be affecting it.  I still highly recommend 
completing a wpcap to understand the client behavior.
T.J. Norton
Wireless Network Architect
Network Operations - Wireless

(434) 592-6552


Liberty University  |  Training Champions for Christ since 1971

On Aug 19, 2017, at 9:21 PM, Slone, Kelly wrote:
Do you have 802.11r enabled?  If so test with it disabled.   We've been seeing 
this behavior with other devices when 802.11r is enabled.

Thanks,
Kelly Slone

Sent from my iPhone

On Aug 19, 2017, at 8:29 PM, Mccormick, Kevin wrote:
We have 3 SSIDs.

One for PEAP and EAP-TLS.
One open for onboarding.
One for PSK.

We have 1,2,5.5,6,9,11 disabled, 12,18 supported, 24 mandatory, and 36, 48, 54 
supported.

We tried a test system AP in their room with the Cisco default rates and those 
SSIDs would not show on that TV.

Other TV in the room was an Insignia Roku TV and that TV saw all the SSIDs 
including our test SSIDs.


Kevin McCormick
Network Administrator
University Technology - Western Illinois University
ke-mccorm...@wiu.edu | (309) 298-1335 | Morgan Hall 106b

RE: multicast enabled on your wireless network?

2017-08-22 Thread Osborne, Bruce W (Network Operations)
Tariq,

We have been running multicast on wireless for IPTV for several years on our 
Aruba wireless infrastructure. Since you mentioned "flexconnect" that implies, 
to me, a Cisco wireless infrastructure so my experience may not apply to your 
situation.

We helped them test their "Dynamic Multicast Optimization" from early alpha and 
we initially deployed the beta to Production. It has been very good for our 
user experience and we have not noticed appreciable loading. We will be moving 
away from multicast because we will be switching to a vendor that is not using 
multicast.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Tariq Adnan [mailto:tariq.ad...@sydney.edu.au]
Sent: Tuesday, August 15, 2017 8:11 PM
Subject: multicast enabled on your wireless network?

Hello everyone,

Just checking if you guys have multicast enabled on your wireless network and 
if you have come across any performance issues arising after enabling it? Is 
multicast widely used in your network?

I am working on a POC which has requirements that can be fulfilled by either 
enabling multicast or converting a few APs to flexconnect mode. I am more in 
favour of the latter method but again want to know your views.

Thanks,
-
Cheers,

Kind regards,
Tariq Adnan




RE: EAP-TLS

2017-08-21 Thread Osborne, Bruce W (Network Operations)
We are currently evaluating onboarding solutions to move away from Wizard. Be 
sure to check out other vendors such as SecureW2 in addition to ES. You can 
then make the best choice for your situation.

 
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Richard Nedwich [mailto:rich.nedw...@brocade.com] 
Sent: Tuesday, August 15, 2017 6:24 PM
Subject: Re: EAP-TLS

Hi,

This is in no way a sales pitch, just want to share a few thoughts from Kevin 
Koster, Chief Architect and Founder of Cloudpath, who is still at Ruckus, and 
LB said this would be OK.

Thank you,
Rich Nedwich
Dir of Product Marketing, Education
Ruckus

 Kevin K. =
"To address the ‘open vs secure’ question, I would suggest that this topic be a 
roundtable at EDUCAUSE annual.  This discussion should really start with a 
reevaluation of the value prop of student/guest Wi-Fi to the university’s 
mission.  If the value prop is no greater than coffee shop Wi-Fi, it may be 
time to think of the network as a smart city-type deployment, which may 
possibly benefit from inviting something like LinkNYC onto campus to serve the 
students’ & guests’ Wi-Fi needs.  If the value prop is greater, the HEDU 
community should probably come together to ensure the industry moves in a 
manner that benefits HEDU (similar to service providers defining Passpoint).
 
To clear up the confusion on EOL of the Wizard:
1. “XpressConnect Wizard” is moving toward end-of-support on December 30, 2019.
   This is the client-side executables managed via xpc.cloudpath.net.  The
   migration path for wizard customers is to move to Cloudpath ES.
2. “Cloudpath ES” is the path forward for all Cloudpath functionality, and
   currently on ver 5.1.  It contains the wizard’s client functionality as well
   as server-side functionality (like reporting, mac reg, CA, etc).  It is
   managed either in your own VM or via onboard*.cloudpath.net.
 
Most customers are currently on Cloudpath ES, but if you have questions, please 
contact Trish (sa...@cloudpath.net).




RE: EAP-TLS

2017-08-15 Thread Osborne, Bruce W (Network Operations)
Lee,

If you do that here with our PEAP-MSCHAPv2, you break when the server 
certificate is updated. If you onboard properly you only trust the certificate 
chain and keep on working.

EAP-TLS has the advantage of stopping people from trying to work around the 
system and then complaining when they break later.

 
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971
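
The difference described in the reply above, between a client that remembered one exact server certificate and a client that trusts the issuing CA plus a server name, can be reproduced offline with the OpenSSL command line. This is an added example, not part of the original messages; the CA names, `radius.example.edu` and the helper functions are constructed placeholders that stand in for what a supplicant checks.

```shell
#!/bin/sh
# Added example: constructed lab PKI. All names (Example Campus Root CA,
# radius.example.edu, printer.example.edu) are placeholders, not values
# taken from the thread. Requires the openssl command-line tool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <prefix> <common name>: self-signed root (key + certificate).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert <ca prefix> <cert prefix> <dns name>: fresh key pair and a
# server certificate for <dns name>, signed by the given CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -days 30 \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

# fingerprint <cert prefix>: SHA-256 fingerprint of the certificate.
fingerprint() {
  openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

# pin_accepts <pinned fingerprint> <cert prefix>: models a client that
# accepted one specific server certificate at first connect.
pin_accepts() {
  [ "$(fingerprint "$2")" = "$1" ]
}

# chain_accepts <trusted ca prefix> <cert prefix> <expected name>: models an
# onboarded client that trusts the issuing CA and one server name.
chain_accepts() {
  openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$3" \
    "$WORK/$2.pem" 2>/dev/null | grep -q ': OK$'
}

# report <label> <check> <args...>: print accept/reject for one check.
report() {
  label=$1; shift
  if "$@"; then echo "$label: accept"; else echo "$label: reject"; fi
}

make_ca campus "Example Campus Root CA"
make_ca other  "Unrelated Root CA"

issue_cert campus old radius.example.edu        # certificate in use at onboarding
PIN=$(fingerprint old)                          # what the pinning client stored
issue_cert campus new radius.example.edu        # routine renewal: same CA, same name
issue_cert other  foreign radius.example.edu    # same name, CA the client never trusted
issue_cert campus wrongname printer.example.edu # trusted CA, different server name

report "pinned cert, before renewal     " pin_accepts "$PIN" old
report "pinned cert, after renewal      " pin_accepts "$PIN" new
report "CA + name,   before renewal     " chain_accepts campus old radius.example.edu
report "CA + name,   after renewal      " chain_accepts campus new radius.example.edu
report "CA + name,   untrusted issuer   " chain_accepts campus foreign radius.example.edu
report "CA + name,   wrong server name  " chain_accepts campus wrongname radius.example.edu
```

The pinned client rejects the renewed certificate, while the CA-plus-name client accepts it and still rejects both the untrusted issuer and the mismatched name.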

-Original Message-
From: Lee H Badman [mailto:lhbad...@syr.edu] 
Sent: Monday, August 14, 2017 1:29 PM
Subject: Re: EAP-TLS

One interesting trade-off: if I have good AD credentials and pop up a new Mac 
or Windows machine without any kind of onboarding in play, I will get on the 
network quickly one way or the other with PEAP/MS-CHAPv2. Maybe I'm prompted 
to accept the server, but I'll get on. This is good and bad. I got on, but not 
the way that the Security and Network folks might have wanted me to get on- 
because the cert stuff is optional with PEAP/MS-CHAPv2 on non-AD machines that 
you don't control. That's arguably bad.

But... I got on. And I got authentication and encryption, without IT 
intervention. From the user perspective, this is good. I didn't have to 
onboard, I didn't need IT help. I wasn't stranded if I didn't understand what 
the onboarding SSID is all about, etc.

With TLS- you get properly onboarded, or you're sucking wind until you do. But 
once you do, TLS' advantages kick in as described in this thread. But that 
"easy on" thing is gone... no matter how simple you make TLS onboarding, it 
still requires end users to comprehend it. So, to me, part of going to TLS is 
with the understanding that occasionally someone will be stranded by their own 
lack of understanding the process, that somebody may be someone important 
and/or vocal, the stranding will occur at the worst time of day and in the 
worst circumstance in accordance with Murphy's Law, and there will be some 
increase in related trouble calls. 

None of this negates TLS' value, but at the same time you have to go into it 
with your eyes open to the perspective of the BYOD crowd on campus versus what 
they are currently accustomed to.

One man's o-pinion.

-Lee

Lee Badman | Network Architect 

Certified Wireless Network Expert (#200) Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu SYRACUSE 
UNIVERSITY syr.edu


-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis K. Larsen
Sent: Monday, August 14, 2017 1:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

Excellent Point.  We did some testing with LDAP group lookups, etc. vs. 
checking for an attribute in a user certificate for authorization and found the 
performance to be significantly better for the same number of authentications 
when *not* having to wait for LDAP.  Another benefit is not having to worry 
about users that have trouble typing passwords/getting their account locked out 
for failed attempts. 


--
Curtis K. Larsen
Senior Network Engineer
University of Utah IT/CIS



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 on behalf of Curtis, Bruce 

Sent: Monday, August 14, 2017 10:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

> On Aug 11, 2017, at 7:45 AM, Bucklaew, Jerry  wrote:
>
> To ALL:
>
>
>
>
>
>I am going to amend my initial request to "does anyone have any other 
> reasons to switch to eap-tls besides the ones I list below"? I am trying to 
> build a case for switching and want to gather all the benefits.

  One other benefit that I haven't seen mentioned in the thread yet is that 
EAP-TLS removes dependency on Active Directory or other identity box.
  So an outage or slowdown of Active Directory (or other external box) does not 
affect RADIUS and wireless logins.


> From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, 
> Jerry
> Sent: Thursday, August 10, 2017 3:36 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] EAP-TLS
>
>
>
> Lee,
>
>
>
>I want to state first that I am not, by any means, an expert on all of the 
> authentication standards and protocols.  I was hoping someone would have a 
> document that would help better articulate the goals and benefits.
>
>
>
> We have been an eap-peap shop for years and I have always been told that 
> eap-tls (cert based authentication) is more secure and you should do that.  I 
> never had the time to deal with it and putting up a cert based infrastructure 
> just seemed daunting.   I finally have some time and have started to play 

RE: EAP-TLS

2017-08-15 Thread Osborne, Bruce W (Network Operations)
Thanks. 

That is basically machine authentication only. We need to differ access based 
on who is logged in. The Login profile can do that, but if you typo your 
password it continues to try your old one while prompting for a correct one. 
This locks the user account.

 
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Curtis, Bruce [mailto:bruce.cur...@ndsu.edu] 
Sent: Monday, August 14, 2017 12:49 PM
Subject: Re: EAP-TLS


> On Aug 11, 2017, at 6:45 AM, Osborne, Bruce W (Network Operations) 
> <bosbo...@liberty.edu> wrote:
> 
> Jerry,
> 
>  
> 
> I find some of your comments interesting. We have many things in common. We 
> are also an Aruba wireless / ClearPass customer using PEAP-MSCHAPv2 & MAC 
> Auth. Although we initially designed for full Cisco wired 802.1X we have been 
> running a strange Cisco config that uses it somewhat but does not restrict 
> unauthenticated devices.
> 
>  
> 
> We have been a CloudPath Wizard customer for years. Since this product has 
> been deprecated, we are evaluating onboarding vendors. We have an engineer 
> from a former government contractor who wants us to move to EAP-TLS. So far, 
> we have found ClearPass Onboard licensing costs to be much higher than the 
> other vendors.
> 
>  
> 
> I have been having a big challenge on how to configure 802.1x (likely 
> PEAP-MSCHAPv2 or EAP-TLS) for Computer Lab computers that can have many new 
> users. We are currently doing User auth for MacOS but that requires an 
> initial logon on wired to get the user profile stored locally. I have tried 
> using MacOS Logon profile but I find if a user typoes their password that 
> although they are prompted for a new password, the system still tries to use 
> the old one during that time and locks the user account ☹
> 
>  
> 
> What are people here doing for 802.1X and MacOS Labs? We are seeing a trend 
> for wireless Labs with dedicated APs & SSID for the machines because the cost 
> is much less than having a network drop per machine. Our current wireless 
> MacOS Lab was implemented last summer with a PSK as a temporary workaround. 
> We definitely need to move away from that. Windows handles 802.1X much 
> better, IMHO.

  We have had MacOS Labs use EAP-TLS in the past.  I haven’t checked with our 
cluster folks to see if we have an instance of that right now with current 
MacOS X versions.

  With the config we used the Macs were connected to the wireless network 
whenever they were powered on.  


  These links seem similar to what I remember we did.

https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/

https://ntsystems.it/post/joining-wifi-before-login-on-mac-os-x-108

https://discussions.apple.com/thread/6763950?start=0



This link is about a different problem but one of the posts mentions

"No issues here. We have profile-based Wifi logon to accomplish a machine-auth 
type deal on our Macs, so nothing with certs (we're an AD shop).

Upgraded from 10.12.4 to 10.12.5 on test machine”

So it sounds like it is still doable although the quote above doesn’t use 
EAP-TLS.



This info might be helpful

https://kevinbecker.org/blog/2015/03/26/mac-os-x-wpa2-enterprise-authentication-using-a-microsoft-ca-part-2-2

http://help.apple.com/profilemanager/mac/2.1/#apd07AA-30C6-4FD2-B2E0-E0C95658A2C4




> Bruce Osborne
> 
> Senior Network Engineer
> 
> Network Operations - Wireless
> 
>  (434) 592-4229
> 
> LIBERTY UNIVERSITY
> 
> Training Champions for Christ since 1971
> 
>  
> 
> From: Bucklaew, Jerry [mailto:j...@buffalo.edu] 
> Sent: Thursday, August 10, 2017 3:36 PM
> Subject: Re: EAP-TLS
> 
>  
> 
> Lee,
> 
>  
> 
>I want to state first that I am not, by any means, an expert on all of the 
> authentication standards and protocols.  I was hoping someone would have a 
> document that would help better articulate the goals and benefits.
> 
>  
> 
> We have been an eap-peap shop for years and I have always been told that 
> eap-tls (cert based authentication) is more secure and you should do that.  I 
> never had the time to deal with it and putting up a cert based infrastructure 
> just seemed daunting.   I finally have some time and have started to play 
> with it.  We are an Aruba shop and the clearpass Onboard system seems pretty 
> simple to implement and get EAP-TLS working.
> 
>  
> 
> Now to the why.   It seems that the ability to separate username/password 
> from network authentication has some benefits.   If a user changes his 
> username/password it no longer affects his network connectivity.  If we want 
> to blacklist a device it will be easy as each dev

RE: EAP-TLS

2017-08-15 Thread Osborne, Bruce W (Network Operations)
Cloudpath has asked me to share their information for anybody with additional 
questions about CloudPath Wizard EOL.


Trish Rilling
Cloudpath Sales Program Manager
Desk: 303.872.7127
Mobile: 303.518.0686
Email: patricia.rill...@brocade.com

 
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Misra, Sapna [mailto:sapna.tripa...@vumc.org] 
Sent: Tuesday, August 15, 2017 11:38 AM
Subject: Re: EAP-TLS

Hi Bruce,

I am curious about your statement "We have been a CloudPath Wizard customer for 
years. Since this product has been deprecated, we are evaluating onboarding 
vendors." 
Is Ruckus not going to support it anymore? 

Best,

Sapna Misra | Senior Network Engineer | Information Technology | Vanderbilt 
University Medical Center sapna.tripa...@vanderbilt.edu | Phone 615-875-8876 



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis, Bruce
Sent: Monday, August 14, 2017 11:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS


> On Aug 11, 2017, at 6:45 AM, Osborne, Bruce W (Network Operations) 
> <bosbo...@liberty.edu> wrote:
> 
> Jerry,
> 
>  
> 
> I find some of your comments interesting. We have many things in common. We 
> are also an Aruba wireless / ClearPass customer using PEAP-MSCHAPv2 & MAC 
> Auth. Although we initially designed for full Cisco wired 802.1X we have been 
> running a strange Cisco config that uses it somewhat but does not restrict 
> unauthenticated devices.
> 
>  
> 
> We have been a CloudPath Wizard customer for years. Since this product has 
> been deprecated, we are evaluating onboarding vendors. We have an engineer 
> from a former government contractor who wants us to move to EAP-TLS. So far, 
> we have found ClearPass Onboard licensing costs to be much higher than the 
> other vendors.
> 
>  
> 
> I have been having a big challenge on how to configure 802.1x (likely 
> PEAP-MSCHAPv2 or EAP-TLS) for Computer Lab computers that can have 
> many new users. We are currently doing User auth for MacOS but that 
> requires an initial logon on wired to get the user profile stored 
> locally. I have tried using MacOS Logon profile but I find if a user 
> typoes their password that although they are prompted for a new 
> password, the system still tries to use the old one during that time 
> and locks the user account ☹
> 
>  
> 
> What are people here doing for 802.1X and MacOS Labs? We are seeing a trend 
> for wireless Labs with dedicated APs & SSID for the machines because the cost 
> is much less than having a network drop per machine. Our current wireless 
> MacOS Lab was implemented last summer with a PSK as a temporary workaround. 
> We definitely need to move away from that. Windows handles 802.1X much 
> better, IMHO.

  We have had MacOS Labs use EAP-TLS in the past.  I haven’t checked with our 
cluster folks to see if we have an instance of that right now with current 
MacOS X versions.

  With the config we used the Macs were connected to the wireless network 
whenever they were powered on.  


  These links seem similar to what I remember we did.

https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/

https://ntsystems.it/post/joining-wifi-before-login-on-mac-os-x-108

https://discussions.apple.com/thread/6763950?start=0



This link is about a different problem but one of the posts mentions

"No issues here. We have profile-based Wifi logon to accomplish a machine-auth 
type deal on our Macs, so nothing with certs (we're an AD shop).

Upgraded from 10.12.4 to 10.12.5 on test machine”

So it sounds like it is still doable although the quote above doesn’t use 
EAP-TLS.



This info might be helpful

https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fkevinbecker.org%2Fblog%2F2015%2F03%2F26%2Fmac-os-x-wpa2-enterprise-authentication-using-a-microsoft-ca-

RE: EAP-TLS

2017-08-15 Thread Osborne, Bruce W (Network Operations)
Sapna,

CloudPath Wizard has been deprecated and you can migrate to CloudPath ES (now 
known as just CloudPath). Your sales rep will be able to give you incredible 
pricing. They also have great pricing for you if you wish to use their full 
RADIUS server / CA functionality.

Currently, there are only 2 support people I know of that know the Wizard 
product.  The EOL letter was sent out in 2016. End of support is December 2019.

 
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Misra, Sapna [mailto:sapna.tripa...@vumc.org] 
Sent: Tuesday, August 15, 2017 11:38 AM
Subject: Re: EAP-TLS

Hi Bruce,

I am curious about your statement "We have been a CloudPath Wizard customer for 
years. Since this product has been deprecated, we are evaluating onboarding 
vendors." 
Is Ruckus not going to support it anymore? 

Best,

Sapna Misra | Senior Network Engineer | Information Technology | Vanderbilt 
University Medical Center sapna.tripa...@vanderbilt.edu | Phone 615-875-8876 



-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis, Bruce
Sent: Monday, August 14, 2017 11:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS


> On Aug 11, 2017, at 6:45 AM, Osborne, Bruce W (Network Operations) 
> <bosbo...@liberty.edu> wrote:
> 
> Jerry,
> 
>  
> 
> I find some of your comments interesting. We have many things in common. We 
> are also an Aruba wireless / ClearPass customer using PEAP-MSCHAPv2 & MAC 
> Auth. Although we initially designed for full Cisco wired 802.1X we have been 
> running a strange Cisco config that uses it somewhat but does not restrict 
> unauthenticated devices.
> 
>  
> 
> We have been a CloudPath Wizard customer for years. Since this product has 
> been deprecated, we are evaluating onboarding vendors. We have an engineer 
> from a former government contractor who wants us to move to EAP-TLS. So far, 
> we have found ClearPass Onboard licensing costs to be much higher than the 
> other vendors.
> 
>  
> 
> I have been having a big challenge on how to configure 802.1x (likely 
> PEAP-MSCHAPv2 or EAP-TLS) for Computer Lab computers that can have 
> many new users. We are currently doing User auth for MacOS but that 
> requires an initial logon on wired to get the user profile stored 
> locally. I have tried using MacOS Logon profile but I find if a user 
> typoes their password that although they are prompted for a new 
> password, the system still tries to use the old one during that time 
> and locks the user account ☹
> 
>  
> 
> What are people here doing for 802.1X and MacOS Labs? We are seeing a trend 
> for wireless Labs with dedicated APs & SSID for the machines because the cost 
> is much less than having a network drop per machine. Our current wireless 
> MacOS Lab was implemented last summer with a PSK as a temporary workaround. 
> We definitely need to move away from that. Windows handles 802.1X much 
> better, IMHO.

  We have had MacOS Labs use EAP-TLS in the past.  I haven’t checked with our 
cluster folks to see if we have an instance of that right now with current 
MacOS X versions.

  With the config we used the Macs were connected to the wireless network 
whenever they were powered on.  


  These links seem similar to what I remember we did.

https://www.afp548.com/2012/11/20/802-1x-eaptls-machine-auth-mtlion-adcerts/

https://ntsystems.it/post/joining-wifi-before-login-on-mac-os-x-108

https://discussions.apple.com/thread/6763950?start=0



This link is about a different problem but one of the posts mentions

"No issues here. We have profile-based Wifi logon to accomplish a machine-auth 
type deal on our Macs, so nothing with certs (we're an AD shop).

Upgraded from 10.12.4 to 10.12.5 on test machine”

So it sounds like it is still doable although the quote above doesn’t use 
EAP-TLS.



This info might be helpfu

RE: EAP-TLS

2017-08-14 Thread Osborne, Bruce W (Network Operations)
We have door locks in our newer residences running PEAP-MSCHAPv2 with a service 
account per building.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Chuck Enfield [mailto:chu...@psu.edu]
Sent: Friday, August 11, 2017 8:52 AM
Subject: Re: EAP-TLS

For certain types of devices (lab and loaner laptops, for example) there is 
support value in having network connectivity without the need for a user to log 
on.

EAP-TLS is the only enterprise auth method supported for some IoT devices.  We 
have quite a few door locks in this category.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry
Sent: Friday, August 11, 2017 8:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

To ALL:


   I am going to amend my initial request to "does anyone have any other 
reasons to switch to eap-tls besides the ones I list below"? I am trying to 
build a case for switching and want to gather all the benefits.



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry
Sent: Thursday, August 10, 2017 3:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

Lee,

   I want to state first that I am not, by any means, an expert on all of the 
authentication standards and protocols.  I was hoping someone would have a 
document that would help better articulate the goals and benefits.

We have been an eap-peap shop for years and I have always been told that eap-tls 
(cert based authentication) is more secure and you should do that.  I never had 
the time to deal with it and putting up a cert based infrastructure just seemed 
daunting.   I finally have some time and have started to play with it.  We are 
an Aruba shop and the clearpass Onboard system seems pretty simple to implement 
and get EAP-TLS working.

Now to the why.   It seems that the ability to separate username/password from 
network authentication has some benefits.   If a user changes his 
username/password it no longer affects his network connectivity.  If we want to 
blacklist a device it will be easy as each device will have its own cert. So we 
can blacklist one device and let the rest still on.  We could do those things 
today but it is just a little harder to do with eap-peap.   We can also get 
users out of storing their usernames and passwords, because everyone does it 
with eap-peap. The thought process went, if you are going to run an on-board 
process anyway, why not onboard with eap-tls.  On the wireless side that is 
really all I have.  I have always been told it is more secure so have always 
thought I should try and get there.

Now, we are also moving to wired authentication on every port.   We are 
supporting both mac auth and 802.1x (eap-peap).  We did this to get the project 
moving and get all ports to some type of authentication.  Now 802.1x on the 
wired side is just plain difficult.  Nothing except Macs are set up for it out 
of the box.   You need admin rights on the machine to set it up (which many 
people on the wired side don't have) and you almost have to run through some 
type of onboard process to do it en masse.   You have to deal with stuff like 
network logons and mounting drives before authentication. We also don't want 
the users storing usernames and password and everyone will because no one wants 
to type it in every time.   I am back to the if you are going to run through an 
onboard process anyway, will certs make it a little easier.   It gives you the 
username/password separation.   The ability to revoke per device, and once 
onboarded, never have to be bothered again (until the cert expires).

I am not really concerned about peap being deprecated, it will be around 
forever.   I am not really concerned about usernames and passwords being stolen 
because of eap-peap, there are so many easier ways to do that.  I guess it is 
really the username/password separation and the "thought" that it is the most 
secure method.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, August 10, 2017 3:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

Jerry,

Am curious your reasons for TLS, like if anything beyond "it's better". Concern 
for PEAP being deprecated, etc?

Lee

-Original Message-
From: Bucklaew, Jerry [j...@buffalo.edu]
Received: Thursday, 10 Aug 2017, 14:42
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
Subject: Re: [WIRELESS-LAN] EAP-TLS
To ALL:


  We currently do mac auth and 

RE: EAP-TLS

2017-08-11 Thread Osborne, Bruce W (Network Operations)
Jerry,

I find some of your comments interesting. We have many things in common. We are 
also an Aruba wireless / ClearPass customer using PEAP-MSCHAPv2 & MAC Auth. 
Although we initially designed for full Cisco wired 802.1X we have been running 
a strange Cisco config that uses it somewhat but does not restrict 
unauthenticated devices.

We have been a CloudPath Wizard customer for years. Since this product has been 
deprecated, we are evaluating onboarding vendors. We have an engineer from a 
former government contractor who wants us to move to EAP-TLS. So far, we have 
found ClearPass Onboard licensing costs to be much higher than the other 
vendors.

I have been having a big challenge on how to configure 802.1x (likely 
PEAP-MSCHAPv2 or EAP-TLS) for Computer Lab computers that can have many new 
users. We are currently doing User auth for MacOS but that requires an initial 
logon on wired to get the user profile stored locally. I have tried using MacOS 
Logon profile but I find if a user typoes their password that although they are 
prompted for a new password, the system still tries to use the old one during 
that time and locks the user account ☹

What are people here doing for 802.1X and MacOS Labs? We are seeing a trend for 
wireless Labs with dedicated APs & SSID for the machines because the cost is 
much less than having a network drop per machine. Our current wireless MacOS 
Lab was implemented last summer with a PSK as a temporary workaround. We 
definitely need to move away from that. Windows handles 802.1X much better, 
IMHO.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Bucklaew, Jerry [mailto:j...@buffalo.edu]
Sent: Thursday, August 10, 2017 3:36 PM
Subject: Re: EAP-TLS

Lee,

   I want to state first that I am not, by any means, an expert on all of the 
authentication standards and protocols.  I was hoping someone would have a 
document that would help better articulate the goals and benefits.

We have been an eap-peap shop for years and I have always been told that eap-tls 
(cert based authentication) is more secure and you should do that.  I never had 
the time to deal with it and putting up a cert based infrastructure just seemed 
daunting.   I finally have some time and have started to play with it.  We are 
an Aruba shop and the clearpass Onboard system seems pretty simple to implement 
and get EAP-TLS working.

Now to the why.   It seems that the ability to separate username/password from 
network authentication has some benefits.   If a user changes his 
username/password it no longer affects his network connectivity.  If we want to 
blacklist a device it will be easy as each device will have its own cert. So we 
can blacklist one device and let the rest still on.  We could do those things 
today but it is just a little harder to do with eap-peap.   We can also get 
users out of storing their usernames and passwords, because everyone does it 
with eap-peap. The thought process went, if you are going to run an on-board 
process anyway, why not onboard with eap-tls.  On the wireless side that is 
really all I have.  I have always been told it is more secure so have always 
thought I should try and get there.

Now, we are also moving to wired authentication on every port.   We are 
supporting both mac auth and 802.1x (eap-peap).  We did this to get the project 
moving and get all ports to some type of authentication.  Now 802.1x on the 
wired side is just plain difficult.  Nothing except Macs are set up for it out 
of the box.   You need admin rights on the machine to set it up (which many 
people on the wired side don’t have) and you almost have to run through some 
type of onboard process to do it en masse.   You have to deal with stuff like 
network logons and mounting drives before authentication. We also don’t want 
the users storing usernames and password and everyone will because no one wants 
to type it in every time.   I am back to the if you are going to run through an 
onboard process anyway, will certs make it a little easier.   It gives you the 
username/password separation.   The ability to revoke per device, and once 
onboarded, never have to be bothered again (until the cert expires).

I am not really concerned about peap being deprecated, it will be around 
forever.   I am not really concerned about usernames and passwords being stolen 
because of eap-peap, there are so many easier ways to do that.  I guess it is 
really the username/password separation and the “thought” that it is the most 
secure method.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Thursday, August 10, 2017 3:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] EAP-TLS

Jerry,

Am curious your reasons for TLS, like if anything beyond "it's 

RE: New Crazy Wireless Devices

2017-08-01 Thread Osborne, Bruce W (Network Operations)
Our students are wireless only, though. Any idea what protocols they use for 
discovery? It probably could be added to Aruba AirGroup.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Hunter Fuller [mailto:hf0...@uah.edu]
Sent: Monday, July 31, 2017 6:04 PM
Subject: Re: New Crazy Wireless Devices

We saw a surge of these after the 2015 holiday season. Like other gaming 
devices, we MAC whitelist, and recommend that the users use wired if possible. 
Haven't seen much trouble out of them.

On Mon, Jul 31, 2017 at 3:39 PM Peter P Morrissey wrote:
Wondering if anyone has noticed any new trends in popular wireless devices that 
we might expect returning students to want to connect in their residences when 
they return?

Not being a gamer, this one was new to me. It apparently streams games 
running on your laptop to your TV over a WiFi connection and also provides 
input for controllers. Seems like something that could use up a bit of 
bandwidth. The good news is that it appears to support 11ac.

http://store.steampowered.com/app/353380/Steam_Link/

Pete Morrissey


** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
--

--
Hunter Fuller
Network Engineer
VBH Annex B-5
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure



RE: 802.1x expired certificate (Eduroam)

2017-07-05 Thread Osborne, Bruce W (Network Operations)
We do not use EDUROAM.
We configure our current PEAP-MSCHAPv2 clients to trust the certificate chain 
and a specific server name in the certificate. We can update the server 
certificate so long as the certificate chain is the same.

 
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Cappalli, Tim (Aruba Security) [mailto:t...@hpe.com] 
Sent: Tuesday, July 4, 2017 2:13 PM
Subject: Re: 802.1x expired certificate (Eduroam)

It really depends on how the supplicant is configured. If a configuration tool 
was used, it may have locked the supplicant to a specific cert and disallowed 
the user to approve exceptions.

 

On 7/4/17, 11:34 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv 
on behalf of Julian Y Koh"  wrote:

> On Jul 3, 2017, at 17:38, Marcelo Maraboli  wrote:
> 
> What happens on the supplicant side of the 802.1x (User) when the
> Radius certificate expires ?
> 
> I am interested in what the user will face and HAVE to do.
> 
> We have found 2 possibilities:
> a) The user is prompted to "trust" the new certificate and that's it.

This has been our experience.  Some clients behave differently here and 
there due to bugs and/or config differences, but generally the worst that 
happens is that people need to trust the new certificate.

-- 
Julian Y. Koh
Associate Director, Telecommunications and Network Services
Northwestern Information Technology

2001 Sheridan Road #G-166
Evanston, IL 60208
+1-847-467-5780
Northwestern IT Web Site: 
PGP Public Key: 




RE: mDNS Containment with Meraki or WLC

2017-06-01 Thread Osborne, Bruce W (Network Operations)
You asked about better ways of containing this. The Aruba AirGroup has provided 
this functionality for years on the Aruba wireless system. 
You will likely find it less expensive than the Cisco alternative too.

Our users connect to our 802.1X secure SSID while the devices connect to our 
device SSID. You can restrict by username, AP, AP Group, firewall User Role, or 
any combination.

 
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Christina Klam [mailto:ck...@ias.edu] 
Sent: Wednesday, May 31, 2017 9:36 AM
Subject: mDNS Containment with Meraki or WLC

All,

We are building housing for our emeritus faculty members.  These will be 
private townhouses on our campus that will be networked by us. We are now 
discussing whether the switches and AP should be Cisco or Meraki (I realize 
Meraki is now Cisco).  The decision point lies in how the two product lines 
handle BonJour/mDNS.  

GOAL:   Residents in one townhouse can only connect to the mDNS devices located 
in their homes or devices associated with their userid.  Ideally, we want to 
broadcast the same SSIDs as on campus to reduce confusion. 

Proposed Way of Doing This:  One way we are thinking this can be done is to use 
the info already in our self-registration portal.  In that database, we have 
user name and mac address; so we will know which devices belong to whom.  Using 
this information, we hope to limit mDNS access to devices within the private 
homes to just the devices registered to that home.    


Questions:  Are there better ways of accomplishing the goal? Can this be done 
by either product?  I will be testing mDNS Service Groups on our WLC running 
8.2.121.0 this week.  Should we just create a SSID per home (thus containing 
the mDNS to each home.  Note:  This doesn't work on the WLCs as you are forced 
to use a single multicast VLAN used by ALL SSIDs) and broadcast a shared 
"guest" SSID among the townhouses so that people can visit each other?  How 
have you addressed this issue on your Residence Halls?

Thank you,
Christina Klam
Network Engineer
Institute for Advanced Study
609-734-8154
ck...@ias.edu
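
The registration-database approach proposed in the original message above, sketched as an added example (it is not part of either post and is not Cisco, Meraki or Aruba code). The `home` field, the reason strings and all sample names and MAC addresses are assumptions constructed for illustration; the MACs come from the documentation range 00:00:5e:00:53:xx.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    mac: str      # as entered in the portal, any common format
    user_id: str  # owner of the device
    home: str     # assumed field: where the device is registered


_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Accept aa:bb.., AA-BB.. or aabb.ccdd.eeff and return lowercase colon form."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the locally-administered bit is set, as on randomized client MACs."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


class MdnsPolicy:
    """Default-deny: a querier sees an advertiser only if both are registered
    and they share a user ID or a home."""

    def __init__(self, registrations):
        self._by_mac = {normalize_mac(r.mac): r for r in registrations}

    def decide(self, querier_mac, advertiser_mac):
        q = self._by_mac.get(normalize_mac(querier_mac))
        a = self._by_mac.get(normalize_mac(advertiser_mac))
        if q is None:
            # A randomized MAC can never match a portal entry; report it
            # separately so the help desk can tell the two cases apart.
            if is_locally_administered(querier_mac):
                return False, "querier-randomized-mac"
            return False, "querier-unregistered"
        if a is None:
            return False, "advertiser-unregistered"
        if q.user_id == a.user_id:
            return True, "same-user"
        if q.home == a.home:
            return True, "same-home"
        return False, "different-home-and-user"

    def visible_services(self, querier_mac, adverts):
        """adverts: iterable of (advertiser_mac, service_instance_name)."""
        return [name for mac, name in adverts
                if self.decide(querier_mac, mac)[0]]


# Constructed sample data (not from any real portal).
SAMPLE_REGISTRATIONS = [
    Registration("00:00:5E:00:53:01", "alice", "TH-01"),   # laptop
    Registration("00-00-5e-00-53-02", "alice", "TH-01"),   # Apple TV
    Registration("0000.5e00.5303", "carol", "TH-01"),      # speaker, same home
    Registration("00:00:5e:00:53:04", "bob", "TH-02"),     # printer next door
    Registration("00:00:5e:00:53:05", "alice", "OFFICE"),  # alice's office printer
]
SAMPLE_ADVERTS = [
    ("00:00:5e:00:53:02", "Living Room._airplay._tcp.local"),
    ("00:00:5e:00:53:03", "Kitchen Speaker._raop._tcp.local"),
    ("00:00:5e:00:53:04", "Bob Printer._ipp._tcp.local"),
    ("00:00:5e:00:53:05", "Alice Office Printer._ipp._tcp.local"),
    ("00:00:5e:00:53:99", "Unknown._http._tcp.local"),
]

if __name__ == "__main__":
    policy = MdnsPolicy(SAMPLE_REGISTRATIONS)
    for querier in ("00:00:5e:00:53:01", "00:00:5e:00:53:04", "da:a1:19:00:00:01"):
        print(querier, policy.visible_services(querier, SAMPLE_ADVERTS))
```

Clients that use a randomized (locally administered) MAC fall into the default-deny branch because the portal has no matching entry, which is the main operational gap in keying this policy on MAC addresses.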




RE: WLC P2P traffic drop

2017-05-24 Thread Osborne, Bruce W (Network Operations)

I do not know if you have Cisco Wi-Fi phones (7821, 7925) or use Cisco 
softphones, but they use peer to peer connections for calls after the initial 
Call Manager setup.
Microsoft Lync / Skype for Business uses peer to peer for calls on your local 
network rather than have both parties use an Internet server.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Tariq Adnan [mailto:tariq.ad...@sydney.edu.au]
Sent: Tuesday, May 23, 2017 1:54 AM
Subject: WLC P2P traffic drop

Hello everyone,

In regards to recent ransomware attacks, we have been planning to take a few 
steps to secure our wireless networks.

I am thinking about dropping P2P traffic for a main WLAN on WLC but I am not 
sure if that could break any application like zoom, remote desktop, 
file-sharing, wireless printers, Apple TV etc.

Can anyone who has implemented this shed some light on this topic? Were 
applications similar to those mentioned above affected after P2P traffic blocking?

Thanks,
-
Cheers,
Tariq



RE: Apple TV/Apple Configurator

2017-05-22 Thread Osborne, Bruce W (Network Operations)

The Apple Configurator requires an OS X computer and we are primarily Windows. 
We use ClearPass mac address authentication on our open Aruba Networks gaming 
SSID for Apple TVs. Even though the clients are on our secure SSID, the 
AirGroup software-defined networking connects the devices so they can 
communicate.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Entwistle, Bruce [mailto:bruce_entwis...@redlands.edu]
Sent: Friday, May 19, 2017 1:32 PM
Subject: Apple TV/Apple Configurator

I am currently attempting to use the Apple configurator to build a wireless 
profile to be loaded to an Apple TV which will then make an authenticated 
connection to our wireless network.  We are currently using our ClearPass 
server to authenticate this connection.   I have utilized many different 
combinations of WPA/WPA2 authentication options along with different 
combinations of trusted certificates.  These included the certificate from the 
authentication server(ClearPass) along with the associated root and 
intermediate certs.  However the connection still fails with the following 
error message,  Radius EAP: Client doesn't support configured EAP methods.  I 
was looking to see if anyone has been successful using the Apple configurator 
to build such a profile which contains the SSID, username, password, security 
type and certificates then pushing it to the Apple TV so it can connect to the 
wireless network.

Thank you
Bruce Entwistle
Network Manager
University of Redlands






RE: Use of Airtame on school environment

2017-05-19 Thread Osborne, Bruce W (Network Operations)
I am confused. Did you use Airtame or Apple TV?


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Ian Lyons [mailto:ily...@rollins.edu]
Sent: Thursday, May 18, 2017 3:00 PM
Subject: Re: Use of Airtame on school environment

I rolled this out at my old school. Over 150.  It worked well.

The advancements that Apple made have made a difference.  Aruba/Clearpass etc, 
MDNS  -rock solid.

The only caveat is that they, like most Apple products, are intended for consumers.  
There isn't a great product (I know one exists) that really manages a deployment 
of Apple TVs that well.

Updating them was a challenge.  Aside from that, a flatscreen and ~$150 you are 
in business!

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeremy Mooney
Sent: Thursday, May 18, 2017 2:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Use of Airtame on school environment

I attended a peer presentation a few weeks ago where a school had switched to 
that and found it significantly better than everything else they had tested. 
They had the devices wired where possible, and placed in specific subnets 
reachable from the clients but also with a predictable IP pattern which 
displayed on screen. They then documented "look for the address starting with 
10.x. on the screen" for people wanting to connect. The clients could remember 
the device name once connected to allow easy reconnect. The presenter actually 
demoed it live on the conference guest wifi (did his presentation via it) and 
then allowed people in the room to try it out. It's definitely on my shortlist 
for trying in our environment.


On Thu, May 18, 2017 at 10:51 AM, Luiz Zicarelli wrote:
Dear all,

We are exploring replacing our 130+ Apple TVs with Airtame 
(www.airtame.com). Has anyone tested this so far? Seems 
to be very straightforward but we are concerned about its performance within a 
segmented network environment. We are an Aruba shop, with AirGroup.

Appreciate any comments.




--
Jeremy Mooney
ITS - Bethel University



RE: Issues with Aruba bracket JY706A AP-220-MNT-W3

2017-05-10 Thread Osborne, Bruce W (Network Operations)
I just received an official answer from Onno Harms, Product Manager for Indoor 
WLAN at HPE/Aruba.

We had some issues with early production units of this mount:
o   RJ45 Ethernet cable connectors are not low-profile enough, making it 
difficult to fit the AP on the mount (need to push hard..)
o   The slider that is used to lock the AP in place does not always fully 
return to its original location (“sticky slider”)
The issues have been resolved in rev 2 of the mount. It looks like the customer 
is using revision 1.

Revision 2 is shipping and can be identified by info on the box label (but only 
by DOM, 11/1/2016 or later) and on the plastic slider itself (“Rev 2”)

Using W1 or W1W is always an option, but those are fairly basic mounts without 
security. The W3 mount (when fixed) delivers a cleaner, lower profile end 
result.

Thanks,
/Onno Harms

If you have some of the early production mounts that need to be exchanged, I 
recommend talking with your Aruba account/sales team or VAR.

 
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Amel Caldwell [mailto:am...@uw.edu] 
Sent: Tuesday, May 9, 2017 11:41 AM
Subject: Re: Issues with Aruba bracket JY706A AP-220-MNT-W3

Hi Jethro--

When the AP-220-MNT-W3 was first released, we got some and they were nothing 
but trouble; the jumper that came with them was too tall for the mount and the 
button would stick.   We worked with Aruba on the jumper design that comes with 
them and also the button issue.  Aruba fixed both issues and the newer 
AP-220-MNT-W3 are much easier to use now.

The easiest way to tell is by the jumper.  The jumper should have a low-profile 
connector and is a flat cable; the older one looks like a standard CAT5e cable. 
  If you have the older one, I would follow up with your local SE and try to 
get them swapped for the “fixed” version.

Regards

Amel Caldwell

On 5/9/17, 1:12 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on 
behalf of Jethro R Binks"  wrote:

Hello all,

We are relatively new to the Aruba world, but for our first major 
deployment (replacing other APs) we're going for JW797A AP-315 with the 
JY706A AP-220-MNT-W3 White Low Profile Box Style Secure Large AP Flat 
Surface Mount Kit.

We'd originally done some testing with (I)AP-225 and bracket 
AP-220-MNT-W2W.

AP-220-MNT-W2W was discontinued in favour of AP-220-MNT-W3.


https://community.arubanetworks.com/t5/Wireless-Access/What-is-the-difference-between-the-AP-220-MNT-W2-and-AP-220-MNT/td-p/274771

Now, as we did a rehearsal for the replacement, we discovered that the 
AP-315 would not fit the AP-220-MNT-W3 bracket.  The slots for the 
mounting lugs of the AP are slightly narrower in width, and so the lugs do 
not fit.

Is this a common problem, or perhaps do we have a bad batch?  Can anyone 
corroborate?

It is possible to make it fit by some judicious shaving of the plastic, 
but that's clearly not desirable.

The AP-315 fits fine on the AP-220-MNT-W2W, although because it is a 
smaller AP it looks a bit odd.  And AP-220-MNT-W2W is EoS regardless.

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in
Scotland, number SC015263.




RE: Issues with Aruba bracket JY706A AP-220-MNT-W3

2017-05-10 Thread Osborne, Bruce W (Network Operations)
If I were you, I would also try posting in the thread you linked to. Onno, who 
last posted in the thread, is in charge of the AP team, I believe. Regardless, 
he should be able to direct you appropriately.

Contacting your Aruba account team is a good idea but usually a multi-pronged 
approach does not hurt.

 
Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Jethro R Binks [mailto:jethro.bi...@strath.ac.uk] 
Sent: Tuesday, May 9, 2017 4:12 AM
Subject: Issues with Aruba bracket JY706A AP-220-MNT-W3

Hello all,

We are relatively new to the Aruba world, but for our first major deployment 
(replacing other APs) we're going for JW797A AP-315 with the JY706A 
AP-220-MNT-W3 White Low Profile Box Style Secure Large AP Flat Surface Mount 
Kit.

We'd originally done some testing with (I)AP-225 and bracket AP-220-MNT-W2W.

AP-220-MNT-W2W was discontinued in favour of AP-220-MNT-W3.

https://community.arubanetworks.com/t5/Wireless-Access/What-is-the-difference-between-the-AP-220-MNT-W2-and-AP-220-MNT/td-p/274771

Now, as we did a rehearsal for the replacement, we discovered that the
AP-315 would not fit the AP-220-MNT-W3 bracket.  The slots for the mounting 
lugs of the AP are slightly narrower in width, and so the lugs do not fit.

Is this a common problem, or perhaps do we have a bad batch?  Can anyone 
corroborate?

It is possible to make it fit by some judicious shaving of the plastic, but 
that's clearly not desirable.

The AP-315 fits fine on the AP-220-MNT-W2W, although because it is a smaller AP 
it looks a bit odd.  And AP-220-MNT-W2W is EoS regardless.

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks, Network Manager,
Information Services Directorate, University Of Strathclyde, Glasgow, UK

The University of Strathclyde is a charitable body, registered in Scotland, 
number SC015263.



RE: Aruba AP Models - 315 vs 325

2017-05-02 Thread Osborne, Bruce W (Network Operations)

http://www.arubanetworks.com/products/networking/access-points/

Checking quickly, the 330 series is 4x4 MU-MIMO and has HP SmartRate, their 
multi-gigabit solution. You can get 5Gbps on Cat 5e or 10Gbps on Cat6A, according 
to their data sheet.

http://www.arubanetworks.com/assets/so/SO_SmartRate.pdf

320 Series is 4x4 MU-MIMO

310 Series is 2x2 MU-MIMO

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Chuck Enfield [mailto:chu...@psu.edu]
Sent: Monday, May 1, 2017 12:46 PM
Subject: Re: Aruba AP Models - 315 vs 325

The differences that I know of are:

-330 series supports VHT160.  I can’t see using it, but if you can then this is 
the AP for you.
-330 has switchable antenna polarization, which should allow better H-plane 
coverage when wall-mounting the AP. I haven’t tested this to see how well it 
works, but a bracket to wall-mount an AP while maintaining its horizontal 
orientation is pretty inexpensive.

Traditionally, each higher Aruba AP series also has more memory, and often a 
better processor, to ensure adequate performance in the densest users 
environment.  I recently asked my VAR about how the 320’s and 330’s compare in 
this way, but haven’t heard back from them yet.  Anybody know?

Chuck Enfield
Manager, Wireless Engineering
Enterprise Networking & Communication Services
The Pennsylvania State University
110H, USB2, UP, PA 16802
ph: 814.863.8715
fx: 814.865.3988

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Steve Hess
Sent: Monday, May 01, 2017 12:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba AP Models - 315 vs 325

Aruba folks,
Looking for opinions on whether the price premium of the 325 
over the 315 is worth it.


Thanks,

Steve



Steve Hess

Manager of Networking and Telecommunications

26 E. Main St Norton, MA 02766

t. 508-286-3413

f. 508-286-8270







RE: IPTV deployment

2017-04-27 Thread Osborne, Bruce W (Network Operations)
Craig,

Are you looking at this from a wireless perspective, wired, or both?

What is your wireless platform?

We implemented multicast IPTV on Aruba wireless using our existing Haivision 
wired IPTV services. In fact, we helped Aruba test their "Dynamic Multicast 
Optimization" solution.

Generally, for 802.11 networks, multicast is transmitted at the lowest 
transmitted rate. That is bad for multicast video. Since our video streams are 
encrypted, we cannot apply QoS separately to prioritize key frames.

If you wish, I can reach out to our IPTV team to get more information on our 
Haivision (formerly Video Furnace) system.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Baugh, Craig [mailto:c.ba...@tcu.edu]
Sent: Wednesday, April 26, 2017 11:18 AM
Subject: IPTV deployment

Good morning,
I am looking for any advice from colleges that have implemented IPTV services.
Would like to know of any challenges, limitations, or problems that have come 
up during implementation.


Thank you for your help.

//Craig Baugh
//Network Engineer
//Texas Christian University.




RE: 5 GHz Only Admin WLAN

2017-04-20 Thread Osborne, Bruce W (Network Operations)
Here at Liberty University, we generally do not use DFS channels. We are using 
them in a couple of areas where we have APs with a dedicated SSID for wireless 
computer labs. We know the NICs on those computers support the DFS channels. 
Those areas also have light coverage from our normal APs with no DFS.

Management realized it was less expensive to buy dedicated APs for a wireless 
lab than to buy switches for a wired lab.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Jason Cook [mailto:jason.c...@adelaide.edu.au]
Sent: Wednesday, April 19, 2017 7:49 PM
Subject: Re: 5 GHz Only Admin WLAN

A Good point.

Are all DFS channels a problem for some clients or is it primarily in the 
UNII2e spectrum and the UNII2 is ok? I understood the issue was with 
UNII2e only but don’t actually know.

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
Sent: Tuesday, 18 April 2017 10:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 5 GHz Only Admin WLAN

In response to, “2.4 GHz is seeming less and less like a thing to worry about, 
as most devices are already using 5GHz.” I’d caution that 5GHz is a big band, 
and few devices support every channel in it.  If you want to get the most out 
of 5GHz by enabling DFS channels, you have to give clients that don’t support a 
particular channel something to connect to.  I can think of two ways to do 
that.  1) You can provide overlapping 5GHz coverage, but that’s only reliable 
if your radio management is smart enough to ensure there’s a non-DFS channel 
available everywhere.  I’m not sure any do that yet.  2) Dual-band clients in 
an area covered by a 5GHz channel they don’t support can use 2.4GHz if the SSID 
supports it.

My recommendation is to leave 2.4GHz enabled if you use DFS channels.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Steve Bohrer
Sent: Friday, 14 April 2017 2:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 5 GHz Only Admin WLAN

Seems fine, but what's the big deal with having the 2.4 available? Are you 
trying to minimize the amount of (limited) 2.4 GHz bandwidth taken by beacons? 
Or do you just want to assure that the devices you care about don't 
inadvertently grab a slow 2.4 connection?

We are way smaller than you guys, but just with Aruba doing its standard ARM 
stuff, typically less than 10 percent of our connected devices are on 2.4 GHz. 
The majority of these are "registered" student devices that can't do 802.1x 
or 5GHz, mostly game machines. Of the rest, many seem to be things that have 
hopped on our "guest" network but then not actually signed in at the portal. My 
assumption has been that these are phones in the pockets of the many 
non-Emerson people who walk by our buildings.

So, 2.4 GHz is seeming less and less like a thing to worry about, as most 
devices are already using 5GHz.

Steve

On Thu, Mar 23, 2017 at 9:11 PM, Jason Cook wrote:
We run 3 SSIDs essentially doing the same thing but with one 5ghz only. It 
wasn’t targeted for devices where we have more control but as a workaround to 
devices connecting at 2.4 when there’s a perfectly good 5ghz there.

UofA
UofA 5ghz
eduroam

However I don’t like the extra SSID. So the pencilled plan at this point is to 
disable 2.4Ghz on UofA, and remove the UofA 5ghz network. Anyone needing 2.4 
can use eduroam. That would be end of year, so we’ll see if it actually happens.

We don’t advertise on our website anything about the 5ghz only network, so 
there’s no huge take-up which is ok as it wasn’t meant to be permanent. However 
it’s certainly done its job with users on it no longer having the issue of 
jumping back to 2.4 (including me).

--
Jason Cook
Technology Services
The University of Adelaide, AUSTRALIA 5005
Ph: +61 8 8313 4800

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
 On Behalf Of Lee H Badman
Sent: Friday, 24 March 2017 11:21 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] 5 GHz Only Admin WLAN

Existing SSID, turn off 2.4.

Lee Badman (mobile)

On Mar 23, 2017, at 10:17 AM, Jeffrey D. Sessler wrote:
Are you speaking about a separately named SSID, or looking to use an existing 
SSID and radius to steer those clients into a different “admin” network?

Jeff

From: 

RE: Shared iPads

2017-04-18 Thread Osborne, Bruce W (Network Operations)
We currently use PEAP-MSCHAPv2.

For department-owned devices, we create a service account per department.
We also have iPads used in our elementary & high school. The students are 
divided into 3 groups based on academic grade. We have a service account per 
group and different web filtering policies for each of those groups.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Benedick, Jason [mailto:bened...@stevenscollege.edu]
Sent: Monday, April 17, 2017 4:17 PM
Subject: Shared iPads

How do you deal with shared iPads for students authenticating to the WiFi 
network? We currently use an 802.1x enabled SSID using RADIUS back to our 
Microsoft NPS server.

My initial thought is to create an AD account for each iPad, but if we start 
getting a lot of them I can see that becoming very tedious managing usernames 
and passwords for each device.

Thanks,
Jason R. Benedick
IT Generalist
Thaddeus Stevens College of Technology
Office: (717) 391-6957 Cell: (717) 587-9065




RE: Basic design question

2017-04-06 Thread Osborne, Bruce W (Network Operations)
Actually, I was referring to the section of Airwave, but there is an older 
standalone version of VisualRF available to Aruba customers.
https://support.arubanetworks.com/DownloadSoftware/tabid/75/DMXModule/510/EntryId/4830/Default.aspx



Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Smith, Todd [mailto:todd.sm...@camc.org]
Sent: Wednesday, April 5, 2017 10:14 AM
Subject: Re: Basic design question

Is there a link to the app?

Todd Smith
Charleston Area Medical Center

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ian Lyons
Sent: Wednesday, April 05, 2017 08:45
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Basic design question

As Bruce mentioned, use the freebie app from Airwave and it works well.  Plug 
in the floor plan that the architect gave you and it should be pretty dang 
close.

Ian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Wednesday, April 5, 2017 7:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Basic design question

Brian,

I know the best advice is to survey, but I know for new construction projects 
that is not possible. We used to use the VisualRF component of Airwave. We now 
use Ekahau to simulate and plan out deployments. It is always good to survey 
and adjust afterwards to verify your planning.

I assume you already have the AP135s?  They were end of sale in August 2015. 
End of support is August 2020. We have seen much better coverage results with 
the newer AP225s.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Brian Helman [mailto:bhel...@salemstate.edu]
Sent: Tuesday, April 4, 2017 4:41 PM
Subject: Basic design question

My installation will be Aruba AP315's, but anyone feel free to chime in ..

In an open air area (e.g., a large cube farm), what is your general rule of thumb 
for how far apart you place your AP's?  One of the spaces I'm looking at is 88' x 
24' and will be filled with 8x8' (48" high) cubes.  I already have an initial 
placement, I just want to keep the engineer honest.  We're still new to Aruba.  
My previous vendor used a different radio structure, so it's not an apples to 
apples comparison on the layout for me.

Thanks.

-Brian




RE: Basic design question

2017-04-06 Thread Osborne, Bruce W (Network Operations)
Yeah, sorry about that. Some colleagues here gave me grief about that.

Have you talked to your Aruba SE? The SE and ACE team are excellent at 
assisting in planning and adjustment afterward.

Since you are an Aruba customer, have you looked at the Aruba Solutions 
Exchange?  We have found the RF Optimization solution especially useful. 
https://ase.arubanetworks.com/solutions/id/75


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Brian Helman [mailto:bhel...@salemstate.edu]
Sent: Wednesday, April 5, 2017 1:33 PM
Subject: Re: Basic design question

Hey Bruce,

AP315's, not AP135's.

The building construction is steel-frame, concrete (4") on metal deck, brick 
façade with drywall interior.  Low-E glass, so I hopefully won't see signals 
from the houses that are 40' from the structure.

So here is the concern that I didn't really voice - I know that Aruba does a 
good job auto-provisioning, but what is "too much" in an open-air office farm?  
This is really supplemental wireless, since each desk will have a hard-wired 
computer, laptop or thin client.  Under my previous wireless vendor, in a space 
that is 24 x 88, I'd probably put two 4-radio and one 2-radio unit in the 
space, configured with 7 of those 10 radios on 5GHz.

I'm sure we all do this, but I was at another University a few weeks ago for a 
basketball game.  Of course, I looked at their wireless installation and it was 
about what I would have done in an arena .. a high-end AP about every 30'.  
Obviously I'm not talking about the seating densities in an office space like 
what would be in a basketball arena, but it's what started me thinking about 
these open spaces.  Is 25-30' a proper predictive distance .. using lower end 
AP's in the office space.

Just to go off on a tangent, is anyone using hospitality units (e.g., the Aruba 
AP303H) in meeting rooms?  The conference rooms range in size from 2 - 16 
seats.  The larger meeting rooms (12 and 16 seats) I'd probably lean toward an 
AP315, but the 2-6 seat spaces I'd consider the 303's.  The 303's are about 
half the cost, but I also may need more (one in each room instead of 
every-other).

-Brian

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Wednesday, April 05, 2017 7:52 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Basic design question

Brian,

I know the best advice is to survey, but I know for new construction projects 
that is not possible. We used to use the VisualRF component of Airwave. We now 
use Ekahau to simulate and plan out deployments. It is always good to survey 
and adjust afterwards to verify your planning.

I assume you already have the AP135s?  They were end of sale in August 2015. 
End of support is August 2020. We have seen much better coverage results with 
the newer AP225s.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Brian Helman [mailto:bhel...@salemstate.edu]
Sent: Tuesday, April 4, 2017 4:41 PM
Subject: Basic design question

My installation will be Aruba AP315's, but anyone feel free to chime in ..

In an open air area (e.g., a large cube farm), what is your general rule of thumb 
for how far apart you place your AP's?  One of the spaces I'm looking at is 88' x 
24' and will be filled with 8x8' (48" high) cubes.  I already have an initial 
placement, I just want to keep the engineer honest.  We're still new to Aruba.  
My previous vendor used a different radio structure, so it's not an apples to 
apples comparison on the layout for me.

Thanks.

-Brian




RE: Basic design question

2017-04-05 Thread Osborne, Bruce W (Network Operations)
Brian,

I know the best advice is to survey, but I know for new construction projects 
that is not possible. We used to use the VisualRF component of Airwave. We now 
use Ekahau to simulate and plan out deployments. It is always good to survey 
and adjust afterwards to verify your planning.

I assume you already have the AP135s?  They were end of sale in August 2015. 
End of support is August 2020. We have seen much better coverage results with 
the newer AP225s.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Brian Helman [mailto:bhel...@salemstate.edu]
Sent: Tuesday, April 4, 2017 4:41 PM
Subject: Basic design question

My installation will be Aruba AP315's, but anyone feel free to chime in ..

In an open air area (e.g., a large cube farm), what is your general rule of thumb 
for how far apart you place your AP's?  One of the spaces I'm looking at is 88' x 
24' and will be filled with 8x8' (48" high) cubes.  I already have an initial 
placement, I just want to keep the engineer honest.  We're still new to Aruba.  
My previous vendor used a different radio structure, so it's not an apples to 
apples comparison on the layout for me.

Thanks.

-Brian




RE: Dorm Wireless Authentication

2017-03-28 Thread Osborne, Bruce W (Network Operations)
Here is another vote for ClearPass with Aruba wireless.

When an Apple TV is registered, it is also registered as an AirGroup personal 
device so the owner’s 802.1X Apple device can use AirPlay to display content on 
the device. We also use Aruba’s Dynamic Multicast Optimization to provide 
multicast IPTV over wireless.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless
 (434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Robert Spellman [mailto:rsp...@bates.edu]
Sent: Monday, March 27, 2017 9:33 AM
Subject: Re: Dorm Wireless Authentication

We use Aruba Clearpass, and have two SSID's on campus, one which is 802.1X, and 
the other open, doing MAC based authentication.  Clearpass allows users to 
register their own devices for MAC authentication by logging into the Clearpass 
guest portal.  Students can register devices for a year, while guests can 
register devices for 2 days.

Rob

Robert Spellman
Bates College
Information and Library Services

On Mon, Mar 27, 2017 at 9:16 AM, Chris Brezil wrote:
Good morning everyone,

We are planning a larger scale roll out of wireless in our dorms. Currently we 
mainly just cover some of the common areas and students for the most part bring 
in their own routers. As most folks can appreciate, this has caused years of 
technical problems and is also not seen as great customer service.

On our main campus wifi, we have people authenticate using 802.1x radius 
authentication using their university username and password. We have some 
concerns about doing this in the dormitories however. We know that students 
bring all sorts of consumer grade devices that require network access into 
their rooms, such as Apple TV, Amazon Echos, etc. Many of these devices will 
not work with username and password authentication and we are not looking to 
Mac exclude these devices on the network, given the overhead of setting this 
up. So we are looking possibly at doing WPA Personal with a passphrase that 
would be given to students.

What are others doing? Has this come up as an issue for any of you?
Best,
Chris

--

CHRIS BREZIL
ASSISTANT VICE PRESIDENT, ENTERPRISE OPERATIONS
INFORMATION TECHNOLOGY

71 FIFTH AVENUE, 9th FLOOR, NEW YORK, NY 10003
brez...@newschool.edu
  |  212.229.5300 x4512




Re: Certificate for 802.1x

2017-03-14 Thread Osborne, Bruce W (Network Operations)
When onboarding, we just have the client trust our certificate chain, not the 
server certificate directly, except by server name. This permits us to renew 
our server certificate without causing client trust issues.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971




From: Oakes, Carl W 
Sent: Monday, March 13, 2017 3:42 PM
Subject: Re: Certificate for 802.1x


This one hits home for me, going through this now on a certificate expiring and 
battling on what to do next.

Most clients don't trust any certificate, even if the device is set to trust 
them OS wide (web browser, etc).  The wireless / supplicant configuration needs 
to be set up to trust specific certs or CA's.

Onboarding tools can be used like SecureW2, Aruba , Cloudpath, eduroam CAT 
to load and enable the RADIUS cert and set it active/trusted.

If clients onboard themselves, just by manually attaching to the network, they 
trust the immediate certificate, and I think in some cases, just the digest of 
the cert, making future cert updates "eventful".

Clients when authenticating can't check the CRL or OCSP for certificate 
revocation, since they aren't on the network yet while trying to authenticate.

So, with all that, I really don't want to get another 3 or 4 year cert and deal 
with the expiring cert again.  Not a pretty scenario.

Last time this happened, it hit us by surprise since we couldn't get a new cert 
based on the previously trusted CA.  E

I'm tempted to create a self-signed local CA just for the RADIUS server 
validation, and then generate a single cert off that CA.   Then have SecureW2 
(what we have) provide that CA and mark it as trusted.

Since it's our own CA, was going to make it good for 20 years (just shy of the 
2038 unix time clock issue).  Avoids the problem until after I retire. :)

In testing, so far this seems to work great.  But test is very different than 
thousands of random student devices.

In theory it could be just a single self-signed cert, but I liked having the 
added bonus / flexibility / futures of the self-signed CA just in case.

Either way, if the private key of the RADIUS cert gets compromised (commercial 
or self-signed), it's a world of hurt to get folks moved over in a secure way.

Has anyone done this?  Good or bad? Am I missing anything key?

Next up will be client based certs, but that doesn't fix/resolve the above 
issue.



Carl Oakes

California State University Sacramento









From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Eric Glinsky
Sent: Monday, March 13, 2017 12:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Certificate for 802.1x



Hi everyone,



I’m looking for thoughts/opinions/experiences on 802.1x and security 
certificates. I dug through the archives from a few years ago, and from what I 
gather it isn’t even possible to use a 3rd-party cert so devices (iOS, OS X, 
Windows, Android) trust it automatically, but maybe someone has succeeded with 
this by now? If so, which CA would you recommend?



For us, our GoDaddy wildcard cert failed to authenticate clients, so we went 
with DigiCert. That isn’t trusted by clients by default, offering no benefit 
over our domain-generated cert, with which all Apple and Windows 8/10 devices 
must be told to “trust,” Windows 7 fails to authenticate entirely, and Android 
just works. We have a Cisco WLC and Windows NPS.



Thanks for any pointers you can give!



- Eric
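
The thread above contrasts supplicants that stored the digest of the first server certificate they saw with supplicants provisioned to trust a CA plus an expected server name. The following is an added example, not part of any message in the thread: it builds a private CA with the openssl CLI, renews the RADIUS server certificate, and shows which trust model survives the renewal. The CA names and host names (radius.example.edu, printer.example.edu) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Constructed names: "Example Campus RADIUS CA",
# "Unrelated CA", radius.example.edu, printer.example.edu.
set -eu

# make_ca DIR CN: self-signed CA (DIR/ca.key, DIR/ca.pem), 20-year lifetime.
make_ca() {
  cat > "$1/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = $2
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7300 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_server DIR BASENAME DNSNAME: new key plus a 2-year server cert
# signed by the CA in DIR, with DNSNAME in subjectAltName.
issue_server() {
  cat > "$1/$2.ext" <<EOF
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$3
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -config "$1/ca.cnf" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 730 -sha256 -extfile "$1/$2.ext" \
    -out "$1/$2.pem" 2>/dev/null
}

# SHA-256 digest of a certificate, as a supplicant might store it.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Model 1: client remembered the digest of the cert it first accepted.
# pinned_leaf_accepts PINNED_CERT PRESENTED_CERT
pinned_leaf_accepts() {
  [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}

# Model 2: client was provisioned with the CA and the expected server name.
# ca_and_name_accepts CA_CERT PRESENTED_CERT EXPECTED_NAME
ca_and_name_accepts() {
  openssl verify -CAfile "$1" -purpose sslserver -verify_hostname "$3" "$2" \
    2>/dev/null | grep -q ': OK$'
}

verdict() { if "$@"; then echo accept; else echo reject; fi; }

demo() {
  good=$(mktemp -d); bad=$(mktemp -d)
  make_ca "$good" "Example Campus RADIUS CA"
  make_ca "$bad" "Unrelated CA"
  issue_server "$good" old radius.example.edu      # cert clients first saw
  issue_server "$good" renewed radius.example.edu  # new key and cert, same CA
  issue_server "$good" other printer.example.edu   # same CA, different name
  issue_server "$bad" foreign radius.example.edu   # right name, other CA
  ca="$good/ca.pem"; name=radius.example.edu
  echo "pinned leaf, renewed cert:   $(verdict pinned_leaf_accepts "$good/old.pem" "$good/renewed.pem")"
  echo "CA+name, original cert:      $(verdict ca_and_name_accepts "$ca" "$good/old.pem" "$name")"
  echo "CA+name, renewed cert:       $(verdict ca_and_name_accepts "$ca" "$good/renewed.pem" "$name")"
  echo "CA+name, wrong server name:  $(verdict ca_and_name_accepts "$ca" "$good/other.pem" "$name")"
  echo "CA+name, cert from other CA: $(verdict ca_and_name_accepts "$ca" "$bad/foreign.pem" "$name")"
  rm -rf "$good" "$bad"
}

demo
```

Clients in the second model keep working through renewals as long as the CA certificate and the server name stay the same; the CA key then becomes the long-lived secret to protect.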




Re: Wireless Door lock systems

2017-03-14 Thread Osborne, Bruce W (Network Operations)
We have found no issues but are just using them on the rooms and that is where 
we are targeting our wireless usage.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971




From: Brian J David <davi...@bc.edu>
Sent: Monday, March 13, 2017 9:22 AM
Subject: Re: Wireless Door lock systems


Thanks for the information Bruce. We have the same locks, about 1800 of them. 
Some of the batteries are dying quickly. Mostly Bathrooms because they get the 
most use. Do you find the Lock antenna to be very powerful?

Brian

On 3/13/17 7:55 AM, Osborne, Bruce W (Network Operations) wrote:

We have been using Assa Abloy wireless locks in our newest residences on our 
802.1X SSID. The AA batteries do not last as long as advertised. We place APs 
in rooms and the lock wireless antenna is on the inside of the door. Obviously, 
rekeying maintenance is reduced. The locks update once a day. If they see an 
unknown badge, they check the server to get a new badge list.

Other than that, be sure to stagger the regular lock scanning times. When we 
first deployed, they had 600+ locks all trying to hit our management VM-based 
server at the same time. The server was overwhelmed. With times staggered, the 
server now handles the load.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Brian David [mailto:davi...@bc.edu]
Sent: Saturday, March 11, 2017 6:59 AM
Subject: Wireless Door lock systems

All,

I was wondering what other Universities experience with wireless door locks?

How have the door locks been working? Is there a lot of maintenance with your 
systems?

For example battery life, wifi connection problems, broken locks.


Brian




--
Brian J David
Senior Network Systems Engineer
Boston College



RE: Wireless Door lock systems

2017-03-13 Thread Osborne, Bruce W (Network Operations)
We have been using Assa Abloy wireless locks in our newest residences on our 
802.1X SSID. The AA batteries do not last as long as advertised. We place APs 
in rooms and the lock wireless antenna is on the inside of the door. Obviously, 
rekeying maintenance is reduced. The locks update once a day. If they see an 
unknown badge, they check the server to get a new badge list.

Other than that, be sure to stagger the regular lock scanning times. When we 
first deployed, they had 600+ locks all trying to hit our management VM-based 
server at the same time. The server was overwhelmed. With times staggered, the 
server now handles the load.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Brian David [mailto:davi...@bc.edu] 
Sent: Saturday, March 11, 2017 6:59 AM
Subject: Wireless Door lock systems

All,

I was wondering what other Universities experience with wireless door locks?

How have the door locks been working? Is there a lot of maintenance with your 
systems?

For example battery life, wifi connection problems, broken locks.


Brian




RE: SSID names

2017-02-22 Thread Osborne, Bruce W (Network Operations)
With the captive portal removed, how do you stop roaming mobile devices from 
sucking up all your DHCP addresses? We have found that a captive portal helps 
reduce usage by roaming devices.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Tony Skalski [mailto:a...@stolaf.edu]
Sent: Tuesday, February 21, 2017 4:48 PM
Subject: Re: SSID names

Up until this past summer, we had three SSIDs: a guest SSID, an open SSID for 
college users and a 1x protected SSID for college users. There was considerable 
overlap between the open and guest SSIDs, so we collapsed them into one. We now 
have: eduroam and 'St. Olaf Guest'. We decided we were OK with 1x-incapable 
devices using the guest network and removed the captive portal we had on the 
old guest SSID.


On Tue, Feb 21, 2017 at 3:06 PM, Adam T Ferrero wrote:

  These have served us pretty well.  We only have a mac auth SSID in our 
residence halls.  Occasionally it would be useful to have it everywhere but we 
don't currently.

TUsecurewireless - WPA2 enterprise which gives different access levels 
(staff, student, guest)
TUguestwireless - Open for onboarding (SMS text credentials)
eduroam - Guest like access for anyone

  Adam

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Dickson
Sent: Tuesday, February 21, 2017 4:02 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID names

eduroam  (our only 802.1x offering)
UMASS  (open, CP, primarily for guests)
UMASS-DEVICES  (MAC auth'd device support for non-802.1x capable devices, as 
allowed by policy)

Mike

Michael Dickson
Network Analyst
Information Technology
University of Massachusetts Amherst
413-545-9639
michael.dick...@umass.edu
PGP: 0x16777D39


On 2017-02-21 15:36, Jim Stasik wrote:
> Hello, I have been encouraged by one of our governance bodies to
> consider renaming our wireless SSIDs to better match the network names
> to the function of the networks behind them.  I don’t get it, but
> maybe I am a little too close to it.  We don’t have any residential on
> our campuses so have just two primary SSIDs in use on our campus (as
> well as eduRoam).  One is named Public and is our onboarding/guest
> network.  The other is our authenticated/secure network which we call
> MC3Waves and is for all students, staff, faculty and administrators,
> with 802.1x on the back end to steer the end user to the appropriate
> role.  We have had these network around for as long as I can remember
> (15 years maybe).  I am curious how others are naming and separating
> the SSIDs in their environment?
>
> Thanks in advance,
>
> Jim Stasik
>
> Director of Enterprise Infrastructure Services
>
> Montgomery County Community College
>
> jsta...@mc3.edu
>
> 215.641.6678
>
> -
>
> Montgomery County Community College is proud to be designated as an
> Achieving the Dream Leader College for its commitment to student
> access and success.



--
Tony Skalski
Systems Administrator
a...@stolaf.edu
507-786-3227
St. Olaf College
Information Technology
1510 St. Olaf Avenue
Northfield, MN 55057-1097




RE: SSID names

2017-02-22 Thread Osborne, Bruce W (Network Operations)
How are users onboarding? Manual configuration?


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229
 
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

-Original Message-
From: Michael Dickson [mailto:mdick...@nic.umass.edu] 
Sent: Tuesday, February 21, 2017 4:02 PM
Subject: Re: SSID names

eduroam  (our only 802.1x offering)
UMASS  (open, CP, primarily for guests)
UMASS-DEVICES  (MAC auth'd device support for non-802.1x capable devices, as 
allowed by policy)

Mike

Michael Dickson
Network Analyst
Information Technology
University of Massachusetts Amherst
413-545-9639
michael.dick...@umass.edu
PGP: 0x16777D39


On 2017-02-21 15:36, Jim Stasik wrote:
> Hello, I have been encouraged by one of our governance bodies to 
> consider renaming our wireless SSIDs to better match the network names 
> to the function of the networks behind them.  I don’t get it, but 
> maybe I am a little too close to it.  We don’t have any residential on 
> our campuses so have just two primary SSIDs in use on our campus (as 
> well as eduRoam).  One is named Public and is our onboarding/guest 
> network.  The other is our authenticated/secure network which we call 
> MC3Waves and is for all students, staff, faculty and administrators, 
> with 802.1x on the back end to steer the end user to the appropriate 
> role.  We have had these network around for as long as I can remember
> (15 years maybe).  I am curious how others are naming and separating 
> the SSIDs in their environment?
> 
> Thanks in advance,
> 
> Jim Stasik
> 
> Director of Enterprise Infrastructure Services
> 
> Montgomery County Community College
> 
> jsta...@mc3.edu
> 
> 215.641.6678
> 
> -
> 
> Montgomery County Community College is proud to be designated as an 
> Achieving the Dream Leader College for its commitment to student 
> access and success.



RE: SSID names

2017-02-22 Thread Osborne, Bruce W (Network Operations)
A few years ago there was a push to refer to our university as Liberty instead 
of LU. Our major SSID names are:

Liberty-Guest – open – self registered & sponsored guest & event access
Liberty-Wireless – open – 802.1X onboarding & mac auth for non-802.1X devices
Liberty-Secure – WPA2 Enterprise PEAP MSCHAPv2 – Secure access for staff, 
students, & vendors.

We will likely be moving to EAP-TLS at least for some devices. We have other 
SSIDs for special purposes or for some of our external related organizations.

Self-registered guest access is bandwidth limited. Sponsored guest & event 
access is less limited.
For events, we currently set up a time-limited guest account with a password. 
This functions much like a PSK but without the encryption.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Jim Stasik [mailto:jsta...@mc3.edu]
Sent: Tuesday, February 21, 2017 3:36 PM
Subject: SSID names

Hello, I have been encouraged by one of our governance bodies to consider 
renaming our wireless SSIDs to better match the network names to the function 
of the networks behind them.  I don’t get it, but maybe I am a little too close 
to it.  We don’t have any residential on our campuses so have just two primary 
SSIDs in use on our campus (as well as eduRoam).  One is named Public and is 
our onboarding/guest network.  The other is our authenticated/secure network 
which we call MC3Waves and is for all students, staff, faculty and 
administrators, with 802.1x on the back end to steer the end user to the 
appropriate role.  We have had these network around for as long as I can 
remember (15 years maybe).  I am curious how others are naming and separating 
the SSIDs in their environment?

Thanks in advance,

Jim Stasik
Director of Enterprise Infrastructure Services
Montgomery County Community College
jsta...@mc3.edu
215.641.6678





Montgomery County Community College is proud to be designated as an Achieving 
the Dream Leader College for its commitment to student access and success.



RE: In room WIFI - second example

2017-02-21 Thread Osborne, Bruce W (Network Operations)
That is what we do with Aruba APs. They have a mixture of higher feature & 
lower feature models.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Thomas Carter [mailto:tcar...@austincollege.edu]
Sent: Tuesday, February 21, 2017 10:48 AM
Subject: Re: In room WIFI - second example

Sorry for the comment spam. I think my ideal is for someone like Aruba, Cisco, 
etc to have lower cost options that can be mixed in with the better APs.  I 
want those for the high capacity locations like classrooms, etc and the lower 
cost options for low usage areas, better density for dorms, etc.

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Philippe Hanset
Sent: Tuesday, February 21, 2017 9:21 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] In room WIFI - second example

Thomas et al.,

For people looking for creative/more affordable systems (not discussing all the 
drawbacks etc ;-), you could also look at Benu Networks.
http://benu.net/solutions/

It seems to be based on White Label APs with Open Source code and centrally 
managed offering.
(I met their CTO at a conference and it seemed pretty interesting, but I have 
never tested)

Has anyone on the list investigated this system?

Philippe

Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
+1 (865) 236-0770



On Feb 21, 2017, at 10:12 AM, Thomas Carter wrote:

Yes, or in some cases, no budget cuts but increased requirements/demands for 
wireless.
Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ian Lyons
Sent: Tuesday, February 21, 2017 8:53 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] In room WIFI - second example

A better way to ask the question (perhaps?):

Your budget was cut in half but your requirements of installing/having AC 
Wireless was not changed?

Simple answer is something has to give.   I understand your pain.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Thomas Carter
Sent: Tuesday, February 21, 2017 9:50 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] In room WIFI - second example

In the example I used below, there wasn’t an FTE to eliminate. There is no way 
that Meraki, Aerohive, and Ruckus can be cheaper, especially when TCO is 
concerned. That annual license/controller cost for Meraki and Aerohive wouldn’t 
be there.

I guess I’m not making my point well. It seems like most of the responses 
assume there is enough budget for a top tier solution and this is just about 
not spending all of it. Imagine your budget for wireless was cut in half. What 
would you do?
Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Monday, February 20, 2017 3:52 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] In room WIFI - second example

In the k-12 space, Cisco Meraki, Aerohive, and Ruckus continue to be the big 
players even in small districts, with others, including Ubiquiti, not making 
much of a dent. Those solutions also tend to come in at or lower than Ubiquiti.

One of the drivers for solutions such as Meraki is that from management’s 
perspective, the cloud-based platform and extensive support channel means you 
don’t need all those expensive FTE’s to run it, while at the same time gaining 
many of the enterprise features you care most about. The reduction of even a 
single FTE costing say $100K per year including benefits purchases a whole lot 
of additional wireless hardware.

Jeff

From: 

RE: In room WIFI - second example

2017-02-21 Thread Osborne, Bruce W (Network Operations)
What we do (and have done when our replacement AP budget was eliminated) was 
this. Our group provides our best service and documents problems in the areas 
where the budget was cut.

When the students complain loud enough, the budget money suddenly appears.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Thomas Carter [mailto:tcar...@austincollege.edu]
Sent: Tuesday, February 21, 2017 9:50 AM
Subject: Re: In room WIFI - second example

In the example I used below, there wasn’t an FTE to eliminate. There is no way 
that Meraki, Aerohive, and Ruckus can be cheaper, especially when TCO is 
concerned. That annual license/controller cost for Meraki and Aerohive wouldn’t 
be there.

I guess I’m not making my point well. It seems like most of the responses 
assume there is enough budget for a top tier solution and this is just about 
not spending all of it. Imagine your budget for wireless was cut in half. What 
would you do?
Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Monday, February 20, 2017 3:52 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] In room WIFI - second example

In the k-12 space, Cisco Meraki, Aerohive, and Ruckus continue to be the big 
players even in small districts, with others, including Ubiquiti, not making 
much of a dent. Those solutions also tend to come in at or lower than Ubiquiti.

One of the drivers for solutions such as Meraki is that from management’s 
perspective, the cloud-based platform and extensive support channel means you 
don’t need all those expensive FTE’s to run it, while at the same time gaining 
many of the enterprise features you care most about. The reduction of even a 
single FTE costing say $100K per year including benefits purchases a whole lot 
of additional wireless hardware.

Jeff

From: "wireless-lan@listserv.educause.edu" on behalf of Thomas Carter
Reply-To: "wireless-lan@listserv.educause.edu"
Date: Monday, February 20, 2017 at 12:08 PM
To: "wireless-lan@listserv.educause.edu"
Subject: Re: [WIRELESS-LAN] In room WIFI - second example

I’m not questioning the cost, just the available options. I feel like I 
sometimes want to tow a 15’ travel trailer and my options from the established 
vendors are a Peterbilt, Mack, and Freightliner at 4x the cost of an F-150 
that is adequate to the task. Because of that, there are a lot of small 
schools, businesses, etc, that are now turning to Ubiquiti, Open Mesh, 
Mikrotik, etc for their good-enough.

I do believe you get what you pay for, but there are limits on what you can 
afford. Here’s the story of a friend; a campus of APs between 5-10 years old. 
Over the next 5 years he could only get the budget to replace only ½ of them 
with a Cisco/Aruba/Ruckus/etc. Over the next 3 years, he could replace all of 
them with Ubiquiti. What choice do you make?
Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Monday, February 20, 2017 1:44 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] In room WIFI - second example

On the cost of devices.

Some enterprise vendor solutions may be nothing more than the same 
off-the-shelf design that the consumer models use, including using the same 
radio code.  When there are radio code issues, the vendor goes back to 
Broadcom, Marvell, or Qualcomm for a fix. Other enterprise vendors go as far as 
to license the radio source code, where you get unique features not otherwise 
available with off-the-shelf designs.

That said, the enterprise WAP vendor does write the code that does all the rest 
of the magic in the WAP e.g. interface, controller connectivity, and so on. In 
general, the cost you are paying for the enterprise WAPs involves a lot more 
than just the 

RE: In room WIFI - second example

2017-02-21 Thread Osborne, Bruce W (Network Operations)
Are they really happy or do they know they have nobody to blame but themselves 
for poor choices?

Just another thought.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Hunter Fuller [mailto:hf0...@uah.edu]
Sent: Monday, February 20, 2017 1:53 PM
Subject: Re: In room WIFI - second example

Bruce,

I have had this mindset for a long time, but I've been questioning it recently.
Due to a political situation I won't bother going into, our dorm residents are 
able to purchase internet connections from wideopenwest or Comcast. They set up 
their own APs and some of our dorms are rogue nightmares. We've made a heavy 
push to 5GHz to combat this.

But it made me wonder... what is up with this? These students set up the 
cheapest APs they can find at Best Buy, blasting at 10 watts of power on 
2GHz, right next to 3 other students doing the same thing. All students are 
happy with their comcast connection and wireless performance. Meanwhile UAH 
invests thousands upon thousands into enterprise wireless and it simply cannot 
operate under those conditions...?
It just makes me wonder, is all...

On Mon, Feb 20, 2017 at 07:06 Osborne, Bruce W (Network Operations) 
<bosbo...@liberty.edu> wrote:
My first thought is this.

Are these boxes centrally managed? It appears you are using WPA2-Personal. If 
so, it would be a pain to need to revisit each box every year to change the PSK.
How is channel coordination happening to minimize interference?
How will you handle misbehaving devices DOSing the network while minimizing the 
impact to roommates?
How are you steering clients to use 5GHz for better performance?

There are reasons there are Enterprise wireless systems with enterprise 
encryption options.

-----Original Message-----
From: Michael Blaisdell [mailto:mblaisd...@francis.edu]
Sent: Sunday, February 19, 2017 8:52 PM
Subject: In room WIFI - second example

I had posted to the group a few months ago about WAPs in each dorm room.  I 
received a number of comments that were very insightful.  Most agreed that 
channel plan in the 2.4 would be next to impossible and the best plan would be 
to turn off maybe every other radio and turn back the power. As for 5.8 I 
believe we agreed that channel width should be a minimum because we are not 
going for speed, we are going for coverage.

I am back at the table with another twist.  I have been testing MikroTik hAP ac 
lite boxes with 4 10/100 ports and both 2.4 and 5.8 radios.  I also have the 
box set up as a router for their room.  I think we can call it a DAN.  Dorm Area 
Network.  The students in the room share a common DHCP server and have NAT 
access to the campus LAN.  This allows the students to add devices in their 
rooms as they need to without affecting the network.  The HAP also has two way 
firewall config so I can block all the ports and services I would normally but 
I can do it at the end point.  I guess the dorms are running like an individual 
household and I am the ISP.

Each room has a unique SSID and authentication.

This is just a test in a few locations at this point but it has worked great.

I am looking for feedback like last time.   Please feel free to cut hard and 
deep if necessary.  Security issues could be my biggest issues.

Thanks



Michael Blaisdell
Director of Network Services
IT Services
Learning Commons/Library
Saint Francis University
117 Evergreen Drive
Loretto, PA  15940
814-472-3242
http://www.francis.edu
The best way to predict the future is to invent it. Alan Kay

--

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure



RE: In room WIFI - second example

2017-02-20 Thread Osborne, Bruce W (Network Operations)
My first thought is this.  

Are these boxes centrally managed? It appears you are using WPA2-Personal. If 
so, it would be a pain to need to revisit each box every year to change the PSK.
How is channel coordination happening to minimize interference?
How will you handle misbehaving devices DOSing the network while minimizing the 
impact to roommates?
How are you steering clients to use 5GHz for better performance?

There are reasons there are Enterprise wireless systems with enterprise 
encryption options.

-----Original Message-----
From: Michael Blaisdell [mailto:mblaisd...@francis.edu] 
Sent: Sunday, February 19, 2017 8:52 PM
Subject: In room WIFI - second example

I had posted to the group a few months ago about WAPs in each dorm room.  I 
received a number of comments that were very insightful.  Most agreed that 
channel plan in the 2.4 would be next to impossible and the best plan would be 
to turn off maybe every other radio and turn back the power. As for 5.8 I 
believe we agreed that channel width should be a minimum because we are not 
going for speed, we are going for coverage.

I am back at the table with another twist.  I have been testing MikroTik hAP ac 
lite boxes with 4 10/100 ports and both 2.4 and 5.8 radios.  I also have the 
box set up as a router for their room.  I think we can call it a DAN.  Dorm Area 
Network.  The students in the room share a common DHCP server and have NAT 
access to the campus LAN.  This allows the students to add devices in their 
rooms as they need to without affecting the network.  The HAP also has two way 
firewall config so I can block all the ports and services I would normally but 
I can do it at the end point.  I guess the dorms are running like an individual 
household and I am the ISP.

Each room has a unique SSID and authentication.

This is just a test in a few locations at this point but it has worked great.

I am looking for feedback like last time.   Please feel free to cut hard and 
deep if necessary.  Security issues could be my biggest issues.

Thanks



Michael Blaisdell
Director of Network Services
IT Services
Learning Commons/Library
Saint Francis University
117 Evergreen Drive
Loretto, PA  15940
814-472-3242
http://www.francis.edu
The best way to predict the future is to invent it. Alan Kay



RE: wild card certs and PEAP

2017-02-07 Thread Osborne, Bruce W (Network Operations)
Now that you mention it, even for a single server, our provider is now 
requiring a SAN.
That is a provider requirement and not technically needed for RADIUS or any 
single server certificate.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Hunter Fuller [mailto:hf0...@uah.edu]
Sent: Monday, February 6, 2017 2:19 PM
Subject: Re: wild card certs and PEAP

Are you sure you have no SAN? In my experience, it is almost impossible to get 
a cert issued by one of the big issuers that has zero SANs. If you request a 
single domain cert, you get a cert with one SAN, which is the same as the 
domain you requested. (There is also, of course, a CN containing that domain.) 
To see an example of this, you can look at https://sso.uah.edu/ - we have a 
single-domain cert here, and then one SAN that is the same as the CN: 
http://i.imgur.com/2d2CqUu.png

During our testing we discovered that some Windows platforms required this SAN 
to be there, but we had somehow gotten a cert issued without that SAN present, 
and this was not acceptable. (I wish I remembered which Windows version.)

I think this is only likely to trip people up if they ask for a cert with CN 
"domain0" and SANs "domain1, domain2, domain3". Our issuer did not provide one 
with that implicit "domain0" SAN, and that's what Windows balked at. But of 
course that doesn't affect people who are requesting single-domain certs.

On Mon, Feb 6, 2017 at 7:00 AM Osborne, Bruce W (Network Operations) 
<bosbo...@liberty.edu> wrote:
We use SANs on our RADIUS certificate so we can use the same certificate for 
https on those servers.
I agree with Tim, though. SANs are not needed and we have run our RADIUS 
certificate for several years on multiple servers without any SANs.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
Sent: Friday, February 3, 2017 4:46 PM
Subject: Re: wild card certs and PEAP

For an EAP server certificate, you do not need SANs for every server. You can 
do something generic like “network-login.domain.edu” and put that cert on every 
box.

The SANs will never be referenced and will just add significant cost.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Friday, February 3, 2017 16:38
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu, 
acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.

On Fri, Feb 3, 2017 at 15:19 Mike Atkins <matk...@nd.edu> wrote:
Our identity management group runs our Microsoft NPS servers and I recall them 
calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu, 
NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This keeps 
your client from having to trust each NPS server.







From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
Sent: Friday, February 03, 2017 3:32 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Subject: [WIRELESS-LAN] wild card certs and PEAP

I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
beg digicert for one, since I don’t think they have an option), but we tried to 
use a wildcard cert that we usually use for testing of services.  It 
generates/imports correctly and Android doesn’t appear to have an issue with 
it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
wireless network.  It looks like Android may be ignoring the validation or 
generally fine with the wildcard.

The easier question is – will a wildcard cert work here?
The tougher question is – if yes, um .. any good references to configure it 
with S2012R2?

-Brian


--

--
Hunter Full
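
The name checks raised in this thread (a wildcard name, a CN that is not repeated in the SAN list, no SAN at all), collected into one audit over `openssl` text output. This is an added example, not code from any poster; the sample certificates, the example.edu hostnames and the `pinned_name` parameter (the server name set in the client's 802.1X profile, matched exactly here) are assumptions.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed samples in the text shape printed by
#   openssl x509 -in cert.pem -noout -subject -ext subjectAltName
# Every hostname is a placeholder under example.edu.
SAMPLES = {
    "wildcard": (
        "subject=C = US, O = Example University, CN = *.example.edu\n"
        "X509v3 Subject Alternative Name: \n"
        "    DNS:*.example.edu, DNS:example.edu\n"
    ),
    "cn_not_in_san": (
        "subject=C = US, O = Example University, CN = eduroam.example.edu\n"
        "X509v3 Subject Alternative Name: \n"
        "    DNS:acs01.example.edu, DNS:acs02.example.edu\n"
    ),
    "generic": (
        "subject=C = US, O = Example University, CN = network-login.example.edu\n"
        "X509v3 Subject Alternative Name: \n"
        "    DNS:network-login.example.edu\n"
    ),
    "no_san": "subject=CN=radius.example.edu\n",
}


class Finding(NamedTuple):
    level: str   # "warn" or "info"
    code: str
    detail: str


def parse_names(openssl_text: str) -> Tuple[Optional[str], List[str]]:
    """Extract the subject CN and the DNS SANs, lower-cased."""
    cn = None
    sans: List[str] = []
    for line in openssl_text.splitlines():
        text = line.strip()
        if text.lower().startswith("subject"):
            # Accepts both "CN = host" and "CN=host" spellings.
            match = re.search(r"\bCN\s*=\s*([^,/]+)", text)
            if match:
                cn = match.group(1).strip().lower()
        else:
            sans += [n.lower() for n in re.findall(r"DNS:([^,\s]+)", text)]
    return cn, sans


def audit_eap_cert(openssl_text: str,
                   pinned_name: Optional[str] = None) -> List[Finding]:
    """Flag the certificate-name conditions the thread reports trouble with."""
    cn, sans = parse_names(openssl_text)
    names = ([cn] if cn else []) + sans
    findings: List[Finding] = []
    if any("*" in name for name in names):
        findings.append(Finding(
            "warn", "wildcard-name",
            "Win7/Win10 supplicants in the thread did not accept a wildcard cert"))
    if cn and sans and cn not in sans:
        findings.append(Finding(
            "warn", "cn-missing-from-san",
            "SANs are present but do not repeat the CN; some Windows "
            "platforms were reported to reject this"))
    if not sans:
        findings.append(Finding(
            "info", "no-san",
            "no SAN extension; reported as working for RADIUS, but the "
            "issuer may insist on one"))
    if pinned_name and pinned_name.lower() not in names:
        findings.append(Finding(
            "warn", "pinned-name-absent",
            "the name configured in the client profile is not in the cert"))
    return findings


def codes(findings: List[Finding]) -> List[str]:
    return [f.code for f in findings]


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, codes(audit_eap_cert(text)))
```

The "generic" sample is the one-name-on-every-box layout: it passes regardless of which RADIUS server presents it, as long as clients pin that same name.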

RE: wild card certs and PEAP

2017-02-06 Thread Osborne, Bruce W (Network Operations)
We use SANs on our RADIUS certificate so we can use the same certificate for 
https on those servers.
I agree with Tim, though. SANs are not needed and we have run our RADIUS 
certificate for several years on multiple servers without any SANs.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
Sent: Friday, February 3, 2017 4:46 PM
Subject: Re: wild card certs and PEAP

For an EAP server certificate, you do not need SANs for every server. You can 
do something generic like “network-login.domain.edu” and put that cert on every 
box.

The SANs will never be referenced and will just add significant cost.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
Sent: Friday, February 3, 2017 16:38
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] wild card certs and PEAP

Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu, 
acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.

On Fri, Feb 3, 2017 at 15:19 Mike Atkins wrote:
Our identity management group runs our Microsoft NPS servers and I recall them 
calling it a multi-domain certificate.  So NPS1.nd.edu, NPS2.nd.edu, 
NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu.   This keeps 
your client from having to trust each NPS server.







From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
 On Behalf Of Brian Helman
Sent: Friday, February 03, 2017 3:32 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

Subject: [WIRELESS-LAN] wild card certs and PEAP

I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our 
configurations in place to join eduroam.  Yes, I can get a temporary cert (or 
beg digicert for one, since I don’t think they have an option), but we tried to 
use a wildcard cert that we usually use for testing of services.  It 
generates/imports correctly and Android doesn’t appear to have an issue with 
it, but Win7 and Win10 don’t care for it when we try to authenticate to the 
wireless network.  It looks like Android may be ignoring the validation or 
generally fine with the wildcard.

The easier question is – will a wildcard cert work here?
The tougher question is – if yes, um .. any good references to configure it 
with S2012R2?

-Brian


--

--
Hunter Fuller
Network Engineer
VBRH Annex B-1
+1 256 824 5331

Office of Information Technology
The University of Alabama in Huntsville
Systems and Infrastructure



RE: Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request?

2017-02-03 Thread Osborne, Bruce W (Network Operations)
Oops.
I stand corrected. I did not pay close attention because it just works in our 
ClearPass environment.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Toivo Voll [mailto:to...@mail.usf.edu]
Sent: Thursday, February 2, 2017 9:23 AM
Subject: Re: Windows 10 eduroam EAP/TLS adding "host/" before username in 
RADIUS request?

Not EDUROAM, but in my environment the "username" from EAP-TLS gets pulled as a 
configurable field from the certificate, so other than selecting whether using 
the machine or user certificate on the client (user vs. machine auth), nothing 
is prepended or modified. We use SAN-DNS as the "username" field, and there the 
machine cert (assigned by AD) does not have a "host/" prefix, just the FQDN of 
the machine.

When using EAP PEAP, if machine authentication is allowed, host/ is prepended 
to the username with machine auth, but not for user auth once the user logs in.

This is using Windows 10, Cisco WLC 8.0.132, ISE 2.1

--
Toivo Voll

On Wed, Feb 1, 2017 at 6:55 PM, Scot Colburn wrote:
Is anybody else seeing Windows 10 prepending "host/" to eduroam usernames in 
EAP/TLS auth?

We've had trouble getting our Windows 10 machines authenticating onto our 
eduroam SSID using EAP/TLS. We seem to have two outcomes, neither of which work:
1) if we create a "Manual Profile" then no authentication traffic ever hits the 
RADIUS server.
2) if we do NOT create a manual profile then an authentication request does hit 
the RADIUS server, but with "host/" prepended to the hostname. Our RADIUS 
server rejects the authentication with "host/" prepended; I imagine a roaming 
user would often have the same issue.

I have a theory: The eduroam auth requires a "realm" to be appended to the 
username so eduroam service-providers and federated RADIUS servers know to 
proxy a roaming RADIUS auth to the correct server. In our case, we append 
"@ucar.edu" to the username. Maybe that "@ucar.edu" is provoking Windows10 to 
prepend the "host/" prefix.  Authentication to our internal SSID without the 
"@ucar.edu" is working normally.

Any clues?

I think we can build a workaround to rewrite the username on the RADIUS server, 
but that won't help our roaming eduroam EAP/TLS users if other eduroam 
service-providers are having the same issue.

Scot Colburn
Network Engineer NCAR/UCAR/NETS/FRGP
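
A triage helper for the behaviour reported in this thread: it splits a RADIUS User-Name into the machine-auth "host/" prefix, the name and the eduroam realm, then counts rejected machine-auth attempts per identity. This is an added example, not code from any poster; the log format, `LOCAL_REALM` and every identity in the sample are constructed.

```python
import csv
import io
from collections import Counter
from typing import Dict, NamedTuple, Optional

LOCAL_REALM = "example.edu"  # assumption: the realm this RADIUS server is home for

# Constructed log lines: time, RADIUS User-Name, SSID, result.
SAMPLE_LOG = """\
2017-02-01T17:55:02,host/laptop01@example.edu,eduroam,reject
2017-02-01T17:55:40,alice@example.edu,eduroam,accept
2017-02-01T17:56:11,host/LAPTOP02.example.edu,eduroam,reject
2017-02-01T17:57:03,bob@visitor.example.org,eduroam,proxy
2017-02-01T17:58:19,carol,eduroam,reject
2017-02-01T17:59:30,host/laptop01@example.edu,eduroam,reject
"""


class Identity(NamedTuple):
    raw: str               # User-Name exactly as received
    machine: bool          # True when the supplicant sent a "host/" identity
    name: str              # identity without prefix and realm, lower-cased
    realm: Optional[str]   # text after the last "@", or None


def parse_identity(user_name: str) -> Identity:
    """Split a User-Name into machine flag, bare name and realm."""
    raw = user_name.strip()
    machine = raw.lower().startswith("host/")
    rest = raw[len("host/"):] if machine else raw
    name, sep, realm = rest.rpartition("@")
    if not sep:                      # no "@" at all: the whole string is the name
        name, realm = rest, ""
    return Identity(raw, machine, name.lower(), realm.lower() or None)


def route(identity: Identity) -> str:
    """Realm-based decision: serve locally, proxy to the federation, or neither."""
    if identity.realm is None:
        return "no-realm"            # nothing for a roaming proxy to route on
    if identity.realm == LOCAL_REALM:
        return "local"
    return "proxy"


def rejected_machine_auth(log_text: str) -> Dict[str, int]:
    """Count rejected attempts whose User-Name carried the host/ prefix."""
    counts: Counter = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue                 # skip blank or malformed lines
        _time, user_name, _ssid, result = row
        ident = parse_identity(user_name)
        if ident.machine and result == "reject":
            key = ident.name + ("@" + ident.realm if ident.realm else "")
            counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for row in csv.reader(io.StringIO(SAMPLE_LOG)):
        ident = parse_identity(row[1])
        kind = "machine" if ident.machine else "user"
        print(f"{row[1]:32} {kind:8} route={route(ident)}")
    print(rejected_machine_auth(SAMPLE_LOG))
```

Identities that show up in the reject count are the clients to check for computer authentication in the supplicant profile.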




RE: Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request?

2017-02-03 Thread Osborne, Bruce W (Network Operations)
And most of our FTE are distance students that would likely never use EDUROAM.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Thursday, February 2, 2017 8:22 AM
Subject: Re: Windows 10 eduroam EAP/TLS adding "host/" before username in 
RADIUS request?

Ah- the I2 freebie had me confused, as I assume everyone is on I2. Never had 
to think about the non I2 costs. Thanks for the information/reminder.

-Lee

Lee Badman | Network Architect

Adjunct Instructor | CWNE #200
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Philippe Hanset
Sent: Thursday, February 02, 2017 8:03 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before 
username in RADIUS request?

Lee,

Let me give the official cost of eduroam:

The cost of eduroam in the US is 10 cents per student per year with a minimum 
of $400 (Number of students reported at National Center for Education 
Statistics, under IPEDS, total student).
The amount is charged to the institution.
https://nces.ed.gov/ipeds/Home/UseTheData

For Internet2 members, eduroam is included with the Internet2 membership 
(different than Internet2 connectors!)
http://www.internet2.edu/communities-groups/members/higher-education/


Philippe


Philippe Hanset, CEO
www.anyroam.net
www.eduroam.us
GPG key id: 0xF2636F9C




On Feb 2, 2017, at 7:52 AM, Lee H Badman <lhbad...@syr.edu> wrote:

Got me curious, Bruce. What costs are associated with Eduroam?

Lee

Lee Badman
Network Architect/Wireless TME
Syracuse University
315.443.3003

-----Original Message-----
From: Osborne, Bruce W (Network Operations) [bosbo...@liberty.edu]
Received: Thursday, 02 Feb 2017, 7:41
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
Subject: Re: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before 
username in RADIUS request?

We do not use Eduroam (too expensive) but we use RADIUS EAP/PEAP MSCHAPv2 for 
both machine & user authentication.

I have only seen the host/  prefix from our OSX clients, not Windows. Perhaps 
EAP/TLS is different?


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
Sent: Wednesday, February 1, 2017 8:17 PM
Subject: Re: Windows 10 eduroam EAP/TLS adding "host/" before username in 
RADIUS request?

Sounds like the client is configured for computer authentication, not user. You 
can change this in the supplicant configuration.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
Sent: Wednesday, February 1, 2017 16:51
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before 
username in RADIUS request?

Let me ask our RADIUS folks about this tomorrow. I'll post whatever I find out.


==
-jcw

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Scot Colburn [colb...@ucar.edu]
Sent: Wednesday, February 01, 2017 5:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before 
username in RADIUS request?
Is anybody else seeing Windows 10 prepending "host/" to eduroam usernames in 
EAP/TLS auth?

We've had trouble getting our Windows 10 machines authenticating onto our 
eduroam SSID using EAP/TLS. We seem to have two outcomes, neither of which work:
1) if we create a "Manual Profile" then no authentication traffic ever hits the 
RADIUS server.
2) if we do NOT create a manual profile then an authentication request does hit 
the RADIUS server, but with "host/" prepended to the hostname. Our RADIUS 
server rejects the authentication with "host/" prepended; I imagine a roaming 
user would often have the same issue.

I have a theory: The eduroam aut

RE: Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request?

2017-02-02 Thread Osborne, Bruce W (Network Operations)
We do not use Eduroam (too expensive) but we use RADIUS EAP/PEAP MSCHAPv2 for 
both machine & user authentication.

I have only seen the host/  prefix from our OSX clients, not Windows. Perhaps 
EAP/TLS is different?


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Cappalli, Tim (Aruba) [mailto:t...@hpe.com]
Sent: Wednesday, February 1, 2017 8:17 PM
Subject: Re: Windows 10 eduroam EAP/TLS adding "host/" before username in 
RADIUS request?

Sounds like the client is configured for computer authentication, not user. You 
can change this in the supplicant configuration.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
Sent: Wednesday, February 1, 2017 16:51
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before 
username in RADIUS request?

Let me ask our RADIUS folks about this tomorrow. I'll post whatever I find out.


==
-jcw

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Scot Colburn 
[colb...@ucar.edu]
Sent: Wednesday, February 01, 2017 5:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before 
username in RADIUS request?
Is anybody else seeing Windows 10 prepending "host/" to eduroam usernames in 
EAP/TLS auth?

We've had trouble getting our Windows 10 machines authenticating onto our 
eduroam SSID using EAP/TLS. We seem to have two outcomes, neither of which work:
1) if we create a "Manual Profile" then no authentication traffic ever hits the 
RADIUS server.
2) if we do NOT create a manual profile then an authentication request does hit 
the RADIUS server, but with "host/" prepended to the hostname. Our RADIUS 
server rejects the authentication with "host/" prepended; I imagine a roaming 
user would often have the same issue.

I have a theory: The eduroam auth requires a "realm" to be appended to the 
username so eduroam service-providers and federated RADIUS servers know to 
proxy a roaming RADIUS auth to the correct server. In our case, we append 
"@ucar.edu" to the username. Maybe that "@ucar.edu" is provoking Windows10 to 
prepend the "host/" prefix.  Authentication to our internal SSID without the 
"@ucar.edu" is working normally.

Any clues?

I think we can build a workaround to rewrite the username on the RADIUS server, 
but that won't help our roaming eduroam EAP/TLS users if other eduroam 
service-providers are having the same issue.

Scot Colburn
Network Engineer NCAR/UCAR/NETS/FRGP

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/discuss.
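
Added example (not code from any poster in this thread): the thread ties the "host/" prefix to computer authentication and considers rewriting the username on the RADIUS server. This sketch classifies the User-Name instead of blindly stripping the prefix, routes on the realm, and checks the claimed identity against names from the EAP-TLS client certificate. The function names, the sample host and user names, and the certificate values are constructed assumptions; only "host/" and "ucar.edu" come from the thread.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

LOCAL_REALM = "ucar.edu"   # the realm named in the thread
HOST_PREFIX = "host/"      # the prefix reported in the thread

# Conservative character sets (assumption; adjust to local naming rules).
_NAME = re.compile(r"[A-Za-z0-9._$-]{1,64}")
_REALM = re.compile(r"(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}")

# Constructed sample User-Name values, not taken from any real log.
SAMPLES = ["host/lab-pc-17@ucar.edu", "jdoe@ucar.edu",
           "host/lab-pc-17.ad.ucar.edu", "visitor@example.edu"]


@dataclass(frozen=True)
class Identity:
    kind: str              # "machine" when the host/ prefix is present, else "user"
    name: str              # prefix and realm removed
    realm: Optional[str]   # lower-cased; None when no "@realm" was sent


def parse_identity(user_name: str) -> Identity:
    """Split a RADIUS User-Name into kind, name and realm.

    Raises ValueError on malformed input instead of guessing, so a rewritten
    name can never silently become a different account. Anonymous outer
    identities ("@realm") are out of scope for this example.
    """
    kind, rest = "user", user_name
    if rest.lower().startswith(HOST_PREFIX):
        kind, rest = "machine", rest[len(HOST_PREFIX):]
    name, sep, realm = rest.rpartition("@")
    if not sep:                       # no "@": the whole string is the name
        name, realm = rest, ""
    if not _NAME.fullmatch(name):
        raise ValueError(f"bad name in {user_name!r}")
    if sep and not _REALM.fullmatch(realm):
        raise ValueError(f"bad realm in {user_name!r}")
    return Identity(kind, name, realm.lower() or None)


def route(identity: Identity) -> str:
    """Decide what a realm-based RADIUS policy would do with this identity."""
    if identity.realm is None:
        return "reject-no-realm"          # a roaming proxy cannot route it
    if identity.realm == LOCAL_REALM:
        return f"local-{identity.kind}"   # machines and users get separate policy
    return "proxy"


def matches_certificate(identity: Identity,
                        san_dns: Iterable[str] = (),
                        san_upn: Iterable[str] = ()) -> bool:
    """EAP-TLS: accept the claimed name only if the client certificate backs it."""
    if identity.kind == "machine":
        dns = {d.lower() for d in san_dns}
        labels = {d.split(".", 1)[0] for d in dns}   # host label of each dNSName
        return identity.name.lower() in dns | labels
    if identity.realm is None:
        return False
    claimed = f"{identity.name}@{identity.realm}".lower()
    return claimed in {u.lower() for u in san_upn}


if __name__ == "__main__":
    for sample in SAMPLES:
        ident = parse_identity(sample)
        print(f"{sample:30} {ident.kind:8} {route(ident)}")
```

Keeping "machine" and "user" as separate kinds means a host/ request is never matched against a user account of the same name, which is the risk in a rewrite that only deletes the prefix.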



RE: Cloud managed infrastructure

2017-01-18 Thread Osborne, Bruce W (Network Operations)
Lee,
You mention

If the premise versions weren’t too-frequently bug-ridden, it may be a 
different story

Please do not assume all wireless vendors are equal. We changed due to the 
obviously abysmal wireless support from Cisco in 2008.

For reference, look at this vendor-neutral list and you will see more 
references to Cisco than all other vendors combined. Cisco wireless is not 
larger than all competitors combined, or at least not by that extent.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Tuesday, January 17, 2017 4:10 PM
Subject: Re: Cloud managed infrastructure

Not to quibble, but Smartnet, etc really no different here. Everyone’s “a 
software company!” now, which has lifted the floodgates on licensing for all 
the major players- lots of time-limited examples of recurring revenue in the 
form of licensing for cloud and not. Is getting to the point where we rent WLAN 
systems, we really don’t own them.

Just my opinion as someone living in both worlds.

-Lee

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Spurgeon, Charles E
Sent: Tuesday, January 17, 2017 4:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cloud managed infrastructure

Another consideration is what happens if you run out of budget for license 
renewals for any reason.

Unlike equipment you own with a perpetual license, the cloud-based networking 
gear will stop functioning unless you feed it licensing money on regular 
intervals as evidenced by the email below.

-Charles

--
Date: Sun, 1 May 2016 16:02:49 +
From: Meraki
Subject: Warning: Your Meraki networks will stop working tomorrow

   Dear Charles Spurgeon,

   Thank you for being a valued Meraki customer. Our records show that your
   Meraki Cloud license has expired.

   If you wish to continue using your Meraki networks, you must renew your
   license immediately. If you choose not to renew, your Meraki systems will
   cease to provide network access on May 2, 2016. If you have recently made
   a Meraki purchase, please add your license key to your Dashboard account.

   Licensing information can be viewed here: [removed]

   To purchase additional licenses, please contact Meraki Sales or your
   authorized Meraki reseller. You can find contact information at
   [2]meraki.cisco.com.

   Please let us know if you have any questions. A [3]license expiration FAQ
   is also available on our website.

   Regards,

   The Cisco Meraki Team

   1. https://n77.meraki.com/o/04Drhc/manage/dashboard/license_info
   2. http://meraki.cisco.com/form/contact
   3. https://documentation.meraki.com/zGeneral_Administration/Licensing/Licensing_FAQ
   4. https://n77.meraki.com/login/license_warning_opt_out?key=347875_04Drhc
---

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Chuck Enfield
Sent: Tuesday, January 17, 2017 9:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cloud managed infrastructure

One important consideration that was missed in regard to cloud services is what 
happens if your provider goes out of business.  I don’t mean to suggest it’s a 
show stopper, but you should ask yourself what the odds are that it will happen 
and what the consequences are if it does.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hall, Rand
Sent: Tuesday, January 17, 2017 9:02 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Cloud managed infrastructure

Lee's is about as good an analysis as you can get:

"Put another less cynical way, the cloud stuff works well when IT resources (or 
patience) are thin as it takes a few major headaches out of the equation. But 
there is no free lunch- the hidden costs of cloud managed is less features 
(this is good and bad IMO), less visibility down deep in the individual pieces, 
and as you are hinting at… a leap of faith on trusting the cloud."

We've run a 700 AP cloud-based deployment for 5 years with just one minor cloud 
problem early on that lasted a couple of hours with minimal practical impact. 
This is much better uptime than I can provide botching maintenance now and then.



Rand

Rand P. Hall
Director, Network Services askIT!
Merrimack 

RE: Xbox 360 connection issues? - Aruba

2017-01-13 Thread Osborne, Bruce W (Network Operations)
Correction:

We run 20 MHz channels with HT & VHT modes enabled.

Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Osborne, Bruce W (Network Operations)
Sent: Friday, January 13, 2017 8:07 AM
To: 'The EDUCAUSE Wireless Issues Constituent Group Listserv' 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: RE: Xbox 360 connection issues? - Aruba

Curious. We are running 80 MHz channels in our dorms with game systems and no 
issues except for that one case with the Xbox 360s and we were able to resolve 
that one.

We disable all rates below 12 Mbit too.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Entwistle, Bruce [mailto:bruce_entwis...@redlands.edu]
Sent: Thursday, January 12, 2017 11:23 AM
Subject: Re: Xbox 360 connection issues? - Aruba

We are a mix of Cisco and Aruba wireless and when working on connecting these 
gaming devices to the Aruba side we had to disable 40MHz wide channels (HT) to 
get any sort of useful connection.

Bruce Entwistle
Network Manager
University of Redlands


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Thursday, January 12, 2017 4:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Xbox 360 connection issues? - Aruba

Hey, Jon!

We saw an issue with the newer 360s & AP-225 where we needed to enable some 
lower data rates to get a reliable connection.  We had 12mbit minimum rates for 
2.4GHz & 5GHz.

We saw issues when we performed packet captures during attempts to associate. 
We had Aruba evaluate our issue on Case 1940381.

It looks like we needed to permit 2.4 basic rate of 5.5 even though we do not 
transmit at that rate. Partial configs below (wmm information missing since 
that is network dependent).

Not working:

wlan ssid-profile "Liberty-Wireless"
   essid "Liberty-Wireless"
   a-basic-rates 12
   a-tx-rates 12 18 24 36 48 54
   g-basic-rates 5 12
   g-tx-rates 12 18 24 36 48 54
   g-beacon-rate 12
   a-beacon-rate 12

Working:
wlan ssid-profile "Liberty-Wireless"
   essid "Liberty-Wireless"
   a-basic-rates 12
   a-tx-rates 12 18 24 36 48 54
   g-basic-rates 5 12<--   Note the difference here
   g-tx-rates 12 18 24 36 48 54
   g-beacon-rate 12
   a-beacon-rate 12



Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Jonathan Waldrep [mailto:wald...@vt.edu]
Sent: Wednesday, January 11, 2017 9:34 AM
Subject: Re: Xbox 360 connection issues? - Aruba

 We've seen where 1st gen 360s (with a USB wireless adapter) will not connect. 
The error message and research indicated that it will not connect if there is 
more than one BSSID to choose from. It is definitely one of the more absurd 
things I've run across.

 We don't have any history with trying to connect to older models to know if 
this made any difference (we're using 225/224s and 215/214s in the residential 
halls). Newer 360s seem to connect just fine.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

On Wed, Jan 11, 2017 at 9:26 AM, Williams, Jess 
<jess-willi...@utc.edu> wrote:

I'm reaching out to see if anyone has experienced issues with Xbox 360s not 
connecting to Aruba AP 215s or 225s?  There aren't any issues with the 360s 
connecting to AP 105s.



Jess Williams

University of Tennessee at Chattanooga



RE: Xbox 360 connection issues? - Aruba

2017-01-13 Thread Osborne, Bruce W (Network Operations)
Curious. We are running 80 MHz channels in our dorms with game systems and no 
issues except for that one case with the Xbox 360s and we were able to resolve 
that one.

We disable all rates below 12 Mbit too.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Entwistle, Bruce [mailto:bruce_entwis...@redlands.edu]
Sent: Thursday, January 12, 2017 11:23 AM
Subject: Re: Xbox 360 connection issues? - Aruba

We are a mix of Cisco and Aruba wireless and when working on connecting these 
gaming devices to the Aruba side we had to disable 40MHz wide channels (HT) to 
get any sort of useful connection.

Bruce Entwistle
Network Manager
University of Redlands


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Thursday, January 12, 2017 4:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Xbox 360 connection issues? - Aruba

Hey, Jon!

We saw an issue with the newer 360s & AP-225 where we needed to enable some 
lower data rates to get a reliable connection.  We had 12mbit minimum rates for 
2.4GHz & 5GHz.

We saw issues when we performed packet captures during attempts to associate. 
We had Aruba evaluate our issue on Case 1940381.

It looks like we needed to permit 2.4 basic rate of 5.5 even though we do not 
transmit at that rate. Partial configs below (wmm information missing since 
that is network dependent).

Not working:

wlan ssid-profile "Liberty-Wireless"
   essid "Liberty-Wireless"
   a-basic-rates 12
   a-tx-rates 12 18 24 36 48 54
   g-basic-rates 5 12
   g-tx-rates 12 18 24 36 48 54
   g-beacon-rate 12
   a-beacon-rate 12

Working:
wlan ssid-profile "Liberty-Wireless"
   essid "Liberty-Wireless"
   a-basic-rates 12
   a-tx-rates 12 18 24 36 48 54
   g-basic-rates 5 12<--   Note the difference here
   g-tx-rates 12 18 24 36 48 54
   g-beacon-rate 12
   a-beacon-rate 12



Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Jonathan Waldrep [mailto:wald...@vt.edu]
Sent: Wednesday, January 11, 2017 9:34 AM
Subject: Re: Xbox 360 connection issues? - Aruba

 We've seen where 1st gen 360s (with a USB wireless adapter) will not connect. 
The error message and research indicated that it will not connect if there is 
more than one BSSID to choose from. It is definitely one of the more absurd 
things I've run across.

 We don't have any history with trying to connect to older models to know if 
this made any difference (we're using 225/224s and 215/214s in the residential 
halls). Newer 360s seem to connect just fine.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

On Wed, Jan 11, 2017 at 9:26 AM, Williams, Jess 
<jess-willi...@utc.edu> wrote:

I'm reaching out to see if anyone has experienced issues with Xbox 360s not 
connecting to Aruba AP 215s or 225s?  There aren't any issues with the 360s 
connecting to AP 105s.



Jess Williams

University of Tennessee at Chattanooga



RE: Xbox 360 connection issues? - Aruba

2017-01-13 Thread Osborne, Bruce W (Network Operations)
This particular case was a newer XBox 360s that is still current.


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Dan Lauing [mailto:lau...@mc.edu]
Sent: Thursday, January 12, 2017 9:41 AM
Subject: Re: Xbox 360 connection issues? - Aruba

For what it's worth, we no longer accommodate those particular xbox 360 models 
(it's not all 360s). Also, we run Aerohive.

I tell them to plug in and in dorms where we don't have ethernet, I suggest 
running through their laptops.

On Thu, Jan 12, 2017 at 6:33 AM, Osborne, Bruce W (Network Operations) 
<bosbo...@liberty.edu> wrote:
Hey, Jon!

We saw an issue with the newer 360s & AP-225 where we needed to enable some 
lower data rates to get a reliable connection.  We had 12mbit minimum rates for 
2.4GHz & 5GHz.

We saw issues when we performed packet captures during attempts to associate. 
We had Aruba evaluate our issue on Case 1940381.

It looks like we needed to permit 2.4 basic rate of 5.5 even though we do not 
transmit at that rate. Partial configs below (wmm information missing since 
that is network dependent).

Not working:

wlan ssid-profile "Liberty-Wireless"
   essid "Liberty-Wireless"
   a-basic-rates 12
   a-tx-rates 12 18 24 36 48 54
   g-basic-rates 5 12
   g-tx-rates 12 18 24 36 48 54
   g-beacon-rate 12
   a-beacon-rate 12

Working:
wlan ssid-profile "Liberty-Wireless"
   essid "Liberty-Wireless"
   a-basic-rates 12
   a-tx-rates 12 18 24 36 48 54
   g-basic-rates 5 12<--   Note the difference here
   g-tx-rates 12 18 24 36 48 54
   g-beacon-rate 12
   a-beacon-rate 12



Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Jonathan Waldrep [mailto:wald...@vt.edu]
Sent: Wednesday, January 11, 2017 9:34 AM
Subject: Re: Xbox 360 connection issues? - Aruba

 We've seen where 1st gen 360s (with a USB wireless adapter) will not connect. 
The error message and research indicated that it will not connect if there is 
more than one BSSID to choose from. It is definitely one of the more absurd 
things I've run across.

 We don't have any history with trying to connect to older models to know if 
this made any difference (we're using 225/224s and 215/214s in the residential 
halls). Newer 360s seem to connect just fine.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

On Wed, Jan 11, 2017 at 9:26 AM, Williams, Jess 
<jess-willi...@utc.edu> wrote:

I'm reaching out to see if anyone has experienced issues with Xbox 360s not 
connecting to Aruba AP 215s or 225s?  There aren't any issues with the 360s 
connecting to AP 105s.



Jess Williams

University of Tennessee at Chattanooga



--
dan b. lauing ii
Wireless Network Administrator
Mississippi College








RE: Prime Infrastructure Validated Alternatives

2017-01-12 Thread Osborne, Bruce W (Network Operations)
The once I had dedicated myself to using it, they had upgraded WLSE with 
changes that were not yet deployed in the APs and were not backward compatible ☹


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Wednesday, January 11, 2017 8:32 AM
Subject: Re: Prime Infrastructure Validated Alternatives

I was a fan of WLSE, actually.

Lee Badman | CWNE #200 | Network Architect

Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W 
(Network Operations)
Sent: Wednesday, January 11, 2017 8:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Prime Infrastructure Validated Alternatives

So it is better than Cisco WLSE was for their fat APs?


Bruce Osborne
Senior Network Engineer
Network Operations - Wireless

 (434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Ian Lyons [mailto:ily...@rollins.edu]
Sent: Tuesday, January 10, 2017 11:23 AM
Subject: Re: Prime Infrastructure Validated Alternatives

Using it yes. Happily, no.

Much better than it was (I am told), but leaves a lot to be desired.   “A work 
in Progress” would be my summation.

Ian Lyons
Network Engineer
Rollins College

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Oliver Elliott
Sent: Tuesday, January 10, 2017 10:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Prime Infrastructure Validated Alternatives

Is anyone even happily using PI?

On 10 January 2017 at 15:33, Lee H Badman 
<lhbad...@syr.edu> wrote:

This comes up on occasion, and I'm hoping to hear actual cases of users, versus 
"have you heard about blah blah blah?"



For large Cisco WLAN environments on the list, is anyone happily and 
effectively using non-homegrown wireless management other than Prime 
Infrastructure?



Regards,



Lee






Lee Badman | Network Architect | CWNE #200
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu



--
Oliver Elliott
Senior Network Specialist
IT Services, University of Bristol
t: 0117 39 (41131)