RE: [WIRELESS-LAN] Vendors contacting list's participants...
Jeff,

That's a good idea. I usually find that if a vendor knows that the issue is published on a list, they sometimes allocate higher level resources to get the issue resolved.

Bruce

-Original Message-
From: Jeffrey Sessler [mailto:j...@scrippscollege.edu]
Sent: Friday, August 27, 2010 11:23 AM
To: Osborne, Bruce W. (NS); WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Vendors contacting list's participants...

Bruce,

I take the approach that if I see someone posting here about an issue with a vendor's equipment, and I have a vendor resource that may be of help, I'll contact the person posting here and ask permission before passing it on.

Jeff

Osborne, Bruce W. (NS) 08/27/10 1:57 AM

Philippe

I assume that it's OK for a vendor to contact an existing customer to resolve an issue that is mentioned on the list. (Primarily for support, not sales) I know that, from time to time, I have alerted vendors about customers who expressed issues with the vendor's products on the list.

Bruce Osborne
Liberty University

From: Philippe Hanset [phan...@utk.edu]
Sent: Thursday, August 26, 2010 5:26 PM
Subject: Vendors contacting list's participants...

All,

I just received a complaint from a participant that has been contacted directly by a vendor as a result of a posting on this list. Besides the fact that it violates Educause's policy on list usage this kind of behavior could progressively mute this list. Participants from educational institutions should be able to ask questions freely on this list without the fear of receiving unsolicited emails or phone calls.

Please respect these basic requirements,

Thank you for your understanding,

Philippe Hanset
Constituent Group Leader
wireless-...@educause.edu

p.s. you can report unsolicited communication directly to me, I will make sure to inform Educause

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: Campus WLAN Design Question
Anthony,

Justin Hao mentioned secondary interfaces on the vlan. This sounds much like Aruba's vlan pooling. With Aruba's solution, the client is assigned a vlan based on a hash of their mac address. They could then roam to any of your areas and keep their same ip address.

Just another thought...

Bruce Osborne
Liberty University

From: Anthony Grevich [mailto:anthony.grev...@tun.touro.edu]
Sent: Friday, August 27, 2010 1:47 PM
Subject: Re: Campus WLAN Design Question

Here is a quick diagram of the original WLAN layout for Floor 1. 3 different subnets / interfaces. Now Floor 2 has only 1 10.0.x.0 /23 as well as a single AP Group, for instance AP GROUP 4, which includes all APs installed upstairs.

All AP Groups broadcast the student WLAN. If a student currently in the area of AP Group 3 gets an IP of 10.0.3.50 and then roams to any other AP GROUP, their IP must change and it is my assumption that any applications that maintain some sort of session would break. Am I correct?

The changes I made are: Create 1 /23 and add both 1st floor and 2nd floor APs to one AP Group, broadcasting the student WLAN.

I really appreciate the help, if I am not including enough info or jumping around a bit, I've had like 3 cups of coffee.

Anthony Grevich | Network Administrator | Touro University Nevada
o: 702.777.3054 m: 702.371.9957 e: anthony.grevich[at]tun.touro.edu
CCNA | MCSE | CSCS | CHP
RE: XBox 360 S
In this case, the dashboard interface lists wired and wireless mac addresses. The wireless one is apparently not used. They probably should list the wired mac address in both places.

Bruce Osborne
Network Engineer - Wireless NAC
Liberty University

From: Barber, Matt [barbe...@morrisville.edu]
Sent: Sunday, August 22, 2010 11:13 AM
Subject: Re: XBox 360 S

As far as I can tell, this is by design and happens with the older Xbox 360 as well. Students have to register those devices here, so I always have them get the MAC address from the Dashboard interface, because the one printed on the wireless adapter is not used.

Matt Barber
Network and Systems Manager
Morrisville State College
315-684-6053

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Osborne, Bruce W. (NS)
Sent: Sunday, August 22, 2010 11:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] XBox 360 S

We have tested the new Xbox 360’s and they are connecting to wireless with the mac address of the wired. Originally this was a cause for concern as if users were connected to wireless and wired at the same time there was a potential for a problem. After further investigation the Xbox360’s turn off wireless if a wired connection is available even if it does not get an IP address from the wired connection. Hopefully this is not a bug in the new Xboxes and it is what Microsoft intended.

The wireless mac address belongs to Hon Hai Precision, but the wired mac address belongs to Microsoft.

This issue can affect any system that registers or filters based on mac address.

Bruce Osborne
Network Engineer - Wireless NAC
Liberty University
RE: Band Steering?
Here is a response I received from Aruba Engineering:

Bruce,

I have heard this from some of my other customers as well. The basic issue comes down to the physical properties of the 5GHz wave vs. the 2.4GHz. The lower frequency (2.4) will be able to travel through air and walls and even bend around corners better than the higher frequency 5GHz wave. For this reason at the edge of an AP's coverage area the 2.4 signal will be better quality than the 5GHz. With band-steering enabled we will keep the client on the 5GHz radio despite a better performing 2.4 signal being available.

I would prefer to keep band steering enabled and design the RF coverage based on the 5GHz coverage. You can add an AP 105 and set the b/g radio as a full time air monitor or you can consider a single radio AP (the AP-93) to provide 5GHz coverage only to these areas where the 2.4GHz can reach but the 5GHz does not.

Thank you,

Bruce Osborne
Liberty University

-Original Message-
From: Ethan Sommer [mailto:somm...@gac.edu]
Sent: Wednesday, August 11, 2010 3:30 PM
Subject: Band Steering?

We are upgrading part of our network using Aruba AP-105s and a pair of 3600 controllers. We've found an annoying problem when we have band steering turned on.

We've created two SSIDs. Let's call them BandSteering and NoBandSteering. When users are relatively close to an access point, they can connect to either. My MacBook will usually connect using 2.4 GHz on NoBandSteering and will always connect using 5GHz to BandSteering.

When a user is further away from the access point, however, they can connect fine to NoBandSteering (obviously it is slower than when they were closer) but can't connect at all to the BandSteering SSID. It doesn't fail back to 2.4GHz, and the clients don't recognize that they can't connect and connect to NoBandSteering if that's lower in their preferred networks list.

The effect is that, understandably, users will select the NoBandSteering SSID because it is more reliable. (Even though it is slower in most cases.)

Aruba suggested that I try setting the 5GHz ARM profile to always max out the 5GHz radio, which helps some but does not eliminate the areas where 2.4GHz works and 5GHz doesn't.

So, my questions are:

1. Are people using band steering?
2. Have you found the same problem?
3. Is there a way to fix it? (Other than turning off bandsteering.)
4. I suppose a related question is, is there a way to make client computers prefer 5GHz more?

I guess we'll probably just not use band steering if we can't find a solution, but it would be a shame not to better utilize the 5GHz spectrum better.

Thanks for any suggestions!

Ethan

--
Ethan Sommer
Associate Director of Core Services
Gustavus Technology Services
somm...@gustavus.edu
507-933-7042
RE: Band Steering?
Here is an explanation from Aruba Engineering:

Bruce,

Both the 125 and the 105 have 2 spatial streams. The 2x2 vs 3x3 is the MIMO antenna configuration: # of transmit antennas (Tx) by the # of receive (Rx) antennas. There is also a 3rd metric (the spatial stream); it is represented by 3x3x2 or 3x3:2. This would be the spec of the 125. The AP-105 is 2x2:2. Future WiFi technologies will be using 3 and 4 spatial streams but these are not written into the IEEE 802.11n standard today. We find in most environments there is minimal impact of 2x2:2 vs 3x3:2 as most clients only have 2x2 MIMO hardware. The 3x3 helps in high multipath (difficult RF) environments.

Bruce Osborne
Liberty University

From: Ryan Holland [mailto:holland@osu.edu]
Sent: Wednesday, August 11, 2010 4:14 PM
Subject: Re: Band Steering?

Just to add clarification, both the AP-120 series and AP-105s only support two (2) spatial streams, despite the additional antenna on the AP-120 series. FYI.

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland@osu.edu

On Aug 11, 2010, at 4:01 PM, Greg Williams wrote:

Ethan, sorry to not be of much help, but we've never had a problem with Band Steering. We have a pretty dense deployment so maybe that's why. But one thing you mentioned is you are using AP 105's. I can't remember 100% but I did see a degradation in signal using the 105's on 5GHz vs 2.4GHz vs. AP 125 when in a classroom, walled type environment. The AP 105's only have a 2X2 spatial stream not a 3X3. We are using the AP 105's in more open areas for that reason and 125's in the classroom type environments.

Greg Williams
IT Security Principal
University of Colorado at Colorado Springs

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Ethan Sommer
Sent: Wednesday, August 11, 2010 1:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Band Steering?

We are upgrading part of our network using Aruba AP-105s and a pair of 3600 controllers. We've found an annoying problem when we have band steering turned on.

We've created two SSIDs. Let's call them BandSteering and NoBandSteering. When users are relatively close to an access point, they can connect to either. My MacBook will usually connect using 2.4 GHz on NoBandSteering and will always connect using 5GHz to BandSteering.

When a user is further away from the access point, however, they can connect fine to NoBandSteering (obviously it is slower than when they were closer) but can't connect at all to the BandSteering SSID. It doesn't fail back to 2.4GHz, and the clients don't recognize that they can't connect and connect to NoBandSteering if that's lower in their preferred networks list.

The effect is that, understandably, users will select the NoBandSteering SSID because it is more reliable. (Even though it is slower in most cases.)

Aruba suggested that I try setting the 5GHz ARM profile to always max out the 5GHz radio, which helps some but does not eliminate the areas where 2.4GHz works and 5GHz doesn't.

So, my questions are:

1. Are people using band steering?
2. Have you found the same problem?
3. Is there a way to fix it? (Other than turning off bandsteering.)
4. I suppose a related question is, is there a way to make client computers prefer 5GHz more?

I guess we'll probably just not use band steering if we can't find a solution, but it would be a shame not to better utilize the 5GHz spectrum better.

Thanks for any suggestions!

Ethan

--
Ethan Sommer
Associate Director of Core Services
Gustavus Technology Services
somm...@gustavus.edu
507-933-7042
RE: Cisco Wireless Controller Software Advisory
I am curious. What issue were you seeing with the 7925g phones?

Thanks,

Bruce Osborne
Liberty University

-Original Message-
From: Mike King [mailto:m...@mpking.com]
Sent: Tuesday, August 03, 2010 7:41 AM
Subject: Re: Cisco Wireless Controller Software Advisory

For all those playing at home, http://www.cisco.com/web/software/Wireless/Deferral/Software_Advisory_6_0_196_0-4.html was updated last night. I'm guessing 6.0.199.0 came out, because it says to move to it immediately to resolve these bugs.

For myself, we moved to the 7.0.98.0 code, and we haven't had any issues. In fact, besides resolving those two catastrophic bugs, it's solved another minor bug that's been plaguing me with the Cisco 7925g Phones.

Mike

On Mon, Jun 21, 2010 at 6:31 PM, Mike King m...@mpking.com wrote:

- Original Message -
From: Mike King m...@mpking.com
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Sunday, June 20, 2010 8:29 PM
Subject: [WIRELESS-LAN] Cisco Wireless Controller Software Advisory

Got this in my email last night. I think I've been personally hitting CSCtf34858, and not realizing it. (Well, realizing it but not being able to catch/diagnose it, I've known something was wrong since I went to 6.0.196.0) Looks like I'll be upgrading to 7.0.98.0 within the next few days.

https://supportforums.cisco.com/docs/DOC-11722

This Software Advisory Notice is issued against all the above Wireless LAN Controller software versions due to the following bugs: (as a side note, they are marked Severity 1 - catastrophic)

CSCtf34858 Client can't transmit traffic if it reassociates to an AP within 20 sec
CSCte89891 Radio may stop transmitting beacons periodically

Base Code: 6.0.182.0, 6.0.188.0, 6.0.196.0

Special Build: Following options are available:

1. Move to 7.0.98.0 Release posted on CCO. Please note, 7.0 is a new feature release.
2. Contact TAC to get a 6.0 Special or Beta release with fixes for the bugs below.
3. Wait for the CCO release of 6.0 MR3 (Maintenance Release), which is planned for July/August 2010
RE: blocking broadcast/multicast?
similar setup. I was thinking of doing what you described on the second paragraph of your reply.

Marcelo Lew
Wireless Network Specialist
University Technology Services
University of Denver
Desk: (303) 871-6523 Cell: (303) 669-4217 Fax: (303) 871-5900
Email: m...@du.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Osborne, Bruce W. (NS)
Sent: Wednesday, June 30, 2010 5:31 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] blocking broadcast/multicast?

Marcelo,

You need to be careful blocking broadcasts, or you may need to statically set ip addresses on all your clients. DHCP uses broadcast.

We are an Aruba shop. On our normal data SSIDs we set “Drop Broadcast and Multicast” and “Convert Broadcast ARP requests to unicast”.

On our high speed (5GHz 802.11n only, 24mbit lowest transmit rate) we allow multicast so the students can watch IPTV video on wireless. To accomplish this, we have “Dynamic Multicast Optimization” enabled, which converts the multicast streams to unicast. Without “Dynamic Multicast Optimization” multicast data is limited to the rate of the slowest 802.11 client.

Blocking multicast is a good way to reduce unnecessary airtime. We use a VLAN pool of /23 networks to reduce the local broadcast domain for each client too. This helps reduce unnecessary traffic.

Bruce Osborne
Network Engineer
Liberty University

From: Marcelo Lew [mailto:m...@du.edu]
Sent: Tuesday, June 29, 2010 1:10 PM
Subject: blocking broadcast/multicast?

Wondering how many of you are blocking broadcast/multicast on the wifi network? If so, do you allow it on certain SSIDs? Do you get a lot of user complaints about this? I would like to reduce unnecessary use of airtime, however, “unnecessary” can mean many different things depending who you ask…

Marcelo Lew
Wireless Network Specialist
University Technology Services
University of Denver
Desk: (303) 871-6523 Cell: (303) 669-4217 Fax: (303) 871-5900
Email: m...@du.edu
RE: blocking broadcast/multicast?
Marcelo,

You need to be careful blocking broadcasts, or you may need to statically set ip addresses on all your clients. DHCP uses broadcast.

We are an Aruba shop. On our normal data SSIDs we set Drop Broadcast and Multicast and Convert Broadcast ARP requests to unicast.

On our high speed (5GHz 802.11n only, 24mbit lowest transmit rate) we allow multicast so the students can watch IPTV video on wireless. To accomplish this, we have Dynamic Multicast Optimization enabled, which converts the multicast streams to unicast. Without Dynamic Multicast Optimization multicast data is limited to the rate of the slowest 802.11 client.

Blocking multicast is a good way to reduce unnecessary airtime. We use a VLAN pool of /23 networks to reduce the local broadcast domain for each client too. This helps reduce unnecessary traffic.

Bruce Osborne
Network Engineer
Liberty University

From: Marcelo Lew [mailto:m...@du.edu]
Sent: Tuesday, June 29, 2010 1:10 PM
Subject: blocking broadcast/multicast?

Wondering how many of you are blocking broadcast/multicast on the wifi network? If so, do you allow it on certain SSIDs? Do you get a lot of user complaints about this? I would like to reduce unnecessary use of airtime, however, unnecessary can mean many different things depending who you ask...

Marcelo Lew
Wireless Network Specialist
University Technology Services
University of Denver
Desk: (303) 871-6523 Cell: (303) 669-4217 Fax: (303) 871-5900
Email: m...@du.edu
RE: Mobile devices and NAC
Michael,

I just had a similar question off-list. Bradford does not solely rely on the user agent. They also use DHCP fingerprinting. Once the client is registered and the persistent agent is installed (Windows or Macintosh, the vast majority of our users) then they have other methods. Once a client is registered, the system would detect if the agent is not installed and force them into remediation.

Bruce Osborne
Liberty University

From: Michael Simpson [michael.simp...@uvu.edu]
Sent: Monday, June 28, 2010 8:46 AM
Subject: Re: Mobile devices and NAC

Bruce,

Out of curiosity, how do you prevent a client from gaining access via MAC spoofing? With Cisco NAC we have the option of putting users in the Filter list with Check selected. This will bypass user authentication and will only perform client remediation. We looked into this option with a registration portal that would automatically create these filters for us but our security team put the kibosh on this as they were concerned unauthorized users could gain access by spoofing a MAC of a previously registered machine.

Michael Simpson
Network Engineer
Utah Valley University

On Jun 26, 2010, at 3:09 AM, Osborne, Bruce W. (NS) wrote:

Dennis,

We moved from Cisco NAC to Bradford a couple of years ago. We set up our system based on MAC address authentication. The client only needs to register once per semester. Our main user complaint with Cisco NAC was the need to login to NAC every time they connected to the network. If desired, Bradford can be set up to require this too.

For mobile devices specifically, the Bradford system generally allows them to register only, rather than requiring the agent download. The Device and OS recognition are either updated through the regular definition updates or through patch updates to the system. Sometimes we need to register new devices manually until we patch our systems. Until recently we needed to manually register iPads and Android phones, for example. Our current version supports both.

Our registration records expire after 60 days of inactivity so we can reclaim NAC licenses for reuse.

I understand that Perfigo originally designed what became Cisco NAC as an authentication system for wireless networks. The NAC features were added later. That may be why authentication is generally required on every connection.

Cisco makes some great products. We are generally a Cisco shop for networking and telephony, but we found wireless NAC solutions from other vendors better meet our needs.

Bruce Osborne
Network Engineer
Liberty University

-Original Message-
From: Dennis Xu [mailto:d...@uoguelph.ca]
Sent: Friday, June 25, 2010 10:09 AM
Subject: Mobile devices and NAC

Just want to check how other people deal with mobile device with NAC? We use Cisco NAC and configured not require agent for mobile devices, but the problem is they have to open the browser first (even they have already been authenticated using 802.1X) to become online users in NAC before they can use any other applications (email clients, calendar, etc). Cisco NAC detects the user O/S after user opens the browser. So no browser open, no other network connectives. This has caused many frustrations. How do you make the mobile devices work with NAC without these pains? If you use MAC filter to bypass NAC, how do you manage and maintain the filter list?

Any suggestions are appreciated!

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217
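Added example (not part of any list message, and not Bradford's or Cisco's code): a sketch of the control discussed in this thread, where a MAC-registered device is also checked against the DHCP fingerprint recorded at registration and records lapse after 60 days of inactivity. The registry layout, function names, MAC addresses and option lists are assumptions constructed for the illustration.

```python
import struct
from datetime import datetime, timedelta

MAGIC_COOKIE = b"\x63\x82\x53\x63"
INACTIVITY_LIMIT = timedelta(days=60)  # expiry window quoted in the thread


def parse_dhcp(packet):
    """Return (client MAC, option 55 parameter list, option 60 vendor class)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    if packet[2] != 6:  # hlen: only 6-byte Ethernet addresses are handled
        raise ValueError("unexpected hardware address length")
    mac = packet[28:34].hex(":")
    params, vendor = (), ""
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:  # end option
            break
        if code == 0:    # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option")
        if code == 55:
            params = tuple(data)  # order matters for fingerprinting
        elif code == 60:
            vendor = data.decode("ascii", "replace")
        i += 2 + length
    return mac, params, vendor


def build_discover(mac, params, vendor=""):
    """Build a constructed DHCPDISCOVER for the demo (not a capture)."""
    chaddr = bytes.fromhex(mac.replace(":", ""))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234,
                         0, 0, b"", b"", b"", b"", chaddr, b"", b"")
    options = bytes([53, 1, 1, 55, len(params)]) + bytes(params)
    if vendor:
        options += bytes([60, len(vendor)]) + vendor.encode("ascii")
    return header + MAGIC_COOKIE + options + b"\xff"


def check_request(registry, packet, now):
    """Classify a DHCP request against the (hypothetical) registration store."""
    mac, params, vendor = parse_dhcp(packet)
    record = registry.get(mac)
    if record is None:
        return mac, "unregistered"
    if now - record["last_seen"] > INACTIVITY_LIMIT:
        del registry[mac]  # reclaim the registration
        return mac, "expired"
    if record["fingerprint"] != (params, vendor):
        return mac, "fingerprint-mismatch"  # known MAC, different DHCP stack
    record["last_seen"] = now
    return mac, "ok"


def demo():
    """Run four constructed requests through the check and return the verdicts."""
    t0 = datetime(2010, 6, 28, 9, 0)
    # Constructed fingerprints; locally administered MACs avoid real vendor OUIs.
    laptop = ((1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43), "MSFT 5.0")
    other = (1, 3, 6, 15, 119, 252)
    registry = {
        "02:00:00:aa:bb:01": {"fingerprint": laptop, "last_seen": t0},
        "02:00:00:aa:bb:02": {"fingerprint": laptop,
                              "last_seen": t0 - timedelta(days=90)},
    }
    packets = [
        build_discover("02:00:00:aa:bb:01", *laptop),  # same device as registered
        build_discover("02:00:00:aa:bb:01", other),    # same MAC, different stack
        build_discover("02:00:00:aa:bb:02", *laptop),  # registration lapsed
        build_discover("02:00:00:aa:bb:03", other),    # never registered
    ]
    now = t0 + timedelta(hours=1)
    return [check_request(registry, p, now)[1] for p in packets]


if __name__ == "__main__":
    print(demo())
```

A mismatch is a prompt for re-registration or review rather than proof of spoofing: an OS upgrade changes the option list, and the fingerprint itself can be copied along with the MAC.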
RE: Mobile devices and NAC
Dennis,

I believe they use DHCP fingerprinting in addition to the user agent. Except for game consoles, the user does not enter the mac address into the web page. For game consoles, the server must have seen the mac address on the network. The mac address vendor mac prefix also must have been identified as a gaming device. For users who actually have a system that uses a generic manufacturer prefix, they bring it in to our HelpDesk and we register it manually.

Bruce Osborne
Network Engineer
Liberty University

From: Dennis Xu [...@uoguelph.ca]
Sent: Monday, June 28, 2010 9:14 AM
Subject: Re: Mobile devices and NAC

Hi Bruce,

That is interesting. So Bradford has a built-in portal for users to register their MAC address? How does Bradford know the MAC address they entered is a mobile device, not a Windows computer?

Thanks!

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217

- Original Message -
From: Bruce W. Osborne (NS) bosbo...@liberty.edu
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Saturday, June 26, 2010 5:09:25 AM GMT -05:00 US/Canada Eastern
Subject: Re: [WIRELESS-LAN] Mobile devices and NAC

Dennis,

We moved from Cisco NAC to Bradford a couple of years ago. We set up our system based on MAC address authentication. The client only needs to register once per semester. Our main user complaint with Cisco NAC was the need to login to NAC every time they connected to the network. If desired, Bradford can be set up to require this too.

For mobile devices specifically, the Bradford system generally allows them to register only, rather than requiring the agent download. The Device and OS recognition are either updated through the regular definition updates or through patch updates to the system. Sometimes we need to register new devices manually until we patch our systems. Until recently we needed to manually register iPads and Android phones, for example. Our current version supports both.

Our registration records expire after 60 days of inactivity so we can reclaim NAC licenses for reuse.

I understand that Perfigo originally designed what became Cisco NAC as an authentication system for wireless networks. The NAC features were added later. That may be why authentication is generally required on every connection.

Cisco makes some great products. We are generally a Cisco shop for networking and telephony, but we found wireless NAC solutions from other vendors better meet our needs.

Bruce Osborne
Network Engineer
Liberty University

-Original Message-
From: Dennis Xu [mailto:d...@uoguelph.ca]
Sent: Friday, June 25, 2010 10:09 AM
Subject: Mobile devices and NAC

Just want to check how other people deal with mobile device with NAC? We use Cisco NAC and configured not require agent for mobile devices, but the problem is they have to open the browser first (even they have already been authenticated using 802.1X) to become online users in NAC before they can use any other applications (email clients, calendar, etc). Cisco NAC detects the user O/S after user opens the browser. So no browser open, no other network connectives. This has caused many frustrations. How do you make the mobile devices work with NAC without these pains? If you use MAC filter to bypass NAC, how do you manage and maintain the filter list?

Any suggestions are appreciated!

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217
RE: Mobile devices and NAC
Dennis,

We moved from Cisco NAC to Bradford a couple of years ago. We set up our system based on MAC address authentication. The client only needs to register once per semester. Our main user complaint with Cisco NAC was the need to login to NAC every time they connected to the network. If desired, Bradford can be set up to require this too.

For mobile devices specifically, the Bradford system generally allows them to register only, rather than requiring the agent download. The Device and OS recognition are either updated through the regular definition updates or through patch updates to the system. Sometimes we need to register new devices manually until we patch our systems. Until recently we needed to manually register iPads and Android phones, for example. Our current version supports both.

Our registration records expire after 60 days of inactivity so we can reclaim NAC licenses for reuse.

I understand that Perfigo originally designed what became Cisco NAC as an authentication system for wireless networks. The NAC features were added later. That may be why authentication is generally required on every connection.

Cisco makes some great products. We are generally a Cisco shop for networking and telephony, but we found wireless NAC solutions from other vendors better meet our needs.

Bruce Osborne
Network Engineer
Liberty University

-Original Message-
From: Dennis Xu [mailto:d...@uoguelph.ca]
Sent: Friday, June 25, 2010 10:09 AM
Subject: Mobile devices and NAC

Just want to check how other people deal with mobile device with NAC? We use Cisco NAC and configured not require agent for mobile devices, but the problem is they have to open the browser first (even they have already been authenticated using 802.1X) to become online users in NAC before they can use any other applications (email clients, calendar, etc). Cisco NAC detects the user O/S after user opens the browser. So no browser open, no other network connectives. This has caused many frustrations. How do you make the mobile devices work with NAC without these pains? If you use MAC filter to bypass NAC, how do you manage and maintain the filter list?

Any suggestions are appreciated!

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217
RE: 11n adapter for AD Desktops (not laptops)?
Lee, We here at Liberty University have found the Dell wireless kit here works best for us: http://accessories.us.dell.com/sna/products/VoIP_Telephony/productdetail.aspx?c=usl=ens=dhscs=19sku=430-2757 Bruce Osborne Network Engineer Liberty University From: Lee H Badman [mailto:lhbad...@syr.edu] Sent: Monday, May 17, 2010 1:03 PM Subject: 11n adapter for AD Desktops (not laptops)? One more question, then I've met my quota for the day... I need to find an 11n adapter suitable for use with AD workstations- not laptops. Ideally it would be as chock full of that tasty 11n stuff as possible- dual-band, multiple streams, yada yada (nothing cheap). And... be AD-friendly, as drivers need to be part of the AD build. An external antenna option would be all the better. Then there are wireless workgroup bridges that may help... Anyone played this game yet? Thanks- Lee Badman
RE: Aruba vs HP vs Meraki
Philippe, Actually that looks like it could be an explosive environment. The Aruba AP-85 is designed to function in explosive environments. Bruce Osborne Liberty University -Original Message- From: Philippe Hanset [mailto:phan...@utk.edu] Sent: Monday, April 12, 2010 3:57 PM Subject: Re: Aruba vs HP vs Meraki I always wondered what that WarDriving was all about. I get it now! Philippe, don't bother me or I rotate a Xirrus Array at you, and none of your porcupine will make it, Hanset p.s. This calls for a youtube video! On Apr 12, 2010, at 3:10 PM, Lee H Badman wrote: I did pick up a 1252 off of eBay, and filed it down so it fits my hand just right. I keep it under the seat of my truck... just in case things heat up. The only guy I worry about is someone who shows up with one of them big honkin' BelAir keg lookin' things. -Lee the Redneck -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Patrick Goggins Sent: Monday, April 12, 2010 2:56 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Aruba vs HP vs Meraki I believe this would fall under the built-in theft deterrent feature. Patrick Goggins Network Administrator Carroll University -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Johnson, Bruce T. Sent: Monday, April 12, 2010 8:04 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Aruba vs HP vs Meraki I'd bring the 1250 to a bar fight. It's more Medieval. Bruce T. 
Johnson | Partners Healthcare | Network Engineering 617.726.9662 | Pager: 31633 | bjohns...@partners.org -Original Message- From: Jeffrey Sessler [j...@scrippscollege.edu] Received: 4/11/10 10:27 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU [wireless-...@listserv.educause.edu ] Subject: Re: [WIRELESS-LAN] Aruba vs HP vs Meraki And as Lee is swinging the 1142s, the song Eye of the Tiger would be playing, along with a slow-motion montage of various IT highlights from his career. :) Jeff Mike King m...@mpking.com 4/11/2010 5:46 PM On Sun, Apr 11, 2010 at 8:30 PM, Lee H Badman lhbad...@syr.edu wrote: If I have to take an AP to a bar fight, I'd want a Cisco to swing around, simply based on heft. Based on that line, I had two images pop in my mind: The first one was Lee Swinging two 1142n (one in each hand) like a ninja. Two was Cisco new Marketing campaign. If I have to take an AP to a bar fight, I'd want a Cisco
RE: Aruba vs HP vs Meraki
Although you may be tempted to skip some licensing, I find Aruba's Policy Enforcement Firewall indispensable for the features control you get as an administrator. Bruce Osborne Liberty University -Original Message- From: Patrick Goggins [mailto:pgogg...@carrollu.edu] Sent: Friday, April 02, 2010 7:09 PM Subject: Re: Aruba vs HP vs Meraki HP can be decentralized (depending on the model) or controller-based but requires a large number of controllers to scale well. While Aruba does have extra licensing fees some of them can be skipped with the newer licensing model and others passed on if you have an existing NAC/NPS solution which works well for your environment. How is your organization with regards to cloud services in general? If per policy other services were turned down by the organization Meraki might not be an option as wireless configuration is in the cloud. What features are you looking to implement on the access points? For example, we are using ethertype filters at the AP level to block IPv6 which during tests earlier this year HP would not offer but Cisco and 3Com did. When running encryption on your network if certain encrypted SSIDs are available campus-wide is this installation a forklift replacement? If not, the new equipment may need to support whatever the existing encryption settings are as different vendors have slight variation on implementation of the standards. If using 802.1x and it is a mixed vendor environment thoroughly test the functionality, we have seen some limitation when running cross-vendor with multiple MAC addresses on a single switch port or access points tying in correctly with different NAC solutions. 
~Patrick From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Mike Hydra [mhy...@2fast4wireless.com] Sent: Friday, April 02, 2010 4:01 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Aruba vs HP vs Meraki What I personally find interesting is the wide choice not from a manufacturing point of view but more from a Wi-Fi technology point of view. Aruba - Controller based (aka controller based) All data goes through the controller, centralized architecture. HP - decentralized (Controller is not directly essential) Data path is separated from the management path. Meraki - Cloud computing Centralized Cloud, not having to own controller hardware inside your own network. All three very different solutions. I'm looking forward to follow this email thread with the comments, thanks for sharing. I would recommend writing down a proof of concept and invite the vendors of your choice. In this way you've tested your requirement (out of your proof of concept) therefore convinced around the solution you buy is the right one. Good luck... Mike Hydra Cell: +31 6 29 07 18 96 Tel: +31 252 62 61 20 Fax: +31 252 68 88 37 E-mail: mhy...@2fast4wireless.com Skype: Flying-Wireless-Dutchman Web: www.2fast4wireless.com From: Peter P Morrissey ppmor...@syr.edu Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Date: Fri, 2 Apr 2010 22:47:26 +0200 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: Aruba vs HP vs Meraki OK, so I'll ask. Why did you eliminate Cisco already? Pete M. 
-Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Ethan Sommer Sent: Friday, April 02, 2010 2:21 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Aruba vs HP vs Meraki We are considering replacing our 200+ AP wireless infrastructure with a controller based 802.11n system. I believe we have narrowed it down to Aruba, HP Procurve (we use HP switch gear), and Meraki. I have two questions: 1. Are there any hidden costs we should watch out for with any of these (particularly Aruba.) Will we hit major costs other than the up front cost for the APs and the controllers? 2. I know a lot of schools are very happily using Aruba, but I haven't heard of any schools using HP and very few using Meraki. Are there any schools who have gone with Aruba and regretted it? If so, why? Are there any schools out there using HP Procurve (formerly Colubris) or Meraki? What do you think of them? Did you have any surprises after you deployed? Ethan -- Ethan Sommer Associate Director of Core Services 507-933-7042 somm...@gustavus.edu
RE: Encryption and Authentication
My understanding is that WEP & TKIP are not allowed in the 802.11n standard. Only open or AES. Bruce Osborne Liberty University -Original Message- From: Cortes, Diana [mailto:dcor...@miami.edu] Sent: Wednesday, December 30, 2009 11:06 AM Subject: Re: Encryption and Authentication If I am not mistaken, the 802.11n standard requires CCMP/AES if encryption is to be used at all. Hence, users are being bumped off the 11n rates when they use TKIP. We are also exploring our options for deploying 802.1X/EAP in our current wireless environment and we considered using EAP-PEAP so that Windows users could use the native supplicant. The problem with this is that the Windows supplicant sends the username in the clear in the outer tunnel during the first stages of authentication. Because of this we are now considering using EAP-TTLS with a third-party supplicant in order to provide that extra layer of security. Diana Cortes, CISSP, CWNA University of Miami IT - Telecommunications -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Voll, Toivo Sent: Wednesday, December 23, 2009 6:37 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Encryption and Authentication Your choices may be limited if you plan to run 802.11n. At least Cisco reads the specs as mandating that you must do WPA2 / AES on 802.11n, other types (TKIP, WPA) will bump you off 802.11n rates. Also consider what your user population is. XP may need a hotfix applied to do WPA2. A lot of older systems, WVoIP phones, barcode scanners, Crestron-type room controls etc. may be limited to WEP or WPA. 
-- Toivo Voll Network Administrator Information Technology Communications University of South Florida -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of David Blahut Sent: Wednesday, December 23, 2009 14:25 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Encryption and Authentication Greetings, We are beginning to deploy encrypted wireless and I am looking for some words of wisdom. Mainly what method you used and what reasons as to why you chose said method or any reason you wish you had not. We have looked at many of the different flavors of EAP but are unsure of any clear advantage of one over the other. We are a Cisco LWAPP shop with Cisco ACS playing the role of RADIUS with open LDAP in the back-end. Any advice would be helpful; anything to look out for, any gotchas, any show stoppers, and any success stories. Thanks, David
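The cleartext username raised in Diana Cortes's reply above comes from the EAP-Response/Identity message, which is exchanged before any PEAP or TTLS tunnel exists. The following is an added example, not part of the original thread: it parses that message (RFC 3748 layout) and reports whether the outer identity exposes a username. The packets, the example.edu realm and the set of names treated as anonymous are constructed assumptions.

```python
"""Added example: read the outer identity from EAP-Response/Identity packets."""
import struct

EAP_RESPONSE = 2        # EAP Code value for a Response (RFC 3748)
EAP_TYPE_IDENTITY = 1   # EAP Type value for Identity (RFC 3748)
# Assumed site convention for privacy-preserving outer identities.
ANONYMOUS_USERS = {"", "anonymous", "anon"}


def build_identity_response(identifier, identity):
    """Build the packet a supplicant sends in answer to EAP-Request/Identity."""
    payload = identity.encode("utf-8")
    header = struct.pack("!BBHB", EAP_RESPONSE, identifier,
                         5 + len(payload), EAP_TYPE_IDENTITY)
    return header + payload


def parse_outer_identity(packet):
    """Return the identity string, or None if this is not a Response/Identity."""
    if len(packet) < 5:
        raise ValueError("too short for an EAP request/response header")
    code, _identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length < 5 or length > len(packet):
        raise ValueError("EAP length field does not match the packet")
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None
    # No decryption step: the identity bytes follow the header as plain text.
    return packet[5:length].decode("utf-8", errors="replace")


def classify_identity(identity):
    """Label an outer identity by whether its user part names a real account."""
    user, _sep, _realm = identity.partition("@")
    if user.lower() in ANONYMOUS_USERS:
        return "anonymous"
    return "exposes-username"


def audit(packets):
    """Return (identity, verdict) for every Response/Identity in packets."""
    findings = []
    for packet in packets:
        identity = parse_outer_identity(packet)
        if identity is not None:
            findings.append((identity, classify_identity(identity)))
    return findings


# Constructed sample traffic: three identity responses and one PEAP start
# request (EAP type 25), which carries no identity and must be skipped.
SAMPLE_PACKETS = [
    build_identity_response(1, "jdoe@example.edu"),
    build_identity_response(2, "anonymous@example.edu"),
    build_identity_response(3, "@example.edu"),
    bytes([1, 4, 0, 6, 25, 0x20]),
]

if __name__ == "__main__":
    for identity, verdict in audit(SAMPLE_PACKETS):
        print(f"{identity!r}: {verdict}")
```

The same check can be run against the User-Name attribute of RADIUS Access-Request records, since the authenticator copies the outer identity there.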
RE: 802.11n Solutions
Frank, We have been running Aruba's centralized 802.11n solution here at Liberty University for the past year. Early on, there were some stability & scalability issues, but they have been resolved. I know that this summer, during our testing for Video over wireless, we had 20 clients simultaneously receiving unicast streaming 3 megabit video, all on a single access point. At the time, this was on unreleased code that has since been released. Our wireless technician may have more information, but he is currently away on holiday break. Bruce Osborne Network Engineer Liberty University -Original Message- From: Frank Bulk [mailto:frnk...@iname.com] Sent: Saturday, December 19, 2009 4:18 PM Subject: Re: 802.11n Solutions The feature gaps you mention suggest that despite all the years that this solution has had to bake, it does not have feature parity with its competitors. It appears to be more than just a difference in architecture. I find it interesting that 2+ years after the introduction of 802.11n APs and ensuing debate regarding of centralized versus distributed, that the debate has simmered down and the throughput of the controllers has met everyone's needs or the vendor has a reasonable method for scalability. Has anyone seen a dual-radio 802.11n AP with a sustained throughput of even 20 Mbps over a 5-minute polling period? From what I read on this list, client/AP interoperability and AP/controller software stability are the top two technical issues that wireless administrators face. Frank -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Mueller Sent: Wednesday, December 16, 2009 11:25 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] 802.11n Solutions Pablo, Our experience with the HP MSM765 controller is mixed. It has a conceptually different architecture than most of the other controller models out there. 
One key difference is that the controller works much better in an environment where you forward traffic from wireless users directly at the AP rather than tunneling user traffic back to the controller (distributed rather than centralized model). There are both pros and cons to this approach. The HP support engineers have encouraged us to use the distributed approach with this product for our primary SSID (WPA2-enterprise/AES). There is no *simple* association of an SSID to a VLAN, if you tunnel traffic to the controller. You can assign VLANs to an SSID at the controller, but there are two ways to do it and caveats that go along with both. There are a couple of roadmap features that might be very powerful in terms of fixing this issue, but nothing that has been realized in current production code. An SSID - VLAN relationship is easy to construct, if you bridge traffic at the AP rather than the controller. In fact, if you are using a distributed model, you can set the VLAN - SSID relationship for all APs, a group of APs, or individually at a single AP (and you can have a mix based on simple inheritance rules). In our testing case, we have a different VLAN for our primary SSID per building. We have had several issues with their web-based captive portal, but I don't think there is a perfect captive portal in any controller-based solution. You should note that you must forward traffic to the controller, if you want to use the captive portal. We have also had some performance issues when tunneling traffic to the controller. We would really like to see user load balancing across both APs and bands rolled into the product (no band steering and no active user balancing across APs). You can set the maximum number of users you want per radio, but that value is set across an entire SSID on a controller rather than being applied per a group of APs (i.e., there is no way to vary this setting by geographic region or AP type other than adding an additional controller). 
The RF management is fairly rudimentary, but I am sure this is being worked on diligently. There is currently no N+1 redundancy, but you might well imagine that this is also an issue they are diligently working on. You can get some redundancy now by simply assigning multiple controller addresses to the APs. The MSM422 itself has done well in our pilot and testing (~100 APs). We have been supporting about 800 simultaneous users in our library during the busiest two weeks of the year. We have had a reasonable response on the engineering and support side. I think this is a great fit for small to medium sized deployments. But you will need to consider whether the product scales appropriately for your environment. I encourage you to contact an HP sales representative that might be able to give you more detailed information about the product roadmap and future features. If you want to know some more specifics about our
RE: 802.11n Solutions
Pablo, We here at Liberty University recently migrated to Aruba's 802.11n solution. I am sure that we have a larger, more complex deployment than you have, but Aruba has solutions for various sized deployments. Aruba's technical support is dedicated, thorough, and very customer focused. If a customer is not satisfied, they have all the contact information to contact their global director of support directly. Feel free to contact me offline for more information. Bruce Osborne Network Engineer Liberty University -Original Message- From: Pablo J. Rebollo-Sosa [mailto:pablo.rebo...@upr.edu] Sent: Wednesday, December 16, 2009 6:55 AM Subject: 802.11n Solutions Hi, We are looking for 802.11n solutions. I would like to know more about Enterasys and HP solutions experience. Best regards, Pablo J. Rebollo
RE: Stolen Wireless Device Tracking?
Liberty University has been primarily using Airwave too. If there is only one MAC address missing, Aruba ECS / Bradford Campus Manager can alert too. Bruce Osborne Liberty University From: Justin Hao [mailto:j...@tamu.edu] Sent: Tuesday, December 08, 2009 12:17 PM Subject: Re: Stolen Wireless Device Tracking? We've actually used airwave to solve this issue. It has the capability to flag and email/alert when the stolen MAC address appears anywhere on the wireless network. Also it can physically locate the device within VisualRF (mapping/location services). We located a stolen library laptop when it was plugged back into its charging cart after being lost for weeks. -- Justin Hao Network Engineer Texas A&M University Networking and Information Security j...@tamu.edu Lee H Badman wrote: Unfortunately, we experience the occasional theft of University-owned or personal laptops. Using Cisco WCS, we can certainly find the last place a device was, if the wireless adapter was on, before it egressed campus. What is missing is a mechanism to flag a MAC address to alert on a client device if it pops back up on the network so there may be an opportunity to react. Has anyone else faced and conquered alerting on specific clients (for whatever reason)? Thanks- Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Adjunct Instructor, iSchool Syracuse University 315 443-3003 -- Justin Hao Network Engineer Texas A&M University Networking and Information Security j...@tamu.edu (979)862-2162
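The mechanism asked for in the thread above (flag a MAC address and alert when it reappears) can be approximated from controller association logs where the management platform has no such feature. This is an added example, not code from any poster or vendor: the log format, AP names, MAC addresses and asset tag are constructed, and the `ap=` field is an assumed convention.

```python
"""Added example: match flagged MAC addresses against association log lines."""
import re

# Accepts colon/hyphen pairs, Cisco dotted quads, and bare 12-digit hex.
MAC_RE = re.compile(
    r"\b(?:[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}"
    r"|[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}"
    r"|[0-9A-Fa-f]{12})\b"
)
AP_RE = re.compile(r"\bap=(\S+)")  # assumed field name in the sample format


def normalize_mac(text):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def find_sightings(lines, watchlist):
    """Return one record per (flagged MAC, AP) with first line and hit count.

    Grouping by AP keeps a roaming or re-associating client from producing
    an alert on every log line while still showing each new location.
    """
    wanted = {normalize_mac(mac): label for mac, label in watchlist.items()}
    sightings = {}  # insertion-ordered: first sighting comes first
    for line_no, line in enumerate(lines, start=1):
        ap_match = AP_RE.search(line)
        ap = ap_match.group(1) if ap_match else "unknown"
        for token in MAC_RE.findall(line):
            mac = normalize_mac(token)
            if mac not in wanted:
                continue
            record = sightings.setdefault((mac, ap), {
                "mac": mac, "asset": wanted[mac], "ap": ap,
                "first_line": line_no, "count": 0,
            })
            record["count"] += 1
    return list(sightings.values())


# Constructed watchlist: locally administered MAC, made-up asset tag.
WATCHLIST = {"02:00:5e:10:00:02": "LIB-LAPTOP-0042"}

# Constructed log lines; the flagged client appears in three notations.
SAMPLE_LOG = """\
Dec  8 09:14:02 wlc1 assoc: client 02:00:5E:10:00:01 ap=lib-2f-ap07 ssid=campus
Dec  8 09:14:05 wlc1 assoc: client 0200.5e10.0002 ap=dorm-a-ap12 ssid=campus
Dec  8 09:15:40 wlc2 assoc: client 02-00-5E-10-00-02 ap=lib-1f-ap03 ssid=campus
Dec  8 09:16:11 wlc2 assoc: client 02:00:5e:10:00:03 ap=lib-1f-ap03 ssid=guest
Dec  8 09:17:30 wlc1 assoc: client 02005e100002 ap=dorm-a-ap12 ssid=campus
"""

if __name__ == "__main__":
    for hit in find_sightings(SAMPLE_LOG.splitlines(), WATCHLIST):
        print(f"ALERT {hit['asset']} ({hit['mac']}) at {hit['ap']}: "
              f"first seen line {hit['first_line']}, {hit['count']} hit(s)")
```

Normalizing before comparison matters because controllers, switches and NAC systems rarely agree on MAC notation; a string comparison against the watchlist would miss two of the three sightings in the sample.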
RE: Upgrade to N
Bruce, We here at Liberty University have just finished moving our wireless & NAC. Our old system used Cisco 1231 802.11b/g autonomous APs, WLSE (attempted) & Cisco Clean Access. We evaluated & tested our options for more than a year. The major vendor offerings that we evaluated in depth were from Cisco and Aruba Networks. We chose Aruba ECS (based on Bradford Campus Manager) for NAC, Aruba's AP-125 N APs, and Aruba's Airwave product for wireless management. We are now starting to deploy their new AP-105 N APs in select locations. We did a one for one replacement in some of our dorm areas. In other areas, we deployed APs based on a survey since our old coverage was a nightmare. We primarily used simulation / planning software for the surveys. Follow-up spot checks helped verify our service. We monitor AP usage and reclaim some under used APs and augment coverage in areas with over-used APs. We now tunnel our Guest SSID to a DMZ on our network edge. This provides a firewall between guests & our internal network. This summer, we deployed multicast IPTV over wireless using Video Furnace (A press release is at http://www.marketwire.com/press-release/Aruba-Networks-Inc-NASDAQ-ARUN-1069662.html). Aruba's support has been great. Due to the density of APs per controller (They handle up to 512 APs) and other issues, there have been some technical challenges, but Aruba has patched these issues very quickly. They are very customer focused. All customers have the information to directly contact their Global Director of Support, if needed. He also reads & responds to the feedback surveys after a ticket is completed. It has been a hectic year. We now have almost 12000 resident students and over 700 APs deployed. We still have a couple of pockets of our old wireless that we will eliminate as time & budget permit. Feel free to contact me off-line for further details. 
Bruce Osborne Network Engineer Liberty University From: Entwistle, Bruce [mailto:bruce_entwis...@redlands.edu] Sent: Thursday, December 03, 2009 3:04 PM Subject: Upgrade to N We are currently looking at upgrading our current Cisco 1200 autonomous APs, with WLSE management to a new wireless N network. The new vendor has yet to be determined. I was looking to learn from others who have made a similar migration how the move to N changed AP deployment? Was it a simple one for one replacement where you were able to install the new APs in the same location as the previous APs, eliminating the need for additional cabling? Was a new wireless survey conducted, requiring different AP locations? Please let me know what your experience has been. Thank you Bruce Entwistle Network Manager University of Redlands
RE: Cisco WISM - what do you think?
Mike, I am not sure what capabilities are available there. I will check and get back to you with an answer. Bruce From: Whitlow, Michael [mailto:mwhit...@bumail.bradley.edu] Sent: Thursday, November 12, 2009 12:14 PM To: Osborne, Bruce W. (NS); WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: RE: Cisco WISM - what do you think? Thank you for the link. I did go to a presentation about Aruba last week. We have about 300 access points now and are projecting another 200 within the next few years if the money becomes available. I can't see us going all Aruba at one time, but I could see us possibly getting an Aruba controller and using it on our Cisco APs, for starters at least... Aruba said that was possible.. Is anyone on here doing that? From: Osborne, Bruce W. (NS) [mailto:bosbo...@liberty.edu] Sent: Thursday, November 12, 2009 4:00 AM To: Whitlow, Michael Cc: Osborne, Bruce W. (NS) Subject: RE: Cisco WISM - what do you think? I trust you have also investigated offerings from vendors other than Cisco. We are an all-Cisco shop. After much study, we moved from Cisco WLSE, fat 1231 b/g APs, and Clean Access to Aruba Networks 802.11n offering with Aruba ECS (Bradford Campus Manager) for NAC. You may have seen a recent press release on our latest partnership effort with Aruba . If not, here is a link. http://www.marketwire.com/press-release/Aruba-Networks-Inc-NASDAQ-ARUN-1069662.html Bruce Osborne Network Engineer Liberty University From: Whitlow, Michael [mailto:mwhit...@bumail.bradley.edu] Sent: Wednesday, November 11, 2009 2:31 PM Subject: Re: Cisco WISM - what do you think? I wanted to thank everybody who responded to this post of mine. I read every reply multiple times and your information was really really appreciated. Mike From: Whitlow, Michael Sent: Wednesday, November 04, 2009 1:07 PM To: 'WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU' Subject: Cisco WISM - what do you think? 
Hello, I am curious to hear about your experiences and thoughts on the Cisco WISM technology, good or bad? I am a pretty big fan of WLSE but its life is coming to an end soon. I am trying to find someone other than my sales rep or Cisco themselves tell me something good about the WISM technology. From what I have heard and read online so far, the WISM technology has a lot of good benefits regarding management. However, I also hear that along with those benefits you get lots of new bugs and glitches to deal with. Is that true? Thanks much Mike Whitlow Network Analyst Bradley University Peoria, Illinois
RE: Cisco WISM - what do you think?
Mike, Here is what I sent Aruba: What are the capabilities of using an Aruba controller to manage Cisco APs. I expect they could be made fat APs if needed. Here is the response I received from one of their engineers: (Aruba now owns & sells Airwave AWMS) In brief, The Airwave system can manage the APs, while the Aruba controller can be used in two ways: Wired authentication, such as captive portal, or a mode known as stateful dot1x, where we essentially sniff the Cisco AP's RADIUS transaction and authenticate the clients if accepted by RADIUS. Either way, the Cisco APs would need to connect through the Aruba controllers. If you can expand a bit on what you need, we can offer some suggestions - I'm sure our sales team can offer a trade-in program, too ;) In short, it can be done. I expect you would be able to take advantage of Aruba's integrated firewall too. Bruce Osborne Liberty University From: Osborne, Bruce W. (NS) Sent: Thursday, November 12, 2009 12:39 PM To: Whitlow, Michael; WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Cc: Osborne, Bruce W. (NS) Subject: RE: Cisco WISM - what do you think? Mike, I am not sure what capabilities are available there. I will check and get back to you with an answer. Bruce From: Whitlow, Michael [mailto:mwhit...@bumail.bradley.edu] Sent: Thursday, November 12, 2009 12:14 PM To: Osborne, Bruce W. (NS); WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: RE: Cisco WISM - what do you think? Thank you for the link. I did go to a presentation about Aruba last week. We have about 300 access points now and are projecting another 200 within the next few years if the money becomes available. I can't see us going all Aruba at one time, but I could see us possibly getting an Aruba controller and using it on our Cisco APs, for starters at least... Aruba said that was possible.. Is anyone on here doing that? From: Osborne, Bruce W. (NS) [mailto:bosbo...@liberty.edu] Sent: Thursday, November 12, 2009 4:00 AM To: Whitlow, Michael Cc: Osborne, Bruce W. 
(NS) Subject: RE: Cisco WISM - what do you think? I trust you have also investigated offerings from vendors other than Cisco. We are an all-Cisco shop. After much study, we moved from Cisco WLSE, fat 1231 b/g APs, and Clean Access to Aruba Networks 802.11n offering with Aruba ECS (Bradford Campus Manager) for NAC. You may have seen a recent press release on our latest partnership effort with Aruba. If not, here is a link. http://www.marketwire.com/press-release/Aruba-Networks-Inc-NASDAQ-ARUN-1069662.html Bruce Osborne Network Engineer Liberty University From: Whitlow, Michael [mailto:mwhit...@bumail.bradley.edu] Sent: Wednesday, November 11, 2009 2:31 PM Subject: Re: Cisco WISM - what do you think? I wanted to thank everybody who responded to this post of mine. I read every reply multiple times and your information was really really appreciated. Mike From: Whitlow, Michael Sent: Wednesday, November 04, 2009 1:07 PM To: 'WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU' Subject: Cisco WISM - what do you think? Hello, I am curious to hear about your experiences and thoughts on the Cisco WISM technology, good or bad? I am a pretty big fan of WLSE but its life is coming to an end soon. I am trying to find someone other than my sales rep or Cisco themselves tell me something good about the WISM technology. From what I have heard and read online so far, the WISM technology has a lot of good benefits regarding management. However, I also hear that along with those benefits you get lots of new bugs and glitches to deal with. Is that true? Thanks much Mike Whitlow Network Analyst Bradley University Peoria, Illinois
RE: BW capping
Jason, We here at Liberty University were also looking for a scalable bandwidth management solution. We needed integration with our Aruba ECS / Bradford Campus Manager NAC solution. We evaluated both the Allot NetEnforcer and the Procera PacketLogic solutions. The Allot solution was almost twice the price of the Procera solution. We liked the Procera solution so much that we have decided to replace our external PacketShaper packet shaping appliances with Procera PacketLogic. We have two Internet edges and we designed a highly available solution that handles our 2-Gigabit PortChannels to each edge switch. Feel free to contact me off-list for further details. Thanks, Bruce Osborne Network Engineer Liberty University -Original Message- From: Jason Appah [mailto:jason.ap...@oit.edu] Sent: Monday, September 28, 2009 5:02 PM Subject: Re: BW capping I probably should have been more specific, we have a packeteer 7500 for shaping applications, the dorms need to be able to shut off internet for specific users after they have reached their BW limit for the month. sort of like metered usage? Jason Appah Systems Administrator Oregon Institute of Technology office 541-885-1719 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Jason Appah [jason.ap...@oit.edu] Sent: Monday, September 28, 2009 12:54 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] BW capping Also on the subject, do you all cap per user bandwidth? We recently reconstructed our dorms, and began support of the resnet (before the recession they had their own foot soldiers taking care of it). The old resnet had a hodge podge of homegrown bandwidth caps tools that they used to limit people from excessive downloading (essentially anyone who downloaded more than 10 Gig a month). We are currently looking into continuing to do this but were split as to whether or not it is an antiquated process. 
We would like to purchase a standards based tool but have been unable to located one that works on a large scale. 1) What do people use who do bandwith cap? 2) Do you Bandwith Cap? Why or Why Not? ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: separating 'types' of users
Jamie, Here at Liberty University, we currently separate Guest users to their own, bandwidth-limited SSID that is tunneled out to a DMA on our firewall. Our primary user SSIDs are 802.11a/b/g 2.4GHz. 802.11n. We also have a high speed 5GHz 802.11n SSID. We have eliminated the base rates below 24Mb on this SSID to speed up the beaconing. In the future, we plan on offering VideoFurnace television video on this SSID. Bruce Osborne Network Engineer Liberty University

From: Jamie Savage [mailto:jsav...@yorku.ca] Sent: Tuesday, September 22, 2009 3:37 PM Subject: Re: separating 'types' of users

Thanks to all who responded... food for thought. One area that I was looking for a comment on (and no one did which is an answer in itself). I was wondering if anyone segregates user types in the RF. e.g. keep students in the 2.4 and admin in 5.0 or with channel overlays (with virtual cell or multiple APs with micro-cell) with a particular channel for admin only and students on another... things like that. I assume by the lack of commentary on this type of thing, that we're not concerned about one group impacting the other when using multiple SSIDs on the same radio. Presumably, 11n speeds make this a non issue? ...thx. J

James Savage
York University
Senior Communications Tech.
108 Steacie Building, 4700 Keele Street, Toronto, Ontario M3J 1P3, CANADA
jsav...@yorku.ca ph: 416-736-2100 ext. 22605 fax: 416-736-5830
RE: Large numbers of clients in one room
Unfortunately, at least here in the US, many consumer level laptops are using 802.11b/g/n wireless NICs. They still only have the 2.4GHz radio, so no 300Mbit speeds :( So, unfortunately the 2.4GHz 802.11b/g mess will be around for a while. We have a separate SSID for high speed users that is just 5GHz 802.11n. The 802.11a users can see the SSID, but not associate. On that SSID, our minimum transmitted rate is 24 Mbit (6 18 are disabled). Bruce Osborne Liberty University

From: Methven, Peter J [mailto:p.j.meth...@hw.ac.uk] Sent: Tuesday, August 11, 2009 11:56 AM Subject: Re: Large numbers of clients in one room

I understand that reducing the transmit power reduces the range that devices can connect at particular data rates, what I was saying was that in practical terms, where I've had a requirement for a high density of users, I've generally found the distances from user to AP are not that big; i.e. a classroom or lecture hall. And turning transmit power down has very little effect unless the user density is spread across more than one room. I hadn't thought of removing some of the lower data rates though. Perhaps I've just not been brave enough in how low I've turned the transmit power! 5 Ghz is a bit of an issue for us as Air Traffic Control cuts across a big swathe of the 5 Ghz range, also a lot of devices ship with 802.11a disabled in the driver, or just with 802.11b/g radios, hopefully as our student population refreshes they'll have newer devices which are 802.11n and therefore inherently 2.4 Ghz and 5 Ghz capable :). Many Thanks Peter

Peter Methven. MBCS, BENG (Hons) Network Specialist Computer Centre (The Allen McTernan Building) Heriot-Watt University Edinburgh EH14 4AS Telephone: +44 (0)131 4513516 / 07774 427548 Email p.j.meth...@hw.ac.uk

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Ryan Holland Sent: 11 August 2009 16:42 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Large numbers of clients in one room

Reducing transmit power should reduce the range devices can connect at particular data rates. You can remove support of some of the lower data rates so that as devices throttle down, they'll look for better APs more quickly instead of holding onto APs at 12, 9, 6mbps, etc. Keep in mind that it should be each channel, not AP/radio, that should be designed to support a particular number of devices.
==
Ryan Holland Network Engineer, Wireless CIO - Infrastructure The Ohio State University 614-292-9906 holland@osu.edu

On Aug 11, 2009, at 11:31 AM, Methven, Peter J wrote:

Out of interest what level of transmission did you lower your APs to? I've found changing transmit power has very little effect within a single open-plan room, it only really seems to have much effect when the signal hits obstacles such as walls, and shelves of books etc. Many Thanks Peter

Peter Methven. MBCS, BENG (Hons) Network Specialist Computer Centre (The Allen McTernan Building) Heriot-Watt University Edinburgh EH14 4AS Telephone: +44 (0)131 4513516 / 07774 427548 Email p.j.meth...@hw.ac.uk

-----Original Message----- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Gardner Sent: 11 August 2009 16:21 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Large numbers of clients in one room

Our team designed our system to accommodate large numbers of people in one area by installing a greater density of AP's, lowering the AP transmit power, turning off the slower B transmit rates, and encouraging users to utilize 5Ghz N. Thanks, Greg Gardner Manager, Network Communications Information and Technology Services Rochester Institute of Technology greg.gard...@rit.edu

-----Original Message----- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of John York Sent: Tuesday, August 11, 2009 11:05 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Large numbers of clients in one room

Hi We have a small installation with about 40 Cisco lwap's (b/g) running on a Cisco 4402. I've just gotten a request from a group that wants to run 50+ clients in one room. The last time we tried that about 4 years ago, it was a disaster. We had fat AP's at the time. There were a lot of Mac's, and they kept grabbing each other instead of the AP's. Ugh. How do folks handle this now? With my current system can I just throw a couple more AP's in the room and let them have at it? Thanks John John York Blue Ridge Community College, VA
RE: Single Channel vs Multi-Channel Architecture
Jason, I wholeheartedly agree. We here at Liberty University spent a year evaluating wireless NAC solutions. We chose to move from Cisco fat APs and Clean Access to Aruba's wireless and ECS NAC solutions. The real challenge is in dense environments. Meru's single channel becomes channel stacking aka multi-channel to provide additional bandwidth. You then have the client roaming issues again. Also, you cannot steer clients to load balance the clients across available resources. Aruba's ARM 2.0 has many options in this situation and solves many of the issues that Meru's architecture solves. With a single channel architecture, you are stuck if some interference appears in that RF range. The system may be able to change to another channel, but that WOULD CAUSE *all* the clients to roam. In a multi-channel architecture, only a small number of clients would be affected. There is obviously a reason why Meru is the _only_ vendor with single channel. All the others (including the largest players) use a multi-channel solution. If Meru's solution is so great, you would see others with single-channel too, even if they needed to license technology from Meru. Bruce Osborne Liberty University

From: Jason Appah [mailto:jason.ap...@oit.edu] Sent: Wednesday, July 29, 2009 1:44 PM Subject: Re: Single Channel vs Multi-Channel Architecture

I agree wholeheartedly, the Aruba ARM works quite nicely, recently the neighboring hospital turned up its radios, and ARM switched us out without missing a beat. We reviewed Meru's devices and liked the approach, but were less than wowed with the completeness of the feature set. In the end we chose Aruba for four reasons:
Price - pretty self explanatory
Performance/deployment - (this was identical in most and in many of our use cases better than Meru)
Feature Set - Aruba has obviously spent many hours actually listening to and implementing user centric changes, I don't know of a more feature rich wireless solution
Support - Aruba has in many occasions been proactive, where I have posted a question to this forum and others to actually go out of their way to contact me to help me fix a problem, in some instances where the problem wasn't even Aruba's at all...
We haven't looked back.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Ken Connell Sent: Wednesday, July 29, 2009 9:15 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Single Channel vs Multi-Channel Architecture

I don't have much experience with a single channel deployment, but without even getting into vendor preferences or specifics I can't see how a single channel can gain any performance in such an unpredictable and dynamically changing environment as far as other devices, and wireless networks that will come and go probably on a daily basis with little or no control. The channel you decide on today, may not be the best suited channel tomorrow, and if you then need to make a change at that point, then you've just come full circle and are right back where you started. In my opinion it just makes sense to go with an automated RF type deployment (Aruba ARM for us) and be able to sleep at night ;) Ken Connell Intermediate Network Engineer Computer Communication Services Ryerson University 350 Victoria St RM AB50 Toronto, Ont M5B 2K3 416-979-5000 x6709

From: Ryan Holland Date: Wed, 29 Jul 2009 09:04:34 -0400 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Single Channel vs Multi-Channel Architecture

...interesting thread... When we were making our decision 3+ years ago, we discounted Meru primarily on scalability information in their RFP response. So unfortunately, we did not get a chance to bring them in for a demo. I am still quite skeptical about a single-channel architecture but believe I understand why it is promoted: to assist devices in roaming by creating a seemingly single BSSID. However, once we see more devices supporting standards such as 802.11k and 802.11r, such efforts, to me, are negated. Again, however, I have not had the opportunity to play with this gear, so [disclaimer]. We have been deploying Aruba for some time and have learned a great deal about their technology, so I will caution the trusting of intelligent radio management solutions. Instead, I would suggest one utilize this technology while maintaining a tight supervision of it. Using Aruba with whom I am most experienced, their adaptive radio management (ARM) is quite powerful, as it allows for dynamic remodeling for channel and power based on the environment. This means that as other building tenants bring in their own wireless systems, our network can modify its channel configuration accordingly. Also, in the event of an AP failure, adjacent APs will likely perceive a lower aggregate signal strength of neighboring APs, boost their power, and thus help alleviate
RE: Replacing Bluesocket with Cisco NAC (formerly known as Clean Access)
Wim, I am not sure what you mean by auto RF. I assume that you mean that the central controller controls the AP radio channel and power settings. Aruba calls this Adaptive Radio Management (ARM). We use many of Aruba's ARM features here at Liberty University with no issues using Cisco phones. Bruce Osborne Liberty University

From: Wim Bos [mailto:w...@lumiad.nl] Sent: Saturday, July 25, 2009 11:50 AM Subject: Re: Replacing Bluesocket with Cisco NAC (formerly known as Clean Access)

I have a completely different question. Is any of you using auto RF? We are not in favor of it after using it for a while on several customer sites. The main issue is that with voip it tends to get instable and in a lot of cases it creates blackspots. I was curious on the experience with auto rf from this group. It is basically brand independent. Most systems work the same way. Thanks Kind Regards, Wim Bos
Strijkviertel 61, 3454 PK De Meern, Netherlands
Phone +31 30 711 5685 Fax +31 30 293 5711 Mobile +31 6 246 45 713
www.lumiad.nl w...@lumiad.nl
Lumiad, when it comes to wireless...

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Osborne, Bruce W. (NS) Sent: zaterdag 25 juli 2009 11:49 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Replacing Bluesocket with Cisco NAC (formerly known as Clean Access)

Kevin, Unfortunately I must agree with Manoj. Liberty University has historically been a Cisco shop. We are completing our move away from CCA. CCA is primarily designed as a Layer-2 solution, although it may be deployed as a Layer-3 solution if VRF (Virtual Routing and Forwarding) and PBR (Policy Based Routing) are added to the network. We deployed CCA as a high availability solution for in-band wireless (with Cisco fat APs) and out-of-band wired. Actually out-of-band users are in-band until they are authenticated. The out-of-band solution for wireless is a relatively new offering that requires the Cisco lightweight wireless solution. I doubt you will find many that currently have this deployed. Our new solution is a Layer-3 totally Out-of-Band solution. We had over 30 physical servers for CCA on our network. The new solution has 4 for high availability. We primarily used LDAP authentication against Active Directory for our students. For University machines, we used single sign on, eliminating the CCA login screen. We used RADIUS accounting to our Cisco ACS server. We considered CCA and Cisco's lightweight wireless solution. We chose another vendor for wireless NAC. Our new solution is not perfect, but it seems to meet our needs better than the Cisco solutions. Feel free to contact me offline for more information. Bruce Osborne Network Engineer Liberty University

From: Kevin Fitzgerald [mailto:kwfitzger...@ualr.edu] Sent: Friday, July 24, 2009 10:59 AM Subject: Re: Replacing Bluesocket with Cisco NAC (formerly known as Clean Access)

Well that's encouraging :) I am curious about the dealbreaker issues that you had. Did you uncover some important 'gotchas?' K. Fitzgerald UALR Networks

On Fri, Jul 24, 2009 at 9:47 AM, Manoj Abeysekera <ma...@american.edu> wrote:

We do have a similar setup although we are fast changing. We do OOB for wired with Cisco NAC (CCA). For wireless it is still in-band with CCA. No offense but CCA seems to be a (and have been) very problematic product for us and we are hoping to change that soon. Thanks Manoj
--
P. Manoj Abeysekera, CWNA Network Engineer American University 4200 Wisconsin Ave, NW Washington DC. 20016

Kevin Fitzgerald <kwfitzger...@ualr.edu> Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 07/24/2009 10:21 AM Please respond to The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU cc: Subject: [WIRELESS-LAN] Replacing Bluesocket with Cisco NAC (formerly known as Clean Access)

Hello all, We are currently in the process of replacing our Bluesocket Secured Controller appliances with Cisco's NAC. The Bluesockets are only used for LDAP auth (user login). In our environment we will be doing
RE: Replacing Bluesocket with Cisco NAC (formerly known as Clean Access)
Kevin, Unfortunately I must agree with Manoj. Liberty University has historically been a Cisco shop. We are completing our move away from CCA. CCA is primarily designed as a Layer-2 solution, although it may be deployed as a Layer-3 solution if VRF (Virtual Routing and Forwarding) and PBR (Policy Based Routing) are added to the network. We deployed CCA as a high availability solution for in-band wireless (with Cisco fat APs) and out-of-band wired. Actually out-of-band users are in-band until they are authenticated. The out-of-band solution for wireless is a relatively new offering that requires the Cisco lightweight wireless solution. I doubt you will find many that currently have this deployed. Our new solution is a Layer-3 totally Out-of-Band solution. We had over 30 physical servers for CCA on our network. The new solution has 4 for high availability. We primarily used LDAP authentication against Active Directory for our students. For University machines, we used single sign on, eliminating the CCA login screen. We used RADIUS accounting to our Cisco ACS server. We considered CCA and Cisco's lightweight wireless solution. We chose another vendor for wireless NAC. Our new solution is not perfect, but it seems to meet our needs better than the Cisco solutions. Feel free to contact me offline for more information. Bruce Osborne Network Engineer Liberty University

From: Kevin Fitzgerald [mailto:kwfitzger...@ualr.edu] Sent: Friday, July 24, 2009 10:59 AM Subject: Re: Replacing Bluesocket with Cisco NAC (formerly known as Clean Access)

Well that's encouraging :) I am curious about the dealbreaker issues that you had. Did you uncover some important 'gotchas?' K. Fitzgerald UALR Networks

On Fri, Jul 24, 2009 at 9:47 AM, Manoj Abeysekera <ma...@american.edu> wrote:

We do have a similar setup although we are fast changing. We do OOB for wired with Cisco NAC (CCA). For wireless it is still in-band with CCA. No offense but CCA seems to be a (and have been) very problematic product for us and we are hoping to change that soon. Thanks Manoj
--
P. Manoj Abeysekera, CWNA Network Engineer American University 4200 Wisconsin Ave, NW Washington DC. 20016

Kevin Fitzgerald <kwfitzger...@ualr.edu> Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> 07/24/2009 10:21 AM Please respond to The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU cc: Subject: [WIRELESS-LAN] Replacing Bluesocket with Cisco NAC (formerly known as Clean Access)

Hello all, We are currently in the process of replacing our Bluesocket Secured Controller appliances with Cisco's NAC. The Bluesockets are only used for LDAP auth (user login). In our environment we will be doing wireless and wired out-of-band (OOB) in virtual gateway mode, and our NAC is centrally deployed. Our wireless access points operate in lightweight mode using Cisco Wireless Lan Controllers. All of our WAPS are Cisco 1231 (LWAPP) running off of Cisco WLCs. We are moving to a Cisco end-to-end solution composed of the NAC, WLCs, and WAPs. I'd love to hear from some folks who have already gone down this road. The documentation that I've read often refers to RADIUS accounting records. Has anyone implemented a wireless OOB solution with LDAP? Kindest regards, K. Fitzgerald Computing Services Networks University of Arkansas at Little Rock
RE: Cisco Aironet without WEP and DHCP Problem
If you are using 802.1q trunks, for the AP ports, the data vlan needs to be allowed on the trunk. Switchport port security may limit the number of connecting MAC addresses. I do not think that spanning-tree bpduguard affects these APs. Just a few more areas to check. Bruce Osborne Liberty University

From: Lee H Badman [mailto:lhbad...@syr.edu] Sent: Thursday, June 04, 2009 9:24 AM Subject: Re: Cisco Aironet without WEP and DHCP Problem

Hola Alexandre, Are you using DHCP snooping on your switchports anywhere? This could be a factor. -Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Alexandre Bastos Sent: Thursday, June 04, 2009 9:04 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Cisco Aironet without WEP and DHCP Problem

I'm Sysadmin on University of Fortaleza, a medium-sized university (around 25,000 students), located on Northeast of Brazil. Our Lan and Wlan are based on Cisco devices. But now, we are experiencing some strange behavior on our Wireless network. Here, we deployed a simple wireless environment, since our needs are very simple: just permit internet access to academic community from all places in the campus. So, we bought AP Aironet 1100 and 1200 series and put it on strategic places on each building. Ok, it was simple. Coverage area Ok! :). But now, I'm investigating a strange situation: the client connects on the wlan (without WEP/WPA, etc), but it cannot receive an IP Address from DHCP Server. I checked my core switch, edge switches, my dhcp server (a linux box), re-certified the cables that connect AP to edge switch, changed DHCP Server from Linux box to MS DHCP Server, and back to linux again.. etc etc ... without success. The problem doesn't have a specific period, or specific location or any relation with some event. Just the clients cannot connect on WLan (in fact, they connect, but don't receive an ip address). On my dhcp server log, I saw the DHCP DISCOVER packet from client, and the DHCP OFFER, from my DhcpServer to client. If I restart access-point, the problem is temporarily solved. (Look, this strange behavior occurs with all 1100 and 1200 AP's, on different time, on different days, without a logical order). Did anyone experience any problem like this during the deployment of Wlan environment? Unfortunately our Cisco partner just limited to sell and deliver the equipment. Sorry about my bad English, and my long post. Best Regards
--
Alexandre Bastos
--
Fundação Edson Queiroz Universidade de Fortaleza Gerência em Tecnologia da Informação - GTI
RE: Meru and Broadcast Suppression
We here at Liberty University also use Aruba's VLAN pooling with /23 subnets. In our legacy fat AP system we used /20 subnets and performance was poor. Bruce Osborne Liberty University

From: Brooks, Stan [mailto:stan.bro...@emory.edu] Sent: Wednesday, May 27, 2009 7:00 PM Subject: Re: Meru and Broadcast Suppression

Aruba's VLAN pooling ROCKS
We use 4 VLANs/controller (all /24's) and pool them. Users are load-balanced across the 4 VLANs/subnets automagically. - Stan Brooks - CWNA/CWSP Emory University University Technology Services 404.727.0226 AIM/Y!/Twitter: WLANstan MSN: wlans...@hotmail.com GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Philippe Hanset Sent: Wednesday, May 27, 2009 4:16 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Meru and Broadcast Suppression

At the moment: /20 but with a lot of controls on Broadcast and Multicast (I would advise against it!) We lived well with a /21 though. Our new Aruba install is planned with a bunch of /23 and /24, using VLAN pooling. Philippe Univ. of TN

On May 27, 2009, at 3:50 PM, Scott Irey wrote:

Hello, Anyone that is using Meru know how well Meru does broadcast suppression to WLAN clients? Looking at some of my packet captures the broadcast traffic seems to be limited but I do see some broadcasted DHCP packets. I know they claim to do some suppression according to the config guide. It doesn't seem as cut and dry though as compared to how Cisco's WLC's do it. We are looking to possibly expand the size of our subnets for wireless and this plays into that. What are some of the subnet sizes that some of you are using for WLAN? Thanks! Scott Irey Network Telecom Systems Engineer Oakland University Office: 248.370.2808 Mobile: 248.505.9827
RE: Wireless-only in residence halls
Matt, We are looking into selling dual band 11n adapters. Which ones did you choose? What about desktop computers? Do you provide any solution for wireless? There do not seem to be any dual band 11n desktop cards. You can buy adapters and use some of the laptop cards, though. Thanks, Bruce Osborne Liberty University

-----Original Message----- From: Barber, Matt [mailto:barbe...@morrisville.edu] Sent: Saturday, April 25, 2009 1:21 PM Subject: Re: Wireless-only in residence halls

This is similar to our approach. We push the 5 GHz as much as possible. Between the microwaves, Xbox 360 controllers, Bluetooth, and everything else, the 2.4 GHz in the dorms is a tad unpredictable. We sell dual-band 11n adapters in our bookstore, educate helpdesk visitors, and I am always testing how things look in the field. The great majority of the time, things work perfectly fine. When it doesn't, I will typically work directly with students to figure out why. Flipping some adapters to prefer 5 GHz (or only use 5 GHz even), or even suggesting that the microwave not be sitting 6 inches from a laptop typically takes care of things :) Matt Barber Network Analyst Morrisville State College 315-684-6053

-----Original Message----- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hector J Rios Sent: Friday, April 24, 2009 7:19 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless-only in residence halls

I forgot to mention that as well. In almost all of the rooms that we went into when we were doing our surveys we saw a microwave oven and an occasional 2.4GHz cordless phone. We spoke to Res Life and explained to them the impact that such devices could have on the wireless network. Having a dual solution is great because the 5GHz band is less crowded. But unfortunately many wireless adapters tend to prefer the 2.4GHz band. Disabling the 2.4GHz would be wonderful, but the reality is that there are still a lot of legacy devices out there, so you have to support them. We even considered offering 2.4GHz at 2Mbps only, hoping that this would discourage users from using 2.4GHz altogether and opt for 5GHz. The issue here is how to get users to adjust settings on their end so that they only use 5GHz. Currently we have opted to attempt to educate our users on how wireless works, how certain devices can have detrimental effects on the network, and how small modifications to their adapter settings can make a huge difference. Utopian, I know. I'll let you guys know how that idea goes. Hector
RE: Wireless-only in residence halls
Matt, We are fast growing always changing. Moving to wireless-only in some areas allows you to remove switches and reuse them in new housing areas, etc. Bruce Osborne Liberty University -Original Message- From: Barber, Matt [mailto:barbe...@morrisville.edu] Sent: Saturday, April 25, 2009 1:09 PM Subject: Re: Wireless-only in residence halls Hi Bruce, We are not currently doing any IPTV. Our current cable TV system is working okay for us at the moment. I imagine we will evaluate that in the next couple years. I am interested to see what happens with what the wireless vendors are doing to optimize multicast video streams over wireless. But I see so many students streaming video online through Hulu already, that I wonder what the real future of video distribution is going to look like. I totally hear you on the cost savings. Our auxiliary corporation just built a new housing complex and chose to put wired ports in there in addition to the wireless. The wireless APs need ~60 gigabit ports, the student ports, which end up being more than one per student because of common areas and such, are 400+. Matt Barber Network Analyst Morrisville State College 315-684-6053 -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Osborne, Bruce W. (NS) Sent: Saturday, April 25, 2009 5:55 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless-only in residence halls Matt, Are you doing any IPTV? We currently use the VideoFurnace product. For us to move to wireless-only dorms, IPTV is a must. We are working with our vendor's advanced engineering team to have a partial solution working by this fall. There can be serious cost savings moving to wireless-only, especially when you are using gigabit PoE switches. 
Bruce Osborne Network Engineer Liberty University -Original Message- From: Barber, Matt [mailto:barbe...@morrisville.edu] Sent: Friday, April 24, 2009 1:27 PM Subject: Re: Wireless-only in residence halls Hey Mike, The majority of our dorms have been wireless only since 1999. The campus decided to put up wireless back then instead of wire a drop for each pillow. We have continued with that and now have pervasive 11n everywhere. For the gaming consoles, all of the modern ones have a built-in wireless adapter except for the Xbox 360, which has a separate USB one you can buy. We currently have over 200 gaming consoles set up and running over the wireless. I would be happy to talk to you more if you have any specific questions. Take care, Matt Barber Network Analyst Morrisville State College 315-684-6053 -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Michael Dickson Sent: Friday, April 24, 2009 11:42 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Wireless-only in residence halls Wondering if anyone has successfully implemented a wireless-only network in their residence halls. If so, how is it working out? Was this a planned migration away from an aging wired jack infrastructure or was it new construction? Are you doing this with 802.11n, b/g, a or everything? Any pitfalls? Did you still leave some client jacks around or were you able to go full-blown wireless? We have older (Cat 3 or worse) horizontal and are starting discussions around abandoning the wires and just installing home runs for APs. Any fresh advice would be greatly appreciated (saw an old thread from 2005). Regards, Mike -- Michael Dickson Network Analyst University of Massachusetts Amherst
RE: Wireless-only in residence halls
Matt, Are you doing any IPTV? We currently use the VideoFurnace product. For us to move to wireless-only dorms, IPTV is a must. We are working with our vendor's advanced engineering team to have a partial solution working by this fall. There can be serious cost savings moving to wireless-only, especially when you are using gigabit PoE switches. Bruce Osborne Network Engineer Liberty University -Original Message- From: Barber, Matt [mailto:barbe...@morrisville.edu] Sent: Friday, April 24, 2009 1:27 PM Subject: Re: Wireless-only in residence halls Hey Mike, The majority of our dorms have been wireless only since 1999. The campus decided to put up wireless back then instead of wire a drop for each pillow. We have continued with that and now have pervasive 11n everywhere. For the gaming consoles, all of the modern ones have a built-in wireless adapter except for the Xbox 360, which has a separate USB one you can buy. We currently have over 200 gaming consoles setup and running over the wireless. I would be happy to talk to you more if you have any specific questions. Take care, Matt Barber Network Analyst Morrisville State College 315-684-6053 -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Michael Dickson Sent: Friday, April 24, 2009 11:42 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Wireless-only in residence halls Wondering if anyone has successfully implemented a wireless-only network in their residence halls. If so, how is it working out? Was this a planned migration away from an aging wired jack infrastructure or was it new construction? Are you doing this with 802.11n, b/g, a or everything? Any pitfalls? Did you still leave some client jacks around or were you able to go full-blown wireless? We have older (Cat 3 or worse) horizontal and are starting discussions around abandoning the wires and just installing home runs for APs. 
Any fresh advice would be greatly appreciated (saw an old thread from 2005). Regards, Mike -- Michael Dickson Network Analyst University of Massachusetts Amherst
RE: Spectrum load balancing/Band steering
We tried it here at Liberty University, but turned it off. We found that some clients that insisted on preferring 802.11g were flapping between 2.4 GHz and 5 GHz. I think that was with ArubaOS 3.3.2.10. The current version is 3.3.2.13. What version are you guys using? All our APs are AP-125 too. Perhaps that is another difference. Thanks, Bruce Osborne Liberty University -Original Message- From: Brian J David [mailto:davi...@bc.edu] Sent: Wednesday, April 22, 2009 10:33 AM Subject: Spectrum load balancing/Band steering This question is for those Aruba deployments. Has anybody tried the spectrum load balancing feature yet, if so, how have your results been? We are using the Band steering feature and have found that it works very well and was wondering what others have been experiencing? -Brian Brian J David Network Systems Engineer Boston College
RE: wish list for next generation vendor selection
I would add the following: A built-in stateful firewall. Does the proposed solution interoperate with your existing NAC solution? QoS for VoIP and streaming video. It is always a very good idea to talk with existing customers for the good, the bad and the ugly. Bruce Osborne Network Engineer Liberty University From: Jamie Savage [mailto:jsav...@yorku.ca] Sent: Wednesday, April 15, 2009 1:36 PM Subject: wish list for next generation vendor selection Hi, We're starting to look at the different vendors to move forward into the 11n business. We have a standard list (working towards an RFP) of needs/it'd-be-nice/wants dealing with WIFI compliancy, POE, authentication, management etc. etc. but I was wondering if anyone who has gone through this might be able to offer other not-so-obvious things to look for. Ideally, if someone had a list of what they looked for and wish to share, that would be excellent. ..thanks in advance James Savage York University Senior Communications Tech. 108 Steacie Building jsav...@yorku.ca 4700 Keele Street ph: 416-736-2100 ext. 22605 Toronto, Ontario fax: 416-736-5701 M3J 1P3, CANADA
RE: Wireless network names
Frank, Politics (read those controlling the money) deem otherwise. :( Perhaps now that we have tunneled Guest access we can upgrade our data wireless network security, but it needs to be approached very carefully from a political perspective. Bruce From: Frank Bulk [mailto:frnk...@iname.com] Sent: Saturday, April 04, 2009 9:32 AM Subject: Re: Wireless network names Here, too - open Wi-Fi for the masses? Cringe It's 2009 now - time to lock it down. Frank From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Osborne, Bruce W. (NS) Sent: Wednesday, April 01, 2009 6:35 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless network names Nathan, We here at Liberty University have recently upgraded our wireless network and changed SSIDs. We likely need to consolidate things more, but we have been on a fast upgrade schedule. As echoed by others, branding is an important consideration, especially when in areas that border outside businesses. Here is our current structure:

Liberty - 802.11 a/b/g 2.4 GHz 802.11n - open / Bradford mac authentication, no multicast allowed
LU-HiSpeed - 5GHz 802.11n only - open / Bradford mac authentication, iptv multicast (future)
LU-Guest - 802.11a/b/g/n - open / policy portal, secure tunnel to DMZ, 256K bandwidth per user, Internet access only
LU-Phone - 802.11a/b/g - WEP for Cisco 7920 / 7921 wireless phones only. (7920 phones will not do more than WEP)
LU-Staff - 802.11a/b/g/n - WPA2-PSK encrypted desktops on a remote location shared with other businesses.

We do not currently have a PKI, so we use PSK in some places. We also have some other specialized SSIDs on small areas.
Bruce Osborne Network Engineer Liberty University From: Nathan Hay [mailto:np...@cedarville.edu] Sent: Tuesday, March 31, 2009 3:12 PM Subject: Wireless network names We are trying to decide on some network names for our various networks and we are looking for input from other schools. Would anyone mind sharing their SSID names and a brief description of their target audience of devices/users? We are specifically interested in choosing a new name for our SSID that is primarily for smartphone/PDA/iPhone/iPod touch devices. Here's what we have currently:

cedarwireless-guest: coffee shop type wireless with limited access, only in academic buildings
cedarwireless-special: non-broadcast SSID for smartphone/PDA/iPhone/iPod touch and game consoles
cedarwireless-unsecure: clear network with captive portal for laptops (students and others)
cedarwireless-secure: WPA2-Enterprise network for laptops (students and others)

Thanks, Nathan Nathan P. Hay Network Engineer Computer Services Cedarville University www.cedarville.edu
RE: Wireless network names
Frank, I agree, but we are very marketing focused. There was a time last year when I thought we would have to remove *all* NAC from our network. Now we have a secure Guest wireless setup, perhaps we can secure things better once we make it through our current NAC / Wireless upgrade from Cisco fat 802.11b/g and Clean Access to Aruba 802.11n and Aruba Endpoint Compliance System (ECS). Bruce From: Frank Bulk [mailto:frnk...@iname.com] Sent: Saturday, April 04, 2009 9:32 AM Subject: Re: Wireless network names Here, too - open Wi-Fi for the masses? Cringe It's 2009 now - time to lock it down. Frank From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Osborne, Bruce W. (NS) Sent: Wednesday, April 01, 2009 6:35 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Wireless network names Nathan, We here at Liberty University have recently upgraded our wireless network and changed SSIDs. We likely need to consolidate things more, but we have been on a fast upgrade schedule. As echoed by others, branding is an important consideration, especially when in areas that border outside businesses. Here is our current structure:

Liberty - 802.11 a/b/g 2.4 GHz 802.11n - open / Bradford mac authentication, no multicast allowed
LU-HiSpeed - 5GHz 802.11n only - open / Bradford mac authentication, iptv multicast (future)
LU-Guest - 802.11a/b/g/n - open / policy portal, secure tunnel to DMZ, 256K bandwidth per user, Internet access only
LU-Phone - 802.11a/b/g - WEP for Cisco 7920 / 7921 wireless phones only. (7920 phones will not do more than WEP)
LU-Staff - 802.11a/b/g/n - WPA2-PSK encrypted desktops on a remote location shared with other businesses.

We do not currently have a PKI, so we use PSK in some places. We also have some other specialized SSIDs on small areas.
Bruce Osborne Network Engineer Liberty University From: Nathan Hay [mailto:np...@cedarville.edu] Sent: Tuesday, March 31, 2009 3:12 PM Subject: Wireless network names We are trying to decide on some network names for our various networks and we are looking for input from other schools. Would anyone mind sharing their SSID names and a brief description of their target audience of devices/users? We are specifically interested in choosing a new name for our SSID that is primarily for smartphone/PDA/iPhone/iPod touch devices. Here's what we have currently:

cedarwireless-guest: coffee shop type wireless with limited access, only in academic buildings
cedarwireless-special: non-broadcast SSID for smartphone/PDA/iPhone/iPod touch and game consoles
cedarwireless-unsecure: clear network with captive portal for laptops (students and others)
cedarwireless-secure: WPA2-Enterprise network for laptops (students and others)

Thanks, Nathan Nathan P. Hay Network Engineer Computer Services Cedarville University www.cedarville.edu
RE: Big Aruba Environments- Management of multiple controllers
Manoj, We upgraded to 6.2.2 last week. The old data statistics were retained. There is a bug in the bandwidth graph, though. Airwave now has a separate patch for that problem. The bandwidth graph may report unusually high data. The patch corrected that problem. Bruce Osborne Network Engineer Liberty University From: Manoj Abeysekera [mailto:ma...@american.edu] Sent: Monday, March 16, 2009 5:12 PM Subject: Re: Big Aruba Environments- Management of multiple controllers Hi Jason, Did the upgrade retain old data and statistics? I had problems last time when I did the upgrade. Thanks Manoj x2702 --- P. Manoj Abeysekera Network Engineer American University 4200 Wisconsin Ave, NW Washington DC. 20016 Jason Appah jason.ap...@oit.edu Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 03/16/2009 05:07 PM Please respond to The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU To WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU cc Subject Re: [WIRELESS-LAN] Big Aruba Environments- Management of multiple controllers I just upgraded to 6.2 airwave and all is well with the world... I have noticed that a few of the access points are showing duplicate names, even though they aren't... Re-provisioning fixed the problem, but it was still strange, apart from that, 3.3.2.11 is much faster IMHO than 3.3.2.8... (of course there my whole deploy is smaller than probably one of your buildings) On 3/16/09 1:33 PM, Travis Schick trsch...@ucdavis.edu wrote: Just FYI - airwave just released their 6.2 update - and I believe there was mention of specifically supporting 3.3.2.x ArubaOS versions. had the pdf open: 2. Enhancements/Changes 2.1 Aruba Enhancements * Support for firmware version 3.3.2.x So appears something has changed in the 3.3.2.x arubaos that impacts how airwave gathers its stats...
I've got a few buildings worth of AP's doing an advance test of 3.3.2.11 - before upgrading our entire aruba infrastructure - so far no issues. Would like to hear that your migration to 3.3.2.11 is going well... Travis Schick UCDavis From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jason Appah Sent: Friday, March 06, 2009 9:31 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Big Aruba Environments- Management of multiple controllers On that note, when we moved to 3.3.2.11 the other week, Airwave stopped reporting bandwidth, was there a change to the MIB from 3.3.2.8 to 11 that would have affected this? Airwave still reports users connected fine, but no bandwidth? On 3/6/09 8:11 AM, Philippe Hanset phan...@utk.edu wrote: We gave up on MMS (or MMS gave up on us, I forgot) and went straight to Airwave that we use in monitoring mode. For configs: the web is ok but the command line is preferred. Philippe Hanset Univ. of TN p.s. I believe that Aruba is pulling MMS out of their price list (to be confirmed) On Mar 6, 2009, at 8:11 AM, Steely, John wrote: I am curious if we have any Aruba shops on the list who have Airwave, but also had experience with the Aruba MMS appliance and would be willing to share your thoughts on comparing the two? Thanks in advance, John John Steely Associate Director Infrastructure Systems Department Library and Information Services Dickinson College P.O. Box 1773 Carlisle, PA 17013 717-245-1613 (Voice) 717-245-1690 (Fax) ste...@dickinson.edu From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Thursday, March 05, 2009 9:55 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Big Aruba Environments- Management of multiple controllers Wondering how bigger Aruba shops are centrally managing multiple controllers?
From what I can tell right now, AirWave is pretty much an effective graphical monitoring tool, but is pretty anemic at configuration of Aruba. Am I missing something? -Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003
RE: Big Aruba Environments- Management of multiple controllers
Lee, I understand from Airwave support that they expect to have improved Aruba management capabilities later this year. A multi-vendor management solution cannot be expected to manage all vendor platforms equally. They perform the easy things first and then add more capabilities. Bruce Osborne Liberty University -Original Message- From: Lee H Badman [mailto:lhbad...@syr.edu] Sent: Sunday, March 15, 2009 1:28 PM Subject: Re: Big Aruba Environments- Management of multiple controllers Hi John- It does not do config now, but really I'm not sure you want it to. How often do you change your WLAN network? we change some of ours on occasion, both in prod and for development- to meet different transient circumstances while our prod main WLANs roll along largely undisturbed. And when you want to make changes, to me it's important to be able to do what you want, when you want with no management system impediments, forced practices, or jumping between systems to do a little here and a little there. ...do you really want to set up your QOS or multicast outside the Aruba interface? If ANY product (not picking on any vendor with this comment) touts themselves as a WLAN management solution, then yes, I'd expect to set up QoS, client security, WLANs, or any system parameter in a single pane of glass. Or if a vendor is better at monitoring, I'd like to see a monitoring only version at a reasonable price marketed rather than be expected to pay top dollar for a complete solution but only have it be practical for half my team's needs. That being said... everyone has their own needs and ways of solving those needs. It's nice to see a growing number of viable options and healthy competition making for better solutions.
Respectfully, Lee Badman From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of John W Turner [tur...@brandeis.edu] Sent: Saturday, March 14, 2009 7:56 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Big Aruba Environments- Management of multiple controllers We have 6 controllers (though that is really immaterial since you only config the WLAN on the master) and have been deployed with 900 AP's for over 3 years. We went with Airwave about 6 months ago and are EXTREMELY happy with it. It provides an invaluable amount of visibility into the network and is a huge help in diagnosing client problems. We see this as a business intelligence tool to assist us in strategically tweaking/upgrading our WLAN network. It does not do config now, but really I'm not sure you want it to. How often do you change your WLAN network? I can see some features getting into Airwave (black listing, key rotation, guest provisioning) but do you really want to set up your QOS or multicast outside the Aruba interface? I see the Airwave and Aruba controller interfaces serving two distinct purposes: Airwave for operations and Aruba for management. -- John W. Turner Director of Networks Systems Brandeis University - Original Message - From: Ken Connell kconn...@ryerson.ca To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Sent: Friday, March 6, 2009 8:39:15 AM GMT -05:00 US/Canada Eastern Subject: Re: [WIRELESS-LAN] Big Aruba Environments- Management of multiple controllers We did a trial on both... For us the MMS was unreliable and some of the tools (like finding users) just didn't work. We were constantly rebooting and tweaking, but I must note we had the software version not the appliance. The airwave product for us was great with stats, finding users and what not, but the config for Aruba just isn't there yet, and for that reason we haven't committed.
Ken Connell Intermediate Network Engineer Computer Communication Services Ryerson University 350 Victoria St RM AB50 Toronto, Ont M5B 2K3 416-979-5000 x6709 From: Steely, John Date: Fri, 06 Mar 2009 08:11:18 -0500 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Big Aruba Environments- Management of multiple controllers I am curious if we have any Aruba shops on the list who have Airwave, but also had experience with the Aruba MMS appliance and would be willing to share your thoughts on comparing the two? Thanks in advance, John John Steely Associate Director Infrastructure Systems Department Library and Information Services Dickinson College P.O. Box 1773 Carlisle, PA 17013 717-245-1613 (Voice) 717-245-1690 (Fax) ste...@dickinson.edu From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Thursday, March 05, 2009 9:55 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Big Aruba Environments- Management of multiple controllers Wondering how bigger Aruba shops are centrally managing multiple controllers?
RE: Big Aruba Environments- Management of multiple controllers
Lee, Liberty University also uses Airwave in monitor-only mode for our Aruba controllers. In the Aruba controller architecture, there is typically one master controller and several local controllers. The master (This can be an HA pair) allows you to control most of the configuration from a central location. This controller also collects the RF information from the local controllers and performs the AP radio management decisions. Some of this database can be offloaded to Airwave. Vlan interface ip addresses, etc. need to be setup on each local controller. If you have too many controllers for one master (I don't remember the number, but I can check if you wish), I believe Aruba has an appliance that can centralize the configuration for multiple masters. In our environment, the vast majority of the configuration and AP provisioning is performed on the master controller. When you save the configuration, it is pushed out to the local controllers. Bruce Osborne Liberty University From: Lee H Badman [mailto:lhbad...@syr.edu] Sent: Thursday, March 05, 2009 9:55 AM Subject: Big Aruba Environments- Management of multiple controllers Wondering how bigger Aruba shops are centrally managing multiple controllers? From what I can tell right now, AirWave is pretty much an effective graphical monitoring tool, but is pretty anemic at configuration of Aruba. Am I missing something? -Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003
RE: Aerohive 340AP
Todd, You can check my other thread, but my controllers have 2 10-Gig interfaces and 8 1-Gig interfaces. Also, my vendor has smaller controllers with 4 1-Gig interfaces that would let you distribute the controllers while managing them from the master controller (or a pair of controllers). We considered a distributed model but our network architect had no worries about the added traffic across our cores with the centralized model. We have a 10-Gig backbone, 2-Gig portchannel to the access switch, and 1-Gig ports on our access switches. The 802.11n APs have Gig interfaces. Bruce Osborne Liberty University From: Smith, Todd [mailto:todd.sm...@camc.org] Sent: Monday, March 02, 2009 4:37 PM Subject: Re: Aerohive 340AP Hello Bruce, Like I said, this is a personal opinion and not hard engineering fact. My issue is that you are trunking everything from the edge to the network core to process and then switch to available resources. Unless you are installing 10G at the core or many, many 1G ports then I feel that you run the risk of network saturation from traffic from the AP at 802.11n speeds. This is vendor agnostic as far as I can see since oversubscription is a component of all of the centralized controller environments that I know of. I like the edge switching architecture that several vendors are promoting, Trapeze, Hi-Path Wireless and Aerohive are at least three vendors that have edge switching in the product line. Of course, Aerohive is completely edge switched and the others offer that for certain classes of traffic. GB edge switches are generally cheaper than core switches but maybe that is our environment and not typical in other places. Todd Smith Charleston Area Medical Center From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Osborne, Bruce W.
(NS) Sent: Saturday, February 28, 2009 10:09 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Aerohive 340AP Todd, I'm not sure why you would say that. We now have almost 600 802.11n APs on 3 controllers that are managed centrally from the master controller. We can handle up to 500 APs per controller (2000 per chassis). This allows you to standardize configurations and OS versions. We are supplementing this with Airwave Wireless Management Suite for monitoring. We moved from 450 Cisco 1231G fat APs. The centralized solution scales much better for us. From: Smith, Todd [mailto:todd.sm...@camc.org] Sent: Friday, February 27, 2009 4:28 PM Subject: Re: Aerohive 340AP I reviewed their product in our environment and it worked pretty well. I don't think that we are going to be purchasing anything this year due to the economic downturn but they are on my short list as well as Xirrus and Meru simply because they use non-standard architectures. My personal opinion is that centralized controller environments don't scale very well when you are considering large 802.11n rollouts. Todd Smith Charleston Area Medical Center From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Frank Bulk Sent: Friday, February 27, 2009 15:34 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Aerohive 340AP I've had several opportunities to talk to AeroHive. Competitors like to poke holes at their product, but my (un-tested) impression is that it's pretty solid. If you ask for references, they do have some small to medium-sized build outs, but I'm not sure if they have any 500+ AP installations, yet.
Frank From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Friday, February 27, 2009 2:31 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Aerohive 340AP I have been contacted by Aerohive recently (www.aerohive.com) and had never heard of them before. Is interesting- they are a controller-less model, that *seems* to scale and compete with controller-based functionality based on the glossy. No idea how they are on the likes of fast roaming, etc. But part of my brain yearns for the days when there were no controllers, and wireless life was a lot simpler. (You never see WLAN controllers in Norman Rockwell paintings). Is anyone using Aerohive, even on a small scale? Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Joseph Clark Sent: Friday, February 27, 2009 2:32 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Aerohive 340AP Is anyone currently using Aerohive AP's in a classroom deployment? In particular their 802.11N 340AP. I am interested
RE: Aerohive 340AP
firewall gives us. Bruce From: Frank Bulk [mailto:frnk...@iname.com] Sent: Saturday, February 28, 2009 10:43 AM Subject: Re: Aerohive 340AP Bruce, and perhaps others: If you do 5-minute polling of your APs, what's the highest throughput you've seen on your APs? And looking at your controllers, what's the highest average bandwidth/AP you've seen (i.e. if you saw 250 Mbps on a controller that serves 500 APS, that would be 0.5 Mbps)? It's my personal bias that even peak product throughputs don't touch close to what a properly sized controller theoretically could handle. Frank From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Osborne, Bruce W. (NS) Sent: Saturday, February 28, 2009 9:09 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Aerohive 340AP Todd, I'm not sure why you would say that. We now have almost 600 802.11n APs on 3 controllers that are managed centrally from the master controller. We can handle up to 500 APs per controller (2000 per chassis). This allows you to standardize configurations and OS versions. We are supplementing this with Airwave Wireless Management Suite for monitoring. We moved from 450 Cisco 1231G fat APs. The centralized solution scales much better for us. From: Smith, Todd [mailto:todd.sm...@camc.org] Sent: Friday, February 27, 2009 4:28 PM Subject: Re: Aerohive 340AP I reviewed their product in our environment and it worked pretty well. I don't think that we are going to be purchasing anything this year due to the economic downturn but they are on my short list as well as Xirrus and Meru simply because they use non-standard architectures. My personal opinion is that centralized controller environments don't scale very well when you are considering large 802.11n rollouts.
Todd Smith Charleston Area Medical Center
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Frank Bulk Sent: Friday, February 27, 2009 15:34 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Aerohive 340AP
I've had several opportunities to talk to AeroHive. Competitors like to poke holes at their product, but my (un-tested) impression is that it's pretty solid. If you ask for references, they do have some small to medium-sized build outs, but I'm not sure if they have any 500+ AP installations, yet.
Frank
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Friday, February 27, 2009 2:31 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Aerohive 340AP
I have been contacted by Aerohive recently (www.aerohive.com <http://www.aerohive.com/>) and had never heard of them before. Is interesting- they are a controller-less model, that *seems* to scale and compete with controller-based functionality based on the glossy. No idea how they are on the likes of fast roaming, etc. But part of my brain yearns for the days when there were no controllers, and wireless life was a lot simpler. (You never see WLAN controllers in Norman Rockwell paintings). Is anyone using Aerohive, even on a small scale?
Lee
Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Joseph Clark Sent: Friday, February 27, 2009 2:32 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Aerohive 340AP
Is anyone currently using Aerohive AP's in a classroom deployment? In particular their 802.11N 340AP. I am interested in how they handle a large number of users in a large auditorium style classroom.
Thanks, Joseph Clark
RE: Aerohive 340AP
Todd, I'm not sure why you would say that. We now have almost 600 802.11n APs on 3 controllers that are managed centrally from the master controller. We can handle up to 500 APs per controller (2000 per chassis). This allows you to standardize configurations OS versions. We are supplementing this with Airwave Wireless Management Suite for monitoring. We moved from 450 Cisco 1231G fat APs. The centralized solution scales much better for us.
From: Smith, Todd [mailto:todd.sm...@camc.org] Sent: Friday, February 27, 2009 4:28 PM Subject: Re: Aerohive 340AP
I reviewed their product in our environment and it worked pretty well. I don't think that we are going to be purchasing anything this year due to the economic downturn but they are on my short list as well as Xirrus and Meru simply because they use non-standard architectures. My personal opinion is that centralized controller environments don't scale very well when you are considering large 802.11n rollouts.
Todd Smith Charleston Area Medical Center
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Frank Bulk Sent: Friday, February 27, 2009 15:34 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Aerohive 340AP
I've had several opportunities to talk to AeroHive. Competitors like to poke holes at their product, but my (un-tested) impression is that it's pretty solid. If you ask for references, they do have some small to medium-sized build outs, but I'm not sure if they have any 500+ AP installations, yet.
Frank
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Friday, February 27, 2009 2:31 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Aerohive 340AP
I have been contacted by Aerohive recently (www.aerohive.com <http://www.aerohive.com/>) and had never heard of them before.
Is interesting- they are a controller-less model, that *seems* to scale and compete with controller-based functionality based on the glossy. No idea how they are on the likes of fast roaming, etc. But part of my brain yearns for the days when there were no controllers, and wireless life was a lot simpler. (You never see WLAN controllers in Norman Rockwell paintings). Is anyone using Aerohive, even on a small scale?
Lee
Lee H. Badman Wireless/Network Engineer Information Technology and Services Syracuse University 315 443-3003
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Joseph Clark Sent: Friday, February 27, 2009 2:32 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Aerohive 340AP
Is anyone currently using Aerohive AP's in a classroom deployment? In particular their 802.11N 340AP. I am interested in how they handle a large number of users in a large auditorium style classroom.
Thanks, Joseph Clark
RE: Broadcast Flood
I believe the command is:
wlan virtual-ap Liberty broadcast-filter arp
Notice this is per virtual-ap
Bruce Osborne Liberty University
-----Original Message-----
From: Jason Appah [mailto:jason.ap...@oit.edu] Sent: Thursday, February 19, 2009 3:43 PM Subject: Re: Broadcast Flood
Does anyone have this command for aruba mc2400? I'm too lazy to look it up :)
On 2/19/09 11:46 AM, Tupker, Mike mtup...@mtmercy.edu wrote:
:) Just had to ask. Sometimes the solution is an easy one. The only other way I know of to control broadcasts on the AP420s is bc-mc-limiting command from the command line for the Ethernet interface. Actually I may try this for our issue as well. The release notes for firmware version 2.1.2 has some documentation on the bc-mc-limiting feature. ftp://ftp.hp.com/pub/networking/software/Release-Note-v2-1-2-59906007-1105.pdf
Mike Tupker Systems Administrator Mount Mercy College Office: (319) 363-1323 x1401 Mobile: (319) 538-1644 If you need assistance with a computer issue please contact the helpdesk at x4357 or http://help.mtmercy.edu.
-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Martin Jr., D. Michael Sent: Thursday, February 19, 2009 12:27 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Broadcast Flood
Thanks for the reply. Yes, we do have VLAN tagging enabled and, in fact, that is how the placement of the computers in the correct VLAN typically works and has worked for the last several years. It has only become a problem, and the problem is intermittent, in the last 3 or 4 months. HP has stated it looks, possibly, like a flaw in the firmware but when we attempt to control the ARP and other broadcast traffic on our student wireless VLAN the problem goes away for everyone on campus. Anyone have any suggestions on controlling broadcast (and ARP) traffic on wireless using HP Procurve access points and/or switches?
Thanks again, Michael Martin University of Montevallo
-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Tupker, Mike Sent: Thursday, February 19, 2009 12:13 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Broadcast Flood
We also have AP420s set up with radius auth using 802.1x, however our RADIUS server is a 2008 network policy server. The only thing I can think of is in the web config on the wireless interfaces page on the APs do you have the VLAN tagging enabled on for the SSID? The only issue we've had with the AP420s is sometimes the wired port will lock up and won't pass or respond to traffic. The only fix I've been able to find is to yank the power on the AP and reboot it. We are actually considering an upgrade to HP's newly acquired Colubris line because of that issue.
Mike Tupker Systems Administrator Mount Mercy College Office: (319) 363-1323 x1401 Mobile: (319) 538-1644 If you need assistance with a computer issue please contact the helpdesk at x4357 or http://help.mtmercy.edu.
-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Martin Jr., D. Michael Sent: Thursday, February 19, 2009 10:03 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Broadcast Flood
We have currently expanded our wireless coverage on our campus to include most of our residence halls. Our wireless network infrastructure consists of HP Procurve 420 access points throughout most of our campus and we are using RADIUS MAC authentication (no additional encryption) to place wireless users (academic and students) in the proper VLAN when they connect to our University wireless SSID (UMNET).
Problem: Our student wireless network VLAN is being flooded with broadcast traffic (mostly ARP requests).
Because of this, we suspect, we are starting to experience intermittent connectivity with other wireless users. In particular, what is happening is that when a user attempts to connect to our HP 420 access points, MAC authentication ensues and our RADIUS server (FreeRADIUS) gives the proper information to the access point to place the wireless client into the proper VLAN. Unfortunately, the HP 420 is not placing the client into the proper VLAN and instead is placing the client into the default VLAN for the SSID. We are not experiencing this problem with our older Cisco access points on campus. We have been working with HP about this issue but they do not believe that the flooding broadcast traffic on the student wireless VLAN is causing the problem.
Questions:
1. Does anyone else out there believe that the flood of broadcast traffic on our student wireless VLAN could be causing the intermittent connection problem described above?
2. Are