RE: ResHall Wireless - FlexConnect

No Cisco support for multicast to unicast? Aruba has had that support for years and we have been using it for IPTV over Wi-Fi. Aruba calls this Dynamic Multicast Optimization.

Bruce Osborne
Wireless Engineer
IT Infrastructure Media Solutions
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Jake Snyder [mailto:jsnyde...@gmail.com]
Sent: Wednesday, March 18, 2015 3:50 PM
Subject: Re: ResHall Wireless - FlexConnect

Other vendors are doing this too. I know from a recent presentation at Atmosphere 2015 that Aruba performs the RA Multicast to Unicast conversion. It's a known limitation in terms of how the 802.11 protocol works. Different vendors are implementing different features to overcome it, but it's an expected thing. There is currently no support for Multicast to Unicast conversion for FlexConnect; they simply bridge broadcast/multicast traffic.

On Wed, Mar 18, 2015 at 1:36 PM, Frans Panken <frans.pan...@surfnet.nl> wrote:

Breaking IPv6 is indeed undesirable ;-) Fortunately, other vendors do not share your opinion. Good news for the majority on this list: the bug is limited to Cisco's FlexConnect.
-Frans

Jake Snyder wrote on 18/03/15 at 20:19:

It is expected from an 802.11 perspective. May not be desirable, but that is how the wireless standard works. Unicasting RAs over the air fixes this.
Sent from my iPhone

On Mar 18, 2015, at 12:42 PM, Frans Panken <frans.pan...@surfnet.nl> wrote:

No, it is not. The result is that it breaks IPv6 on local VLANs: clients receive multiple prefixes on local VLANs.

Jake Snyder wrote on 18/03/15 at 17:51:

Leaking of RAs between VLANs is expected behavior, as RAs are multicast. Because the 802.11 protocol sends multicast traffic as broadcast over the air and every device on a BSSID shares the same group key for encryption, any client can decode any multicast packet, including RAs not on the same VLAN. Again, this is expected behavior. The solution to this is to use multicast to unicast conversion for the RA; however, I've never done this in a FlexConnect deployment. This is also important in IPv4 deployments where you need to secure who can gain access to a multicast stream.

On Wed, Mar 18, 2015 at 10:32 AM, Frans Panken <frans.pan...@surfnet.nl> wrote:

We use FlexConnect in both central and local switched mode (v 8.110.6). We use a single SSID and distinguish various user groups, differentiated by Radius and mapped on different VLANs. We observe that VLANs leak traffic to other VLANs. This is in particular very undesired with IPv6, where router advertisements from one VLAN are broadcast to other VLANs (this also happens on IPv4, e.g., with ARP and other broadcast traffic). Even VLANs that are only centrally accessible leak traffic to local VLANs. This is a security issue that in my opinion does not receive the desired attention.
Frans

Watters, John wrote on 18/03/15 at 07:29:

Please post any results you have if/when you try to expand FlexConnect to your entire campus. It looks like you are close to our size (we now have about 125 buildings, about 38K students plus about 4K faculty/staff). Thanks.
Sent from my iPhone

On Mar 17, 2015, at 4:12 PM, Hector J Rios <hr...@lsu.edu> wrote:

I've not performed tests to that scale yet. Plus we are only considering this for our ResHalls, of which we have 21 buildings only.
-Hector
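The symptom Frans reports above (a client on one VLAN receiving Router Advertisements for other VLANs because 802.11 delivers multicast under the shared group key) can be confirmed from the client side by capturing RAs and checking which prefixes arrive. The following is an added example, not code from the list discussion or from Cisco or Aruba: it parses the ICMPv6 Router Advertisement format and its Prefix Information and Source Link-Layer Address options per RFC 4861, then reports any prefix a client sees that does not belong to the VLAN its RADIUS assignment should give it. The RA packets, prefixes (documentation range 2001:db8::/32), router MACs and client names are all constructed inline for the example; in practice the payloads would come from a packet capture on a test client, and the expected-prefix map would be built from your VLAN-to-prefix plan.

```python
"""
Detect cross-VLAN Router Advertisement leakage as seen from a wireless client.

Added example: parse captured ICMPv6 RAs (RFC 4861) and flag prefixes a
client should not see given the VLAN it was assigned.  Sample packets,
prefixes, MACs and client names are constructed here, not taken from the
thread.  Parsing starts at the ICMPv6 payload (802.11/IPv6 headers already
stripped, as a capture tool would present it).
"""
import ipaddress
import struct
from collections import defaultdict

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 section 4.2
OPT_SOURCE_LINK_LAYER = 1           # RFC 4861 section 4.6.1
OPT_PREFIX_INFORMATION = 3          # RFC 4861 section 4.6.2


def build_ra(prefix, prefix_len, router_mac):
    """Construct a minimal RA for sample input (checksum left at zero)."""
    # type, code, checksum, cur hop limit, M/O flags, router lifetime,
    # reachable time, retrans timer: 16-byte fixed header
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                         64, 0, 1800, 0, 0)
    sll = struct.pack("!BB6s", OPT_SOURCE_LINK_LAYER, 1, router_mac)
    # Prefix Information: L and A flags set, valid/preferred lifetimes, prefix
    pio = struct.pack("!BBBBIII16s", OPT_PREFIX_INFORMATION, 4, prefix_len,
                      0xC0, 2592000, 604800, 0,
                      ipaddress.IPv6Address(prefix).packed)
    return header + sll + pio


def parse_ra(payload):
    """Return the advertising router's MAC and the prefixes carried in one RA."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    info = {"router_mac": None, "prefixes": []}
    offset = 16                                  # skip the fixed header
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:                         # RFC 4861: must be rejected
            raise ValueError("option with zero length")
        size = opt_len * 8                       # length is in 8-octet units
        body = payload[offset:offset + size]
        if len(body) < size:
            raise ValueError("truncated option")
        if opt_type == OPT_SOURCE_LINK_LAYER and size == 8:
            info["router_mac"] = body[2:8].hex(":")
        elif opt_type == OPT_PREFIX_INFORMATION and size == 32:
            addr = ipaddress.IPv6Address(body[16:32])
            net = ipaddress.IPv6Network(f"{addr}/{body[2]}", strict=False)
            info["prefixes"].append(str(net))
        offset += size                           # unknown options are skipped
    return info


def find_foreign_prefixes(captures, expected_prefix):
    """
    captures: (client, ra_payload) pairs captured on each client.
    expected_prefix: client -> the prefix its assigned VLAN should advertise.
    Returns client -> {foreign prefix: sorted router MACs that advertised it}.
    A client that only hears its own VLAN's prefix does not appear at all.
    """
    foreign = defaultdict(lambda: defaultdict(set))
    for client, payload in captures:
        ra = parse_ra(payload)
        for prefix in ra["prefixes"]:
            if prefix != expected_prefix[client]:
                foreign[client][prefix].add(ra["router_mac"])
    return {c: {p: sorted(m) for p, m in ps.items()} for c, ps in foreign.items()}


# Constructed sample: two VLAN routers on one SSID; a student client assigned
# VLAN 10 and a staff client assigned VLAN 20.  Both clients hear both RAs,
# which is the leak described in the thread.
RA_VLAN10 = build_ra("2001:db8:10::", 64, bytes.fromhex("001122334410"))
RA_VLAN20 = build_ra("2001:db8:20::", 64, bytes.fromhex("001122334420"))
SAMPLE_CAPTURES = [
    ("student-laptop", RA_VLAN10), ("student-laptop", RA_VLAN20),
    ("staff-laptop", RA_VLAN10), ("staff-laptop", RA_VLAN20),
]
EXPECTED = {"student-laptop": "2001:db8:10::/64",
            "staff-laptop": "2001:db8:20::/64"}


def sample_report():
    """Run the check over the constructed captures."""
    return find_foreign_prefixes(SAMPLE_CAPTURES, EXPECTED)


if __name__ == "__main__":
    for client, leaks in sample_report().items():
        for prefix, routers in leaks.items():
            print(f"{client}: foreign prefix {prefix} advertised by {', '.join(routers)}")
```

Each foreign prefix is reported together with the MAC of the router that sent it, which tells you which VLAN's gateway is being heard. After enabling an RA multicast-to-unicast feature (or otherwise confining RAs), the same check should return an empty result for every client.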
Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

There is support for it in local mode, just not in flex.
Sent from my iPhone

On Mar 19, 2015, at 5:41 AM, Osborne, Bruce W (Network Services) <bosbo...@liberty.edu> wrote:

No Cisco support for multicast to unicast? Aruba has had that support for years and we have been using it for IPTV over Wi-Fi. Aruba calls this Dynamic Multicast Optimization.
RE: [WIRELESS-LAN] ResHall Wireless - FlexConnect

We use WiSM2s, and based strictly on the numbers supported by this platform (which are pretty horrible: 25 APs per FlexConnect group) I don't think we will be using FlexConnect any time soon.
-Hector

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
Sent: Tuesday, March 17, 2015 11:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

We played with FlexConnect for a number of months but still could not get what we needed it to do on a consistent basis. Essentially we wanted FlexConnect to drop users into their building VLAN so they would be able to easily interact with the same devices that the wired connections in the buildings could see. As I'm sure you know, this also resolves many of the Apple, Chromecast, etc., problems.

We did have one caveat though that we just couldn't get past -- we wanted to drop faculty/staff into one VLAN and students into another (we can easily return the proper VLAN for a particular client in a particular building from the Radius server - FreeRadius with a call to our LDAP server for info), but we also need to send everything else back to the controller for central switching (e.g., police connections, special bar-code scanners that roam and serve to identify a user, but not being used for client traffic, for example, to give out free flu shots to eligible folks or let folks into a sporting event). We just couldn't get past having 95+% locally switched and the remainder centrally switched for over 200 buildings, many with now over 100 APs each, without using FlexConnect groups, which are limited to numbers way too small for our campus. We can even live comfortably without roaming between buildings. Most folks are not used to being able to roam between buildings downtown, or many cannot roam between apartments off campus. How did you get around the FlexConnect group problem?
==
-jcw

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hector J Rios [hr...@lsu.edu]
Sent: Tuesday, March 17, 2015 9:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

I tested FlexConnect on 8.0.110.0. Here are my observations:
* Great alternative to switch data locally (obviously)
* No AVC support
* When controller is down, AP goes into standalone mode. Must make sure that AP is not able to reach any other controller you don't want. This was fixed with an ACL.
* Client details page does not show client IPv6 address. Client still gets IPv6 address. (PRIME does show it if you run a report.)
* Client details page does not show VLAN ID.
* Putting AP in FlexConnect mode does not require reboot (Cool!)
* No IPv6 ACL support
More testing to do, but so far so good.
-Hector

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
Sent: Thursday, March 12, 2015 11:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

We use Cisco's wireless solution with WiSM2s and a variety of WAPs. We actually implemented the guest anchor controller solution last year with dual controllers (WLC2504) and we've been happy. I like Britton's idea of using FlexConnect at the dorms to switch the student data locally. However, I believe there are some limitations that would keep us from using it, such as no support for AVC, and some limitations on IPv6.
-Hector

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services)
Sent: Thursday, March 12, 2015 7:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

Hector, you do not say what wireless solution you are using. Let me assume a Cisco or Aruba controller based solution. You can have vlans from your
RE: [WIRELESS-LAN] ResHall Wireless - FlexConnect

Here is the info Jeffry:

The number of FlexConnect groups and access point support depends on the platform that you are using. You can configure the following:
Up to 100 FlexConnect groups and 25 access points per group for a Cisco 5500 Series Controller.
Up to 1000 FlexConnect groups and 50 access points per group for a Cisco Flex 7500 Series Controller in the 7.2 release.
Up to 2000 FlexConnect groups and 100 access points per group for Cisco Flex 7500 and Cisco 8500 Series Controllers in the 7.3 release.
Up to 20 FlexConnect groups and up to 25 access points per group for the remaining platforms.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_010001010.html#d34284e204a1635

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Legge, Jeffry
Sent: Wednesday, March 18, 2015 9:51 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

Hector, I am just starting to think about using FlexConnect. I have two WiSM2s and about 750 APs. Can you tell me where I can read up on the 25 AP restriction?

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
Sent: Wednesday, March 18, 2015 10:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

We use WiSM2s, and based strictly on the numbers supported by this platform (which are pretty horrible: 25 APs per FlexConnect group) I don't think we will be using FlexConnect any time soon.
-Hector
RE: [WIRELESS-LAN] ResHall Wireless - FlexConnect
Hector I am just starting to think about using FlexConnect. I have two Wism2's and about 750 Aps. Can you tell me where I can read up on the 25 AP restriction? -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios Sent: Wednesday, March 18, 2015 10:10 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect We use WiSM2s, and based strictly on the numbers supported by this platform (which are pretty horrible: 25 APs per FlexConnect group) I don't think we will be using FlexConnect any time soon. -Hector -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John Sent: Wednesday, March 18, 2015 1:29 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect Please post any results you have if/when try expand FlexConnect to your entire campus. It looks like you are close to our size (we now have about 125 buildings about 38K students plus about 4K faculty/staff). Thanks. Sent from my iPhone On Mar 17, 2015, at 4:12 PM, Hector J Rios hr...@lsu.edu wrote: I've not performed tests to that scale yet. Plus we are only considering this for our ResHalls, of which we have 21 buildings only. -Hector -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John Sent: Tuesday, March 17, 2015 11:55 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect We played with FlexConnect for a number of months but still could not get what we needed it to do on a consistent basis. Essentially we wanted FlexConnect to drop users into their building VLAN so they would be able to easily interact with the same devices that the wired connections in the buildings could see. 
As I'm sure you know, this also resolves many of the Apple, Chromecast, etc., problems. We did have one caveat though that we just couldn't get past -- we wanted to drop faculty/staff into one VLAN and students into another (we can easily return the proper VLAN for a particular client in a particular building from Radius server - FreeRadius with a call to our LDAP server for info) but we also need to send everything else back to the controller for central switching (e.g., police connections, special bar-code scanners that roam and serve to identify a user, but not being used for client traffic, for example, to give out free flu shots to eligible folks or let folks into a sporting event). We just couldn't get past having 95+% locally switched and the remainder centrally switched for over 200 buildings many with now over 100 APs each without using FlecConnect groups which are limited to numbers way too small for our campus. We can even live comfortably without roaming between buildings. MOst folks are not used to being able to roam between buildings downtown or many cannot roam between apartments off campus. How did you get around the FlexConnect group problem? == -jcw From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hector J Rios [hr...@lsu.edu] Sent: Tuesday, March 17, 2015 9:27 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] ResHall Wireless I tested FlexConnect on 8.0.110.0. Here are my observations: *Great alternative to switch data locally (obviously) *No AVC Support *When controller is down, AP goes into standalone more. Must make sure that AP is not able to reach any other controller you don't want. This was fixed with an ACL. *Client details page does not show client IPv6 address. Client still gets IPv6 address. (PRIME does show it if you run a report). *Client details page does not show VLAN ID. *Putting AP in FlexConnect mode does not require reboot (Cool!) 
*No IPv6 ACL support More testing to do, but so far so good. -Hector From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios Sent: Thursday, March 12, 2015 11:13 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] ResHall Wireless We use Cisco's wireless solution with WiSM2s and a variety of WAPs. We actually implemented the guest anchor controller solution last year with dual controllers (WLC2504) and we've been happy. I like Britton's idea of using FlexConnect at the dorms to switch the student data locally. However, I believe there are some limitations that would keep us from using it such as no support for AVC, and some limitations on IPv6. -Hector From: The EDUCAUSE Wireless
Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect
We use FlexConnect in both central and local switched mode (v 8.110.6). We use a single SSID and distinguish various user groups, differentiated by Radius and mapped on different VLANs. We observe that VLANs leak traffic to other VLANs. This is in particular very undesired with IPv6, where router adverstisements from one VLAN is broadcast to other VLANs (this also happens on IPv4, e.g., with ARP and other broadcast traffic). Even VLANs that are only centrally accessible leak traffic to local VLANs. This is a security issue that in my oppinion does not receive the desired attention. Frans Watters, John schreef op 18/03/15 om 07:29: Please post any results you have if/when try expand FlexConnect to your entire campus. It looks like you are close to our size (we now have about 125 buildings about 38K students plus about 4K faculty/staff). Thanks. Sent from my iPhone On Mar 17, 2015, at 4:12 PM, Hector J Rios hr...@lsu.edu wrote: I've not performed tests to that scale yet. Plus we are only considering this for our ResHalls, of which we have 21 buildings only. -Hector -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John Sent: Tuesday, March 17, 2015 11:55 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect We played with FlexConnect for a number of months but still could not get what we needed it to do on a consistent basis. Essentially we wanted FlexConnect to drop users into their building VLAN so they would be able to easily interact with the same devices that the wired connections in the buildings could see. As I'm sure you know, this also resolves many of the Apple, Chromecast, etc., problems. 
We did have one caveat though that we just couldn't get past -- we wanted to drop faculty/staff into one VLAN and students into another (we can easily return the proper VLAN for a particular client in a particular building from Radius server - FreeRadius with a call to our LDAP server for info) but we also need to send everything else back to the controller for central switching (e.g., police connections, special bar-code scanners that roam and serve to identify a user, but not being used for client traffic, for example, to give out free flu shots to eligible folks or let folks into a sporting event). We just couldn't get past having 95+% locally switched and the remainder centrally switched for over 200 buildings many with now over 100 APs each without using FlecConnect groups which are limited to numbers way too small for our campus. We can even live comfortably without roaming between buildings. MOst folks are not used to being able to roam between buildings downtown or many cannot roam between apartments off campus. How did you get around the FlexConnect group problem? == -jcw From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hector J Rios [hr...@lsu.edu] Sent: Tuesday, March 17, 2015 9:27 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] ResHall Wireless I tested FlexConnect on 8.0.110.0. Here are my observations: *Great alternative to switch data locally (obviously) *No AVC Support *When controller is down, AP goes into standalone more. Must make sure that AP is not able to reach any other controller you don't want. This was fixed with an ACL. *Client details page does not show client IPv6 address. Client still gets IPv6 address. (PRIME does show it if you run a report). *Client details page does not show VLAN ID. *Putting AP in FlexConnect mode does not require reboot (Cool!) *No IPv6 ACL support More testing to do, but so far so good. 
-Hector From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios Sent: Thursday, March 12, 2015 11:13 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] ResHall Wireless We use Cisco's wireless solution with WiSM2s and a variety of WAPs. We actually implemented the guest anchor controller solution last year with dual controllers (WLC2504) and we've been happy. I like Britton's idea of using FlexConnect at the dorms to switch the student data locally. However, I believe there are some limitations that would keep us from using it such as no support for AVC, and some limitations on IPv6. -Hector From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services) Sent: Thursday, March 12, 2015 7:42 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] ResHall Wireless Hector, You do not say what wireless
Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect
The solution to this is to use multicast to unicast conversion for the RA; however, I've never done this in a FlexConnect deployment. This is also important in IPv4 deployments where you need to secure who can gain access to a multicast stream.

On Wed, Mar 18, 2015 at 10:32 AM, Frans Panken <frans.pan...@surfnet.nl> wrote:

We use FlexConnect in both central and local switched mode (v 8.110.6). We use a single SSID and distinguish various user groups, differentiated by RADIUS and mapped on different VLANs. We observe that VLANs leak traffic to other VLANs. This is in particular very undesired with IPv6, where router advertisements from one VLAN are broadcast to other VLANs (this also happens on IPv4, e.g., with ARP and other broadcast traffic). Even VLANs that are only centrally accessible leak traffic to local VLANs. This is a security issue that in my opinion does not receive the desired attention.

Frans

Watters, John wrote on 18/03/15 at 07:29:

Please post any results you have if/when you try to expand FlexConnect to your entire campus. It looks like you are close to our size (we now have about 125 buildings, about 38K students plus about 4K faculty/staff). Thanks.

Sent from my iPhone

On Mar 17, 2015, at 4:12 PM, Hector J Rios <hr...@lsu.edu> wrote:

I've not performed tests to that scale yet. Plus we are only considering this for our ResHalls, of which we have 21 buildings only.

-Hector

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
Sent: Tuesday, March 17, 2015 11:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

We played with FlexConnect for a number of months but still could not get what we needed it to do on a consistent basis. Essentially we wanted FlexConnect to drop users into their building VLAN so they would be able to easily interact with the same devices that the wired connections in the buildings could see. As I'm sure you know, this also resolves many of the Apple, Chromecast, etc., problems.

We did have one caveat though that we just couldn't get past -- we wanted to drop faculty/staff into one VLAN and students into another (we can easily return the proper VLAN for a particular client in a particular building from the RADIUS server - FreeRADIUS with a call to our LDAP server for info), but we also need to send everything else back to the controller for central switching (e.g., police connections, special bar-code scanners that roam and serve to identify a user, but not being used for client traffic, for example, to give out free flu shots to eligible folks or let folks into a sporting event). We just couldn't get past having 95+% locally switched and the remainder centrally switched for over 200 buildings, many with now over 100 APs each, without using FlexConnect groups, which are limited to numbers way too small for our campus. We can even live comfortably without roaming between buildings. Most folks are not used to being able to roam between buildings downtown, or many cannot roam between apartments off campus.

How did you get around the FlexConnect group problem?

==
-jcw

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hector J Rios [hr...@lsu.edu]
Sent: Tuesday, March 17, 2015 9:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

I tested FlexConnect on 8.0.110.0. Here are my observations:

* Great alternative to switch data locally (obviously)
* No AVC support
* When the controller is down, the AP goes into standalone mode. Must make sure that the AP is not able to reach any other controller you don't want. This was fixed with an ACL.
* Client details page does not show the client IPv6 address. The client still gets an IPv6 address. (PRIME does show it if you run a report.)
* Client details page does not show the VLAN ID.
* Putting an AP in FlexConnect mode does not require a reboot (Cool!)
* No IPv6 ACL support

More testing to do, but so far so good.

-Hector

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
Sent: Thursday, March 12, 2015 11:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

We use Cisco's wireless solution with WiSM2s and a variety of WAPs. We actually implemented the guest anchor
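Frans's "multiple prefixes" symptom and Jake's group-key explanation above suggest a check a defender can run from a monitoring client on each VLAN: collect the RAs it receives and flag every prefix that belongs to a different VLAN. The following is an added example, not code from the thread; the log format, the VLAN-to-prefix map and the AP names are constructed.

```python
"""Detect IPv6 Router Advertisements leaking across VLANs on one SSID.

Added example; it is not code from the list thread. It models the symptom
Frans reports (clients on a local VLAN receiving prefixes for several VLANs)
and the cause Jake gives (multicast RAs go out as broadcast under the shared
group key, so every client on the BSSID can decode them). The RA log lines
and the VLAN-to-prefix map below are constructed for the example.
"""
from collections import defaultdict
from ipaddress import IPv6Network
from typing import Dict, List, NamedTuple, Optional, Set


class RAObservation(NamedTuple):
    ap: str            # access point the observing client was associated to
    client_vlan: int   # VLAN RADIUS placed the observing client in
    router: str        # link-local source address of the RA
    prefix: str        # prefix option carried in the RA


# Constructed: which prefix each VLAN is supposed to advertise.
EXPECTED_PREFIX: Dict[int, IPv6Network] = {
    10: IPv6Network("2001:db8:10::/64"),   # students, locally switched
    20: IPv6Network("2001:db8:20::/64"),   # staff, locally switched
    99: IPv6Network("2001:db8:99::/64"),   # central-only VLAN
}

# Constructed log, one line per RA seen by a monitoring client:
#   ap client_vlan router_lladdr prefix
RA_LOG = """\
reshall-ap1 10 fe80::1 2001:db8:10::/64
reshall-ap1 10 fe80::2 2001:db8:20::/64
reshall-ap1 10 fe80::99 2001:db8:99::/64
reshall-ap1 20 fe80::2 2001:db8:20::/64
reshall-ap1 20 fe80::1 2001:db8:10::/64
reshall-ap2 20 fe80::2 2001:db8:20::/64
"""


def parse_ra_log(text: str) -> List[RAObservation]:
    """Parse the whitespace-separated log format above; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ap, vlan, router, prefix = parts
        try:
            out.append(RAObservation(ap, int(vlan), router, str(IPv6Network(prefix))))
        except ValueError:
            continue
    return out


def prefix_owner(prefix: str) -> Optional[int]:
    """Map an advertised prefix back to the VLAN that should own it (None if unknown)."""
    net = IPv6Network(prefix)
    for vlan, expected in EXPECTED_PREFIX.items():
        if net == expected:
            return vlan
    return None


def find_leaks(observations: List[RAObservation]):
    """Return (client_vlan, source_vlan_or_None, prefix, router, ap) for every RA a
    client received from a VLAN other than its own. Each hit is an RA that was
    bridged to the air as multicast and decoded under the shared group key."""
    leaks = []
    for o in observations:
        src = prefix_owner(o.prefix)
        if src != o.client_vlan:
            leaks.append((o.client_vlan, src, o.prefix, o.router, o.ap))
    return leaks


def prefixes_seen_per_vlan(observations: List[RAObservation]) -> Dict[int, Set[str]]:
    """Distinct prefixes the clients of each VLAN would autoconfigure from.
    More than one entry per VLAN is the 'multiple prefixes' symptom."""
    seen = defaultdict(set)
    for o in observations:
        seen[o.client_vlan].add(o.prefix)
    return dict(seen)


def central_vlans_leaking(observations: List[RAObservation], central_vlans: Set[int]) -> Set[int]:
    """Central-only VLANs whose RAs showed up at locally switched clients."""
    return {leak[1] for leak in find_leaks(observations) if leak[1] in central_vlans}


if __name__ == "__main__":
    obs = parse_ra_log(RA_LOG)
    for leak in find_leaks(obs):
        print("leak: client vlan %s saw %s (vlan %s) from %s on %s" % leak)
    print("central VLANs leaking:", central_vlans_leaking(obs, {99}))
```

A clean deployment (or one with multicast-to-unicast RA conversion, as Jake describes) yields an empty leak list and exactly one prefix per VLAN.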
Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect
It is expected from an 802.11 perspective. May not be desirable, but that is how the wireless standard works. Unicasting RAs over the air fixes this.

Sent from my iPhone

On Mar 18, 2015, at 12:42 PM, Frans Panken <frans.pan...@surfnet.nl> wrote:

No, it is not. The result is that it breaks IPv6 on local VLANs: clients receive multiple prefixes on local VLANs.

Jake Snyder wrote on 18/03/15 at 17:51:

[Quoted text hidden]
Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect
No, it is not. The result is that it breaks IPv6 on local VLANs: clients receive multiple prefixes on local VLANs.

Jake Snyder wrote on 18/03/15 at 17:51:

Leaking of RAs between VLANs is expected behavior as RAs are multicast. Because the 802.11 protocol sends multicast traffic as broadcast over the air and every device on a BSSID shares the same group key for encryption, any client can decode any multicast packet, including RAs not on the same VLAN. Again, this is expected behavior. The solution to this is to use multicast to unicast conversion for the RA; however, I've never done this in a FlexConnect deployment. This is also important in IPv4 deployments where you need to secure who can gain access to a multicast stream.

On Wed, Mar 18, 2015 at 10:32 AM, Frans Panken <frans.pan...@surfnet.nl> wrote:

[Quoted text hidden]
Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect
Breaking IPv6 is indeed undesirable ;-) Fortunately, other vendors do not share your opinion. Good news for the majority on this list: the bug is limited to Cisco's FlexConnect.

-Frans

Jake Snyder wrote on 18/03/15 at 20:19:

It is expected from an 802.11 perspective. May not be desirable, but that is how the wireless standard works. Unicasting RAs over the air fixes this.

Sent from my iPhone

On Mar 18, 2015, at 12:42 PM, Frans Panken <frans.pan...@surfnet.nl> wrote:

[Quoted text hidden]
Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect
Other vendors are doing this too. I know from a recent presentation at Atmosphere 2015 that Aruba performs the RA multicast to unicast conversion. It's a known limitation in terms of how the 802.11 protocol works. Different vendors are implementing different features to overcome it, but it's an expected thing. There is currently no support for multicast to unicast conversion for FlexConnect; they simply bridge broadcast/multicast traffic.

On Wed, Mar 18, 2015 at 1:36 PM, Frans Panken <frans.pan...@surfnet.nl> wrote:

Breaking IPv6 is indeed undesirable ;-) Fortunately, other vendors do not share your opinion. Good news for the majority on this list: the bug is limited to Cisco's FlexConnect.

-Frans

Jake Snyder wrote on 18/03/15 at 20:19:

[Quoted text hidden]
Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect
Please post any results you have if/when you try to expand FlexConnect to your entire campus. It looks like you are close to our size (we now have about 125 buildings, about 38K students plus about 4K faculty/staff). Thanks.

Sent from my iPhone

On Mar 17, 2015, at 4:12 PM, Hector J Rios <hr...@lsu.edu> wrote:

I've not performed tests to that scale yet. Plus we are only considering this for our ResHalls, of which we have 21 buildings only.

-Hector

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
Sent: Tuesday, March 17, 2015 11:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

[Quoted text hidden]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hector J Rios [hr...@lsu.edu]
Sent: Tuesday, March 17, 2015 9:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

[Quoted text hidden]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
Sent: Thursday, March 12, 2015 11:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

We use Cisco's wireless solution with WiSM2s and a variety of WAPs. We actually implemented the guest anchor controller solution last year with dual controllers (WLC2504) and we've been happy. I like Britton's idea of using FlexConnect at the dorms to switch the student data locally. However, I believe there are some limitations that would keep us from using it, such as no support for AVC and some limitations on IPv6.

-Hector

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services)
Sent: Thursday, March 12, 2015 7:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

Hector,

You do not say what wireless solution you are using. Let me assume a Cisco or Aruba controller based solution. You can have VLANs from your controller tunnel to an anchor controller in a DMZ. Use 802.1X authentication based on AD groups. This solution permits controlled internal access and, if you desire, unfiltered Internet access. Until recently, we did something similar with our open Guest wireless network on our Aruba system. We now use a different solution for this. The anchor controller idea was based on Cisco wireless training several years ago. At that time, it was their recommended guest solution.

Bruce Osborne
Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect
When talking about taking a single SSID and switching some traffic locally and some traffic centrally, there is a way to do that using RADIUS. There is a feature called VLAN Based Central Switching. Based on the VLAN you return, you can switch traffic either locally or centrally. There are some rules around how this works:

1. If the VLAN passed exists on the FlexConnect AP, the traffic is switched locally.
2. If the VLAN passed does not exist on the FlexConnect AP, it is forwarded centrally.
3. If the VLAN ID doesn't exist on the WLC, the VLAN is assumed bogus and traffic is dropped on the interface defined under WLAN/AP Group, as any centrally switched traffic would traditionally be done.

The trick is if you need to return an interface group or you have overlapping VLAN IDs. Today, you can use interface names if the APs are in local mode, but FlexConnect rejects this. The workaround is to use the bogus VLAN so traffic is forwarded centrally and then define the AP-Group interface so that it drops onto the correct interface (or interface group). I have a request to allow the ability to use interface names when dealing with FlexConnect, but we will see if/when this makes it into shipping code.

Thanks
Jake Snyder
@jsnyder81

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
Sent: Tuesday, March 17, 2015 11:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

[Quoted text hidden]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hector J Rios [hr...@lsu.edu]
Sent: Tuesday, March 17, 2015 9:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

[Quoted text hidden]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
Sent: Thursday, March 12, 2015 11:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

[Quoted text hidden]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services)
Sent: Thursday, March 12, 2015 7:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
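Jake's three rules, together with the overlapping-VLAN-ID trap he mentions, are easy to get wrong across hundreds of buildings with different local VLAN sets. The following is an added example, not code from the thread or from Cisco: it models the rules as a decision function and audits a planned RADIUS VLAN allocation against every AP's FlexConnect VLAN config. Building names, VLAN numbers, interface names and user groups are constructed.

```python
"""Check a planned RADIUS VLAN allocation against the VLAN Based Central
Switching rules Jake describes, before it reaches production.

Added example, not code from the thread or from Cisco. The rules modelled:
  1. returned VLAN exists on the FlexConnect AP   -> switched locally
  2. returned VLAN does not exist on the AP        -> forwarded centrally
  3. returned VLAN does not exist on the WLC       -> treated as bogus and
     placed on the interface (or interface group) under the WLAN / AP Group
Building names, VLAN numbers, interface names and user groups are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class FlexAP:
    name: str
    local_vlans: Set[int]        # VLANs mapped in this AP's FlexConnect config
    ap_group_interface: str      # interface or interface group under WLAN / AP Group


@dataclass
class WLC:
    vlans: Set[int]              # VLANs that exist as dynamic interfaces on the controller


def place_client(returned_vlan: int, ap: FlexAP, wlc: WLC) -> Tuple[str, str]:
    """Apply rules 1-3 in order; returns (switching, egress description)."""
    if returned_vlan in ap.local_vlans:            # rule 1
        return "local", f"vlan {returned_vlan} on {ap.name}"
    if returned_vlan in wlc.vlans:                 # rule 2
        return "central", f"vlan {returned_vlan} on WLC"
    # rule 3: bogus VLAN; traffic still goes central but lands on the AP-group
    # interface. This is the workaround for interface groups / overlapping IDs.
    return "central", ap.ap_group_interface


# Constructed plan: user group -> (VLAN returned by RADIUS, intended switching).
PLAN: Dict[str, Tuple[int, str]] = {
    "students": (10, "local"),
    "staff":    (20, "local"),
    "police":   (30, "central"),     # real WLC VLAN 30
    "scanners": (4000, "central"),   # deliberately bogus VLAN -> AP-group interface group
}

WLC_CONFIG = WLC(vlans={10, 20, 30, 99})

# Constructed APs. Building B reuses VLAN 30 locally for something else,
# which is the overlapping-VLAN-ID case Jake warns about.
APS: List[FlexAP] = [
    FlexAP("bldgA-ap1", local_vlans={10, 20}, ap_group_interface="central-ifgroup"),
    FlexAP("bldgB-ap1", local_vlans={10, 20, 30}, ap_group_interface="central-ifgroup"),
]


def audit_plan(plan: Dict[str, Tuple[int, str]], aps: List[FlexAP], wlc: WLC) -> List[str]:
    """Report every (group, AP) pair where the WLC rules give a different
    result than the plan intends."""
    problems = []
    for group, (vlan, intended) in plan.items():
        for ap in aps:
            actual, egress = place_client(vlan, ap, wlc)
            if actual != intended:
                problems.append(
                    f"{group}: VLAN {vlan} on {ap.name} would be {actual} "
                    f"({egress}); plan says {intended}"
                )
    return problems


def run_audit() -> List[str]:
    """Audit the constructed plan; returns the problem list (empty means clean)."""
    return audit_plan(PLAN, APS, WLC_CONFIG)


if __name__ == "__main__":
    for line in run_audit() or ["plan is consistent on every AP"]:
        print(line)
```

On the constructed data the audit flags only the police group in building B, where the locally mapped VLAN 30 silently turns intended central switching into local switching.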
RE: ResHall Wireless - FlexConnect
I've not performed tests to that scale yet. Plus we are only considering this for our ResHalls, of which we have 21 buildings only.

-Hector

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John
Sent: Tuesday, March 17, 2015 11:55 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless - FlexConnect

[Quoted text hidden]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hector J Rios [hr...@lsu.edu]
Sent: Tuesday, March 17, 2015 9:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

[Quoted text hidden]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hector J Rios
Sent: Thursday, March 12, 2015 11:13 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

[Quoted text hidden]

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services)
Sent: Thursday, March 12, 2015 7:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

[Quoted text hidden]

From: Hector J Rios [mailto:hr...@lsu.edu]
Sent: Wednesday, March 11, 2015 9:48 AM
Subject: ResHall Wireless

I'm wondering how many of you treat the wireless in the ResHalls differently from the wireless on the rest of your campus. In terms of geography, we have 21 ResHalls
RE: ResHall Wireless - FlexConnect
We played with FlexConnect for a number of months but still could not get what we needed it to do on a consistent basis. Essentially we wanted FlexConnect to drop users into their building VLAN so they would be able to easily interact with the same devices that the wired connections in the buildings could see. As I'm sure you know, this also resolves many of the Apple, Chromecast, etc., problems.

We did have one caveat though that we just couldn't get past -- we wanted to drop faculty/staff into one VLAN and students into another (we can easily return the proper VLAN for a particular client in a particular building from the RADIUS server - FreeRADIUS with a call to our LDAP server for info), but we also need to send everything else back to the controller for central switching (e.g., police connections, special bar-code scanners that roam and serve to identify a user, but not being used for client traffic, for example, to give out free flu shots to eligible folks or let folks into a sporting event). We just couldn't get past having 95+% locally switched and the remainder centrally switched for over 200 buildings, many with now over 100 APs each, without using FlexConnect groups, which are limited to numbers way too small for our campus.

We can even live comfortably without roaming between buildings. Most folks are not used to being able to roam between buildings downtown, or many cannot roam between apartments off campus.

How did you get around the FlexConnect group problem?

==
-jcw

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hector J Rios [hr...@lsu.edu]
Sent: Tuesday, March 17, 2015 9:27 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

I tested FlexConnect on 8.0.110.0. Here are my observations:

* Great alternative to switch data locally (obviously)
* No AVC support
* When the controller is down, the AP goes into standalone mode. Must make sure that the AP is not able to reach any other controller you don't want. This was fixed with an ACL.
* Client details page does not show the client IPv6 address. The client still gets an IPv6 address. (Prime does show it if you run a report.)
* Client details page does not show the VLAN ID.
* Putting an AP in FlexConnect mode does not require a reboot (Cool!)
* No IPv6 ACL support

More testing to do, but so far so good.

-Hector
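The RADIUS side of the scheme jcw describes (FreeRADIUS consulting LDAP and returning one VLAN per role per building), as an added example written for this page; it is not jcw's configuration and not code posted to the list. It is FreeRADIUS 3.x unlang for the post-auth section and assumes, as invented illustration values, that the ldap module is instantiated as "ldap" so that LDAP-Group comparisons work, that the NAS is a Cisco WLC that sends Called-Station-Id as "<AP MAC with hyphens>:<SSID>", and that the group names "staff" and "students", the AP MAC prefixes 00-11-22 and 00-11-33, and the VLAN IDs 110/120 and 210/220 stand in for a real building-to-VLAN table.

```unlang
# Added example for this page (not jcw's configuration). FreeRADIUS 3.x,
# raddb/sites-enabled/default, post-auth section.
#
# Assumptions (all invented for illustration):
#   - the ldap module is instantiated as "ldap", so LDAP-Group comparisons work
#   - the NAS is a Cisco WLC sending Called-Station-Id as "<AP MAC>:<SSID>"
#   - APs in building A have MACs starting 00-11-22, building B 00-11-33
#   - building A uses VLAN 110 (staff) / 120 (students), building B 210 / 220

post-auth {
    # Step 1: derive the building's VLAN pair from the AP MAC prefix and park
    # it in control attributes (Tmp-String-0/1 exist in the stock dictionary).
    if (&Called-Station-Id =~ /^00-11-22-/i) {
        update control {
            &Tmp-String-0 := "110"
            &Tmp-String-1 := "120"
        }
    }
    elsif (&Called-Station-Id =~ /^00-11-33-/i) {
        update control {
            &Tmp-String-0 := "210"
            &Tmp-String-1 := "220"
        }
    }

    # Step 2: only if the AP was recognised, choose the VLAN by LDAP group.
    # The three Tunnel-* attributes are what the WLC reads for VLAN override.
    if (&control:Tmp-String-0) {
        if (LDAP-Group == "staff") {
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "%{control:Tmp-String-0}"
            }
        }
        elsif (LDAP-Group == "students") {
            update reply {
                &Tunnel-Type := VLAN
                &Tunnel-Medium-Type := IEEE-802
                &Tunnel-Private-Group-Id := "%{control:Tmp-String-1}"
            }
        }
    }

    # Unknown AP, or a user in neither group: no Tunnel-* attributes are
    # returned, so the client lands on the WLAN's default interface rather
    # than on a guessed VLAN. Exercise this path with radtest before relying on it.
}
```

Two caveats on the controller side that the fragment cannot show: a Cisco WLC only honours the returned Tunnel-Private-Group-Id when AAA Override is enabled on the WLAN, and whether a FlexConnect AP switches that VLAN locally or hands the client back to the controller is decided by the AP's VLAN mapping and WLAN settings, which is exactly the part jcw found hard to do at scale.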
RE: ResHall Wireless
Hector,

You do not say what wireless solution you are using. Let me assume a Cisco or Aruba controller-based solution.

You can have VLANs from your controller tunnel to an anchor controller in a DMZ. Use 802.1X authentication based on AD groups. This solution permits controlled internal access and, if you desire, unfiltered Internet access.

Until recently, we did something similar with our open Guest wireless network on our Aruba system. We now use a different solution for this.

The anchor controller idea was based on Cisco wireless training several years ago. At that time, it was their recommended guest solution.

Bruce Osborne
Wireless Engineer
IT Infrastructure Media Solutions
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: ResHall Wireless
We use Cisco's wireless solution with WiSM2s and a variety of WAPs. We actually implemented the guest anchor controller solution last year with dual controllers (WLC2504) and we've been happy.

I like Britton's idea of using FlexConnect at the dorms to switch the student data locally. However, I believe there are some limitations that would keep us from using it, such as no support for AVC and some limitations on IPv6.

-Hector
Re: [WIRELESS-LAN] ResHall Wireless
I'm a little late to the party, but as Bruce alluded to, I'm not certain what wireless solution you're using. But in our case, we have a similar setup with different security rules in our student network. We actually carve off their network in a separate VRF and control their traffic routes.

To make that work on wireless, we've done two things. In the larger dorms where they're routing at the building, we put their APs in FlexConnect mode and drop their wireless traffic into the building network. For the smaller dorms where routing isn't present, we have a separate network presented to our production controllers inside the Student VRF and broadcast the same SSIDs tied to this network via AP groups only containing APs in those residence hall spaces.

This gets a little weird sometimes with some dorms being physically close to staff spaces. But we work with those on a case-by-case basis. Most of our buildings are concrete, so that doesn't happen often...

Britton Anderson
blanders...@alaska.edu | Senior Network Communications Specialist | University of Alaska
http://www.alaska.edu/oit | 907.450.8250
RE: ResHall Wireless
Both Ruckus and Aerohive offer similar tech with dynamic PSK or PPSK.

http://2.bp.blogspot.com/-XhUW84JOJj4/TdZdX3YbIJI/AAA/BpQ7LDfc5Yo/s1600/comparison%2Bbetween%2BPPSK.jpg

But both have limits and may not work for larger schools with higher client counts.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bob Williamson
Sent: Wednesday, March 11, 2015 11:10 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] ResHall Wireless

Matthew,

My guess is you already have an infrastructure in place, but Ruckus does a self-activation portal which creates a dynamic PSK for each device.

Hope that info helps,

Bob Williamson
Network Administrator
Annie Wright Schools | 827 N Tacoma Ave, Tacoma, WA 98403 | www.aw.org
D: 253.272.2216 | F: 253.572.3616 | bob_william...@aw.org
Re: ResHall Wireless
We use a separate SSID currently, but they have an IP similar to the other wireless on campus. We have had talks about DMZing our Residence halls from main campus, including their wireless.

CHRISTOPHER ALLISON
Network Engineer I
Information Technology
Mail Code 4622
625 Wham Drive
Carbondale, Illinois 62901
chris.m.alli...@siu.edu
P: 618 / 453 - 8415
F: 618 / 453 - 5261
INFOTECH.SIU.EDU

Choose a job you love, and you will never have to work a day in your life. Confucius
RE: ResHall Wireless
We're still investigating this as well. Our wishlist would be a randomized PSK for each user, sort of like an authenticated guest network. We haven't seen anything that can pull that off though.

Respectfully,

Matthew Williams
IT Manager, Wireless
Kent State University
Office: (330) 672-7246
Mobile: (330) 469-0445
Re: [WIRELESS-LAN] ResHall Wireless
Why not just treat eduroam across the campus in this open way, i.e. don't restrict it (within reason)?

Oli

--
Oliver Elliott
Senior Network Specialist
IT Services
University of Bristol
e: oliver.elli...@bristol.ac.uk
t: 0117 39 (41131)
ResHall Wireless
I'm wondering how many of you treat the wireless in the ResHalls differently from the wireless on the rest of your campus. In terms of geography, we have 21 ResHalls that are on the perimeter of our campus. Some of these buildings are next to academic or administrative buildings. Eduroam is our main SSID. So, for the longest time it has only made sense to broadcast eduroam everywhere.

Now, on the wired side of the house, our ResHalls have a dedicated connection that gives them direct, non-firewalled access to the internet (for access to campus resources, a student must VPN). This came about as a request from the students to have more freedom in their residence. Makes sense. But wireless is different, as it goes through our campus core, traverses our perimeter firewall, and goes out our main internet connection. I've struggled to find an alternative solution to this.

We recognize that students in ResHalls are different in the sense that they pay for a place to live and should get an internet service that is similar to their home service. However, any alternatives that we have considered (separate SSID, dynamic VLAN assignment, user groups) just seem to complicate the setup. Any good ideas out there or creative ways in which you have tackled this challenge?

Thanks,

Hector Rios, CCNP, CCA
Assistant Director, Network Engineering
Dept. of Networking and Infrastructure
Information Technology Services
Louisiana State University