Re: [WIRELESS-LAN] Authentication failures at peak times (Cisco)

2014-09-01 Thread Wright, Don
Brandon,
 Can you see any radius issues based on stats on your controllers,
timeouts, etc.?  We were seeing these on our FR servers last fall before we
moved to our vendor support radius appliances.
-
Don Wright
Lead Network Operations Engineer
Brown University



On Wed, Aug 27, 2014 at 3:21 PM, Case, Brandon J  wrote:

> Would you be able to elaborate on the improvements you did over the
> summer? We have a similar setup with regards to the backend, although ours
> is just freeradius -> ldap without the F5. Our usage levels are just a bit
> higher than yours but we're receiving lots of user reports of the inability
> to authenticate but nothing consistent enough to isolate and test
> repeatedly.
>
> Thanks,
> Brandon
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wang, Yu
> Sent: Wednesday, August 27, 2014 3:15 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] Authentication failures at peak times (Cisco)
>
> Where are all your user accounts hosted? What kind of user database that
> serves the wireless system? Do you have a rough number of how many
> concurrent users at peak time?
>
> We had peak time wireless authentication failure issues in the past Spring
> semester. We did performance tests in the summer and found out it was the
> backend (F5 + LDAP). We did improvements in the summer and we have not seen
> the issue in the first three days of Fall semester. Yesterday's wireless
> usage set a new record with over 32k unique users and over 15k concurrent
> users.
>
> We use Aruba wireless with 802.1X, WPA2-Ent, PEAP, MSCHAPv2 + freeradius +
> F5 + ldap. It's different than yours but from the error you mentioned, it's
> likely the backend was congested.
>
>
>
> Yu Wang
> 
> Network Architect
> Information Technology Services
> The Florida State University
> 850-645-6810
> yu.w...@fsu.edu
>
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Eric T. Barnett
> Sent: Wednesday, August 27, 2014 2:12 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Authentication failures at peak times (Cisco)
>
> We've got a relatively small deployment compared to many on this list, but
> we've run into a problem we just can't put our finger on. We're using 5508s
> and ISE as a RADIUS server and we're having HUGE latencies on
> WPA2-Enterprise PEAP authentication. There are times when almost no one can
> authenticate. What's really weird is that the controllers show "AAA
> Authentication Error" when this happens even though the username and
> password are correct. None of the devices seem distressed and there are no
> network problems we can see. Anyone ever seen this before or have any ideas
> how to troubleshoot? TAC so far has been not incredibly useful but they
> have only been on the case for a day or so now. I can hear my users
> sharpening the pitchforks...
>
> Thanks,
>
> Eric Barnett
> Wireless Administrator
> Information and Technology Services
> Arkansas State University
> 870 680 4243
>
> **
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/groups/.
>



Re: [WIRELESS-LAN] SV: [WIRELESS-LAN] Cisco 8.0 code released

2014-09-01 Thread Wright, Don
Wyatt,
What is the alternative you're looking at?  Not allow the redirect and
then what?

-
Don Wright
Lead Network Operations Engineer
Brown University



On Fri, Aug 29, 2014 at 4:47 PM, Wyatt Schill 
wrote:

> Yes, testing it out now.  Each browser gives its own version of "This
> isn't really https://www.google.com, you shouldn't proceed warning".
>
>
> Because it is a MITM redirect, there isn't a good way around it.
>
>
> After all the training we give to staff to not click through those
> warnings, we'll have to decide if it is a feature we want to turn on or
> not.  (it is an option to enable or disable in MANAGEMENT -> HTTP-HTTPS ->
> HTTPS REDIRECTION)
>
>
>
>
>
> Wyatt Schill
> Senior Network Engineer
> Green River Community College
> 12401 SE 320th St. Auburn, WA 98092
> wsch...@greenriver.edu
>
>
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dan Brisson
> Sent: Tuesday, August 19, 2014 19:18
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] SV: [WIRELESS-LAN] Cisco 8.0 code released
>
> Isn't the client's browser going to complain about a domain name mismatch
> b/c of the redirect to the https WebAuth page?  There's no way to fix that,
> is there?
>
> -dan
>
>
> Dan Brisson
> Network Engineer
> University of Vermont
> (Ph) 802.656.8111
> dbris...@uvm.edu
>
> On 8/19/14, 9:54 PM, Vlade Ristevski wrote:
> > I really want to run this code because of the https redirect
> > fix:
> >
> > "If a client requests a web page through HTTPS, the client is
> > redirected to the WebAuth login page."
> >
> > but am still licking my wounds from our 7.6.120.0 debacle.
> >
> > We do a web redirect to our onboarding page and with so many homepages
> > set to google and facebook (which use https) it's a big deal for us.
> >
> >
> >  Original message 
> >> Date: Mon, 18 Aug 2014 09:30:13 -0700
> >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> >  (on behalf of Kitri Waterman
> > )
> >> Subject: Re: [WIRELESS-LAN] SV: [WIRELESS-LAN] Cisco 8.0 code
> > released
> >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> >>
> >>" VLAN tagging on AP700W—Allows you to define
> >>individual VLAN tags for each individual Ethernet
> >>port available on Cisco Aironet 700W Series Access
> >>Points. This feature allows traffic to be separated
> >>not only between wireless and wired networks, but
> >>also among the four Ethernet ports."
> >>
> >>Finally.
> >>
> >>Kitri Waterman
> >>--
> >>Network Engineer (Wireless)
> >>University of Oregon
> >>
> >>On 8/18/14, 7:13 AM, Mike King wrote:
> >>
> >>  Let's see how the mailing list treats this:
> >>  http://www.riders4helmets.com/wp-content/uploads/2011/01/mouseinhelmet1.jpg
> >>  On Mon, Aug 18, 2014 at 9:22 AM, Danny Eaton
> >>   wrote:
> >>
> >>Early bird gets the worm but second mouse gets
> >>the cheese...
> >>I'll put it in my lab.
> >>
> >> Original message 
> >>From: Anders Nilsson
> >>Date:18/08/2014 08:08 (GMT-06:00)
> >>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> >>Subject: [WIRELESS-LAN] SV: [WIRELESS-LAN] Cisco
> >>8.0 code released
> >>
> >>Nobody remembers a coward!!!  ;)
> >>
> >>
> >>
> >>Cheers
> >>
> >>Anders
> >>
> >>
> >>
> >>From: The EDUCAUSE Wireless Issues Constituent
> >>Group Listserv
> >>[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of
> >>Oliver Elliott
> >>Sent: 18 August 2014 14:59
> >>To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> >>Subject: Re: [WIRELESS-LAN] Cisco 8.0 code
> >>released
> >>
> >>
> >>
> >>Now who's feeling brave enough to run this on
> >>production wism2s?!
> >>
> >>
> >>
> >>Oli
> >>
> >>
> >>
> >>On 18 August 2014 13:18, Trent Hurt
> >> wrote:
> >>
> >>
> > http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn80.html
> >>
> >>
> >>--
> >>
> >>Oliver Elliott
> >>Network Specialist
> >>IT Services
> >>University of Bristol
> >>e: oliver.elli...@bristol.ac.uk
> >>t: 0117 92 (87861)
> >>

Re: [WIRELESS-LAN] Wireless "Fix" in Apple Update

2014-07-02 Thread Wright, Don
We have a case open for the EAP roaming and dropout issue with Apple
support and they've sent us the following:

Engineering continues to investigate your issue. We believe they have
identified corrective actions available now in pre-release software.  The
following pre-release software is now available through the Apple OS X
Developer Program or the Software Customer Seeding Program.

- OS X Yosemite v10.10 - Build: 14A238x

Members of these programs may install this software to test, in their
environment, on non-production devices.

AppleCare Enterprise Technical Support and Apple Engineering would greatly
appreciate your testing of your current issue using this pre-release
version of OS X.

I haven't done any first hand testing yet so I can verify if this is the
resolution.  I'm hoping to get a laptop with this version on it next week
and will give it a try.

-
Don Wright
Brown University
CWSP, CWNA, ACMP







On Wed, Jul 2, 2014 at 6:28 AM, Michael Dickson 
wrote:

> I'm guessing the 10.9.4 "fix" refers strictly to a wake-from-sleep issue
> and not the intermittent-delay-with-EAP issue outlined at
> http://support.apple.com/kb/TS5258.
>
> Mike
>
> Michael Dickson
> Network Analyst
> Office of Information Technologies
> University of Massachusetts Amherst
> Voice 413.545.9639
>
> On Jul 1, 2014, at 12:14 PM, Travis Schick  wrote:
>
> > Just did some testing with my macbook using 10.9.4 I still see the
> same 15+ second delay re-authenticating with eap.
> >
> > I have not yet heard from apple what version of mavericks will contain
> the fix - but appears 10.9.4 was not it.
> >
> > Travis
> >
> >
> > On Mon, Jun 30, 2014 at 12:47 PM, Lee H Badman  wrote:
> > Did you all see this one:
> http://www.cultofmac.com/285567/os-x-mavericks-10-9-4-released-big-wifi-fix-updated-safari/
> >
> >
> > -Lee
> >
> > Lee Badman
> > Wireless/Network Architect
> > ITS, Syracuse University
> > 315.443.3003
> > (Blog: http://wirednot.wordpress.com)
> >
> >
> >



Re: [WIRELESS-LAN] Clearpass Policy Manager

2014-04-11 Thread Wright, Don
   I would echo Tim's message above.  We have basically the same setup and
have our entire campus wireless authentication (1X and captive portal)
going through these.  Over 600,000 requests per day across two servers and
no issues so far.  If you've never had visibility into your radius servers
before, you'll love CPPM.  We've already uncovered issues that we didn't
know we had when we did the install, and Access Tracker is great for
troubleshooting client issues.  Aruba has a 25 license trial version you
can try out, or they can give you a webex demo.  If you haven't seen it, I'd
urge you to just take a look before you decide on a purchase.
-
Don Wright
Lead Network Operations Engineer
Brown University
CWSP, CWNA, ACMP






On Thu, Apr 10, 2014 at 10:07 PM, Tim Cappalli wrote:

> We have two 25K virtual appliances serving wired and wireless RADIUS and
> TACACS+ which comes out to over 500,000 authentications per day.
>
>
>
> We have both VM's configured to Aruba spec. No issues thus far. We've had
> them in production for well over a year. Great product. Feel free to
> message me off list.
>
>
>
> Tim
>
>
>
>
>
> Tim Cappalli  | CWNA ACSP ACCP ACMP CCNA
> Mobility Engineer  |  Brandeis University
> cappa...@brandeis.edu | (617) 701-7149 <+16177017149>
> @tcappy0707  | 
> linkedin.com/in/timcappalli/
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Sharon Luciw
> *Sent:* Thursday, April 10, 2014 3:53 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Clearpass Policy Manager
>
>
>
> We are just about to purchase Clearpass so we are interested as well.
>
>
>
>
>
>
>
> Sincerely,
>
>
>
> Sharon Luciw
>
> Director, Networks & Client Services
>
> ETS
>
> Foothill-De Anza Community College District
>
> (650) 949-6161
>
>
>
> "Security is Everyone's Responsibility"
>
>
>
> *NOW ACTIVE:  New ETS Request Tracking System.  Go To:  etshelp.fhda.edu
> *
>
> *Sign in using your MyPortal login name and password.*
>
>
>
>
>
> If you have questions or concerns, please contact the Call Center at (408)
> 864-8324
>
>
>
>
>
> --
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Cameron, Damien L. [
> dlcame...@nsu.edu]
> *Sent:* Thursday, April 10, 2014 9:13 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Clearpass Policy Manager
>
> I wanted to get some opinions on Clearpass Policy Manager.
>
>
>
> How have you deployed it? As a VM or using their HW appliance? My concern
> here is scalability and flexibility?
>
> What method did you use to find the right scale for CPPM? We recently
> deployed Airwave, and I am using the client data for my initial counts.
>
>
>
> *Damien Cameron*
>
> Network Engineer
>
> Norfolk State University
>
> Office of Information Technology
>
> Marie v. McDemmond Center for applied Research
>
> Room 401
>
> 555 Park Avenue
>
> Norfolk, VA 23504
>
> O: (757) 823-9123
>
>
>
>
> --
>
> This message has an embedded link. If you click the link, you will be
> re-directed to an external web site. Please note: ETS will NEVER ask you to
> provide your login ID or password online. You should NEVER provide your
> personal information online under any circumstances, unless you know the
> site you are visiting is absolutely safe (i.e. https:// note the 's')



Re: [WIRELESS-LAN] Ripley's Believe it or not, wireless edition

2014-02-26 Thread Wright, Don
  What is the ARM OTA setting called?  We're on 6.1.3.9.
Thanks,
- Don


On Wed, Feb 26, 2014 at 2:41 PM, Kurtz, Eric  wrote:

>  Interesting. - We are also experiencing the same issue with PS3.
>  Turned off OTA and now the PS3 works.
>
>
>
>
>
>
> *Eric Kurtz Network Engineer*
>
> Office of Information Technology
> Susquehanna University
> 514 University Avenue
> Selinsgrove, PA 17870-1164
> 570.372.4537
> ku...@susqu.edu
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Turner, Ryan H
> *Sent:* Wednesday, February 26, 2014 12:29 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Ripley's Believe it or not, wireless edition
>
>
>
> I am hard pressed to explain this.  We've had a good number of reports of
> PS3s not being able to connect to wired or wireless in our residence
> halls.  This corresponded to a pervasive wireless initiative that resulted
> in all new switches and Aruba access points installed for about 8,000
> resident students.  The PS3s would not show any wireless networks
> available, but more surprisingly, they would not establish a physical
> connection to switch ports, either.  I brought a PS3 back to my office, and
> completely ignoring the wireless side, attempted to figure out what was
> happening to the wired side.  I connected it, with success, to every type
> of switch I could find, new and old.  I sent it back.  We got more reports,
> and now I was forced to go into the field to look at the issue.  I went to
> a dorm with a troubled unit, reset it, and configured it for a wired
> connection.  It would not establish a link.  Could it be a switch
> negotiation incompatibility issue?  I turned off negotiation and manually
> set the config on both sides to no success.  I then used an old hub that I
> knew would work to bridge the PS3 to our network.  No link to the hub from
> the PS3.  At this point, we took the same device and hub to a new location
> on campus.  Booted up the PS3, with it ONLY connected to the hub (the hub
> wasn't connected to anything), and we got a physical link.  I went into
> network settings to see if I could see wireless networks (I saw a good
> number).  But then it dawned on me that we were in a significantly less
> dense wireless environment in the environment where the device was
> working.  It should have no effect on the device since we were configured
> for wired, but I was grasping at straws.   Was it possible that the density
> of APs (and subsequent beacons) back at the original dorm was throwing the
> PS3 into a bad state that caused the wired port to not work?
>
>
>
> So, we went back to the dorm, shut down ALL of the access points in the
> building that were near it, and then booted it up.  LINKED FIRST TRY.  It
> linked directly to the switch, and then indirectly through the hub.  I
> started to power back on access points, and about halfway through, the
> physical link went away.  We then reversed course, turned the APs back off
> and rebooted the PS3 to verify it would get a link again.  It did.  I then
> turned all the APs back on, to lose the PS3 link.  We then rebooted the PS3
> with all APs back on, and it would not establish a link.  There was no
> bridging occurring through the PS3 that would cause a spantree lock
> (verified).
>
>
>
> I am at a loss to explain this.
>
>
>
> Ryan H Turner
>
> Senior Network Engineer
>
> The University of North Carolina at Chapel Hill
>
> CB 1150 Chapel Hill, NC 27599
>
> +1 919 445 0113 Office
>
> +1 919 274 7926 Mobile
>
>
>



Re: [WIRELESS-LAN] Mavericks update

2014-02-25 Thread Wright, Don
   I'm hoping they may have addressed it under the cloak of "improvements
to the stability, compatibility and security of your mac.."  without even
mentioning it officially.
- Don


On Tue, Feb 25, 2014 at 1:26 PM, Dan Brisson  wrote:

>  Doesn't look promising:
>
> http://support.apple.com/kb/HT6114
>
> I'm not seeing any mention of Wireless fixes/enhancements.
>
> -dan
>
>
> Dan Brisson
> Network Engineer
> University of Vermont
> (Ph) 802.656.8111
> dbris...@uvm.edu
>
> On 2/25/14, 1:21 PM, Wright, Don wrote:
>
>  Looks like MacOS 10.9.2 became available today from the App Store.
>  It will be interesting to see if the wifi roaming and dropping issues have
> been resolved.
>
>  - Don Wright
> Brown University



Mavericks update

2014-02-25 Thread Wright, Don
Looks like MacOS 10.9.2 became available today from the App Store.  It
will be interesting to see if the wifi roaming and dropping issues have
been resolved.

- Don Wright
Brown University




Re: [WIRELESS-LAN] Broadcast/multicast from multiple VLANs on a single SSID

2014-02-21 Thread Wright, Don
James,
GTK's are shared between the access point (radio) and all the clients
associated to it and not at the broader SSID level.  We use Aruba wireless
and they have the ability to turn BC/MC traffic into unicast and prevent it
from being flooded back out into the air.  You can also manage your bonjour
clients and traffic (very granular with their Clearpass appliance) at the
controller.

Don Wright
Brown University


On Thu, Feb 20, 2014 at 3:36 AM, James Andrewartha <
jandrewar...@ccgs.wa.edu.au> wrote:

> Hi list,
>
> We moved to a single WPA2-Enterprise SSID with RADIUS responses dropping
> users into a particular VLAN at the start of the year. However,
> multicast and broadcast traffic is seen by all clients, regardless of
> VLAN. After some thought, this makes sense because the SSID has a common
> group temporal key for broadcast/multicast. However I was wondering if
> all clients had to have the same GTK, or if it's possible (or if some
> vendor even implements) having a different one for clients on different
> VLANs.
>
> We are probably going to split up the clients across multiple SSIDs
> again, as we're seeing Bonjour instability (you try telling a teacher to
> plug into a cable after using AirPlay last year), which may be caused by
> too much broadcast/multicast traffic or possibly just Bonjour not
> handling seeing queries from devices on different VLANs.
>
> --
> James Andrewartha
> Network & Projects Engineer
> Christ Church Grammar School
> Claremont, Western Australia
> Ph. (08) 9442 1757
> Mob. 0424 160 877
>



Re: [WIRELESS-LAN] OS X 802.1x auth issue

2014-02-03 Thread Wright, Don
Michael,  Are you using AAA Fastconnect allowing your controller to handle
radius requests instead of using a backend server?  While we haven't done
this ourselves, I know of others that have run into the same issue of not
being able to keep up with the auth requests.  You'll notice this even more
as smartphones will re-auth all the time.
- Don


On Fri, Jan 31, 2014 at 4:26 PM, Michael Hulko  wrote:

> One other wrench in this at least from the Aruba standpoint check the
> cpu load on the Auth process  we found back in late October that one of
> our heaviest used controller (M3 running 6.1.3.7) was pegging over 90%
> utilization for the Auth process which at the time
> we believed the authentication was being additionally impacted (mostly
> drops).  It was indicated (source does not want to be mentioned) that there
> was a hard limit to the number of auth's per second the controller could
> handle (approx. 40 - 50/sec), at peak we were
> running around ~100/sec.  We upgraded to the version 6.3.x to resolve
> other issues.  We noticed that the system now spawned 3 Auth processes, but
> we were still getting complaints.  We then discovered through TAC and internal
> investigation that a new dot1x throttling
> mechanism had been introduced in the version of code. This new
> "Throttling" was still impacting our authentications but saving the cpu's
> on the auth process.  We were instructed to adjust the Watermarks to reach
> a balance point from the defaults.  This is a sliding scale
> the higher the Watermarks, the higher the cpu process, but the less drops
> experienced.
>
> to view the cpu process:  "Show cpuload current | include auth"
>
> On 6.3x code:
>
> to view the Throttle parameters: "show dot1x counters"  (There is some
> math involved when the system decides to drop packets)
> to view the dropped auths: "show ap debug client-mgmt-counters" and look
> for the "Associations Dropped Due to Auth Throttling"
>
> In the end, the old adage still holds true..."You can never please 100%
> of the people 100% of the time... Keep calm and carry on"
>
> M
>
>
>
> On 2014-01-31, at 2:11 PM, Jeffrey Sessler wrote:
>
>  We noticed that the WLAN with band/load-steering enabled had a high
> report rate of Macintosh connectivity issues, and the WLAN that did not was
> trouble free.
>
> I suspect what was happening was this: Mac would initially associate
> (Ent-WPA2), then the controller would force it to move to another band
> and/or AP. It's at this point (a roam) that the Apple certificate issue
> would kick in, and it was hit or miss as to the Mac re-associating or
> failing. This was especially problematic when a Mac client was equidistant
> from two AP's.
>
> Turning off band/load steering pretty much eliminated the bulk of the
> connectivity issues, and trusting the certificate solved the rest.
>
> Band/load steering is just problematic because you can never predict how a
> client will react to it.
>
> Jeff
>
> >>> On Friday, January 31, 2014 at 10:57 AM, in message <
> CAPCnwUdh-=jawm78pjfuu1n9bhs9d_japthbfnwrrgsrbzg...@mail.gmail.com>,
> Norman Elton  wrote:
>Interesting. What were the band-steering symptoms? Any way to pin the
> problem down to band-steering, or was it trial and error?
>
> Norman
>
>
> On Fri, Jan 31, 2014 at 1:44 PM, Edward Ip wrote:
>
>>  I agree with Jeff, we recently disabled band steering on our Aruba
>> controllers and it has helped a bit.
>> *Edward Ip*
>> *Algonquin College* | 1385 Woodroffe Avenue | Room C316 | Ottawa |
>> Ontario | K2G 1V8 | Canada
>> algonquincollege.com
>>
>>   *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv
>> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jeffrey
>> Sessler
>> *Sent:* Friday, January 31, 2014 1:40 PM
>>
>> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
>> *Subject:* Re: [WIRELESS-LAN] OS X 802.1x auth issue
>>
>>  We've seen the cert issue, and OS 10.8 and 10.9 don't seem to like
>> band/load-steering. The cert issue coupled with band-steering and/or
>> load-steering make the Mac's very unhappy.
>>Jeff
>>
>> >>> On Friday, January 31, 2014 at 10:05 AM, in message <
>> CAPCnwUdAuZqKuFwOycKrGmXgiKCrb_Wy82=o5xc3be+o7an...@mail.gmail.com>,
>> Norman Elton  wrote:
>>And a follow up. Has anyone actually confirmed that this bug is
>> actually causing client complaints? We do seem to be riding a wave of
>> complaints from MacBook owners. We are only just now starting to
>> change cert trust settings. Hopefully we'll know more next week as
>> students have a chance to test things out over the weekend.
>>
>> Norman Elton
>> College of William & Mary
>>
>> On Fri, Jan 31, 2014 at 12:59 PM, Norman Elton 
>> wrote:
>> >> It also appears specific to certs based on 2048 bit keys. Also there
>> is no
>> >> cert validation delay upon initial connect... only when attempting to
>> >> reauth... ie after a death or a roam event.
>> >
>> > Can anyone confirm the bug only affects certs with 2048 bit keys? I
>> > don't see that

Re: [WIRELESS-LAN] OS X 802.1x auth issue

2014-02-03 Thread Wright, Don
You mentioned "load balance mode", were you running band-steering and
spectrum-load-balancing at the same time on the same APs?  Check with
Aruba, but I think they will tell you this is not a recommended practice
and better to stick with band-steering only assuming your coverage will
support both radios.
Also, I read somewhere that recent MacOS updates already try to
"band-steer" the client to the 5GHZ radio?  If that's true, your controller
setting really isn't having an effect anyway, and the clients are getting
themselves into trouble..
- Don


On Fri, Jan 31, 2014 at 2:03 PM, Edward Ip  wrote:

> When we did a packet capture, we saw that the Mac clients would try to
> associate on the 2.4GHz band and then move over to the 5GHz band and then
> back. We saw this happen quite a bit. This made the re association longer
> when our clients roamed.
>
>
>
> Sometimes in certain areas of our college if 2 APs are within range with
> about the same SNR, the Mac client would get shifted between the two APs
> due to load balance mode turned on. Due to the cert issue and the re
> association process it would drive our Mac clients (err...students) crazy
> around crunch time.
>
>
>
> *Edward Ip*
>
> *Algonquin College* | 1385 Woodroffe Avenue | Room C316 | Ottawa | 
> Ontario|K2G 1V8|Canada
>
> algonquincollege.com
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Norman Elton
> *Sent:* Friday, January 31, 2014 1:57 PM
>
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] OS X 802.1x auth issue
>
>
>
> Interesting. What were the band-steering symptoms? Any way to pin the
> problem down to band-steering, or was it trial and error?
>
>
>
> Norman
>
>
>
> On Fri, Jan 31, 2014 at 1:44 PM, Edward Ip 
> wrote:
>
> I agree with Jeff, we recently disabled band steering on our Aruba
> controllers and it has helped a bit.
>
> *Edward Ip*
>
> *Algonquin College* | 1385 Woodroffe Avenue | Room C316 | Ottawa | 
> Ontario|K2G 1V8|Canada
>
> algonquincollege.com
>
>
>
> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Jeffrey Sessler
> *Sent:* Friday, January 31, 2014 1:40 PM
>
>
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] OS X 802.1x auth issue
>
>
>
> We've seen the cert issue, and OS 10.8 and 10.9 don't seem to like
> band/load-steering. The cert issue coupled with band-steering and/or
> load-steering make the Mac's very unhappy.
>
>
>
> Jeff
>
> >>> On Friday, January 31, 2014 at 10:05 AM, in message <
> CAPCnwUdAuZqKuFwOycKrGmXgiKCrb_Wy82=o5xc3be+o7an...@mail.gmail.com>,
> Norman Elton  wrote:
>
> And a follow up. Has anyone actually confirmed that this bug is
> actually causing client complaints? We do seem to be riding a wave of
> complaints from MacBook owners. We are only just now starting to
> change cert trust settings. Hopefully we'll know more next week as
> students have a chance to test things out over the weekend.
>
> Norman Elton
> College of William & Mary
>
> On Fri, Jan 31, 2014 at 12:59 PM, Norman Elton 
> wrote:
> >> It also appears specific to certs based on 2048 bit keys.   Also there
> is no
> >> cert validation delay upon initial connect... only when attempting to
> >> reauth... ie after a death or a roam event.
> >
> > Can anyone confirm the bug only affects certs with 2048 bit keys? I
> > don't see that listed anywhere in Apple's release. It's an interesting
> > twist.
> >
> > Thanks!
> >
> > Norman Elton
> > College of William & Mary
>



Re: [WIRELESS-LAN] OS X 802.1x auth issue

2014-01-28 Thread Wright, Don
   Taking a slight tangent here, have client roaming and dropout problems
motivated anyone to move to a WPA2-PSK model across their campus?  The
second part of the question is if you have, is it any better or worse to
manage than an 802.1X network?
- Don


On Thu, Jan 23, 2014 at 3:22 PM, Ian McDonald  wrote:

>  Ahh, autocorrect errors nearly always cause amusement. A recent
> advertisement offered 'special pubic sector discounts'
>
>
> Thanks
>
> --
> ian
>
> Sent from my phone, please excuse brevity and misspelling.
>   --
> From: Travis Schick 
> Sent: 23/01/2014 20:11
>
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] OS X 802.1x auth issue
>
>> "It also appears specific to certs based on 2048 bit keys.   Also
>> there is no cert validation delay upon initial connect... only when
>> attempting to reauth... ie after a death or a roam event."
>>
>
>  Correct.
>
> hehe... Not sure Apple can help with the delay after a death event but
> perhaps after a *de-auth* or any other event that causes a client to
> reconnect. :)



Re: [WIRELESS-LAN] OS X 802.1x auth issue

2014-01-23 Thread Wright, Don
Anyone have concerns about making the trust setting changes to the
certificate chain?  I'm thinking of the intermediate certs mostly.  Setting
"always trust" on a client machine just makes me a little uncomfortable.
 - Don


On Tue, Jan 21, 2014 at 12:13 PM, Ian McDonald  wrote:

> I'd be more interested in a method for doing this in a .mobileconfig file,
> or for them to fix it in a manner that doesn't involve us having to mess
> about on the clients.
>
> --
> ian
>
> -Original Message-
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Dickson
> Sent: 21 January 2014 17:06
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] OS X 802.1x auth issue
>
> Is anyone working on (or successfully implemented) a scalable,
> automated(?) solution to change the SSL to 'Always Trust' for target certs
> and distributed this to their client devices en masse? x-press-con-nect
> folks offered a glimmer of hope for adding this feature to their routine
> but I was wondering if we could do something quicker.
>
> Has anyone tweaked Apple's command - suggested in their KB article - into
> an Applescript for distribution? As the cert is already installed on the
> devices I would think some modification is needed.
>
> http://support.apple.com/kb/TS5258
>
> Michael Dickson
> Network Analyst
> Office of Information Technologies
> University of Massachusetts Amherst
> Voice 413.545.9639
>
> On Jan 21, 2014, at 7:41 AM, Tim Cappalli  wrote:
>
> > Absolutely! This is huge. They never, ever (ever ever ever) admit there
> is an issue. Maybe we're seeing some change at the fruit?
> >
> >
> > (Unlikely, but it's nice to dream)
> >
> >
> > Tim Cappalli  |  ACCP /  ACMP /  CCNA
> > Network Engineer  |  Brandeis University cappa...@brandeis.edu | (617)
> > 701-7149
> >
> > From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> > [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Joel Coehoorn
> > Sent: Friday, January 17, 2014 7:58 PM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: Re: [WIRELESS-LAN] OS X 802.1x auth issue
> >
> > Even acknowledging the issue is a huge help for me: Mac people have a
> hard time believing Apple could possibly have done anything wrong with
> their device until you have something like this to point to. Until Apple's
> own recommendation is to change the setting on the device, their view is
> the problem *must* be in the network.
> >
> > Sent from my iPad
> >
> > On Jan 17, 2014, at 5:14 PM, Marcelo Lew  wrote:
> >
> > Looks like Apple finally sort of "admitted" of an issue with 802.1x
> > authentication, several months later and most of us already knew this
> > work around, but better late than never :)
> >
> > http://support.apple.com/kb/TS5258
> >
> >
> > 
> >



Re: [WIRELESS-LAN] 802.11AC Future Infrastructure

2013-12-18 Thread Wright, Don
The packets are being dropped on the way back to the AP because they're
overrunning the 100M interface during peak wireless usage.   You'll also
notice if you do a speedtest that the download is much worse than the
upload.  We've seen this disappear when we swap in a gig switch.
- Don


On Wed, Dec 18, 2013 at 3:22 PM, Daniel Eklund  wrote:

> What is it you think is happening during output drops?
>
> --
> Daniel Eklund
> Network Planning Manager
> ITS Communications Systems and Data Centers
> University of Michigan
> 734.763.6389
>
>
> On Wed, Dec 18, 2013 at 3:11 PM, Wright, Don 
> wrote:
> > I would say take a close look at the 100M ports connected to your N or AC
> > APs and check for output drops.  We've seen this in some locations where
> we
> > we're careful about refreshing with N AP's.  It likely comes at peak
> times
> > so if you're just graphing the in/out you will miss it.
> >
> > Don Wright
> > Brown University
> >
> >
> >
> > On Wed, Dec 18, 2013 at 2:39 PM, Ian McDonald 
> wrote:
> >>
> >> They certainly are using some strange math, my experience (and that of
> >> other institutions nearby) is that the vast majority of my N access
> points
> >> don't suffer from being connected to 100M poe switches, and in the
> places we
> >> have 1G to them, they generally don't use more than 100M.
> >>
> >>
> >> Thanks
> >>
> >> --
> >> ian
> >>
> >> Sent from my phone, please excuse brevity and misspelling.
> >> 
> >> From: Hanset, Philippe C
> >> Sent: 18/12/2013 19:33
> >>
> >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> >> Subject: Re: [WIRELESS-LAN] 802.11AC Future Infrastructure
> >>
> >> And the WLAN industry also does strange math ;-)
> >>
> >> A lot of services are going to the Cloud, mostly using your pipe to the
> >> Internet.
> >> It seems that, progressively or even rapidly, the limiting factor is not
> >> Wi-Fi anymore but rather the pipe to the internet.
> >> 1 Gbps to each Wireless AP is a lot of bandwidth! and a lot of
> >> oversubscription all around (edge, distribution, core, WAN)
> >> Unless you plan to distribute UHDTV (8K TV) to your dorms, I wouldn't
> >> worry about getting more than 1 Gbps to each AP for a long time.
> >> Also most of 802.11ac APs are fine with 802.3af!
> >>
> >>
> >> Philippe Hanset
> >> www.eduroam.us
> >>
> >> On Dec 18, 2013, at 12:56 PM, Lee H Badman 
> >>  wrote:
> >>
> >> The WLAN industry is doing an absolutely horrible, almost shameful job
> of
> >> managing the message on cabling for 11ac, says I.
> >>
> >> Lee Badman
> >> Network Architect/Wireless TME
> >> ITS, Syracuse University
> >> 315.443.3003
> >>
> >> -Original Message-
> >> From: Turner, Ryan H [rhtur...@email.unc.edu]
> >> Received: Wednesday, 18 Dec 2013, 12:52
> >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> >> [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
> >> Subject: Re: [WIRELESS-LAN] 802.11AC Future Infrastructure
> >>
> >> BTW…  Before anyone jumps on me, I understand the purpose of the
> question.
> >> It’s great to know the best practices for the ‘what if’ situation.
> >>
> >>
> >>
> >> Ryan H Turner
> >> Senior Network Engineer
> >> The University of North Carolina at Chapel Hill
> >> CB 1150 Chapel Hill, NC 27599
> >> +1 919 445 0113 Office
> >> +1 919 274 7926 Mobile
> >>
> >>
> >>
> >> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> >> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
> >> Sent: Wednesday, December 18, 2013 12:47 PM
> >> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> >> Subject: Re: [WIRELESS-LAN] 802.11AC Future Infrastructure
> >>
> >>
> >>
> >> Call me naïve, but I think 10 gig uplinks for ac WAPs is serious
> overkill.
> >> We have almost 4,500 switches across campus, most with 1 gig user
> uplinks,
> >> and the vast majority are perfectly fine with 1G (heck, we could swap a
> good
> >> number of those for 100 Meg, and they’d barely notice).  These are
> switches
> >> with 48+ connected devices, all at 1 gig.  So, for most access points
> that
> >> will be seeing far less users than a traditional edge 

Re: [WIRELESS-LAN] 802.11AC Future Infrastructure

2013-12-18 Thread Wright, Don
I would say take a close look at the 100M ports connected to your N or AC
APs and check for output drops.  We've seen this in some locations where we
we're careful about refreshing with N AP's.  It likely comes at peak times
so if you're just graphing the in/out you will miss it.

Don Wright
Brown University



On Wed, Dec 18, 2013 at 2:39 PM, Ian McDonald  wrote:

>  They certainly are using some strange math, my experience (and that of
> other institutions nearby) is that the vast majority of my N access points
> don't suffer from being connected to 100M poe switches, and in the places
> we have 1G to them, they generally don't use more than 100M.
>
>
> Thanks
>
> --
> ian
>
> Sent from my phone, please excuse brevity and misspelling.
>   --
> From: Hanset, Philippe C 
> Sent: 18/12/2013 19:33
>
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] 802.11AC Future Infrastructure
>
>  And the WLAN industry also does strange math ;-)
>
>  A lot of services are going to the Cloud, mostly using your pipe to the
> Internet.
> It seems that, progressively or even rapidly, the limiting factor is not
> Wi-Fi anymore but rather the pipe to the internet.
> 1 Gbps to each Wireless AP is a lot of bandwidth! and a lot of
> oversubscription all around (edge, distribution, core, WAN)
> Unless you plan to distribute UHDTV (8K TV) to your dorms, I wouldn't
> worry about getting more than 1 Gbps to each AP for a long time.
> Also most of 802.11ac APs are fine with 802.3af!
>
>
>  Philippe Hanset
> www.eduroam.us
>
>  On Dec 18, 2013, at 12:56 PM, Lee H Badman 
>  wrote:
>
>  The WLAN industry is doing an absolutely horrible, almost shameful job
> of managing the message on cabling for 11ac, says I.
>
> Lee Badman
> Network Architect/Wireless TME
> ITS, Syracuse University
> 315.443.3003
>
> -Original Message-
> *From:* Turner, Ryan H [rhtur...@email.unc.edu]
> *Received:* Wednesday, 18 Dec 2013, 12:52
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU [
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU]
> *Subject:* Re: [WIRELESS-LAN] 802.11AC Future Infrastructure
>
>   BTW…  Before anyone jumps on me, I understand the purpose of the
> question.  It’s great to know the best practices for the ‘what if’
> situation.
>
>
>  Ryan H Turner
>  Senior Network Engineer
>  The University of North Carolina at Chapel Hill
>  CB 1150 Chapel Hill, NC 27599
>  +1 919 445 0113 Office
>  +1 919 274 7926 Mobile
>
>
>   *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
> WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of *Turner, Ryan H
> *Sent:* Wednesday, December 18, 2013 12:47 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] 802.11AC Future Infrastructure
>
>
>  Call me naïve, but I think 10 gig uplinks for ac WAPs is serious
> overkill.  We have almost 4,500 switches across campus, most with 1 gig
> user uplinks, and the vast majority are perfectly fine with 1G (heck, we
> could swap a good number of those for 100 Meg, and they’d barely notice).
> These are switches with 48+ connected devices, all at 1 gig.  So, for most
> access points that will be seeing far less users than a traditional edge
> switch with a one gig uplink, I don’t see the need to go crazy with the
> feed speed.  I could see deploying 2 single gig links to the .ac access
> points, but not 10 gig.  Exceptions to this ‘could’ be very dense classroom
> environments with a lot of access points (there are exceptions to
> everything).
>
>
>  Ryan H Turner
>  Senior Network Engineer
>  The University of North Carolina at Chapel Hill
>  CB 1150 Chapel Hill, NC 27599
>  +1 919 445 0113 Office
>  +1 919 274 7926 Mobile
>
>
>   *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [
> mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> ] *On Behalf Of *Stewart, Joe
> *Sent:* Wednesday, December 18, 2013 12:40 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] 802.11AC Future Infrastructure
>
>
>  As this technology begins to be deployed is anyone out there planning
> ahead for wave two of this?  I know it’s not going to happen for a while
> but I’m curious if there are folks in the process of new construction where
> you have the option to add the infrastructure now to support the 10Gbps.
> If so, has there been any documentation on what cable type would be
> recommended for this? (ex. CAT6A or CAT7).
>
>
>  Thanks,
>
>
>
>
>  Joe Stewart
>  Network Specialist I
>  Information Systems and Network Services
>  Claremont McKenna College
>  325 E. 8th Street, Roberts South #12
>  Claremont, CA 91711
>
>

Eapol-Rate-Optimization

2013-12-03 Thread Wright, Don
   Just curious, have any Aruba shops tried enabling "EAPOL rate
optimization" to try helping with the Apple roaming/dropping issue?  It's a
new setting in 6.1 and while it didn't help in my testing, I've heard
others have had success with it.  Would someone care to update with details?

Don Wright
Brown University




Re: [WIRELESS-LAN] Mac OS X Best Current Practices

2013-10-23 Thread Wright, Don
  Since these questions get to what people are doing to deal with Apple
MacOS and iOS clients, I'm curious as to what, if any issues others on the
list are seeing.  Here's mine.

   - MacOS mid-2012 to recent macbooks are randomly dropping off the wlan
   - The above macbooks take 30 seconds or more to reconnect with roamed to
   APs

   Apple has produced a patch specifically for mid-2013 MacbookAirs, but
nothing for the other models.

   If you are also seeing these issues on your campus, what eap-type,
certificate size and wireless vendor are you using?

We are using eap-ttls, 2048 bit certificates and Aruba wireless.

   To Jason's question:
Apple configs, none that I know of (except cert settings below).

Aruba configs, in the 802.1x profile, turn off OKC (Apple doesn't support
it anyway), turn on Validate PMKID.

General Wifi configs, turn on band-steering (may or may not help depending
on your coverage), client certificates should always trust EAP and SSL, and
remove revocation settings.  Also see Travis Schick's in depth post
regarding the ID request timer.

- Don Wright
Brown University


On Wed, Oct 23, 2013 at 9:56 PM, Jason Healy  wrote:

> Hello all,
>
> Over the past weeks/months there have been a few threads about Mac OS X,
> and various tidbits about tweaks, configs, changes, and other items that
> help with the different problems.  I'm hoping to roll these all together on
> this thread for easier reference.
>
> We're an all-Apple campus with an Aruba setup and 802.1X (PEAP) for our
> primary SSID.  We push the server cert out to all clients, and then they
> authenticate with their normal LDAP credentials.  It works "most of the
> time", but there are always issues here and there.
>
> I just want to make sure we're doing what we should to help the user
> experience.  I'd appreciate any:
>
>  - Apple configs (settings on the client)
>  - Aruba configs (if they are specific settings there)
>  - General Wifi configs (e.g., raising auth timers, band steering,
> certificate sizes, etc).
>
> Please share any changes you make to a vanilla system to help the Macs
> along...
>
> Thanks,
>
> Jason



WLAN engineer responsibilities

2013-07-30 Thread Wright, Don
 If some of you are fortunate enough to have a FTE wlan
specialist/engineer (we don't), I'm curious as to what duties typically
fall under their responsibility.  I'm thinking along the lines of the
following:

Wireless network and infrastructure design
Security design and IDS configuration and monitoring
Escalation support for technical issues
New version and feature testing and validation
Visual floor plan updates
Access point design and placement for new and updated buildings

   I'm sure this just scratches the surface for some wlan engineers out
there, so what other wlan related tasks and responsibilities typically land
in your lap?

Thanks in advance.
Don Wright
Brown University




Re: [WIRELESS-LAN] Android wifi continually receiving data bursts

2012-07-08 Thread Wright, Don
  I've heard this same complaint from a user on our campus.  He claims
his droid lasts all weekend on his home wireless, but runs down in a day on
our campus.  I'm not sure why this would be, assuming he runs the same apps
all the time.  My only thought was that his wi-fi driver was actively
scanning (aggressive roaming) the other access points he would see here
looking for better signal.  Anyone have any other ideas ?
-
Don Wright
Brown University

*Please consider the environment before printing this email.*

*`·.¸¸.·´¯`·.¸.·´¯`·...¸ ><º>`·.¸¸.·´¯`·.¸.·´¯`·...¸><º>*


On Tue, Jul 3, 2012 at 5:07 PM, Hurt,Trenton W.
wrote:

>  I have started getting complaints from users regarding battery life on
> android devices when connected to our campus wifi.  The issue is being seen
> when you install a type of bandwidth meter app on the device.  The one I
> use is  android status and I look at the network section to see the Rx and
> Tx statistics.  Once connected to wireless the device still receives bursts
> of traffic, at least according to the app on the device.  We are cisco wifi
> shop and I’m running 7.2mr1 code on the wlc’s.  Has anyone else heard or
> seen this issue? 
>
> I found this post
> http://forum.xda-developers.com/showthread.php?t=1738171   which states…
>
> *This is simply because your wifi antenna still "hears" the data going
> through the wireless network on which you are connecter. Even if your phone
> doesn't asks for any data at the moment the traffic there is on the network
> will still be counted by the wifi chip on your phone.
>
> It will be the same on any public network or if you have another phone or
> a computer connecter on the same wireless router and generating traffic.*
>
> I have tried to increase the DTIM setting on one of the wlans and it
> didn’t help.  Any suggestions?
>
> Thanks
>
> Trent
>
> Trenton Hurt, CWNA, CCNP(W), CCNA(W), CCNA(V), CCNA(R/S)
> Wireless Network Administrator
> University of Louisville
> Phone (502) 852-1513
> FAX (502) 852-1424

Re: [WIRELESS-LAN] Aruba Point to Point (PTP)

2012-07-08 Thread Wright, Don
Brian,
I know you're an Aruba shop as we are, and we've had success with a
pair of AP-175's in a half mile line of sight link.  Rock solid. even
passed voip over it.  What I didn't like was that it's setup as an outdoor
mesh and needs a controller.  I'll be testing a pair MST-100 (formerly
Azalea, now Aruba) bridges later this summer.  These are standalone units
and don't need a controller.  I'll let you know how this works out the next
time we talk.
-
Don Wright
Brown University

*Please consider the environment before printing this email.*

*`·.¸¸.·´¯`·.¸.·´¯`·...¸ ><º>`·.¸¸.·´¯`·.¸.·´¯`·...¸><º>*


On Wed, Jun 13, 2012 at 8:13 AM, Brian David  wrote:

> All,
>
> I wanted to get peoples perspective on their PTP wireless deployment. 
>
> How reliable is it for you. How much does the weather affect it?
>
> How much through put are you getting and in what frequency are you using?
>
> We are looking to have a temporary deployment for a particular building
> that is less than a mile away and has excellent line of sight.
>
> Any input would be great. 
>
> Thank you in advance.
>
> *Brian J David*
>
> *Network Systems Engineer*
>
> *Boston College*
>

Re: [WIRELESS-LAN] Filter-ID passing from FreeRadius v2 to controller

2012-04-05 Thread Wright, Don
Chris,
   Thanks for the reply.  I passed this along to my systems people and they
are checking into it.  I have some more details as we were looking at this
today.

 When running in debug mode, they run the rad-test utility and see the
filter-id in the challenge packets.  What they don't see is the filter-id
included in the access-accept packet going back to the controller.

 Hope this helps.

- Don



On Tue, Apr 3, 2012 at 4:45 PM, Christopher Wieringa wrote:

> It is hard to say exactly why it isn't adding it in without seeing some
> actual configuration or server debugging text, but there are a few areas
> you can check.
>
> First, make sure that you have the dictionary with that radius attribute
> loaded.   It should be loaded by default, but it doesn't hurt to check that
> the dictionaries are being loaded.  With a quick search it looks like
> the attribute you want is in the file "dictionary.rfc2865" named
> "Filter-Id".  I don't have a copy of FreeRadius 1.x's dictionaries around,
> but the attribute name might have changed slightly in the 2.x series - make
> sure you are referring to it correctly.
>
> Next, make sure that you are populating Filter-Id as a reply attribute -
> are you setting it through a LDAP attribute map, from SQL's radreply or
> radgroupreply tables, or some other method?  If you think you are, then I
> would suggest running your radius server in debug mode (./radiusd -X) and
> watching an authentication and see why or why not it is being added to the
> radius reply.
>
> If that still doesn't work, for testing, you can add the following lines
> into your post-auth section of the server config to add the attribute to
> all completed and accepted requests.
>
> update reply {
>  Filter-Id := "student"
> }
>
> You also might try the FreeRadius listserv for support as well (make sure
> to include configuration snippets and debugging output), or email me direct
> with the same.
>
> Chris Wieringa
>
>
>   >>> On 4/3/2012 at 2:42 PM, "Wright, Don" 
> wrote:
> > We have been testing with the latest version 2.x of FreeRadius and are
> > having trouble passing the Filter-ID information back to our Aruba
> > controllers.  Note the packet traces below show the missing Filter-ID in
> > the 2.x version, and where it is present on our functioning version 1.x
> > FreeRadius servers.  My systems people have tried different configuration
> > settings on the server based on the documentation they are looking at,
> but
> > without any positive results so far.
> > Does anyone have an idea of what setting might resolve this, or can
> > point us to documentation that shows how this works?  Thanks in advance
> for
> > any help.
> >
> > Don Wright
> > Brown University
> >
> > From Version 1.x server:
> >
> > 16:04:51.121056 IP (tos 0x0, ttl  64, id 0, offset 0, flags
> > [DF], proto: UDP (17), length: 207) 10.4.28.15.1645 >
> > 128.148.10.104.32797: RADIUS, length: 179
> > *Access Accept (2)*, id: 0xaa, Authenticator:
> > c85628210672caeedf2c8e3ade84cdfa
> >*Filter ID Attribute (11), length: 9, Value: student*
> >   Vendor Specific Attribute (26), length: 58, Value: Vendor:
> > Microsoft (311) [|radius] [|radius]
> >
> >
> > From Version 2.x server:
> >
> > 15:39:34.337535 IP (tos 0x0, ttl  64, id 59206, offset 0, flags
> > [none], proto: UDP (17), length: 197) 10.4.28.12.1645 >
> > 128.148.10.104.33828: RADIUS, length: 169
> >*Access Accept (2)*, id: 0xbf,
> > Authenticator: 85c2f9f515ee8ff6a8bee1d88cae243c
> >Vendor Specific Attribute (26), length: 58, Value: Vendor:
> > Microsoft (311) [|radius] [|radius]
> >
>
>
>
> --
> --
> Chris Wieringa
> cwier...@calvin.edu
> Sr. Systems Engineer
> Calvin Information Technology
>



Filter-ID passing from FreeRadius v2 to controller

2012-04-03 Thread Wright, Don
   We have been testing with the latest version 2.x of FreeRadius and are
having trouble passing the Filter-ID information back to our Aruba
controllers.  Note the packet traces below show the missing Filter-ID in
the 2.x version, and where it is present on our functioning version 1.x
FreeRadius servers.  My systems people have tried different configuration
settings on the server based on the documentation they are looking at, but
without any positive results so far.
Does anyone have an idea of what setting might resolve this, or can
point us to documentation that shows how this works?  Thanks in advance for
any help.

Don Wright
Brown University

From Version 1.x server:

16:04:51.121056 IP (tos 0x0, ttl  64, id 0, offset 0, flags
[DF], proto: UDP (17), length: 207) 10.4.28.15.1645 >
128.148.10.104.32797: RADIUS, length: 179
*Access Accept (2)*, id: 0xaa, Authenticator:
c85628210672caeedf2c8e3ade84cdfa
   *Filter ID Attribute (11), length: 9, Value: student*
  Vendor Specific Attribute (26), length: 58, Value: Vendor:
Microsoft (311) [|radius] [|radius]


From Version 2.x server:

15:39:34.337535 IP (tos 0x0, ttl  64, id 59206, offset 0, flags
[none], proto: UDP (17), length: 197) 10.4.28.12.1645 >
128.148.10.104.33828: RADIUS, length: 169
   *Access Accept (2)*, id: 0xbf,
Authenticator: 85c2f9f515ee8ff6a8bee1d88cae243c
   Vendor Specific Attribute (26), length: 58, Value: Vendor:
Microsoft (311) [|radius] [|radius]
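
The comparison made in the two traces above (does the Access-Accept sent to the controller carry Filter-Id, attribute 11?) can be automated against captured RADIUS payloads. This is an added example, not part of the original post and not FreeRADIUS code; the helper names are hypothetical and the two sample packets are constructed to mirror the traces, with filler in place of the vendor-specific key material.

```python
"""Decode a RADIUS packet (RFC 2865) and report Filter-Id in an Access-Accept."""
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11          # RFC 2865, Filter-Id
VENDOR_SPECIFIC = 26    # RFC 2865, Vendor-Specific
HEADER_LEN = 20         # code(1) + identifier(1) + length(2) + authenticator(16)


class RadiusDecodeError(ValueError):
    """Raised when the bytes are not a well-formed RADIUS packet."""


def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, [(attr_type, value), ...])."""
    if len(packet) < HEADER_LEN:
        raise RadiusDecodeError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    # Bytes past the length field are padding and ignored; a length field
    # larger than the datagram means the packet was truncated.
    if length < HEADER_LEN or length > len(packet):
        raise RadiusDecodeError(f"bad length field {length}")
    authenticator = packet[4:HEADER_LEN]
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise RadiusDecodeError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        # The attribute length counts its own type and length octets.
        if a_len < 2 or pos + a_len > length:
            raise RadiusDecodeError(f"attribute {a_type} has bad length {a_len}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, authenticator, attrs


def filter_ids(packet: bytes):
    """Filter-Id values in an Access-Accept; an empty list if it is absent."""
    code, _, _, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        raise RadiusDecodeError(f"code {code} is not Access-Accept")
    return [v.decode("utf-8", "replace") for t, v in attrs if t == FILTER_ID]


def build_packet(code, ident, authenticator, attrs):
    """Helper used only to construct the sample packets below."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return header + authenticator + body


# Constructed samples modelled on the traces: same packet ids, a 9-byte
# Filter-Id "student", and a 58-byte Microsoft (311) vendor-specific
# attribute whose payload is zero filler. Authenticators are zeroed.
VSA = (VENDOR_SPECIFIC, struct.pack("!I", 311) + bytes(52))
ACCEPT_V1 = build_packet(ACCESS_ACCEPT, 0xAA, bytes(16),
                         [(FILTER_ID, b"student"), VSA])
ACCEPT_V2 = build_packet(ACCESS_ACCEPT, 0xBF, bytes(16), [VSA])

if __name__ == "__main__":
    for name, pkt in (("1.x-style", ACCEPT_V1), ("2.x-style", ACCEPT_V2)):
        print(name, "Filter-Id:", filter_ids(pkt) or "MISSING")
```
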




Re: Very high number of wireless devices returning from break

2012-01-26 Thread Wright, Don
   Here's my Airwave graph for comparison, which now represents 11,000+ users.
 The really surprising increase is in the middle group (green), which is my
captive portal.  This has been a steady ~1800 average over the last year,
now pushing 4000.

[image: Screen shot 2012-01-26 at 4.50.15 PM.png]

Don Wright
Brown University



On Thu, Jan 26, 2012 at 11:09 AM, Wright, Don wrote:

> All,
>  It seems an alarmingly high number of wireless devices have returned
> to our campus this week.  After at least a year of steadily increasing
> numbers, we are now seeing a roughly 40% increase since last December.  At
> first I didn't believe what I was seeing and opened a case with the vendor
> to confirm reporting was accurate.  Tied into this, we upgraded by a major
> version earlier this month and I thought this could be related.  Apparently
> not the case, everything we've looked at tells us that the numbers are
> accurate.  I'm still looking at stats, but haven't been able to come up with
> anything yet.
> Is anyone else seeing this magnitude of increase in devices over
> winter break ?
>
>  Don Wright
> Brown University
>


Very high number of wireless devices returning from break

2012-01-26 Thread Wright, Don
All,
 It seems an alarmingly high number of wireless devices have returned
to our campus this week.  After at least a year of steadily increasing
numbers, we are now seeing a roughly 40% increase since last December.  At
first I didn't believe what I was seeing and opened a case with the vendor
to confirm reporting was accurate.  Tied into this, we upgraded by a major
version earlier this month and I thought this could be related.  Apparently
not the case, everything we've looked at tells us that the numbers are
accurate.  I'm still looking at stats, but haven't been able to come up with
anything yet.
Is anyone else seeing this magnitude of increase in devices over winter
break ?

Don Wright
Brown University
