RE: [WIRELESS-LAN] iPads, Labs/classroom use, 802.1x - Take Two

2012-10-02 Thread Randall C Grimshaw
I do not know how difficult it is to manage the users, teaching them to 
navigate the iOS settings to delete the 802.1x profile as they return the 
iPad... but on the loaning side, autoconfig, cloudpath or even a mobileconfig 
profile should get users onboard quickly.
I can tell you that in Cisco land with a current controller revision it is 
possible to syslog the RADIUS authentication logging. We use Splunk, but 
rsyslog should also be useful if scrubbing the text logs for attribution data 
is not sufficient. I suspect Aruba and others might be similar.

Randall Grimshaw rgrim...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Luke Jenkins 
[ljenk...@weber.edu]
Sent: Tuesday, October 02, 2012 11:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] iPads, Labs/classroom use, 802.1x - Take Two

This question was asked 18 months ago by William from UTA, but without much in 
the way of an answer. The replies immediately went down a cloudpath rabbit 
hole, never to be seen again.

Here is what William asked, and exactly the situation my team was put in today:

"Does anyone have experience managing iPads for classrooms (where an iPad is 
given to each user and returned at the end of the course, only for the next 
class to pick them up)?  I'm interested in how to manage credentials in an 
802.1x environment (to ensure actions on the network are attributable to the 
user at that time).   If someone has resolved this, I'd like to speak with 
them, we have instructors working on proposals."

We have a 'no generic account' policy on our campus, and if it is possible we 
want all of our students to use their own credentials at the start of the class 
period with the iPads getting amnesia at the end. It seems that re-syncing them 
using the Apple Configurator or iTunes is the only way, but I wanted to check 
with the hive mind to see if anyone had some neat trick. Ideally it is a 
setting/template to be used, and not some MDM/onboarding solution.


-Luke

=-=-=-=-=-=-=-=-=-=-=-=
Luke Jenkins
Network Engineer
Weber State University

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.



RE: Aruba DHCP fingerprinting

2012-08-31 Thread Randall C Grimshaw
Apple TVs do have the same fingerprint as iOS... but you can pretty much guess 
that if you see that fingerprint on the wire it is an Apple TV. Also, if you get 
a chance to run JavaScript you will get a different screen dimension.



Randall Grimshaw rgrim...@syr.edu<mailto:rgrim...@syr.edu>


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Cappalli, Tim G @ LSC-OIT 
[tim.cappa...@lsc.vsc.edu]
Sent: Friday, August 31, 2012 9:23 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba DHCP fingerprinting

Anyone find a unique fingerprint for AppleTV’s? I did a capture with our test 
ATV and option 55 was the same as iOS.

Thanks

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Randall C Grimshaw
Sent: Friday, August 24, 2012 1:52 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Aruba DHCP fingerprinting

VendClassId: PS Vita
Fingerprint: 1-3-15-6

I do not know how to translate that into the Aruba encryption.

Randall Grimshaw rgrim...@syr.edu<mailto:rgrim...@syr.edu>


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Kellogg, Brian D. 
[bkell...@sbu.edu]
Sent: Friday, August 24, 2012 1:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba DHCP fingerprinting
Does anyone out there using Aruba gear have the DHCP fingerprints for the 
following that they would be willing to share?  I don’t have any to do a 
capture with.

Kindles
PS Vita

Any other would be welcome as well.  Below are some I’ve been able to gather.

aaa derivation-rules user Auth_Pass
  set role condition dhcp-option equals "370103060F77FC" set-value guest description "iOS"
  set role condition dhcp-option equals "37011c02030f06770c2c2f1a792a" set-value guest description "iPad"
  set role condition dhcp-option starts-with "0c616E64726F69645F" set-value guest description "Android 2.3.X"
  set role condition dhcp-option starts-with "3c6468637063642034" set-value guest description "Android 2.X"
  set role condition dhcp-option starts-with "37017921030" set-value guest description "Android 2.X"
  set role condition dhcp-option equals "3701792103061c333a3b" set-value guest description "Android 2(2)"
  set role condition dhcp-option equals "3C426C61636B426572727" set-value guest description "Blackberry"
  set role condition dhcp-option equals "370103060f2c2e2" set-value guest description "Win7 Phones"
  set role condition dhcp-option equals "3c4d6963726f736f66742057696e646f77732043450" set-value guest description "Windows Mobile"
  set role condition dhcp-option equals "3C426C61636B4265727279" set-value guest description "Blackberry2"
  set role condition dhcp-option equals "37012103060f1c333a3b" set-value guest description "Android 4.0.X"
  set role condition dhcp-option equals "37012103061c333a3b" set-value guest description "Android 4.0.X(2)"
  set role condition dhcp-option equals "3C58626F7820333630" set-value guest description "XBox360"
  set role condition dhcp-option starts-with "3701030f06" set-value guest description "PS3"
  set role condition dhcp-option equals "3701031c060f" set-value guest description "PS3"
  set role condition dhcp-option equals "0C576969" set-value guest description "Wii"
  set role condition dhcp-option equals "37010306" set-value guest description "Nintendo DS"
  set role condition dhcp-option equals "370103060f0c" set-value guest description "Roku"
  set role condition dhcp-option equals "3c64686370636420342e302e3135" set-value guest description "Android"
  set role condition dhcp-option equals "370103060F" set-value guest description "BlackBerry"
  set role condition dhcp-option equals "370C060F01031C78" set-value guest description "Symbian OS"
  set role condition dhcp-option equals "370103060f2c2e2f" set-value guest description "Win Mobile 6.X"
!

Thanks,
Brian



RE: [WIRELESS-LAN] DHCP losing its mind..

2012-08-30 Thread Randall C Grimshaw
I have continued pondering this thread (my site is quite large also), and I 
wanted to toss out a question: has anyone compared the performance of an SSD 
(or an SSD RAID-0+) under a DHCPD server?

Randall Grimshaw rgrim...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hanset, Philippe C 
[phan...@utk.edu]
Sent: Monday, August 27, 2012 11:55 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] DHCP losing its mind..

Thank you all for the great suggestions.

I have forwarded all to our system group.

Thank you again,

Philippe

On Aug 27, 2012, at 10:17 PM, Frank Bulk wrote:

> I assume you have ping-ahead turned off?
>
> Frank
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
> Sent: Monday, August 27, 2012 1:20 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] DHCP losing its mind..
>
> All,
>
> (trying to help our systems group by asking this list)
>
> Have any of you experienced DHCP issues due to too many machines requesting
> leases?
>
> We run two ISC DHCP servers (in Active-Active mode) with a 30-minute lease
> time, running on a SUN V440; no unusual I/O load, no unusual CPU load, and
> Ethernet is fine.
>
> DHCP is literally not responding to lease requests, on wired and on
> wireless.
>
> We were fine during the summer (with 5000 concurrent users), but we are not
> now with 14,000 concurrent users.
>
> Thanks,
>
> Philippe
>
> Philippe Hanset
> University of Tennessee, Knoxville
> www.eduroamus.org



RE: [WIRELESS-LAN] SSID Suppression

2012-08-27 Thread Randall C Grimshaw
No, we do not suppress the SSID.

Randall Grimshaw rgrim...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of John Kaftan 
[jkaf...@utica.edu]
Sent: Monday, August 27, 2012 4:47 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID Suppression

Thank you for your help everyone.

Is anyone suppressing their SSID for 802.1x like we are?

Thanks

John

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@listserv.educause.edu] On Behalf Of Randall C Grimshaw
Sent: Monday, August 27, 2012 4:42 PM
To: WIRELESS-LAN@listserv.educause.edu
Subject: Re: [WIRELESS-LAN] SSID Suppression

In the Define Networks console, select your server. Right there in the
initial page is the Visual Setting section; edit that and change the Mac
MobileConfig Behavior to "Use only Java. Do not allow MobileConfig." - If
Java is not installed, it will provide an alternative.
I also suggest using an explicit list of SSIDs to remove (semicolon
delimited).


Randall Grimshaw rgrim...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Matt Pendleton
[ma...@housing.ufl.edu]
Sent: Monday, August 27, 2012 4:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID Suppression

Randall,

Can you send me the path to getting to this setting?  I haven't seen it yet
and I'm running the latest.

Matt

Matt Pendleton | Network & Systems Administrator University of Florida
Department of Housing and Residence Education PO Box 112100 | Gainesville,
FL 32611-2100 office 352.392.2171 x10107 | fax 352.392.6819 |
ma...@housing.ufl.edu<mailto:ma...@housing.ufl.edu>
StrengthsQuest Top 5: Competition, Significance, Individualization,
Restorative, Relator - Find Out
More<http://www.strengthsquest.com/content/141728/index.aspx>
Please consider the environment before printing this email.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Randall C Grimshaw
[rgrim...@syr.edu]
Sent: Monday, August 27, 2012 4:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID Suppression


We experienced this last year also on Macs. We use XpressConnect, which has
the ability to remove the profiles for the open networks. If you are an
XpressConnect user, there is a setting for the latest build which activates
this solution even in the absence of Java. We just completed our opening and
it worked very smoothly.



Randall Grimshaw rgrim...@syr.edu<mailto:rgrim...@syr.edu>


From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Cappalli, Tim G @ LSC-OIT
[tim.cappa...@lsc.vsc.edu]
Sent: Monday, August 27, 2012 4:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID Suppression

We notice that Mac OS always seems to jump back to our open network unless
you manually remove it. On Windows, our connection utility removes the open
network so that the students do not continue to use it.


Tim Cappalli, ACMP CCNA | (802) 626-6456
Office of Information Technology (OIT) | Lyndon
» cappa...@lyndonstate.edu<mailto:cappa...@lyndonstate.edu> |
oit.lyndonstate.edu<http://oit.lyndonstate.edu/>


Sent from Windows 8 and Outlook 2013

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Monday, August 27, 2012 3:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] SSID Suppression

We suppress our 802.1x SSID to prevent people from connecting to it before
they are properly configured.  I have noticed 802.1x clients dropping back
to our open network on a regular basis.  I am wondering if it is because of
the SSID broadcast suppression.  Perhaps the broadcasted networks look
better for some reason and the clients choose to jump.  Has anyone else
noticed this?

John

RE: [WIRELESS-LAN] SSID Suppression

2012-08-27 Thread Randall C Grimshaw
Click into the network definition for your server. In the summary section is 
the setting for conflicting SSIDs.
This setting affects all OS. I list two, semicolon delimited.
In the MacOS section under network settings, you also want to enable "The SSID 
needs to be first in the preferred SSID list."


Randall Grimshaw rgrim...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Matt Pendleton 
[ma...@housing.ufl.edu]
Sent: Monday, August 27, 2012 4:46 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID Suppression

Randall,

Sorry for the confusion.  I know of that setting (it was one we requested and 
needed).  I meant the removal of SSIDs in Macs.  I haven't been able to find it 
for Macs.

Matt


Matt Pendleton | Network & Systems Administrator

University of Florida Department of Housing and Residence Education

PO Box 112100 | Gainesville, FL 32611-2100

office 352.392.2171 x10107 | fax 352.392.6819 | ma...@housing.ufl.edu

StrengthsQuest Top 5: Competition, Significance, Individualization, 
Restorative, Relator - Find out more - 
http://www.strengthsquest.com/content/141728/index.aspx

Please consider the environment before printing this email.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Randall C Grimshaw 
[rgrim...@syr.edu]
Sent: Monday, August 27, 2012 4:41 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID Suppression

In the Define Networks console, select your server. Right there in the initial 
page is the Visual Setting section; edit that and change the Mac MobileConfig 
Behavior to "Use only Java. Do not allow MobileConfig." - If Java is not 
installed, it will provide an alternative.
I also suggest using an explicit list of SSIDs to remove (semicolon delimited).


Randall Grimshaw rgrim...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Matt Pendleton 
[ma...@housing.ufl.edu]
Sent: Monday, August 27, 2012 4:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID Suppression

Randall,

Can you send me the path to getting to this setting?  I haven't seen it yet and 
I'm running the latest.

Matt

Matt Pendleton | Network & Systems Administrator
University of Florida Department of Housing and Residence Education
PO Box 112100 | Gainesville, FL 32611-2100
office 352.392.2171 x10107 | fax 352.392.6819 | 
ma...@housing.ufl.edu<mailto:ma...@housing.ufl.edu>
StrengthsQuest Top 5: Competition, Significance, Individualization, 
Restorative, Relator - Find Out 
More<http://www.strengthsquest.com/content/141728/index.aspx>
Please consider the environment before printing this email.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Randall C Grimshaw 
[rgrim...@syr.edu]
Sent: Monday, August 27, 2012 4:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID Suppression


We experienced this last year also on Macs. We use XpressConnect, which has the 
ability to remove the profiles for the open networks. If you are an 
XpressConnect user, there is a setting for the latest build which activates 
this solution even in the absence of Java. We just completed our opening and it 
worked very smoothly.



Randall Grimshaw rgrim...@syr.edu<mailto:rgrim...@syr.edu>


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Cappalli, Tim G @ LSC-OIT 
[tim.cappa...@lsc.vsc.edu]
Sent: Monday, August 27, 2012 4:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID Suppression

We notice that Mac OS always seems to jump back to our open network unless you 
manually remove it. On Windows, our connection utility removes the open network 
so that the students do not continue to use it.


Tim Cappalli, ACMP CCNA | (802) 626-6456
Office of Information Technology (OIT) | Lyndon
» cappa...@lyndonstate.edu<mailto:cappa...@lyndonstate.edu> | 
oit.lyndonstate.edu<http://oit.lyndonstate.edu/>


Sent from Windows 8 and Outlook 2013

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Monday, August 27, 2012 3:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] SSID Suppression

We suppress our 802.1x SSID to prevent people from connecting to it before they 
are properly configured.  I have noticed 802.1x clients dropping back to our 
open network on a regular basis.  I am wondering if it is because of the S

RE: [WIRELESS-LAN] SSID Suppression

2012-08-27 Thread Randall C Grimshaw
In the Define Networks console, select your server. Right there in the initial 
page is the Visual Setting section; edit that and change the Mac MobileConfig 
Behavior to "Use only Java. Do not allow MobileConfig." - If Java is not 
installed, it will provide an alternative.
I also suggest using an explicit list of SSIDs to remove (semicolon delimited).


Randall Grimshaw rgrim...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Matt Pendleton 
[ma...@housing.ufl.edu]
Sent: Monday, August 27, 2012 4:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID Suppression

Randall,

Can you send me the path to getting to this setting?  I haven't seen it yet and 
I'm running the latest.

Matt

Matt Pendleton | Network & Systems Administrator
University of Florida Department of Housing and Residence Education
PO Box 112100 | Gainesville, FL 32611-2100
office 352.392.2171 x10107 | fax 352.392.6819 | 
ma...@housing.ufl.edu<mailto:ma...@housing.ufl.edu>
StrengthsQuest Top 5: Competition, Significance, Individualization, 
Restorative, Relator - Find Out 
More<http://www.strengthsquest.com/content/141728/index.aspx>
Please consider the environment before printing this email.


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Randall C Grimshaw 
[rgrim...@syr.edu]
Sent: Monday, August 27, 2012 4:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID Suppression


We experienced this last year also on Macs. We use XpressConnect, which has the 
ability to remove the profiles for the open networks. If you are an 
XpressConnect user, there is a setting for the latest build which activates 
this solution even in the absence of Java. We just completed our opening and it 
worked very smoothly.



Randall Grimshaw rgrim...@syr.edu<mailto:rgrim...@syr.edu>


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Cappalli, Tim G @ LSC-OIT 
[tim.cappa...@lsc.vsc.edu]
Sent: Monday, August 27, 2012 4:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID Suppression

We notice that Mac OS always seems to jump back to our open network unless you 
manually remove it. On Windows, our connection utility removes the open network 
so that the students do not continue to use it.


Tim Cappalli, ACMP CCNA | (802) 626-6456
Office of Information Technology (OIT) | Lyndon
» cappa...@lyndonstate.edu<mailto:cappa...@lyndonstate.edu> | 
oit.lyndonstate.edu<http://oit.lyndonstate.edu/>


Sent from Windows 8 and Outlook 2013

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Monday, August 27, 2012 3:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] SSID Suppression

We suppress our 802.1x SSID to prevent people from connecting to it before they 
are properly configured.  I have noticed 802.1x clients dropping back to our 
open network on a regular basis.  I am wondering if it is because of the SSID 
broadcast suppression.  Perhaps the broadcasted networks look better for some 
reason and the clients choose to jump.  Has anyone else noticed this?

John


RE: [WIRELESS-LAN] SSID Suppression

2012-08-27 Thread Randall C Grimshaw
We experienced this last year also on Macs. We use XpressConnect, which has the 
ability to remove the profiles for the open networks. If you are an 
XpressConnect user, there is a setting for the latest build which activates 
this solution even in the absence of Java. We just completed our opening and it 
worked very smoothly.



Randall Grimshaw rgrim...@syr.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Cappalli, Tim G @ LSC-OIT 
[tim.cappa...@lsc.vsc.edu]
Sent: Monday, August 27, 2012 4:20 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] SSID Suppression

We notice that Mac OS always seems to jump back to our open network unless you 
manually remove it. On Windows, our connection utility removes the open network 
so that the students do not continue to use it.


Tim Cappalli, ACMP CCNA | (802) 626-6456
Office of Information Technology (OIT) | Lyndon
» cappa...@lyndonstate.edu | 
oit.lyndonstate.edu


Sent from Windows 8 and Outlook 2013

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Monday, August 27, 2012 3:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] SSID Suppression

We suppress our 802.1x SSID to prevent people from connecting to it before they 
are properly configured.  I have noticed 802.1x clients dropping back to our 
open network on a regular basis.  I am wondering if it is because of the SSID 
broadcast suppression.  Perhaps the broadcasted networks look better for some 
reason and the clients choose to jump.  Has anyone else noticed this?

John

RE: Aruba DHCP fingerprinting

2012-08-24 Thread Randall C Grimshaw
VendClassId: PS Vita
Fingerprint: 1-3-15-6

I do not know how to translate that into the Aruba encryption.

Randall Grimshaw rgrim...@syr.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Kellogg, Brian D. 
[bkell...@sbu.edu]
Sent: Friday, August 24, 2012 1:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Aruba DHCP fingerprinting

Does anyone out there using Aruba gear have the DHCP fingerprints for the 
following that they would be willing to share?  I don’t have any to do a 
capture with.

Kindles
PS Vita

Any other would be welcome as well.  Below are some I’ve been able to gather.

aaa derivation-rules user Auth_Pass
  set role condition dhcp-option equals "370103060F77FC" set-value guest description "iOS"
  set role condition dhcp-option equals "37011c02030f06770c2c2f1a792a" set-value guest description "iPad"
  set role condition dhcp-option starts-with "0c616E64726F69645F" set-value guest description "Android 2.3.X"
  set role condition dhcp-option starts-with "3c6468637063642034" set-value guest description "Android 2.X"
  set role condition dhcp-option starts-with "37017921030" set-value guest description "Android 2.X"
  set role condition dhcp-option equals "3701792103061c333a3b" set-value guest description "Android 2(2)"
  set role condition dhcp-option equals "3C426C61636B426572727" set-value guest description "Blackberry"
  set role condition dhcp-option equals "370103060f2c2e2" set-value guest description "Win7 Phones"
  set role condition dhcp-option equals "3c4d6963726f736f66742057696e646f77732043450" set-value guest description "Windows Mobile"
  set role condition dhcp-option equals "3C426C61636B4265727279" set-value guest description "Blackberry2"
  set role condition dhcp-option equals "37012103060f1c333a3b" set-value guest description "Android 4.0.X"
  set role condition dhcp-option equals "37012103061c333a3b" set-value guest description "Android 4.0.X(2)"
  set role condition dhcp-option equals "3C58626F7820333630" set-value guest description "XBox360"
  set role condition dhcp-option starts-with "3701030f06" set-value guest description "PS3"
  set role condition dhcp-option equals "3701031c060f" set-value guest description "PS3"
  set role condition dhcp-option equals "0C576969" set-value guest description "Wii"
  set role condition dhcp-option equals "37010306" set-value guest description "Nintendo DS"
  set role condition dhcp-option equals "370103060f0c" set-value guest description "Roku"
  set role condition dhcp-option equals "3c64686370636420342e302e3135" set-value guest description "Android"
  set role condition dhcp-option equals "370103060F" set-value guest description "BlackBerry"
  set role condition dhcp-option equals "370C060F01031C78" set-value guest description "Symbian OS"
  set role condition dhcp-option equals "370103060f2c2e2f" set-value guest description "Win Mobile 6.X"
!

Thanks,
Brian



RE: Domain Logon Over Wireless

2012-07-30 Thread Randall C Grimshaw
It is possible (we do it).
We elected to do it with a dedicated SSID to simplify administration and 
enhance security.
The trick is to enable machine authentication on your RADIUS server (and send 
machine auth from the clients - a default we typically turned off).
Machine auth only succeeds for domain-joined machines and completes the auth 
soon enough for policy scripts to engage. User-based access and accounting are 
then handled by AD.
The dedicated SSID is configured to VLAN-steer non-machine-authenticated 
clients to a RADIUS user-authenticated network only permitting advanced admins 
by group (with the ability to join systems to the domain). The secondary 
purpose is security - we don't want these admins using their credentials to 
access the general network.
If this does not get you started I will dig up some old documentation. It has 
been a while.


Randall Grimshaw rgrim...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Case, Brandon J 
[ca...@purdue.edu]
Sent: Monday, July 30, 2012 3:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Domain Logon Over Wireless

Has anyone out there tried doing domain logons over a 1x-enabled network? We 
have a request in from one department (and potentially others) to offer such a 
service. Their goal is to create learning lab environments where students can 
use laptops that are dedicated just for the room the lab is in. However, they 
also want to be able to join these laptops to their departmental domain in 
order to do patching etc. so the machines have to be able to log on to the 
network while no user is logged on to the machine.

Google searches until my eyes are bloodshot all say it can only be done with 
EAP-TLS and machine certificates, which always leads to using Microsoft 
Certificate Services. I'm no Windows Server buff so all the magic that happens 
between laptop and domain controllers is smoke and mirrors to me. Even if that 
can be side-stepped somehow, the thought of private PKI management isn't one I 
relish. Any hints anyone can offer would be wonderful.

Thanks,
--
Brandon Case
Network Engineer, ITaP
Purdue University
ca...@purdue.edu
Office: (765) 49-67096
Mobile: (765) 421-6259
Fax:(765) 49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251



RE: [WIRELESS-LAN] School blocks Wi-Fi access to smartphones to address IP usage issues

2012-03-07 Thread Randall C Grimshaw
 It is possible to use dhcp fingerprints to provide device category specific 
settings including lease times. This is not vendor specific, but a dhcp 
configuration.

 Our observation is that many many many of our wireless devices are 'mobile 
appliances'. Mostly Apple today with android numbers increasing. The number of 
distinct android fingerprints is legion.

 The current trend toward common platforms may someday muddy the waters, but 
for the moment it is easier to reliably fingerprint Mac and Windows Notebook 
devices than any other category ... so I would propose a general reduction in 
wireless lease times with fingerprint based extensions for Notebooks.

 That said there are risks with shorter lease times. Specifically DHCP server 
load, increased network broadcast traffic, incompatible NAC attribution 
systems, increased log sizes (watch your SIEM license). I hesitate to suggest 
this if you do not have a functional system and network monitoring tool.

 I disagree with creating separate SSID / pools for device class because it is 
wasteful in an already fragile IP economy.

 Tested but unproven and without warranty: If someone has their back against 
the wall and is interested in giving it a go... show this to your dhcp admin: 
If it works for you, let us all know the stats, send a donation to a food 
pantry.

class "EXCEPTION" {
  # key = vendor-class-identifier (or "no-identifier" when option 60 is absent)
  #       + "=" + the parameter-request-list (option 55) as dash-separated decimals
  match concat(pick-first-value(option vendor-class-identifier, "no-identifier"),
               "=",
               binary-to-ascii(10, 8, "-", option dhcp-parameter-request-list));
}
# one subclass per notebook fingerprint; matching clients keep the longer lease
subclass "EXCEPTION" "MSFT 5.0=1-15-3-6-44-46-47-31-33-121-249-43" {
  default-lease-time 7200;
  max-lease-time 7200;
}

also subclass
MSFT 5.0=1-15-3-6-44-46-47-31-33-43
MSFT 5.0=1-15-3-6-44-46-47-31-33-121-249-43
MSFT 5.0=1-15-3-6-44-46-47-31-33-121-249-252-43
MSFT 5.0=1-15-3-6-44-46-47-31-33-121-249-43-4-0-2-21-20-232-25-48-24
MSFT 5.0=1-3-6-15-33-43-44-46-47-121-249
no-identifier=1-3-6-15-112-113-78-79-95-252
no-identifier=1-3-6-15-112-113-78-79-95
no-identifier=1-3-6-15-119-95-252-44-46
no-identifier=1-3-6-15-119-95-252-44-46-47
(there are a few more obscure entries but this will get you started)



Randall Grimshaw rgrim...@syr.edu
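An added example, not from Randall's post or from ISC dhcpd, that reproduces in Python the key the `match concat(...)` expression above computes from a client's raw DHCP options and maps it to a lease time, so a DHCP admin can test the fingerprint list offline against captured option bytes before touching the production pool. The 900-second short lease and the sample option payloads are constructed assumptions.

```python
"""Offline check of the dhcpd "EXCEPTION" fingerprint class.

Reproduces the class key dhcpd derives with
  concat(pick-first-value(option vendor-class-identifier, "no-identifier"), "=",
         binary-to-ascii(10, 8, "-", option dhcp-parameter-request-list))
from a client's raw DHCP options, then maps it to a lease time.
Sample option payloads below are constructed, not captured from real clients.
"""
from typing import Dict, Optional

OPT_PAD = 0
OPT_MSG_TYPE = 53          # DHCP message type
OPT_PARAM_REQUEST = 55     # parameter request list (RFC 2132 9.8)
OPT_VENDOR_CLASS = 60      # vendor class identifier (RFC 2132 9.13)
OPT_END = 255

# Notebook fingerprints listed in the post (vendor class "=" option-55 codes).
NOTEBOOK_FINGERPRINTS = {
    "MSFT 5.0=1-15-3-6-44-46-47-31-33-43",
    "MSFT 5.0=1-15-3-6-44-46-47-31-33-121-249-43",
    "MSFT 5.0=1-15-3-6-44-46-47-31-33-121-249-252-43",
    "MSFT 5.0=1-15-3-6-44-46-47-31-33-121-249-43-4-0-2-21-20-232-25-48-24",
    "MSFT 5.0=1-3-6-15-33-43-44-46-47-121-249",
    "no-identifier=1-3-6-15-112-113-78-79-95-252",
    "no-identifier=1-3-6-15-112-113-78-79-95",
    "no-identifier=1-3-6-15-119-95-252-44-46",
    "no-identifier=1-3-6-15-119-95-252-44-46-47",
}
NOTEBOOK_LEASE = 7200   # seconds; the subclass value in the post
SHORT_LEASE = 900       # seconds; assumed pool-wide short lease (not from the post)


def parse_options(raw: bytes) -> Dict[int, bytes]:
    """Parse the DHCP options field (bytes after the magic cookie) into {code: value}.

    Stops at END or at the first option whose declared length overruns the
    buffer, so a truncated or malformed packet never reads past the end.
    Repeated codes are concatenated, as RFC 3396 describes for long options.
    """
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            break                      # code byte with no length byte
        length = raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:
            break                      # declared length overruns the packet
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def fingerprint(opts: Dict[int, bytes]) -> Optional[str]:
    """Build the same key string the dhcpd class expression produces.

    Returns None when option 55 is missing: this example treats a request
    without a parameter-request list as matching no subclass.
    """
    prl = opts.get(OPT_PARAM_REQUEST)
    if not prl:
        return None
    vci = opts.get(OPT_VENDOR_CLASS)
    # pick-first-value(option vendor-class-identifier, "no-identifier")
    vendor = vci.decode("latin-1") if vci is not None else "no-identifier"
    # binary-to-ascii(10, 8, "-", ...): each byte in base 10, dash separated
    return vendor + "=" + "-".join(str(b) for b in prl)


def lease_time(opts: Dict[int, bytes]) -> int:
    """Longer lease only for known notebook fingerprints, short lease otherwise."""
    return NOTEBOOK_LEASE if fingerprint(opts) in NOTEBOOK_FINGERPRINTS else SHORT_LEASE


def build_options(vci: Optional[bytes], prl: bytes) -> bytes:
    """Constructed helper: assemble an options field the way a DISCOVER carries it."""
    out = bytes([OPT_MSG_TYPE, 1, 1])                       # DHCPDISCOVER
    if vci is not None:
        out += bytes([OPT_VENDOR_CLASS, len(vci)]) + vci
    out += bytes([OPT_PARAM_REQUEST, len(prl)]) + prl
    return out + bytes([OPT_END])


# Constructed samples: a Windows notebook, and a phone-like client with no option 60.
WINDOWS_NOTEBOOK = build_options(b"MSFT 5.0", bytes([1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43]))
MOBILE_APPLIANCE = build_options(None, bytes([1, 3, 6, 15, 119, 252]))

if __name__ == "__main__":
    for name, pkt in (("notebook", WINDOWS_NOTEBOOK), ("appliance", MOBILE_APPLIANCE)):
        opts = parse_options(pkt)
        print(f"{name}: {fingerprint(opts)} -> lease {lease_time(opts)}s")
```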



RE: [WIRELESS-LAN] Very high number of wireless devices returning from break

2012-01-26 Thread Randall C Grimshaw
please let me clarify... I think of these as the 'lts' messages... but the free 
and backup numbers are what you would actually reference. My apologies.

Randall Grimshaw rgrim...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Randall C Grimshaw 
[rgrim...@syr.edu]
Sent: Thursday, January 26, 2012 1:45 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Very high number of wireless devices returning from 
break

a.) our peak is in the late lunch until dinner
b.) a trick that I use to measure pool utilization is to watch the 'lts' 
numbers in local3.log as my peered DHCP servers balance the pools. (I also 
monitor leases and calculate pool fluctuations - but that takes longer to 
explain).

Randall Grimshaw rgrim...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Laird, Sara M 
[la...@msmary.edu]
Sent: Thursday, January 26, 2012 1:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Very high number of wireless devices returning from 
break

While I have not looked at any hard numbers yet, we have had complaints about 
poor wireless in areas that have never been a problem in the past.  We have 
checked all the hardware and everything is running, I think we may be over 
saturating.  What do you find to be your peak hours for wireless?  I checked 
from 10 to 1 today we had approx. 1500 wireless connections.  Last night from 8 
to 10pm we had 6500.  Is this what everyone else is finding?

Sara M. Laird
Network Administrator
Mount Saint Mary's University
301.447.5014
Faith   Discovery   Leadership   Community



RE: [WIRELESS-LAN] Very high number of wireless devices returning from break

2012-01-26 Thread Randall C Grimshaw
a.) our peak is in the late lunch until dinner
b.) a trick that I use to measure pool utilization is to watch the 'lts' 
numbers in local3.log as my peered DHCP servers balance the pools. (I also 
monitor leases and calculate pool fluctuations - but that takes longer to 
explain).

Randall Grimshaw rgrim...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Laird, Sara M 
[la...@msmary.edu]
Sent: Thursday, January 26, 2012 1:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Very high number of wireless devices returning from 
break

While I have not looked at any hard numbers yet, we have had complaints about 
poor wireless in areas that have never been a problem in the past.  We have 
checked all the hardware and everything is running, I think we may be over 
saturating.  What do you find to be your peak hours for wireless?  I checked 
from 10 to 1 today we had approx. 1500 wireless connections.  Last night from 8 
to 10pm we had 6500.  Is this what everyone else is finding?

Sara M. Laird
Network Administrator
Mount Saint Mary's University
301.447.5014
Faith   Discovery   Leadership   Community



RE: [WIRELESS-LAN] Very high number of wireless devices returning from break

2012-01-26 Thread Randall C Grimshaw
I disagree slightly with the conclusion below. I suggest we need to focus on 
how these devices translate into DHCP leases... which unfortunately does 
translate into concurrent use. A student may not be gazing into their 
smartphone while writing that big paper on their notebook... but they did just 
obtain leases for both. They may also have a third device watching hulu in the 
background.



Randy

>> Either way, I wouldn't worry so much about the number of devices,
>> as it's still the same number of students using them.
>> If the same student has a laptop, wifi smartphone, iPad, and wifi gaming 
>> console,
>> they're only likely to be using one of those at a time. So instead,
>> focus on how these devices translate into air time use.





RE: [WIRELESS-LAN] [Spam:6.1 SpamScore] Re: [WIRELESS-LAN] Very high number of wireless devices returning from break

2012-01-26 Thread Randall C Grimshaw
For us, the swell in mobile devices started after Black Friday this season. I 
have tracking that covers four years. There was a slight adoption of mobile 
devices following Christmas 2 years ago, last years significant growth began 
just before the holiday but peaked afterward. Mobile has roughly doubled again 
this year - but almost entirely before the holiday. An interesting trend that 
we need to track is concurrent use. So far this semester we are seeing general 
computing devices less frequently so our pool utilization after the break thus 
far is equal to before the break totals... but, the peak is expected to hit 
around mid term when students have both devices active at the same time.



Randall Grimshaw rgrim...@syr.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Robertson, Joshua A. 
[j2rob...@odu.edu]
Sent: Thursday, January 26, 2012 11:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] [Spam:6.1 SpamScore] Re: [WIRELESS-LAN] Very high 
number of wireless devices returning from break

Same here, I’ve had to expand subnets for 15 buildings since the semester 
started (we give each building a subnet), and looking at the logs I’ve got 
another 5 or so that will need it in the near future.  More buildings that used 
to be good on a /24 are requiring a /23, and buildings that had /23s are 
starting to need /22s.

Josh Robertson
Network Systems Senior Engineer
Old Dominion University
Office of Computing & Communications Services
(757)683-5046
j2rob...@odu.edu
http://occs.odu.edu/

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Marcelo Lew
Sent: Thursday, January 26, 2012 11:16 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [Spam:6.1 SpamScore] Re: [WIRELESS-LAN] Very high number of wireless 
devices returning from break

Yes, same here.  We just added a few more subnets to our pool, have been 
running out of addresses since classes started January 3rd.

Marcelo Lew
Wireless Enterprise Administrator
University Technology Services
University of Denver
Desk: (303) 871-6523
Cell: (303) 669-4217
Fax:  (303) 871-5900
Email: m...@du.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wright, Don
Sent: Thursday, January 26, 2012 9:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Very high number of wireless devices returning from 
break

All,
 It seems an alarmingly high number of wireless devices have returned to 
our campus this week.  After at least a year of steadily increasing numbers, 
we are now seeing a roughly 40% increase since last December.  At first I 
didn't believe what I was seeing and opened a case with the vendor to confirm 
reporting was accurate.  Tied into this, we upgraded by a major version earlier 
this month and I thought this could be related.  Apparently not the case, 
everything we've looked at tells us that the numbers are accurate.  I'm still 
looking at stats, but haven't been able to come up with anything yet.
Is anyone else seeing this magnitude of increase in devices over winter 
break ?

Don Wright
Brown University

RE: Authentication methods

2011-12-28 Thread Randall C Grimshaw
Bob:

   I should complete the thought. What we do today for domain devices is a 
separate SSID which vlan steers non-domain-joined machines into a vlan that 
will only permit certain admins 802.1x access. This is for the purpose of 
joining the machines to the domain if appropriate. What I proposed below would 
be for the non domain system users.



Randall Grimshaw rgrim...@syr.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Randall C Grimshaw 
[rgrim...@syr.edu]
Sent: Thursday, December 29, 2011 12:40 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Authentication methods


Bob:

  I have built or helped implement a few systems over the years... what I am 
lately pondering as the direction of choice is a system based on 802.1x user 
based authentication AND MAC address based vlan steering. 802.1x PEAP MSCHAPv2 
WPA2 will use Radius that backends to your domain servers. The machines do not 
need to be in the domain, just the user accounts. Call it a quarantine vlan but 
this would be the way messages could inform the user that they are in curfew or 
whatever. How the list of MAC addresses gets into your Radius Server to drive vlan 
policy is the trick here. Anyone have experience with this?



Randall Grimshaw rgrim...@syr.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Bob Williamson 
[bob_william...@aw.org]
Sent: Wednesday, December 28, 2011 9:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Authentication methods

I am working on a new wireless system and would like to hear some suggestions 
on authentication methods for our situation.  For a smallish environment, we 
have some complications which make it more complex than normal.   Example:  We 
have boarding students, some of which need limited hours of access and will 
have devices of different types.

Domain Devices:  Windows and OS/X both have computer (and user) accounts in AD. 
 Need both domain and internet access.
School owned, non domain devices:  Ipad/Ipod (can they be bound to a domain?)
Private Devices:  Boarders bring in private laptops, devices, etc not bound to 
the domain. (Internet Only)
Guests:  Short term devices/laptops for guest usage,

Hours of usage:  One significant issue is the majority of devices need to be 
locked out of internet usage after midnight.  BUT there is a subset of the 
above devices/users who get internet access after midnight.  Maybe this should 
be handled at the firewall?

We are using a Ruckus ZD3000 as our controller.  Seems like Radius would fit 
the “domain Devices” and handle the hours of usage?  Separate SSIDs with MAC 
authentication?  DPSK per device? Etc.

Any suggestions would be appreciated,
Bob Williamson
Network Administrator
Annie Wright Schools | 827 N Tacoma Ave, Tacoma, WA 98403 | 
www.aw.org
D: +1.253.284.5465 | F: +1.253.572.3616 | bob_william...@aw.org

Annie Wright's strong community cultivates individual learners to become
well-educated, creative, and responsible citizens for a global society.


RE: Authentication methods

2011-12-28 Thread Randall C Grimshaw
Bob:

  I have built or helped implement a few systems over the years... what I am 
lately pondering as the direction of choice is a system based on 802.1x user 
based authentication AND MAC address based vlan steering. 802.1x PEAP MSCHAPv2 
WPA2 will use Radius that backends to your domain servers. The machines do not 
need to be in the domain, just the user accounts. Call it a quarantine vlan but 
this would be the way messages could inform the user that they are in curfew or 
whatever. How the list of MAC addresses gets into your Radius Server to drive vlan 
policy is the trick here. Anyone have experience with this?



Randall Grimshaw rgrim...@syr.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Bob Williamson 
[bob_william...@aw.org]
Sent: Wednesday, December 28, 2011 9:36 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Authentication methods

I am working on a new wireless system and would like to hear some suggestions 
on authentication methods for our situation.  For a smallish environment, we 
have some complications which make it more complex than normal.   Example:  We 
have boarding students, some of which need limited hours of access and will 
have devices of different types.

Domain Devices:  Windows and OS/X both have computer (and user) accounts in AD. 
 Need both domain and internet access.
School owned, non domain devices:  Ipad/Ipod (can they be bound to a domain?)
Private Devices:  Boarders bring in private laptops, devices, etc not bound to 
the domain. (Internet Only)
Guests:  Short term devices/laptops for guest usage,

Hours of usage:  One significant issue is the majority of devices need to be 
locked out of internet usage after midnight.  BUT there is a subset of the 
above devices/users who get internet access after midnight.  Maybe this should 
be handled at the firewall?

We are using a Ruckus ZD3000 as our controller.  Seems like Radius would fit 
the “domain Devices” and handle the hours of usage?  Separate SSIDs with MAC 
authentication?  DPSK per device? Etc.

Any suggestions would be appreciated,
Bob Williamson
Network Administrator
Annie Wright Schools | 827 N Tacoma Ave, Tacoma, WA 98403 | 
www.aw.org
D: +1.253.284.5465 | F: +1.253.572.3616 | bob_william...@aw.org

Annie Wright's strong community cultivates individual learners to become
well-educated, creative, and responsible citizens for a global society.


RE: [WIRELESS-LAN] valid 3rd party certificates?

2011-07-22 Thread Randall C Grimshaw
I wanted to fork the second part of this thread.
We are just preparing to use updated ssl certs using godaddy. There are three 
chained certs that must be present on the device at the time of connection if 
you want to do any radius server verification. To manage the configuration and 
deliver the certs, we use Cloudpath XpressConnect.
I would however be very interested to hear more from Swansea and other 
universities who are using self-signed certs. 

Randall Grimshaw rgrim...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ayres G.J. 
[g.j.ay...@swansea.ac.uk]
Sent: Friday, July 22, 2011 5:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA2 / PEAP / EAP-TTLS / etc - valid 3rd party 
certificates?

Hi,

> I'm aware of the XpressConnect option to "plug-and-play" a connection
> configuration, but
> they are really beyond our budget at this point in time.

At Swansea University (UK) we use the SU1X tool to distribute and
install a self-signed cert for our windows users as well as configure
their wpa2-ent (eduroam) profile and set the EAP credentials correctly
etc...

SU1X is open source and distributed under an education community
licence. It's worth pointing out it currently only configures native
windows eap methods such as PEAP:

See https://su1x.swan.ac.uk/ for download link and info.

The latest code I'm working on is at: https://github.com/GarethAyres/SU1X

Gareth.



RE: [WIRELESS-LAN] Active Directory authentication for loaned out laptops over wireless

2011-07-21 Thread Randall C Grimshaw
We were able to get AD machines to authenticate to our wireless network using 
settings as you describe, but this was too late in the process for AD 
management and policy group maintenance. We have created a separate secured 
SSID for AD machines that uses AD machine authentication. We went a little 
further after that to provide a VLAN steering effect so that if machine auth 
fails, the systems may provide a special supplicant credential and are 
connected to a configuration network that supports joining the domain. Normal 
user authentication does not work on this secured SSID.


Randall Grimshaw rgrim...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Danner, Mearl 
[jmdan...@samford.edu]
Sent: Wednesday, July 20, 2011 3:30 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Active Directory authentication for loaned out 
laptops over wireless

Is “Always wait for the network at computer startup and logon” set as shown in 
the link below?

http://support.microsoft.com/kb/305293


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Craig Simons
Sent: Wednesday, July 20, 2011 1:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Active Directory authentication for loaned out laptops 
over wireless

All,

Our library signs out XP laptops for student use. These laptops are set for 
"authenticate as computer when computer information is available" and should 
reauthenticate with the user's credentials once they log into the machine. 
However, we've had frequent complaints that AD is not reachable over wireless, 
rendering the laptop unusable (it's a loaned laptop that has not been used 
previously by the user and thus does not have any cached credentials). If the 
machine is shelved for 10 minutes or so and rebooted, it seems to clear the 
problem. Our library is a very dense and challenging area to cover with 
wireless, and while there is adequate area coverage, there are density issues 
that are no doubt present.

That being said, I'm not convinced that this is entirely a wireless problem, 
but more a Windows/AD problem with a wireless component to it.

Does anyone have any experience with this type of situation and could offer 
some advice?

Regards,
 Craig

--
Craig Simons
Network Operations
Simon Fraser University
Burnaby BC, Canada
em. craigsim...@sfu.ca
ph. 778-782-8036
ce. 604-649-7977
tw. twitter.com/simonscraig
--



Self Signed Certs for Radius Authentication Servers

2011-07-12 Thread Randall C Grimshaw
Greetings all:
   I would like to request some feedback please on the topic of using self 
signed certs for radius authentication servers.
   The complexity of Root and Intermediate certificate chains of trust when the 
computer does not yet have network access seems to be a configuration burden, 
especially when we are facing our certificate expiration. It makes me 
wonder if it might be acceptable to offer a simpler and non-expiring self 
signed cert for this purpose.
   Can any of the schools using self signed certs please chime in?
   Thank you.

Randall Grimshaw rgrim...@syr.edu



changing of the guards

2011-05-26 Thread Randall C Grimshaw
We are preparing to change the authentication server certificates on our 802.1x 
network. Can anyone please share their experience? Corner cases, OS 
misbehavior, client experience, any other helpful tips.
Thank you in advance.

Randall Grimshaw rgrim...@syr.edu



RE: [WIRELESS-LAN] GPO Software Deployment 802.1x

2011-04-06 Thread Randall C Grimshaw
I am not sure this answers your question directly but I will extend the 
explanation.

Using Machine authentication required that we enable this feature on our 
wireless controllers. Radius here is already back-ended by AD. Only AD machines 
joined to the domain can access that network. Start with that.

After that was set up we extended the SSID to accommodate (vlan steering) a 
second deployment vlan when Machine Auth fails. This deployment network is a 
non-routed private address space that only accepts AD admin authentication with 
the ability to join machines to the domain. The process begins with a 
supplicant configuration tool that does not store admin credentials and ends 
with a GPO that ensures knowledge of that vlan gets wiped.

Randy

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Ding, Shiling
Sent: Wednesday, April 06, 2011 3:27 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

How does the machine authentication work with the separate SSID?


Shiling


Shiling Ding, CCIE
sd...@fsu.edu
Network Specialist
Information Technology Services
Florida State University


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Randall C Grimshaw
Sent: Wednesday, April 06, 2011 2:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

In order to get AD GPO deployment to work, we built a separate SSID that does 
machine authentication (not the same as MAC authentication); the machine must be 
joined to an AD domain to gain access to this SSID. But the GPO happens 
independently and prior to user authentication as you would expect on a wired 
connection. User authentication is required to gain access to the machine and 
satisfies both Network and Machine access control.

Randy

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Wednesday, April 06, 2011 1:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

I've been researching this too because we have Lab computers that are wireless 
only.  The issue is that the machine has to be on the network before the user 
logs in.  Since they have never been on the machine before there are no cached 
credentials.  Seems like we have different problems for the same reason.

What I found is that I can solve this two ways.  I can have the computer 
authenticate via a cert before the user authenticates.  I can assign certs via 
GPO so that would be pretty straight forward.

I ran it by our Wireless vendor and they have a mac-auth option for the 
computer so I do not have to build out the certificate infrastructure.  If I 
enable mac-auth on my 802.1x network the computer will authenticate via its 
mac-address so it will be on the network when the user goes to log on.  Then 
when the user logs on they will have to present their credentials to 802.1x to 
actually access the network.  I have not tried it yet so I do not know how that 
works.

My guess is that with the MAC auth I will set a policy that only allows the 
computer to get an IP address and talk to AD for Authentication.  Once 802.1x 
auth happens the user gets another policy that lets them do more.


John Kaftan
Infrastructure Manager
Utica College
315.792.3102

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King
Sent: Wednesday, April 06, 2011 1:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

There are a couple of ways to proceed.

I've seen many people say they need to enable the following GPO:
Computer Configuration>Administrative Templates>System>Logon>Always wait for 
the network at start up and logon
Note this will slow down your network login, and I'm not sure if you can login 
if no network is available.  Test in your environment.

Other times, I've seen people put some kind of delay in the boot process (I'm 
not sure how, but it was using a GPO, maybe third party)

Mike
On Wed, Apr 6, 2011 at 12:22 PM, Benjamin Stewart <bstew...@salemstate.edu> wrote:
No, there is no connectivity until the user logs on.

We assign dynamic VLANs through Radius on our Xirrus wireless arrays.  I'm not 
sure we'd want to assign VLANs based on computer - we'd like to keep control 
user based.

Ben

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King

Sent: Wednesday, April 06, 201

RE: [WIRELESS-LAN] GPO Software Deployment 802.1x

2011-04-06 Thread Randall C Grimshaw
In 802.1x, the AD machine authentication is used as the machine boots. Now you 
have an AD machine on the network with valid GPO -- locked down and unable to 
be accessed without valid user authentication to the machine - which gets 
logged in the usual AD way...

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Wednesday, April 06, 2011 3:02 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

Randy:

Is the user authentication piece 802.1x?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Randall C Grimshaw
Sent: Wednesday, April 06, 2011 2:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

In order to get AD GPO deployment to work, we built a separate SSID that does 
machine authentication (not the same as MAC authentication); the machine must be 
joined to an AD domain to gain access to this SSID. But the GPO happens 
independently and prior to user authentication as you would expect on a wired 
connection. User authentication is required to gain access to the machine and 
satisfies both Network and Machine access control.

Randy

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Wednesday, April 06, 2011 1:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

I've been researching this too because we have Lab computers that are wireless 
only.  The issue is that the machine has to be on the network before the user 
logs in.  Since they have never been on the machine before there are no cached 
credentials.  Seems like we have different problems for the same reason.

What I found is that I can solve this two ways.  I can have the computer 
authenticate via a cert before the user authenticates.  I can assign certs via 
GPO so that would be pretty straight forward.

I ran it by our Wireless vendor and they have a mac-auth option for the 
computer so I do not have to build out the certificate infrastructure.  If I 
enable mac-auth on my 802.1x network the computer will authenticate via its 
mac-address so it will be on the network when the user goes to log on.  Then 
when the user logs on they will have to present their credentials to 802.1x to 
actually access the network.  I have not tried it yet so I do not know how that 
works.

My guess is that with the MAC auth I will set a policy that only allows the 
computer to get an IP address and talk to AD for Authentication.  Once 802.1x 
auth happens the user gets another policy that lets them do more.


John Kaftan
Infrastructure Manager
Utica College
315.792.3102

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King
Sent: Wednesday, April 06, 2011 1:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

There are a couple of ways to proceed.

I've seen many people say they need to enable the following GPO:
Computer Configuration>Addministrative Templates>System>Logon>Always wait for 
the network at start up and logon
Note this will slow down your network login, and I'm not sure if you can login 
if no network is available.  Test in your environment.

Other times, I've seen people put some kind of delay in the boot process (I'm 
not sure how, but it was using a GPO, maybe third party)

Mike
On Wed, Apr 6, 2011 at 12:22 PM, Benjamin Stewart 
mailto:bstew...@salemstate.edu>> wrote:
No, there is no connectivity until the user logs on.

We assign dynamic VLANs through Radius on our Xirrus wireless arrays.  I'm not 
sure we'd want to assign VLANs based on computer - we'd like to keep control 
user based.

Ben

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>]
 On Behalf Of Mike King

Sent: Wednesday, April 06, 2011 11:56 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

Ben,

Do you have your workstations configured to allow Computer Account logon's to 
wireless?  (I.E., does the machine have connectivity while it's sitting at the 
CTRL-ALT-DEL prompt)

Mike
On Wed, Apr 6, 2011 at 10:24 AM, Benjamin Stewart 
mailto:bstew...@salemstate.edu>> wrote:
Hi-
I'm wondering if anyone has had any luck pushing an msi software deployment 
with Group Policy on wireless stations with 802.1x authentication - WPA2 
Enterprise.

Problem seems to be that the supplicant is not processed until after the user 
logs in to Windows.  I'm assuming the delay in proces

RE: [WIRELESS-LAN] GPO Software Deployment 802.1x

2011-04-06 Thread Randall C Grimshaw
In order to get AD GPO deployment to work, we built a separate SSID that does 
machine authentication (not the same as MAC authentication); the machine must be 
joined to an AD domain to gain access to this SSID. But the GPO happens 
independently and prior to user authentication, as you would expect on a wired 
connection. User authentication is required to gain access to the machine and 
satisfies both Network and Machine access control.

Randy

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Kaftan
Sent: Wednesday, April 06, 2011 1:33 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

I've been researching this too because we have Lab computers that are wireless 
only.  The issue is that the machine has to be on the network before the user 
logs in.  Since they have never been on the machine before there are no cached 
credentials.  Seems like we have different problems for the same reason.

What I found is that I can solve this two ways.  I can have the computer 
authenticate via a cert before the user authenticates.  I can assign certs via 
GPO so that would be pretty straightforward.

I ran it by our Wireless vendor and they have a mac-auth option for the 
computer so I do not have to build out the certificate infrastructure.  If I 
enable mac-auth on my 802.1x network the computer will authenticate via its 
mac-address so it will be on the network when the user goes to log on.  Then 
when the user logs on they will have to present their credentials to 802.1x to 
actually access the network.  I have not tried it yet so I do not know how that 
works.

My guess is that with the MAC auth I will set a policy that only allows the 
computer to get an IP address and talk to AD for Authentication.  Once 802.1x 
auth happens the user gets another policy that lets them do more.


John Kaftan
Infrastructure Manager
Utica College
315.792.3102

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King
Sent: Wednesday, April 06, 2011 1:03 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

There are a couple of ways to proceed.

I've seen many people say they need to enable the following GPO:
Computer Configuration > Administrative Templates > System > Logon > Always wait 
for the network at start up and logon
Note this will slow down your network login, and I'm not sure if you can login 
if no network is available.  Test in your environment.

Other times, I've seen people put some kind of delay in the boot process (I'm 
not sure how, but it was using a GPO, maybe third party)

Mike
On Wed, Apr 6, 2011 at 12:22 PM, Benjamin Stewart <bstew...@salemstate.edu> wrote:
No, there is no connectivity until the user logs on.

We assign dynamic VLANs through Radius on our Xirrus wireless arrays.  I'm not 
sure we'd want to assign VLANs based on computer - we'd like to keep control 
user based.

Ben

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Mike King
Sent: Wednesday, April 06, 2011 11:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] GPO Software Deployment 802.1x

Ben,

Do you have your workstations configured to allow Computer Account logons to 
wireless?  (I.e., does the machine have connectivity while it's sitting at the 
CTRL-ALT-DEL prompt)

Mike
On Wed, Apr 6, 2011 at 10:24 AM, Benjamin Stewart <bstew...@salemstate.edu> wrote:
Hi-
I'm wondering if anyone has had any luck pushing an msi software deployment 
with Group Policy on wireless stations with 802.1x authentication - WPA2 
Enterprise.

Problem seems to be that the supplicant is not processed until after the user 
logs in to Windows.  I'm assuming the delay in processing the authentication 
and assigning the IP address is too long, and the Group Policy Software 
Installation is not processed at login.  Any help would be greatly appreciated.

Ben


==
Benjamin Stewart
ITS - Networking Services
Salem State University
71 Loring Ave
Salem, MA 01970

Phone: 978-542-7142
Fax: 978-542-6557


** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.


RE: iPads, Labs/classroom use, 802.1x

2011-04-01 Thread Randall C Grimshaw
Not in this specific example, but we do use cloudpath.net xpressconnect to 
configure iPads and it works well. Perhaps the solution is as simple as 
teaching the students how to clear their credentials at the end of class?

Randall Grimshaw rgrim...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Green, William C 
[gr...@austin.utexas.edu]
Sent: Friday, April 01, 2011 6:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] iPads, Labs/classroom use, 802.1x

Does anyone have experience managing iPads for classrooms (where an iPad is 
given to each user and returned at the end of the course, only for the next 
class to pick them up)?  I'm interested in how to manage credentials in an 
802.1x environment (to ensure actions on the network are attributable to the 
user at that time).   If someone has resolved this, I'd like to speak with 
them, we have instructors working on proposals.


--
-William



RE: [WIRELESS-LAN] WiFi on campus buses

2011-03-18 Thread Randall C Grimshaw
There was a similar thread some time ago regarding wi-fi on the buses for 
sports teams. I was hoping that someone would chime in... but the gist was that 
there are cellular routers with more than one USB/card slot that provide 
automatic failover - and you have two (or three) carriers. I would think that 
you sort the carriers in the queue in some reasonable way to reduce 
costs/risk/load.

Randy

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
Sent: Friday, March 18, 2011 9:07 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiFi on campus buses

We were asked to look into it but never did it. I don't know of any other way 
to provide the service but to do WiFi router with a cellular back-haul, like 
you said. And just specify it is best effort.  I think that's the best you can 
do. Unless you want to beef up the cell coverage with DAS, but then your costs 
start increasing.

Hector Rios
Louisiana State University

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jamie Savage
Sent: Thursday, March 17, 2011 9:44 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WiFi on campus buses

Hi,
We have two main campuses with a regularly scheduled shuttle bus running 
between the two.  We've been asked to look into providing WiFi service on this 
bus.  It appears the solution is a WiFi router with a cellular back-haul (3G?). 
If anyone is doing this I'd appreciate any comments as I see a number of 
issues: spotty cellular along the route (i.e. service disclaimer required), 
user density vs. available bandwidth (Netflix!!), etc.

thanks in advance...J

James Savage
Senior Communications Tech.
York University
108 Steacie Building
4700 Keele Street
Toronto, Ontario
M3J 1P3, CANADA
jsav...@yorku.ca
ph: 416-736-2100 ext. 22605
fax: 416-736-5830



RE: 802.1x and password change policy...

2011-02-14 Thread Randall C Grimshaw
It is true that there is no permanent agent, but users are pretty much trained 
to go to an open SSID called '--Help' to configure the supplicant when there is 
a problem like this. That is where we host ExpressConnect and other 
documentation.

Randy

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Monday, February 14, 2011 1:28 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] 802.1x and password change policy...

All,

I have asked this question in the past, but things change, someone out there
might have a better answer!

We run two 802.1x SSIDs with WPA2 (ut-wpa2 and eduroam).
All goes well on these two SSIDs until users are asked to change their password 
(every 6 months)
(would love to get rid of that password change but that's not an option)

iPhone and iPad prompt users for new credentials, no problems there.
OSX and Windows, not so seamless. Windows 7 seems to require you to join and 
fail twice; Mac won't even prompt (the user has to go in settings, network, 
802.1x... by that time our helpdesk is involved!)

Has anyone found something "smart" to counter this problem?
(using native clients, no SecureW2 or Odyssey)

It doesn't seem that Xpressconnect (Cloudpath) can address this issue since it 
doesn't have a permanent agent.

Thank you in advance for your answers,

Best,


Philippe

Philippe Hanset
Univ. of TN, Knoxville
www.eduroamus.org



RE: Android OS 2.2

2010-10-23 Thread Randall C Grimshaw
I am thinking that I missed something. Android 2.1 didn't have this behavior 
(as far as I know it worked OK). So why are we all jumping to fix something we 
didn't break? Do we all really want to drop our layer two defenses to literally 
enable the misbehavior of these devices?

Randall Grimshaw rgrim...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[wireless-...@listserv.educause.edu] On Behalf Of Russ Leathe 
[russ.lea...@gordon.edu]
Sent: Saturday, October 23, 2010 10:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android OS 2.2

we have a 6000 controller running 5.x

1.) enable
2.) configure terminal
3.) (config) firewall prohibit-arp-spoofing




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[wireless-...@listserv.educause.edu] on behalf of Osborne, Bruce W 
[bosbo...@liberty.edu]
Sent: Saturday, October 23, 2010 7:25 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Android OS 2.2

Jay,

Many Aruba customers have been watching this thread. Where did you disable ARP 
spoofing?

Is Aruba planning a patch to allow these clients, even with "Prohibit ARP 
Spoofing" enabled?


Thanks,
Bruce Osborne
Liberty University

From: McNealy, Justin S [mcne...@musc.edu]
Sent: Friday, October 22, 2010 7:17 AM
Subject: Re: Android OS 2.2

We experienced a similar issue where we have Aruba installed. When I did some 
debugs on the controller it looked like the controller thought the devices were 
spoofing their MAC address. I don't know much about Meru, but Aruba has a 
feature, "Prohibit ARP Spoofing", that we disabled and we have not had an 
issue since.


Jay McNealy
Network engineer II
Medical University Of South Carolina
mcne...@musc.edu

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Caroline Owens
Sent: Wednesday, October 20, 2010 11:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Android OS 2.2

Hi folks,

This message will be a repeat for anyone on the Meru listserv, but I wanted to 
see if anyone had anything to add on an issue I'm having with Droids running OS 
2.2.

I've seen a lot of reports online about issues after upgrading to 2.2 from 2.1. 
 We are just getting these new (We happen to have the X and the 2) and they are 
coming installed with 2.2 so I'm not sure what the performance would be at 2.1. 
 The issue is that they may or may not connect at all and then, once connected, 
will drop and then not be able to connect again.  They do seem to work better 
on an open security network, but we use WPA2/Enterprise here and they are 
unusable on our primary WLAN.

Has anyone had any experiences with this or even (crossing my fingers here), a 
work around?  I've gotten in touch with our Verizon rep but I don't know how 
much he'll be able to do if the problem is in the OS.
I've seen some reports that setting your APs to G-only or putting the droids in 
Airplane mode (I know, I know - so you trade getting wifi with not getting 
phone calls - too funny!) will give you a stable connection but neither of 
those options is practical for us.

thanks for any input!
Caroline Owens
Networking and Telecommunications
Saint Joseph's University
(610) 660-1613



RE: share 802.1x experience?

2010-08-19 Thread Randall C Grimshaw
The early adopters will remember that insecure protocols were widely used and 
in some cases still are (excuse me for not listing them). So you need an 
encrypted transport while the packets are in the air. 802.1x provides the 
foundation for this if correctly implemented using WPA2 AES (note recent hack). 
It also provides the opportunity to authenticate machines (note common 
practice) or users before granting access to the network.
But now you need a supplicant piece of software on the client to create the 
tunnel. Microsoft includes one if you choose their AD backend as the ultimate 
source of authentication. Apple also can use this as do many PDA/phones so it 
is most convenient. The complete architecture is commonly referred to as 802.1x 
PEAP MSCHAPv2 WPA2 AES. Microsoft and Apple have gotten better at auto 
configuring for these networks with the exception of specifying the local 
certificates needed to avoid possible man-in-the-middle attacks, so we continue 
to use configuration tools such as cloudpath.net xpressconnect on a separate 
open network to make this task easier (note SSID or VLAN steered by NAC) (note 
preferably the open network used by guests and incompatible devices) (note NAC 
considerations drive many authentication decisions - we use impulse.com 
safeconnect)

Randy
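
An added illustration of the certificate point in Randy's note, not from the 
list or from any poster: two wpa_supplicant network blocks for the 802.1x PEAP 
MSCHAPv2 WPA2 AES architecture he describes. The SSID, realm, CA path and 
RADIUS server name are constructed placeholders. The first block is what an 
unassisted user typically ends up with; the second pins the campus CA and the 
RADIUS server's name, which is the part a tool like xpressconnect (or a 
mobileconfig profile on iOS) sets on the user's behalf.

```conf
# Constructed example, not from the list archive. SSID, identities, the CA
# file path and the RADIUS host name are placeholders.

# Weak profile: no CA anchor and no server-name check. The supplicant will
# complete PEAP with whatever RADIUS server answers behind an AP advertising
# this SSID, so the inner MSCHAPv2 exchange (and with it a crackable form of
# the user's password) is handed to an unverified peer.
network={
    ssid="BrandXX"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe@example.edu"
    password="REPLACE-ME"
}

# Hardened profile: trust only the campus CA, and only a server whose
# certificate name ends in the expected RADIUS host name. The anonymous outer
# identity keeps the real username out of the unencrypted outer EAP exchange.
network={
    ssid="BrandXX"
    key_mgmt=WPA-EAP
    proto=RSN
    pairwise=CCMP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    anonymous_identity="anonymous@example.edu"
    identity="jdoe@example.edu"
    password="REPLACE-ME"
    # placeholder path: the CA that issued the RADIUS server certificate
    ca_cert="/etc/wpa_supplicant/campus-ca.pem"
    # placeholder name: must match the server certificate's DNS name
    domain_suffix_match="radius.example.edu"
}
```

The two extra lines are the whole difference between "encrypted in the air" 
and "authenticated to the right server": proto=RSN with pairwise=CCMP gives the 
WPA2 AES transport, and ca_cert plus domain_suffix_match are what stop the 
supplicant from running MSCHAPv2 against an impostor. The native Windows and 
Apple supplicants expose the same two settings as the trusted root CA and the 
server-name list in the PEAP profile. domain_suffix_match is a 2.x-era 
wpa_supplicant option (assumption); older releases only offer subject_match.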

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Kay Sandacz
Sent: Thursday, August 19, 2010 8:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] share 802.1x experience?

Hey folks.

Anyone care to share experience in rolling out 802.1x?  We're looking only at 
wireless just now.  Support issues or user experience would be particularly 
helpful.

And did anyone attempt to run 802.1x on a previously existing SSID?

Thanks,
-kay-

Kay Sandacz, Assistant Director
Data Networking, IT Services
The University of Chicago




RE: [WIRELESS-LAN] Are we the only ones with logon issues and complexity?

2010-06-24 Thread Randall C Grimshaw
We have three essential SSIDs: BrandXguest, BrandXhelp, and BrandXX.
Both the BrandXguest SSID and the BrandXhelp landing pages contain text and 
links to Cloudpath.net XpressConnect, which is a fine value and easy tool for 
configuring 802.1x supplicants for BrandXX.
Once the supplicant is configured users rarely (if ever) need to enter their 
password again. I mark all other profiles as manual during the config step so 
that any SSIDs connected to initially never show up again.
Yes, we use safeconnect also, but the radius authentication logs are sent in 
real-time to the enforcers and satisfy the auth as a single sign-on. For the 
most part you open the lid and you're on.
As for safeconnect not working right I will share some tips offline, but I am 
sure the support team at impulse would like a chance to answer your questions 
also.

Randall Grimshaw rgrim...@syr.edu


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[wireless-...@listserv.educause.edu] On Behalf Of Maurice Volaski 
[maurice.vola...@einstein.yu.edu]
Sent: Thursday, June 24, 2010 7:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Are we the only ones with logon issues and complexity?

I'm speaking on behalf of our users. At our institution, we are using a typical 
architecture for wireless with two SSIDs, one for internal use and the other, 
in addition to guest access, is required for users to bootstrap their initial 
802.1x PEAP/TTLS logon. In addition, we also have SafeConnect.
Many of our users have trouble with this arrangement. They find that login is a 
chore and that it sometimes doesn't work. For example, we have had many 
problems with SafeConnect not working right. As a result, some users avoid the 
internal network and just use the guest network.

Anyway, I'm wondering if you have ever experienced issues with your users being 
confused over having two SSIDs, dealing with a broken SafeConnect or a 
multi-level authentication mechanism and how you've dealt with it.

--


Maurice Volaski, maurice.vola...@einstein.yu.edu
Computing Support, Rose F. Kennedy Center
Albert Einstein College of Medicine of Yeshiva University


RE: [WIRELESS-LAN] Princeton determines cause of an iPad problem

2010-04-19 Thread Randall C Grimshaw

>> Even with multiple smaller subnets, you can prevent IP address hogging as
>> long as the DHCP server provides a mechanism to remove client leases from
>> the other pool at the point it hands out a lease to the same device in the
>> new one.
These two options are available in the ISC dhcp servers. I think it is the 
'deny duplicates;' keyword that you suggest.
Randy
 The one-lease-per-client statement

   one-lease-per-client flag;

   If this flag is enabled, whenever a client sends a DHCPREQUEST for a
   particular lease, the server will automatically free any other leases the
   client holds. This presumes that when the client sends a DHCPREQUEST, it
   has forgotten any lease not mentioned in the DHCPREQUEST - i.e., the client
   has only a single network interface and it does not remember leases it's
   holding on networks to which it is not currently attached. Neither of these
   assumptions are guaranteed or provable, so we urge caution in the use of
   this statement.

 The duplicates keyword

   allow duplicates;
   deny duplicates;

   Host declarations can match client messages based on the DHCP Client
   Identifier option or based on the client's network hardware type and MAC
   address. If the MAC address is used, the host declaration will match any
   client with that MAC address - even clients with different client
   identifiers. This doesn't normally happen, but is possible when one
   computer has more than one operating system installed on it - for example,
   Microsoft Windows and NetBSD or Linux.

   The duplicates flag tells the DHCP server that if a request is received
   from a client that matches the MAC address of a host declaration, any other
   leases matching that MAC address should be discarded by the server, even if
   the UID is not the same. This is a violation of the DHCP protocol, but can
   prevent clients whose client identifiers change regularly from holding many
   leases at the same time. By default, duplicates are allowed.
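
An added dhcpd.conf fragment (constructed for this thread, not Randy's or 
anyone's production configuration) showing where the two statements from the 
man page text above go and at what scope. The subnets, addresses and the host 
entry are placeholders; the 24-hour lease follows the lease-time discussion 
further down the thread.

```conf
# Constructed dhcpd.conf fragment, not from the list archive. Addresses,
# lease times and the host entry are placeholders.

# Global: free every other lease a client holds when it sends a DHCPREQUEST
# for a new one, so a device that roams from the first subnet to the second
# gives the first address back instead of holding both until they expire.
one-lease-per-client true;

# Global: for clients that match a host declaration (see below), also discard
# other leases with the same MAC even when the client identifier (UID) differs.
deny duplicates;

# 24-hour leases, as discussed in this thread
default-lease-time 86400;
max-lease-time 86400;

# Two separately routed wireless subnets, e.g. two buildings
subnet 10.10.0.0 netmask 255.255.254.0 {
    range 10.10.0.10 10.10.1.250;
    option routers 10.10.0.1;
}

subnet 10.10.2.0 netmask 255.255.254.0 {
    range 10.10.2.10 10.10.3.250;
    option routers 10.10.2.1;
}

# Placeholder managed device. "deny duplicates" only takes effect for clients
# that match a host declaration such as this one; a host declaration without a
# fixed-address still lets the client take a dynamic lease from the pools.
host lab-ipad-01 {
    hardware ethernet 00:11:22:33:44:55;
}
```

one-lease-per-client is the one that matters for the general roaming 
population, since it acts on any DHCPREQUEST; deny duplicates, per the man page 
text above, only affects clients that match a host declaration. Neither 
statement helps with the failure Princeton described, where the device stops 
sending DHCPREQUESTs altogether. Check the file with dhcpd -t -cf 
/etc/dhcp/dhcpd.conf before restarting the server.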

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Jeffrey Sessler
Sent: Monday, April 19, 2010 1:15 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Princeton determines cause of an iPad problem

Even with multiple smaller subnets, you can prevent IP address hogging as long 
as the DHCP server provides a mechanism to remove client leases from the other 
pool at the point it hands out a lease to the same device in the new one.

Jeff

>>> Caroline Owens  4/19/2010 9:45 AM >>>
They could create longer lease times and not have an issue if they have only 
one flat wireless subnet.

But if they have several smaller subnets, these longer leases could really add 
up if a device acquires an IP address from each subnet within a small window of 
time.  You wouldn't want a device hogging two or three other IP addresses on 
subnets that it's not currently using.  On a college campus with students that 
roam all over and have iPhones, this situation isn't out of the realm of the 
possible.

Caroline Owens
Networking and Telecommunications
Saint Joseph's University

On 4/19/2010 11:27 AM, Jeffrey Sessler wrote:

It would seem that Princeton could temporarily (or permanently) avoid the 
problem, and thus all the media hype and blocking of the iPads, by simply 
increasing their DHCP lease time from their stated 1-3 hour time to something 
more reasonable. Unless your base of devices includes a large number of 
drive-bys (devices seen only once and never again), I'm not sure that a lease 
time of 1-3 hours will result in better DHCP IP address pool use than say a 
lease time of 24 hours.

We toyed with extremely short leases years ago but found they resulted in 
various device anomalies. We now run with lease times of at least 24 hours and 
our average IP address consumption changed very little.

Jeff

"Zeller, Tom S"  04/18/10 8:54 PM >>>

http://www.net.princeton.edu/announcements/ipad-iphoneos32-stops-renewing-lease-keeps-using-IP-address.html

iPad gets DHCP lease.  If iPad happens to be sleeping during the renewal
time it awakens and uses the IP number forever (until shut down of unit or
WiFi or going out of range)

Tom Zeller
Indiana University


RE: [WIRELESS-LAN] Hacking Cisco WLC - macfilters

2010-04-16 Thread Randall C Grimshaw
I would be interested in the code from a curiosity perspective, but I also 
wanted to ask how this is received from a user perspective.

Is this a feature that you use as a last resort?

We have always bent over backwards to attempt (as much as practical) to steer 
the user into a web page that tells them what the problem is. We have legacy 
stories of kids asking dad for a new computer because theirs was quarantined.

Randy

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Garry Peirce
Sent: Thursday, April 15, 2010 2:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Hacking Cisco WLC - macfilters

Mike,
I manage Cisco controller exclusions via SNMP.

We have a homegrown IPAM system which includes a checkbox to be able to disable 
a machine.
Doing so for a wireless host causes this to create an exclusion entry which is 
then distributed system-wide preventing the host from associating.
When this box is unchecked, the entry gets removed (database change, cron 
process, script runs...)

In a nutshell... I've scraped some parts of a script I wrote depicting the 
insert/removal operation.
So as not to include here as an attachment, I'll send it to you directly - if 
others would like it, just send me a note.

As I scraped from different sections of the script, it may require some 
re-working to make it run.
This might give you something to work with to create a script to purge your 
entries, but you'll need a way to determine the entries' age.
I actually include the date of the exclusion in the description field.  Then 
you just have to run it once a month.

Btw - you may want to increase the size of the WLC database should you have a 
large number of excluded addresses.
'config database size <512-2048>'


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Schomer, Michael J.
Sent: Thursday, April 15, 2010 10:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Hacking Cisco WLC - macfilters

Although we encourage all wireless devices to connect via WPA/WPA2 802.1x, not 
all wireless devices support these standards.  To accommodate consumer level 
wireless devices, such as game consoles, we created a separate WPA PSK network. 
 We manually approve each request by adding a mac filter exclusion to that 
particular network.

In the beginning we did all these requests manually, either by entering them 
directly into each WLC or by using templates in WCS.  Eventually, the number of 
requests necessitated the need to semi-automate the process.  We created a web 
form to gather the information; on the administrator side we could approve or 
deny each request.  Approving the request would run a scripted telnet session 
to each WLC adding the macfilter.

For security and stability reasons we didn't want to continue using scripted 
telnet sessions.  We figured out how to script an https session on the 
controllers using HTTP GET.  This solution is working much better; however we 
have not found a good way of removing macfilters from the controllers, using 
this method. (The way the web interface works for removing macfilters is pretty 
convoluted and would be difficult to script.) We want to run a script once a 
month that will remove all macfilters a year or more old.

So, long story short, has anyone done anything like this?  Any suggestions for 
removing old macfilters?

Thanks.

-Mike Schomer
-ResNet Coordinator
-St. Cloud State University



RE: [WIRELESS-LAN] NAC -Posture Assessment

2010-04-09 Thread Randall C Grimshaw
Response inline; would you please share the results of this survey.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Manoj Abeysekera
Sent: Friday, April 09, 2010 10:35 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] NAC -Posture Assessment

Hello Everyone,

I think we may have discussed this before but I want to do a quick poll and see 
where everyone is with their NAC implementation and specifically Posture 
Assessment in your university. So, my questions are:

1. Have you implemented the Posture Assessment in your campus including all 
Dorms and Administrative buildings?
Almost. All Dorms and wireless campuswide, not for administrative buildings 
which are largely managed by AD policy.

2. Do you think the investment is worthy and provides enough value for your 
investment?
Yes. NAC limitations are somewhat mitigated by compliance with safe practices, 
AV, Firewall, Patches etc.

3. Do you think complications involved with Posture Assessment and collateral 
risk it brings (as a campus wide outage thanks to NAC hardware) outweigh the 
individual virus or malware problems that your support staff have to deal with?
Yes. Our NAC implementation will generally fail open out of band. Using agents 
and continuous assessment has allowed us to relax in the good times to allow a 
day or so of posture non-compliance for remediation purposes (purchase and 
install AV etc). IDS violations are enforced more quickly.


Thanks again for your help.




Manoj


--

P. Manoj Abeysekera, CWNA, ACMA
Network Engineer
American University
4200 Wisconsin Ave, NW
Washington DC. 20016
202-885-2702
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.




RE: [WIRELESS-LAN] PEAP/MSCHAPv2 + Active Directory recommendations

2010-03-04 Thread Randall C Grimshaw
We use a radius with an AD agent component... speaking AD... an ldap bind is 
not necessary. Surely SBR can do this also.

Randall Grimshaw rgrim...@syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[wireless-...@listserv.educause.edu] On Behalf Of Manoj Abeysekera 
[ma...@american.edu]
Sent: Thursday, March 04, 2010 2:00 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] PEAP/MSCHAPv2 + Active Directory recommendations

I'm interested too..

Manoj


---

P. Manoj Abeysekera, CWNA
Network Engineer
American University
4200 Wisconsin Ave, NW
Washington DC. 20016
202-885-2702






From: Ryan Holland
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: 03/04/2010 01:56 PM
Subject: [WIRELESS-LAN] PEAP/MSCHAPv2 + Active Directory recommendations
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv

We currently have an 802.1X environment using PEAP/MSCHAPv2 to Steel-Belted 
radius. SBR queries SQL for user credential validation. We are (thankfully) 
migrating away from SQL to an Active Directory solution. I have been told by 
Juniper that we will be unable to search/query for additional attributes in AD 
since we are using MSCHAPv2; I'm told that PAP (clear text passwords) must be 
used in order to use the ldap auth to BIND to AD.

Being that we need to be able to query for additional attributes, I am 
inquiring what other institutions are doing.

If you are using both PEAP/MSCHAPv2 and Active Directory, I would appreciate 
you taking a moment to share how you are set up. Feel free to respond off list 
as well.

Many thanks!

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906   holland@osu.edu

** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.


RE: Instructions

2009-11-04 Thread Randall C Grimshaw
We use a HELP style SSID with a configuration utility and other documentation 
like you have created on it. The utility is available from Cloudpath.net

Randy

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Daniel Bennett
Sent: Wednesday, November 04, 2009 1:37 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] FW: Instructions

I have a meeting coming up on how to best inform new students of how to gain 
access to wireless once they get here.  We have instructions in pdf format for 
all operating systems.  I am wondering how your Institutions get that kind of 
information in hands of new incoming freshman.  Especially those living in the 
dorms.

Thanks,

Daniel Bennett
IT Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport PA, 17701
570.329.4989
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.




RE: [WIRELESS-LAN] iphone 3.0 auto-join problems?

2009-07-29 Thread Randall C Grimshaw
In a NAC containment environment, we have been able to work around this 
'feature' by satisfying the http request. View the simple 'success.html' file 
from Apple and place a similar file on your system in the same location. The 
iPhone will assume connectivity is available and stop trying to be so helpful. 
We have done similar things in the past regarding MS Teredo 'features'.

Randy

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Ryan Holland
Sent: Wednesday, July 29, 2009 9:05 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iphone 3.0 auto-join problems?

I'm glad to see others with this problem (meaning that in the nicest way 
possible, of course). I had opened case 337745 with Apple. From what I found, the phone 
sends out probe requests for the known network and receives responses, but the 
phone never sends 802.11 auth frames (let alone association frames) for said 
network. Only if the user taps the network does the phone connect.

I'll see about the suggested 3.1 beta - sounds intriguing.

==
Ryan Holland
Network Engineer, Wireless
CIO - Infrastructure
The Ohio State University
614-292-9906   holland@osu.edu


Subject: Re: iphone 3.0 auto-join problems?
From: Jorj Bauer <j...@isc.upenn.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Thu, 2 Jul 2009 11:30:24 -0400

> We are receiving complaints from people who have upgraded to the iPhone 3.0
> firmware. We operate 2 Wireless SSID's on our campus (guest and regular).
> Our Guest ssid is a WPA-PSK that redirects to a portal and our Regular SSID
> is an 802.1x authenticated ssid. Users using the Regular ssid had to install
> a profile the first time they used it.
>
> Prior to version 3.0 of the iPhone, users' devices would remember the last
> network they connected to and auto-connect to the Regular network. Now it
> does not do that. Instead, it goes like:

It's a bug in iPhone OS 3.0. You should probably talk with Apple about
access to the 3.1 beta for testing...

--
Jorj Bauer
Manager of Engineering, Research and Development
Information Systems and Computing, University of Pennsylvania
XMPP: j...@upenn.edu



** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.


RE: [WIRELESS-LAN] Guest Wireless Access

2009-07-17 Thread Randall C Grimshaw
It is a home grown system.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Tupker, Mike
Sent: Thursday, July 16, 2009 9:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Guest Wireless Access

Just out of curiosity what are you using for a captive portal and to do the 
guest accounts?

Mike Tupker
Systems Administrator
Mount Mercy College

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Randall C Grimshaw
Sent: Thursday, July 16, 2009 8:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Guest Wireless Access

In addition to our 802.1x network, we provide an open network SSID guarded by a 
captive portal gateway. Any member of the campus community can sponsor a guest 
account on the captive portal. This resource has limited ports and bandwidth.

Randy


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[wireless-...@listserv.educause.edu] On Behalf Of Rick Coloccia 
[coloc...@geneseo.edu]
Sent: Thursday, July 16, 2009 2:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Guest Wireless Access

I've been asked to open our wireless network up and provide guest access
of some sort.  Would you mind sharing what offerings each of your
institutions provide in terms of guest wireless access, please?
Thanks!
-Rick

--
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


RE: [WIRELESS-LAN] Guest Wireless Access

2009-07-16 Thread Randall C Grimshaw
In addition to our 802.1x network, we provide an open network SSID guarded by a 
captive portal gateway. Any member of the campus community can sponsor a guest 
account on the captive portal. This resource has limited ports and bandwidth.

Randy


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[wireless-...@listserv.educause.edu] On Behalf Of Rick Coloccia 
[coloc...@geneseo.edu]
Sent: Thursday, July 16, 2009 2:11 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Guest Wireless Access

I've been asked to open our wireless network up and provide guest access
of some sort.  Would you mind sharing what offerings each of your
institutions provide in terms of guest wireless access, please?
Thanks!
-Rick

--
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577
F: 585-245-5579

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


RE: [WIRELESS-LAN] Wireless network names

2009-03-31 Thread Randall C Grimshaw
One compelling reason for choosing a SSID name is Trademark. There are some who 
say (this is unproven to the best of my knowledge) that if you register your 
name as a trademark you have a better chance of legally defending your right 
not to have others broadcast it - nefarious or otherwise. It looks like you 
already have started 'family branding' around cedarwireless-... why would 
you want to change?
Randy
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Nathan Hay
Sent: Tuesday, March 31, 2009 3:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless network names

We are trying to decide on some network names for our various networks and we 
are looking for input from other schools.

Would anyone mind sharing their SSID names and a brief description of their 
target audience of devices/users?

We are specifically interested in choosing a new name for our SSID that is 
primarily for smartphone/PDA/iPhone/iPod touch devices.

Here's what we have currently:

cedarwireless-guest:  coffee shop type wireless with limited access, only in 
academic buildings
cedarwireless-special:  non-broadcast SSID for smartphone/PDA/iPhone/iPod touch 
and game consoles
cedarwireless-unsecure:  clear network with captive portal for laptops 
(students and others)
cedarwireless-secure:  WPA2-Enterprise network for laptops (students and others)

Thanks,

Nathan






Nathan P. Hay
Network Engineer
Computer Services
Cedarville University
www.cedarville.edu
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.




RE: [WIRELESS-LAN] IDEngines and Autoconnect

2009-03-11 Thread Randall C Grimshaw
The IdEngines company closed and was in part acquired by ... but the 
Autoconnect product is also marketed as Cloudpath.net XPressConnect

And yes, we are also a satisfied customer.

Randy

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Dennis Xu
Sent: Wednesday, March 11, 2009 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] IDEngines and Autoconnect

We have heard much positive feedback about IDEngines and Autoconnect. We are 
just trying to evaluate this product and I cannot find this company anymore. Is 
this product completely replaced by XpressConnect? For the folks using this 
product, do you still get good support? Will you stay with this product or look 
for other alternatives? Any suggestions are appreciated.

Thanks,

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


RE: [WIRELESS-LAN] Cisco lightweight APs and non-IOS DHCP for controller discovery

2008-10-31 Thread Randall C Grimshaw
This is the ISC DHCP configuration that we use to supply Cisco LWAPP
AP's with their controller address.

# Vendor option space carried inside DHCP option 43 for Cisco LWAPP APs
option space LWAPP;
# Sub-option 241 holds the controller IP address the AP should join
option LWAPP.controller code 241 = ip-address;
# Classify clients by the vendor class string (option 60) the AP sends
class "LWAPP" {
  match option vendor-class-identifier;
}
# One subclass per AP model string; each is handed the same controller
subclass "LWAPP" "Cisco AP c1130"
{
  vendor-option-space LWAPP;
  option LWAPP.controller 10.1.0.9;
}
subclass "LWAPP" "Cisco AP c1200"
{
  vendor-option-space LWAPP;
  option LWAPP.controller 10.1.0.9;
}
subclass "LWAPP" "Cisco AP c1240"
{
  vendor-option-space LWAPP;
  option LWAPP.controller 10.1.0.9;
}
subclass "LWAPP" "Cisco AP c1241"
{
  vendor-option-space LWAPP;
  option LWAPP.controller 10.1.0.9;
}

Randall Grimshaw, Syracuse University, [EMAIL PROTECTED]

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Sylvain Robitaille
Sent: Friday, October 31, 2008 11:23 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Cisco lightweight APs and non-IOS DHCP for
controller discovery


posted to comp.dcom.sys.cisco and alt.internet.wireless, and mailed
to The EDUCAUSE Wireless Issues mailing list, with apologies to any
who see multiple copies as a result ...

This message is long (262 lines), and I apologize in advance for that.
However, I hope that it will provide missing information for anyone
having trouble getting Cisco lightweight wireless access points to locate
their controllers, using the DHCP vendor-specific option ("option 43")
from third-party DHCP servers (such as ISC's dhcpd).

I am posting this on my last day in my current position as a wireless
network administrator (I'm moving on to a new systems-oriented job),
so I will be able to participate in any followups that will not include
further experimentation with configuration of the access points, or DHCP
attributes specific to them.

In the interest of (attempted) brevity (which I realize I failed to
accomplish!), I assume that the reader understands the sequence used
by the access points for LWAPP Discovery Protocol, and understands DHCP
and DNS.  I don't claim to be an expert on any of the above (please don't
email me directly with specific questions; there are mailing lists and
netnews groups for that, populated by folks who know a lot more than I
do), but I have successfully (and finally!) gotten this to work as it
should, using ISC's dhcpd running on Linux.

I struggled with this for more than a year, continually running into
a roadblock, and falling back to using a DNS resource-record for
CISCO_LWAPP_CONTROLLER.${domain}, which is fine for a relatively small
installation (our installation isn't very small, though).  Our consultants
(not from Cisco, but they would themselves consult with Cisco) were at
a loss for a proper solution to this problem, and frequently resorted
to pre-configuring access-points (allegedly on Cisco's recommendation)
with controller addresses.  Again, this approach is not unreasonable for
a small installation, but it simply does not scale to larger installations
with lots of wireless access points.

We started working with lightweight access-points late summer 2007,
when we started deploying a mesh network to surround our campuses,
and recently started upgrading our (approximately 360) stand-alone IOS
access-points (a mix of 350s, 1130s, 1230s, 1240s, and recently 1250s)
to lightweight AP1250s.  For controllers we have a mix of 4400-series
controllers and Wism blades.

We intended to configure our setup such that each campus would have
its own set of primary and secondary controllers, with a fail-over
to a controller normally serving another campus, and the outdoor
mesh network (AP1500 series access points) would have its own set
of controllers.  For this reason, using the DNS resource-record
(CISCO_LWAPP_CONTROLLER.${domain}) was deemed to be an unsuitable
approach to having our APs find their controllers (the DNS domain is
the same across our campuses).

The APs are not all on the same network segments that the controllers
are on, so the layer 3 broadcast approach to controller discovery
isn't suitable for us.  There are more access-points than is reasonable
for manual pre-configuration of each, and we are growing our wireless
network into more buildings as time goes on, so that isn't about to
become more feasible.

The Cisco lightweight access-points are supposed to be able to find
controllers based on receiving a list of controller IP addresses
from a DHCP server in the vendor-specific option, aka "option 43".
Cisco provides documentation that describes how to configure different
DHCP servers (including Cisco's own IOS DHCP server, built into some
IOS devices, Microsoft's, Sun's, and one they identify as "Linux DHCP
server", which is very likely the ISC's dhcpd, but that isn't made clear;
and others).

The specific document I refer to here is "DHCP Option 43 for Lightweight
Cisco Aironet Access Points Configuration Example" (Document ID: 97066,
(c) 2007 - 2008 Cisco Systems, Inc. 
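
The option 43 payload that the ISC stanza in Randall's reply above generates, as an added example that is not part of the thread: a Python encoder/decoder for the Cisco LWAPP controller sub-option (code 241, the same number as in the `option LWAPP.controller code 241 = ip-address;` line), plus a formatter for the dotted-hex form the IOS DHCP server takes. The controller addresses are constructed samples; the TLV layout (0xF1, a length byte equal to 4 times the number of controllers, then the IPv4 addresses) follows Cisco's option 43 guidance for lightweight APs, and the decoder refuses truncated or misaligned payloads rather than returning a partial list.

```python
"""Build and decode the controller list Cisco LWAPP access points read from
DHCP option 43, sub-option 241.

Added example (not from the thread). The ISC dhcpd stanza in Randall's reply
is what emits this on the wire; this script shows the bytes it produces and
decodes an option 43 payload back into controller addresses. Layout per
Cisco's option 43 guidance for lightweight APs: sub-option code 0xF1 (241),
one length byte = 4 * number of controllers, then the IPv4 addresses back to
back. Addresses below are constructed sample values.
"""
import ipaddress

LWAPP_CONTROLLER_SUBOPTION = 241   # "code 241" in the ISC config
SUBOPTION_PAD = 0                  # RFC 2132 reserves 0 and 255 inside option 43
SUBOPTION_END = 255


def encode_controller_list(controllers):
    """Return the sub-option 241 TLV for the given IPv4 controller addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(packed) > 255:
        raise ValueError("too many controllers for one sub-option length byte")
    return bytes([LWAPP_CONTROLLER_SUBOPTION, len(packed)]) + packed


def decode_controller_list(option43):
    """Walk the TLVs in an option 43 payload and return the controller
    addresses found in sub-option 241 (other sub-options are skipped).
    Truncated or misaligned input raises ValueError instead of yielding a
    partial list, so a bad DHCP answer is noticed rather than acted on."""
    controllers = []
    i = 0
    while i < len(option43):
        code = option43[i]
        if code == SUBOPTION_PAD:
            i += 1
            continue
        if code == SUBOPTION_END:
            break
        if i + 1 >= len(option43):
            raise ValueError("truncated sub-option header")
        length = option43[i + 1]
        value = option43[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        if code == LWAPP_CONTROLLER_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("controller list length must be a multiple of 4")
            controllers.extend(
                str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, length, 4)
            )
        i += 2 + length
    return controllers


def to_ios_hex(option43):
    """Format the payload the way the IOS DHCP server's 'option 43 hex' form
    is written: dotted groups of four hex digits (e.g. f104.0a01.0009)."""
    h = option43.hex()
    return ".".join(h[k:k + 4] for k in range(0, len(h), 4))


if __name__ == "__main__":
    tlv = encode_controller_list(["10.1.0.9", "10.1.0.10"])  # constructed addresses
    print(tlv.hex(), to_ios_hex(tlv), decode_controller_list(tlv))
```

Running it prints the raw hex, the IOS-style dotted form and the decoded list. The decoder is the useful half when APs still cannot find a controller: feed it the option 43 bytes from a capture of the DHCP offer and it tells you whether the server actually sent a well-formed sub-option 241, which is the usual place third-party server configurations go wrong.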

RE: [WIRELESS-LAN] Network Access Control

2008-09-11 Thread Randall C Grimshaw
Who is using NAC (Network Access Control) for wireless client
authentication and posturing?

1) What solution did you select?

Impulse SafeConnect

2) How easily did it integrate with your existing infrastructure?

We were the pilot for some advanced 802.1x functionality, but it
integrated nicely. Radius authentication starts and stops are passed to
the NAC. Phase 1, this replaced a large portion of a homegrown solution.

3) What is your existing infrastructure and wireless solution?

Cisco LWAPP thin APs

4) How well has it performed?

Very well with some tuning. The developers are excellent to work with.
The solution provides an agent that assists with continuous posture
checking and quarantine for Windows Machines. There is an agent for the
Mac with less functionality at this time.

5) If you had to do it again would you select the same product?

Yes.

6) What were the success and failures of the deployment?

The deployment is a success. Opening went very smoothly. The vendor is
making progress on the remaining feature requests.

7) What was the impact on your technical staff to prepare for
deployment?

We did move all management interfaces for the network and other
infrastructure to a separate private network. I recommend doing this
regardless of product selection. We did a lot of testing.

8) How well does it scale?

We are approaching 5200 concurrent users on wireless and growing. We
also manage our wired resnet networks. Phase 1.

9) How are the management tools and maintenance for the solution?

The management tools are minimal. The solution is pretty much a packaged
service so maintenance has been limited and the support has been
terrific. We developed our own reporting tools and have turned them over
to the vendor who has expressed an interest in integrating similar
functionality.

Now on to Phase2.

Thanks a million,

You are welcome a million. There are going to be more questions, please
feel free to write me off-list for more answers.

Randy Grimshaw
Syracuse University
[EMAIL PROTECTED]

** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.



RE: [WIRELESS-LAN] Using MAC Authentication

2008-07-01 Thread Randall C Grimshaw
I will offer the caution that in a captive portal, in regard to accountability, 
MAC harvesting is an all or nothing proposition. You will be surprised how 
often computers are loaned and authenticated using different accounts. If you 
harvest for one population, that population will eventually borrow, 
significantly, computers owned by neighbor populations. This is not to imply 
that it is a bad idea, just that there is overlap that you should be aware of.
Randy



From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Ryan 
Lininger
Sent: Tue 7/1/2008 10:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Using MAC Authentication



We have been considering something similar.  Our thought was to use MAC
authentication via radius to our wired NAC system.  The idea being that
if they registered their system then the MAC would be in the database
and they wouldn't get the captive portal at login.  (Before I get
flamed, our NAC registers all NIC's, wired and wireless, at the time of
registration.)  This is just a theory here at the moment so I can't
speak to the effectiveness, usage, etc. but I like the idea.

The main concern I have related to MAC authentication, however, is MAC
spoofing.  It is very easy to spoof a wireless MAC address so if that is
your form of authentication then it is very easy to bypass your
authentication.

Ryan Lininger
Network Systems Engineer
Denison University
p 740.587.6229
f 740.587.5722
[EMAIL PROTECTED]



Michael Dickson wrote:
> We are considering using MAC authentication to allow users to bypass
> the captive portal web login page to access our wireless network. This
> is considered sort of a stop-gap measure until 802.1x is fully
> implemented.
>
> Is anyone maintaining (by harvesting or user-initiated manual entry) a
> MAC auth table after initial captive portal login so that users can
> bypass the web login page every time they connect?
>
> We are considering a manual opt-in process instead of an auto-harvest
> and we would not harvest MAC addresses of folks with guest accounts.
>
> Is this generally a good idea? What is the down side of not making
> users sign in every session?
>
> As an aside, we are considering extending the dhcp lease times and the
> reauth intervals so that users don't have to log in again if they walk
> to class from their dorms, etc.
>
> We are an Aruba shop. We currently have an open SSID, no encryption,
> with captive portal as the only point of authentication. 802.1x
> rollout expected soon.
>
> As always, thanks for the help!
>
> Mike
>
> ***
> Michael Dickson Phone: 413-545-9639
> Network Analyst [EMAIL PROTECTED]
> University of Massachusetts
> Network Systems and Services
> ***
>



**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
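
To size the overlap Randall describes before turning on harvesting, as an added example that is not from any post in this thread: a Python script over constructed captive-portal authentication records that lists devices authenticated under more than one account and flags devices that would be harvested for one population but were also used by an account outside it, including guest accounts (the population Mike says he would not harvest). The log line format, field names and the `guest-` username prefix are assumptions made for this example.

```python
"""Measure account/device overlap in captive-portal logins before harvesting
MAC addresses into a bypass table.

Added example, not from the thread. Reads constructed captive-portal
authentication records (timestamp, MAC, username, result), finds devices
used by more than one account, and flags devices that a per-population
harvest would pick up even though an outsider or a guest also used them.
Log format, names and the guest prefix are assumptions for this example.
"""
import re
from collections import defaultdict

# Constructed sample log: a laptop lent between two students, a faculty laptop
# later used under a guest account, and one failed login that must not count.
SAMPLE_LOG = """\
2008-07-01T08:10:02 portal auth mac=00:11:22:33:44:55 user=alice result=ok
2008-07-01T08:12:40 portal auth mac=66:77:88:99:AA:BB user=bob result=ok
2008-07-01T12:03:15 portal auth mac=00:11:22:33:44:55 user=carol result=ok
2008-07-01T13:45:00 portal auth mac=CC:DD:EE:FF:00:11 user=prof_dan result=ok
2008-07-01T14:02:22 portal auth mac=CC:DD:EE:FF:00:11 user=guest-4471 result=ok
2008-07-01T15:30:09 portal auth mac=22:33:44:55:66:77 user=mallory result=fail
"""

LINE_RE = re.compile(
    r"mac=(?P<mac>[0-9A-Fa-f:]{17}) user=(?P<user>\S+) result=(?P<result>\S+)"
)


def accounts_per_mac(log_text):
    """Map each MAC (normalised to lower case) to the set of accounts that
    successfully authenticated from it. Failed logins are ignored."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("result") == "ok":
            seen[m.group("mac").lower()].add(m.group("user"))
    return dict(seen)


def shared_devices(log_text):
    """MACs that more than one account has used: the overlap Randall warns about."""
    return {mac: sorted(users)
            for mac, users in accounts_per_mac(log_text).items() if len(users) > 1}


def harvest_conflicts(log_text, population, guest_prefix="guest-"):
    """MACs that a harvest for `population` would capture although an account
    outside that population (possibly a guest) also authenticated from them.
    Harvesting such a MAC would let the outsider bypass the portal as well."""
    population = set(population)
    conflicts = {}
    for mac, users in accounts_per_mac(log_text).items():
        inside, outside = users & population, users - population
        if inside and outside:
            conflicts[mac] = {
                "population": sorted(inside),
                "others": sorted(outside),
                "guest": any(u.startswith(guest_prefix) for u in outside),
            }
    return conflicts


def overlap_ratio(log_text):
    """Fraction of devices with more than one account, as a sizing number."""
    per_mac = accounts_per_mac(log_text)
    return len(shared_devices(log_text)) / len(per_mac) if per_mac else 0.0


if __name__ == "__main__":
    print("shared:", shared_devices(SAMPLE_LOG))
    print("student harvest conflicts:", harvest_conflicts(SAMPLE_LOG, {"alice", "bob"}))
    print("overlap ratio: %.2f" % overlap_ratio(SAMPLE_LOG))
```

Run it against a few weeks of real portal logins before deciding on harvesting: `overlap_ratio` tells you how much of the fleet is shared at all, and `harvest_conflicts` lists the specific devices where a harvest keyed on one population would also silently admit someone else, which is exactly the accountability gap Randall describes.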


RE: [WIRELESS-LAN] Using Private IP addresses for wireless users.

2008-05-29 Thread Randall C Grimshaw
By vlsm, I only meant variable length subnet masks. A /29 subnet
provides enough numbers for interconnects, NAC, and other network
devices related to the backbone without the waste. These are still
routable addresses.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of ray
Sent: Thursday, May 29, 2008 11:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Using Private IP addresses for wireless
users.

We've also moved all switches, AP, printers, clocks, vending machines,
etc to private address space.  However I haven't moved backbone
interconnects, as that would break traceroute from off campus.

On Thu, 29 May 2008, Randall C Grimshaw wrote:

> We also have moved all backbone interconnects and other small networks
> to vlsm. The tighter space became, the more creative we became.
>

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Ray DeJean   http://www.r-a-y.org
Systems EngineerSoutheastern Louisiana University
IBM Certified Specialist  AIX Administration, AIX Support
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

**
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.



RE: [WIRELESS-LAN] Using Private IP addresses for wireless users.

2008-05-29 Thread Randall C Grimshaw
We also have moved all backbone interconnects and other small networks
to vlsm. The tighter space became, the more creative we became.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Lee H Badman
Sent: Thursday, May 29, 2008 10:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Using Private IP addresses for wireless
users.

Neal-

We also view our publicly routed IP space as a finite space, to be
managed carefully. Though we do no NAT or private IP space for wireless
users, we are seeing tremendous benefit in both security and public IP
space preservation by moving large blocks of devices that have no need
to see (or to be seen by) the Internet to private spaces.

For example, all or our APs and controllers are managed in private
space. The gain? Around 1,700 IP addresses today, well over 2,000 by
year's end.

We are starting to move management of our network switches into private
space- another 1,000 IPs saved.

Also, starting to work with folks responsible for vending machines, door
controllers, PCI-compliance devices, etc- all very good candidates for
private space. Hundreds more public addresses saved, and lots of
security gains. 

NAT, on the other hand, has been an unpopular notion for many reasons
for us. Probably the most noteworthy is tracking who did what and when
(from both the nuisance traffic tracking and troubleshooting angles)
when thousands of users all NAT to a single IP address (or a few IP
addresses).

-Lee

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Johnson, Neil M
Sent: Thursday, May 29, 2008 9:56 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Using Private IP addresses for wireless users.

We will be out of address space for one of our wireless nets (currently
a /21) in the fall.

We do not have a larger block available, and attempts to obtain
additional address space by fall are not looking promising, so there is
a distinct possibility that will have to move our wireless users to
private address space.

So I'm looking for information from other institutions who use private
address space for their wireless networks.

We are primarily a Meru shop, although we have about 86 Cisco LWAPP AP's
in production. We use 802.1X (WPA2 Enterprise) for authentication.

Here are the questions I have:

- How do you implement NAT ?
- How do you provide DHCP addresses to your clients ?
- How do you handle IDS and Flow data collection ?
- What tools and processes do you use to tie a public IP address back to
an 802.1X authenticated user ?
- What kind of application issues have you run into and how do you
handle them ?
- Are your end-users satisfied with the service ?

Thanks.

--
Neil Johnson
Network Engineer
The University of Iowa
W: 319 384-0938
M: 319 540-2081
http://www.uiowa.edu

**
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
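
One way to answer Neil's fourth question (tying a public address back to an 802.1X user) and the attribution concern Lee raises about NAT, as an added example that is not from the thread: a Python join of RADIUS accounting Start/Stop records with NAT translation create/delete events, looking up who held a given public IP and port at a given instant. The sample records are constructed; the RADIUS attribute names (User-Name, Framed-IP-Address, Calling-Station-Id, Acct-Status-Type, Acct-Session-Id) are the standard accounting attributes, while the NAT log line format is an assumption for this example. The sample is built to show why both the port and the time are needed: the same public port is reused later by a different inside session, and the same inside address is reissued to a different user after the first session's Stop record.

```python
"""Attribute a public NAT address and port at a point in time to the 802.1X
user who held the inside address then.

Added example, not from the thread. Joins constructed RADIUS accounting
Start/Stop records with constructed NAT translation create/delete events.
The RADIUS attribute names are the standard accounting attributes; the NAT
line format is an assumption for this example.
"""
import re
from datetime import datetime

# Constructed sample: jdoe holds 10.20.3.7 until 14:30, then the same inside
# address is reissued to asmith; public port 40001 is reused after 14:40.
RADIUS_ACCT = """\
2008-05-29T13:55:02 Acct-Status-Type=Start Acct-Session-Id=a1 User-Name=jdoe Framed-IP-Address=10.20.3.7 Calling-Station-Id=00-11-22-33-44-55
2008-05-29T14:30:00 Acct-Status-Type=Stop Acct-Session-Id=a1 User-Name=jdoe Framed-IP-Address=10.20.3.7 Calling-Station-Id=00-11-22-33-44-55
2008-05-29T14:31:10 Acct-Status-Type=Start Acct-Session-Id=a2 User-Name=asmith Framed-IP-Address=10.20.3.7 Calling-Station-Id=66-77-88-99-AA-BB
"""

# Constructed NAT translation events (format is made up for this example).
NAT_LOG = """\
2008-05-29T14:02:11 NAT create in=10.20.3.7:51234 out=203.0.113.10:40001
2008-05-29T14:02:11 NAT create in=10.20.3.8:51234 out=203.0.113.10:40002
2008-05-29T14:20:40 NAT delete in=10.20.3.7:51234 out=203.0.113.10:40001
2008-05-29T14:40:05 NAT create in=10.20.3.7:52000 out=203.0.113.10:40001
"""

ATTR_RE = re.compile(r"(\S+?)=(\S+)")
NAT_RE = re.compile(r"^(\S+) NAT (create|delete) in=(\S+):(\d+) out=(\S+):(\d+)$")


def parse_radius_sessions(text):
    """Return {Acct-Session-Id: {user, ip, mac, start, stop}}; stop is None while open."""
    sessions = {}
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        attrs = dict(ATTR_RE.findall(rest))
        if "Acct-Status-Type" not in attrs or "Acct-Session-Id" not in attrs:
            continue
        when, sid = datetime.fromisoformat(ts), attrs["Acct-Session-Id"]
        if attrs["Acct-Status-Type"] == "Start":
            sessions[sid] = {"user": attrs["User-Name"], "ip": attrs["Framed-IP-Address"],
                             "mac": attrs["Calling-Station-Id"], "start": when, "stop": None}
        elif attrs["Acct-Status-Type"] == "Stop" and sid in sessions:
            sessions[sid]["stop"] = when
    return sessions


def parse_nat_translations(text):
    """Return translations as dicts with start/end; end is None while still open."""
    open_by_key, closed = {}, []
    for line in text.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        ts, action, in_ip, in_port, out_ip, out_port = m.groups()
        key = (in_ip, int(in_port), out_ip, int(out_port))
        when = datetime.fromisoformat(ts)
        if action == "create":
            open_by_key[key] = {"in_ip": in_ip, "in_port": int(in_port), "out_ip": out_ip,
                                "out_port": int(out_port), "start": when, "end": None}
        elif key in open_by_key:
            entry = open_by_key.pop(key)
            entry["end"] = when
            closed.append(entry)
    return closed + list(open_by_key.values())


def _active(start, end, when):
    """Half-open interval: a record covers `when` from start up to (not including) end."""
    return start <= when and (end is None or when < end)


def attribute(public_ip, public_port, when, nat_log=NAT_LOG, radius_log=RADIUS_ACCT):
    """Who was behind public_ip:public_port at `when`? None if no translation was
    active then; otherwise the inside address plus the RADIUS session holding it
    (user/mac are None when accounting has no record for that inside address)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    hits = [t for t in parse_nat_translations(nat_log)
            if t["out_ip"] == public_ip and t["out_port"] == public_port
            and _active(t["start"], t["end"], when)]
    if not hits:
        return None
    t = hits[0]
    sessions = [s for s in parse_radius_sessions(radius_log).values()
                if s["ip"] == t["in_ip"] and _active(s["start"], s["stop"], when)]
    s = sessions[0] if sessions else {"user": None, "mac": None}
    return {"private_ip": t["in_ip"], "private_port": t["in_port"],
            "user": s["user"], "mac": s["mac"]}


if __name__ == "__main__":
    for stamp in ("2008-05-29T14:10:00", "2008-05-29T14:25:00", "2008-05-29T14:45:00"):
        print(stamp, attribute("203.0.113.10", 40001, stamp))
```

The operational point is what the two logs have to carry for this join to work at all: the NAT device must log the inside address and port together with the outside port it assigned (a per-flow record, not just the pooled address), and RADIUS accounting must be enabled with Framed-IP-Address so the inside address can be matched to a session. An abuse report that quotes only the public address, with no port or precise time, cannot be resolved to one user once thousands of clients share that address, which is the tracking problem Lee describes.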


RE: [WIRELESS-LAN] residence all security

2008-05-21 Thread Randall C Grimshaw
We use WPA PEAP 802.1x with AD (MSCHAPv2) with Vista nicely (even WPA2
on some networks) so I am a bit confused by your statements.
Our DHCP based NAC worked pretty well on 802.1x but we are implementing
Impulse for the fall for additional functionality.
Randy Grimshaw, Syracuse University

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Sam Stelfox
Sent: Wednesday, May 21, 2008 1:34 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] residence all security

We are redoing our wireless from scratch here at the college and I'll 
share a few of the options that we've considered. Our wireless system 
encompasses our entire campus and we want to separate the students from 
the faculty. The faculty for the most part use laptops owned by the 
college so we can make some assumptions based on our setup of what kind 
of security levels we can use. First off we have a Windows 2003 Active 
Directory setup on our campus, all the computers' times are synced to an
ntp server and we have a local CA.

Before this we had one SSID for both students and staff with 802.1x 
authentication using their active directory credentials. This worked 
great as long as we didn't want to get any Vista machines on the 
wireless or people that don't have an account (think conferences). The 
Vista issue was the biggest reason we're redoing our wireless. The 
problem (I'm guessing, we never actually figured it out) was something 
to do with the root certificates and our self-signed server certificate 
(even though we had "Validate server certificate" unchecked on the
clients).

What we are currently planning is to use 802.1x authentication on a 
faculty/staff SSID as we haven't moved to Vista for them officially and 
don't have plans to anytime soon. Students on the other hand we can't 
control what operating system they have and it's a sad fact of life for 
us that most of them will be coming back to campus with Vista. In light 
of this we are going to be using a WPA key for the students and a 
captive portal to identify them. We haven't decided how long the timeout
for the captive portal authentication will be. We considered WPA2 but we
also run into the compatibility problem again, but have decided that WPA
provides a reasonable amount of security.

Our student and staff/faculty SSID both route to different VLANs. We use
a packeteer to limit the bandwidth on the student portion of the network
and let the staff/faculty have unrestricted access to the pipe.

I hope I have given you some ideas and would love to hear some 
criticism/concerns about this setup. If there are gaping flaws that I 
have missed it sure would be good to know before rolling it out.

Entwistle, Bruce wrote:
>
> I will apologize in advance, as I believe this has been discussed in 
> the past.  During the upcoming summer we will be installing a wireless
> network in our residence halls.  We are looking at different options 
> of how we are going to authenticate and secure the network 
> connections.  If you could please share what methods have or have not 
> worked in addressing the authentication and security issues I would 
> appreciate it.
>
>  
>
> Thank you
>
> Bruce Entwistle
>
> Associate Director of Enterprise Services
>
> University of Redlands
>
> ** Participation and subscription information for this 
> EDUCAUSE Constituent Group discussion list can be found at 
> http://www.educause.edu/groups/. 



RE: [WIRELESS-LAN] Wireless 802.1x working well- now add NAC?

2008-02-07 Thread Randall C Grimshaw
Not even the iPhone works well with 802.1x at this time. So the answer
is that you still need to provide a more open SSID for these devices and
for casual guests. We host a third SSID for the purpose of configuring
clients to use the 802.1x SSID, and still others for special purposes
around campus.

It is tempting to say that they share the same hardware, but there are
different approaches to access control in the backend.

MHO is that 802.1x is a good thing and worth the effort.

But the answer to your question is no.

From: Jamie Savage [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 07, 2008 10:46 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless 802.1x working well- now add NAC?

Hi,
   At these institutions where 802.1x is working well... do
you control the types of wireless devices that the students use?  We
don't control the types of clients, so we're looking at providing
wireless access for all flavours, i.e. Windows, MAC, LINUX, various
hand-helds, etc.  Is it safe to say that anything 'recent' should
work well with 802.1x? 

...thx...J 

James Savage, York University
Senior Communications Tech., 108 Steacie Building
[EMAIL PROTECTED], 4700 Keele Street
ph: 416-736-2100 ext. 22605, Toronto, Ontario
fax: 416-736-5701, M3J 1P3, CANADA


RE: [WIRELESS-LAN] NEWS item: A Wi-Fi Virus Outbreak? It's Possible

2008-01-10 Thread Randall C Grimshaw
We can scoff at the problems with the distribution model proposed in
this scenario. But if it draws attention to a commonly overlooked source
of risk in a targeted incident... it may be a good thing.


-Original Message-
From: Frank Bulk [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 10, 2008 8:49 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] NEWS item: A Wi-Fi Virus Outbreak? It's Possible

http://abcnews.go.com/Technology/PCWorld/story?id=4083225 

Kind of interesting, though it's not the low-hanging fruit.  Rather than
attack the PC itself, which is normally cleanable, attackers could create a
rogue version of DD-WRT that installed on any susceptible routers.  Most
people leave their broadband routers with default passwords and IP settings,
so an 'upgrade' might go on unnoticed.  From that point, no matter what the
subscriber did to clean their computer, they would never be clean.

Again, unlikely, but a story like this makes for good headlines.

Frank



RE: [WIRELESS-LAN] Automating wireless configuration on clients

2007-11-02 Thread Randall C Grimshaw
It is just your basic DHCP/DNS based captive system. A DHCP server gives
private network addresses with a brain dead DNS resolver that wildcards
almost everything to one destination. The VPN behind the SSID doesn't
have to route anywhere off campus, and the allowed destinations are ACL
restricted. There are twists like a reverse-proxy tunnel to the AV
vendors update site etc...

From: [EMAIL PROTECTED]
Sent: Friday, November 02, 2007 1:07 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Automating wireless configuration on clients

I don't suppose you could elaborate on your help SSID. For instance, how
does the redirection work? Is this like a captive portal type of page
only the page just redirects to your registration/download system? We
have been looking for ways to get our help site out to the students but
we realize a help web site doesn't do any good without Internet access. 

_
Angela K. Hollman
Information Technology Services
Network Analyst
(308)865-8176 



From: Randall C Grimshaw <[EMAIL PROTECTED]>
Sent: 11/02/2007 09:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Automating wireless configuration on clients

We took a crack at this. What we found was that it is quite easy to do
with Vista, but the variety of Vendor OEM wireless managers in use for
XP and some nasty XP spyware frequently interfered with the tool. We are
under the recent impression that the iD-Engines product has had a better
success rate and we are considering using that. As a contingency we also
have some development code using the Nicomsoft library which may someday
have the functions we need. 

For Macintosh we created an applescript tool that loads a saved profile
but there is no mechanism for saving that profiles credentials reliably,
so we would get occasional calls that it didn't work. Up-to-date
Macintosh systems configure themselves very easily without any tool. The
current recommendation is to have the user update the OS and let the
Connection Manager perform (and save) the configuration. Leopard may
change that based on the initial feedback, but I suspect Apple has the
ability to resolve these issues again. 

Rather than hike around with flash drives, we have a xxhelp SSID (where
xx is our trademarked SSID) that is open but goes nowhere but the
registration/download system. 

From: [EMAIL PROTECTED]
Sent: Friday, November 02, 2007 9:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Automating wireless configuration on clients 

  
We are researching ways to automate the creation of our SSID on a
student's laptop via a script of some kind.  Our technicians would pop
in a flash drive, run the script from it, and the SSID with the needed
802.1X settings would be created.  This would also serve as a way to
"refresh" the configuration if the student configured the SSID
incorrectly. 
  
We need to support XP, Vista, and Mac OS X. 
  
Has anyone done this before?  Any suggestions on where to start? 
  
Nathan 

Nathan P. Hay
Network Engineer
Computer Services
Cedarville University
www.cedarville.edu <http://www.cedarville.edu/>  



RE: [WIRELESS-LAN] Automating wireless configuration on clients

2007-11-02 Thread Randall C Grimshaw
We took a crack at this. What we found was that it is quite easy to do
with Vista, but the variety of Vendor OEM wireless managers in use for
XP and some nasty XP spyware frequently interfered with the tool. We are
under the recent impression that the iD-Engines product has had a better
success rate and we are considering using that. As a contingency we also
have some development code using the Nicomsoft library which may someday
have the functions we need.

For Macintosh we created an applescript tool that loads a saved profile
but there is no mechanism for saving that profiles credentials reliably,
so we would get occasional calls that it didn't work. Up-to-date
Macintosh systems configure themselves very easily without any tool. The
current recommendation is to have the user update the OS and let the
Connection Manager perform (and save) the configuration. Leopard may
change that based on the initial feedback, but I suspect Apple has the
ability to resolve these issues again.

Rather than hike around with flash drives, we have a xxhelp SSID (where
xx is our trademarked SSID) that is open but goes nowhere but the
registration/download system.

From: [EMAIL PROTECTED]
Sent: Friday, November 02, 2007 9:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Automating wireless configuration on clients

 

We are researching ways to automate the creation of our SSID on a
student's laptop via a script of some kind.  Our technicians would pop
in a flash drive, run the script from it, and the SSID with the needed
802.1X settings would be created.  This would also serve as a way to
"refresh" the configuration if the student configured the SSID
incorrectly.

We need to support XP, Vista, and Mac OS X.

Has anyone done this before?  Any suggestions on where to start?

Nathan

Nathan P. Hay
Network Engineer
Computer Services
Cedarville University
www.cedarville.edu   



RE: [WIRELESS-LAN] Open Cisco COntroller Caveat/DHCP issue

2007-10-05 Thread Randall C Grimshaw
I am not so sure. If the controller is caching the DHCP response as it
appears to be doing, then 200 clients in cache simultaneously is a very
likely event.

From: [EMAIL PROTECTED]
Sent: Friday, October 05, 2007 9:00 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Open Cisco COntroller Caveat/DHCP issue

Hi Frank-

I would hope. But the wording leaves a lot to the imagination, and we
are seeing enough oddities on occasion that could point at something
like this that clarification is in order, if nothing more than for a
sanity check.

Lee


From: Frank Bulk [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 05, 2007 8:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Open Cisco COntroller Caveat/DHCP issue

Lee:

I think the key phrase is "at the same time".  This may be a bug found
when Cisco or someone else did scalability testing with test tools, not
a likely event in production.

Frank

From: Lee H Badman [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 05, 2007 7:29 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Open Cisco COntroller Caveat/DHCP issue

I'm trying to get clarification on this open caveat, but so far can't
get a clear answer on the specifics of the bug:

CSCsj25953-When 200 or more wireless clients try to associate to a
controller at the same time, the clients become stuck in the DHCP_REQD
state. The controller receives the DHCP offer from an external DHCP
server but does not send the offer to the access point in LWAPP.

Obviously, getting to 200 clients on a single controller is routine
operations on a busy network, especially when one controller has 150
associated access points. Has anyone else dug in on this one, and gotten
any real details? It sounds potentially catastrophic, or that it could
be relatively harmless, but without more detail it's hard to know...

Regards-

Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003



RE: [WIRELESS-LAN] Machine Authentication in Vista

2007-08-31 Thread Randall C Grimshaw
Once you get a configuration that works, use netsh to distribute the 
configuration. Our install wrapper essentially does this:
 
netsh.exe wlan disconnect interface="Wireless Network Connection"
netsh.exe wlan delete profile "YourOldNetworkName"
netsh.exe wlan delete profile "YourNetworkName"
netsh.exe wlan delete profile "YourSetupNetworkName"
netsh.exe wlan add profile filename="YourNetShExport.xml" interface="Wireless*"
netsh.exe wlan disconnect interface="Wireless Network Connection"
netsh.exe wlan connect name=YourNetworkName ssid=YourNetworkName interface="Wireless Network Connection"

At this point the balloons pop-up and the user enters their credentials.
 
We get a little fancier than this but you get the idea.
 
From: [EMAIL PROTECTED]
Sent: Fri 8/31/2007 1:31 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Machine Authentication in Vista



More background info: 

We use machine authentication to authenticate our faculty machines through our 
radius setup as part of our 802.1x process. The students are being 
authenticated through the same radius servers and so we are seeing the machine 
auth logons. The big problem this is creating is that students' machines will 
startup and a windows message will appear (especially on Vista) telling them 
that the connection to our network has failed. This is machine authentication 
going through and failing on the wireless network. Then according to how quick 
the machine is the network does connect either seconds or minutes later. If we 
could eliminate machine authentication on Vista, the first logon to the 
wireless network should connect instead of failing. 
_
Angela K. Hollman
Information Technology Services
Network Analyst
(308)865-8176 



From: Hector J Rios <[EMAIL PROTECTED]>
Sent: 08/31/2007 12:14 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Machine Authentication in Vista

Machine authentication will only work if your radius server supports it. If you 
don't have it set up, then I wouldn't worry about turning it off on the client 
machines. On our campus we authenticate both domain and non-domain users and in 
our instructions we just tell everybody to check "Authenticate as computer when 
information is available" (in XP, of course). The non domain users always get 
authenticate it against AD. 
  
From: Angela K Hollman [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 31, 2007 11:57 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Machine Authentication in Vista 
  

We are authenticating students against AD as non domain members so machine auth 
will not function. 

_
Angela K. Hollman
Information Technology Services
Network Analyst
(308)865-8176 


From: Hector J Rios <[EMAIL PROTECTED]>
Sent: 08/31/2007 11:28 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Machine Authentication in Vista

Why do you want to turn off machine authentication? Just curious. 
 
 
 
From: Angela K Hollman [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 31, 2007 8:44 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Machine Authentication in Vista 
 

Hello, 

Does anyone out there know where the button, checkbox or registry key is to 
switch machine authentication off in Windows Vista when doing 802.1x over 
wireless? 

In Windows XP, we simply uncheck the box labeled "Authenticate as computer when 
computer information is available." 


Sincerely, 

_
Angela K. Hollman
Information Technology Services
Network Analyst
(308)865-8176
