Transitioning to dot1x

2009-02-19 Thread Bob Richman
We are in the process of trying to move all of our users to our wpa/wpa2 dot1x wireless. We hope to shut down the wide open non-authenticated ssid this summer. We've had numerous communications sent out and we always seem to get responses that the new dot1x network is slower than the old and

RE: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Lee H Badman
Hi Bob- We've been doing dot1x now for a few years, and in my opinion people tend to struggle with: - What EAP type to use - What RADIUS server to use - How to get supplicants configured, and whether or not to support a variety of supplicants - What about AD

Re: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread lelio
Last time I checked, Windows Mobile didn't come with a dot1x supplicant (that worked). Do you require users to purchase their own supplicant or do you have a site license? Lelio Fulgenzi, Senior Analyst Computing Communications University of Guelph 519-824-4120 x56354 ...sent from my iPod -

RE: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Daniel Bennett
We have a separate PDA network with MAC filtering and restricted ACLs to make up for MAC filtering being weak. Daniel Bennett IT Security Analyst Security+ PA College of Technology One College Ave Williamsport PA 17701 (P) 570.329.4989 From: The EDUCAUSE Wireless Issues Constituent Group

Re: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Doug Hoffman
We've been running a combination of WPA/TKIP and WPA2/AES with 802.1x (PEAP/MS-CHAPv2) for approximately 1.5 years now, WEP with 802.1x for several years prior to that. For about the past 2 years, we've been running on a single WISM with all

RE: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Bob Richman
We are using MS IAS for radius with PEAP. We don’t have trouble getting folks configured and connected. Just after that we get complaints of ‘getting kicked off’ and was wondering if anyone else sees this sort of behavior. I suspect this mostly occurs during roams, but don’t really have any

RE: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Scholz, Greg
We don’t see this but have you checked the “support fast roaming” (or something like that) setting on the IAS and clients? From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Bob Richman Sent: Thursday, February 19,

RE: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Daniel Bennett
We use the new Network Policy Server, part of Windows 2008 Server. We found that enabling fast reconnect on the client (for Windows) could help to prevent users from losing connection. There are also other contributing factors: · Do you have the AP saturation to support seamless

Broadcast Flood

2009-02-19 Thread Martin Jr., D. Michael
We have currently expanded our wireless coverage on our campus to include most of our residence halls. Our wireless network infrastructure consists of HP Procurve 420 access points throughout most of our campus and we are using RADIUS MAC authentication (no additional encryption) to place

RE: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Bob Richman
The 2nd point Daniel makes is what I am trying to zero in on. We are thinking that in areas where the saturation is not optimal, handoffs worked just fine on a wide open wlan, but then causes problems when using an 802.1x authenticated wlan. From: The EDUCAUSE Wireless Issues Constituent Group

RE: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Johnson, Bruce T
Check your WLAN Session timeout - this forces a full re-auth at the specified interval. The default for dot1x is every 30 minutes. You may want to make this value larger. The User Idle Timeout will do the same thing, but most laptops generate enough incidental traffic to keep the idle timer

RE: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Daniel Bennett
What Bob just said is true. We found that less saturated areas had issues that went unnoticed in the days of open wireless. Increasing saturation where we could fixed those areas. Daniel Bennett IT Security Analyst Security+ PA College of Technology One College Ave Williamsport PA 17701 (P)

Re: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Charles Bisel
If you are using WPA/TKIP, change your Auth Key Mgmt to 802.1X + CCKM on your WLAN in order to activate Fast Secure Roaming. Charles Bisel WLAN Architect Bayer Corporation 100 Bayer Road Pittsburgh, PA 15205 EMAIL charles.bi...@bayerbbs.com WEB http://www.bayerus.com Johnson, Bruce T

Re: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Charles Bisel
True, WZC doesn't support CCKM, however unless I missed something, I don't recall Bob mentioning a specific supplicant. Clients who use WZC (why anyone would is beyond me) will still be able to connect without issue, as it is considered optional on the WLAN. Charles Bisel IT Operations Bayer

RE: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Johnson, Bruce T
One useful application with WZC-based PEAP is machine authentication for unattended devices that need to stay connected. I'm not sure any non-native supplicant supports this. Bruce T. Johnson | Network Engineer | Partners Healthcare Network Engineering | 617.726.9662 | Pager: 31633 |

Re: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Jason Appah
There isn't, which is a real bummer, as there are many many drawbacks to the WZC client On 2/19/09 8:41 AM, Johnson, Bruce T bjohns...@partners.org wrote: One useful application with WZC-based PEAP is machine authentication for unattended devices that need to stay connected. I'm not sure any

Re: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Charles Bisel
Juniper's Odyssey supports PEAP machine authentication, however you'll typically only see Odyssey in an enterprise environment. The only thing that I like about WZC is that its settings can be configured and enforced via Group Policy. Well, two things... it's also free. Charles Bisel WLAN

RE: Broadcast Flood

2009-02-19 Thread Tupker, Mike
We also have AP420s setup with radius auth using 802.1x, however our RADIUS server is a 2008 network policy server. The only thing I can think of is in the web config on the wireless interfaces page on the APs do you have the VLAN tagging enabled on for the SSID? The only issue we've had with

RE: [WIRELESS-LAN] Density and Cisco LWAPP

2009-02-19 Thread Greene, Chip
My assumption was that they were broadcasting a large number of SSIDs (up to 8) in a dense environment (possibly 5-6 APs). At this level I would assume the beacon traffic and back-off algorithms may come into play. I will look into this either way. Brian, please correct me if my assumptions

RE: Broadcast Flood

2009-02-19 Thread Martin Jr., D. Michael
Thanks for the reply. Yes, we do have VLAN tagging enabled and, in fact, that is how the placement of the computers in the correct VLAN typically works and has worked for the last several years. It has only become a problem, and the problem is intermittent, in the last 3 or 4 months. HP has

RE: Density and Cisco LWAPP

2009-02-19 Thread Kellogg, Brian D.
We have three SSIDs that we use here. From my limited testing the percentage drop in bandwidth utilization for management traffic happened after upping the beacon time interval. I did not try and set it back to the default to see if the utilization would correspondingly climb back up as yet.

RE: Broadcast Flood

2009-02-19 Thread Tupker, Mike
:) Just had to ask. Sometimes the solution is an easy one. The only other way I know of to control broadcasts on the AP420s is bc-mc-limiting command from the command line for the Ethernet interface. Actually I may try this for our issue as well. The release notes for firmware version 2.1.2

Re: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Oliver Gorwits
Johnson, Bruce T wrote: One useful application with WZC-based PEAP is machine authentication for unattended devices that need to stay connected. I'm not sure any non-native supplicant supports this. I've not used the software, but the Open1X

RE: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Scholz, Greg
One caution I would put out for any product that can do machine authentication is to realize that it means the supplicant is working prior to user interactive login and with access to system level credentials. And then does it change over to the users creds once they login interactively? One

Re: [WIRELESS-LAN] Broadcast Flood

2009-02-19 Thread Jason Appah
Does anyone have this command for aruba mc2400? I'm too lazy to look it up :) On 2/19/09 11:46 AM, Tupker, Mike mtup...@mtmercy.edu wrote: :) Just had to ask. Sometimes the solution is an easy one. The only other way I know of to control broadcasts on the AP420s is bc-mc-limiting command from

Re: [WIRELESS-LAN] Broadcast Flood

2009-02-19 Thread Dennis Xu
WISMs have good broadcast and multicast controls by default as addressed below: http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch2_Arch.html#wp1028269 Dennis Xu Network Analyst Computing and Communication Services University of Guelph 5198244120 x 56217 - Original

Problem with iPod Touch accessing wireless network.

2009-02-19 Thread Daniel Albaugh
Hi all, Our university just purchased a small truck load (300) of iPod Touches for the students to use and they have a problem connecting to our wireless infrastructure. Our wireless infrastructure consists of Cisco lightweight APs (some 1200s, 1242s and some 1130s) with the WISMs,

RE: [WIRELESS-LAN] Transitioning to dot1x

2009-02-19 Thread Frank Bulk
If you don't use WZC, what supplicant is used in your client base? Frank From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Charles Bisel Sent: Thursday, February 19, 2009 10:35 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

[no subject]

2009-02-19 Thread Lee H Badman
Given that Cisco controller 5.2 code features CAPWAP versus LWAPP in earlier versions, can anyone comment on any found gotchas or significant operational differences to be aware of (I know CAPWAP needs new ports opened on firewalls, for example)? I also notice that the new 1140s MUST run

Re:

2009-02-19 Thread Eric W. LaCroix
Hi, This is an automatic reply. My mailbox does not accept messages without a Subject. Your email did not appear to contain a Subject and was automatically deleted. Please re-send it with a meaningful subject and I will receive your message and respond. Thank you! ** Participation