Re: [WIRELESS-LAN] EAP-TLS using ADCS and/or SecureW2

2020-02-12 Thread Cappalli, Tim (Aruba)
When the supplicant is properly configured, it is not dependent on an individual leaf certificate and will not be impacted by the renewal of the EAP server certificate. tim From: The EDUCAUSE Wireless Issues Community Group Listserv Date: Friday, February 7, 2020 at 1:42 PM To:

Re: [WIRELESS-LAN] [WIRELESS-LAN] Google Home Different SSIDs

2019-12-16 Thread Cappalli, Tim (Aruba)
If you just close the Home app while the Home/Chromecast is attempting to connect, it will connect successfully. Wait about 60 seconds before opening the Home app again. From: The EDUCAUSE Wireless Issues Community Group Listserv Date: Saturday, December 14, 2019 at 12:11 PM To:

Re: [WIRELESS-LAN] InCommon certificate trust chain issues with upgraded Windows Systems

2019-09-16 Thread Cappalli, Tim (Aruba Security)
An EAP server certificate from a PKI in your control is always the recommended path. A public CA-signed EAP server certificate should be a last resort. tim From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of "McClintic, Thomas" Reply-To: The EDUCAUSE Wireless Issues

Re: [WIRELESS-LAN] Feasibility of an open SSID for student use

2019-09-13 Thread Cappalli, Tim (Aruba Security)
Just a clarification. Android 10 generates a MAC address per ESSID for the lifetime of the OS instance. It does not change daily. From: The EDUCAUSE Wireless Issues Community Group Listserv on behalf of Felix Windt Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv Date:

Re: [WIRELESS-LAN] Onboarding Android devices

2018-08-07 Thread Cappalli, Tim (Aruba Security)
PEAP is not standardized and was not designed to be used outside a Windows AD-joined, GPO controlled environment. I'm hoping Google's changes (very welcome IMO) and continued restrictions on Apple platforms will steer people away from legacy, deprecated protocols/EAP methods. tim On

Re: [WIRELESS-LAN] Issues with Windows 10

2018-07-31 Thread Cappalli, Tim (Aruba Security)
nd equally secure to a supplicant utility, so we also support that avenue for configuration. However, if you don't have a public-CA-signed certificate, they display the words "Not Trusted" in red bold letters during the certificate verification process. On Tue, Jul 31, 2018 at 5:30 PM

Re: [WIRELESS-LAN] Issues with Windows 10

2018-07-31 Thread Cappalli, Tim (Aruba Security)
Just curious, for those running a supplicant configuration utility, why are you using a public CA-signed EAP server certificate? On 7/31/18, 4:21 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Charles Rumford" wrote: On 07/31/2018 04:18 PM, Michael Dickson

Re: [WIRELESS-LAN] Aruba Clearpass Guest Portal

2018-06-04 Thread Cappalli, Tim (Aruba Security)
Feel free to unicast me any questions as well. tim TIM CAPPALLI | Aruba Security On 6/4/18, 3:46 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Kenny, Eric" wrote: Hi Patrick, We are using the guest portal for self-registered and sponsored guest

Re: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-04 Thread Cappalli, Tim (Aruba Security)
Hector, Something definitely seems amiss then. I’ll take a look at the case. A maximum of 1 access license is consumed per MAC address, regardless of multiple sessions or lack of accounting stop. Thanks for the followup. tim From: The EDUCAUSE Wireless Issues Constituent Group Listserv

Re: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-03 Thread Cappalli, Tim (Aruba Security)
learPass - not so clear anymore Authentication might not stop, but what about access to the UI or the ability to make config changes? -H From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba Security) Sent: T

Re: [WIRELESS-LAN] ClearPass - not so clear anymore

2018-04-03 Thread Cappalli, Tim (Aruba Security)
Hector, During a roam event where a new session is created, a stop should also be generated by the NAD, so this should be a non-issue. Also, as of 6.7.2, TACACS+ does not directly consume any access licenses (as long as you have at least 100 access licenses installed, TACACS+ usage is

Re: [WIRELESS-LAN] Amazon Fire Tablet Line - 802.1x Support Dropped?

2018-02-09 Thread Cappalli, Tim (Aruba Security)
Kind of makes sense though doesn’t it? Why would you want to allow a device unique private key to be used without requiring a device unlock? From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of "Turner, Ryan H"

Re: [WIRELESS-LAN] Wall plate AP and Coax line sharing box

2018-01-24 Thread Cappalli, Tim (Aruba Security)
For the Aruba AP-303H, there is now a bracket that allows for two keystone pass-through connectors on the bottom. AP-303H-MNTW (JY688A) On 1/23/18, 4:12 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Richard Nedwich"

Re: [WIRELESS-LAN] IOS 11 problem with eap-mschapv2/peap authentication

2017-10-31 Thread Cappalli, Tim (Aruba Security)
Just curious. Why aren't you using the same EAP server certificate across all of your RADIUS servers? From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Linchuan Yang Reply-To: The EDUCAUSE Wireless

Re: [WIRELESS-LAN] Wi-Fi Request for University Conference event

2017-09-27 Thread Cappalli, Tim (Aruba Security)
What are you using for a AAA solution? ClearPass fully supports per-device PSK with Cisco WLCs with full self-registration. tim From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Jason Cook

Re: [WIRELESS-LAN] UT Austin Biennial Network Report

2017-09-27 Thread Cappalli, Tim (Aruba Security)
William – Very interested in this: >> The wireless “eduroam” service is not available at the university, or for >> university members at other institutions. Current interpretation of the laws >> and policies surrounding use of state resources is that eduroam use is >> prohibited on university

Re: [WIRELESS-LAN] UT Austin Biennial Network Report

2017-09-27 Thread Cappalli, Tim (Aruba Security)
William – Very interested in this: >> The wireless “eduroam” service is not available at the university, or for >> university members at other institutions. Current interpretation of the laws >> and policies surrounding use of state resources is that eduroam use is >> prohibited on

Re: [WIRELESS-LAN] Move In/Opening Week- Any Problems?

2017-08-27 Thread Cappalli, Tim (Aruba Security)
ClearPass will auto-generate an internal WebAuth request by default after a device registration. Create a service to accept this request and issue a disconnect message to the controller to force a reauthentication. See these screenshots for the service config, it’s very basic. You only need

Re: [WIRELESS-LAN] Android phones having strange issues

2017-08-23 Thread Cappalli, Tim (Aruba Security)
Aruba ClearPass Onboard also fully supports Android Oreo. On 8/22/17, 6:16 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Richard Nedwich" wrote: Hi Bruce, Yes, our Wizard

Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

2017-07-25 Thread Cappalli, Tim (Aruba Security)
ireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba Security) Sent: Wednesday, July 12, 2017 10:33 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] EAP-PEAP risk

Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

2017-07-12 Thread Cappalli, Tim (Aruba Security)
E Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba Security) Sent: Wednesday, July 12, 2017 10:33 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment I’m curious abou

Re: [WIRELESS-LAN] EAP-PEAP risk/benefit assessment

2017-07-12 Thread Cappalli, Tim (Aruba Security)
I’m curious about “…certs may give a false sense of security and identity”. Can you elaborate on that? Tim From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Thomas Carter Reply-To: The EDUCAUSE Wireless

Re: [WIRELESS-LAN] 802.1x expired certificate (Eduroam)

2017-07-04 Thread Cappalli, Tim (Aruba Security)
It really depends on how the supplicant is configured. If a configuration tool was used, it may have locked the supplicant to a specific cert and disallowed the user to approve exceptions. On 7/4/17, 11:34 AM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Julian Y

Re: [WIRELESS-LAN] Eduroam adoption (and migration process)

2017-04-28 Thread Cappalli, Tim (Aruba Security)
Can you elaborate on this comment? “whereas with eduroam we were kind of locked-in to the PEAP model.” Eduroam is EAP agnostic. On 4/27/17, 10:57 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Curtis K. Larsen"

Re: [WIRELESS-LAN] Multiple SSIDs, AIrGroups, Consumer Devices and you...

2017-04-26 Thread Cappalli, Tim (Aruba Security)
Ben, You can put a user into a restricted headless “provisioning” role temporarily which would allow them to connect to your headless network and configure the device. We can write policy to check the device registration database to ensure that they actually have a registered headless device

Re: [WIRELESS-LAN] Shared iPads

2017-04-18 Thread Cappalli, Tim (Aruba Security)
Jason – Are the tablets managed by an MDM/EMM? From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of "Osborne, Bruce W (Network Operations)" Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv

Re: [WIRELESS-LAN] ClearPass AirGroup in the classroom

2017-04-07 Thread Cappalli, Tim (Aruba)
Also keep in mind that the registration feature isn’t just for AirGroup. Many of our enterprise and edu customers leverage it as headless device self-service registration for wired and wireless (Chromecasts, AppleTV, printers, game consoles, etc). Users can register and manage all of their

Re: [WIRELESS-LAN] macOS Sierra and 802.1X certificate storage/validation

2017-03-28 Thread Cappalli, Tim (Aruba)
As of 10.12.3, it does not seem to be prompting users to store the certificate anymore. Still trying to track down what changed. On 3/28/17, 3:27 PM, "The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Julian Y Koh"

Re: [WIRELESS-LAN] Dorm Wireless Authentication

2017-03-28 Thread Cappalli, Tim (Aruba)
Lee, so I assume you’re not supporting mDNS and DLNA based services? From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of "Bucklaew, Jerry" Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv

Re: [WIRELESS-LAN] Certificate for 802.1x

2017-03-13 Thread Cappalli, Tim (Aruba)
One trick with configuring clients: You can configure the client with common name validation and then validate the root CA. When you have to renew the certificate, users *shouldn’t* receive any messages because the validation information in the supplicant remains the same. The ideal solution

Re: [WIRELESS-LAN] Certificate for 802.1x

2017-03-13 Thread Cappalli, Tim (Aruba)
Couple of things - Wildcard and EV certificates should never be used for RADIUS - Keep in mind that EAP server certificate trust is different than system level certificate trust. o Even with a public certificate, you will still receive a certificate prompt on initial

RE: [WIRELESS-LAN] SSID names

2017-02-22 Thread Cappalli, Tim (Aruba)
An interesting workflow for captive portal is to use locally significant IP space on your controllers for pre-authentication states, then leverage a server initiated workflow that disconnects the user after successful authentication and they reconnect into their final VLAN/IP space/role.

RE: [WIRELESS-LAN] SSID names

2017-02-21 Thread Cappalli, Tim (Aruba)
Have you considered using eduroam as your primary 802.1X SSID? -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Julian Y Koh Sent: Tuesday, February 21, 2017 15:43 To:

RE: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request?

2017-02-08 Thread Cappalli, Tim (Aruba)
Yes, you can easily support local machine authentications on eduroam by configuring service rules that check for BEGINS_WITH host\ and ENDS_WITH .domain.edu. I deployed this at a university in a previous life. Worked well. Even if there was some way to support machine authentication at

RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-06 Thread Cappalli, Tim (Aruba)
certificate for several years on multiple servers without any SANs. Bruce Osborne Senior Network Engineer Network Operations - Wireless (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Cappalli, Tim (Aruba) [mailto:t...@hpe

RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Cappalli, Tim (Aruba)
matches the CN or SAN. So you can't always do that. But you could do something like *.radius.univ.edu as a SAN and call them radius01.radius.univ.edu which would match. Sent from my iPhone On Feb 3, 2017, at 2:45 PM, C

RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Cappalli, Tim (Aruba)
always do that. But you could do something like *.radius.univ.edu as a SAN and call them radius01.radius.univ.edu which would match. Sent from my iPhone On Feb 3, 2017, at 2:45 PM, Cappalli, Tim (Aruba) <t...@hpe

RE: [WIRELESS-LAN] wild card certs and PEAP

2017-02-03 Thread Cappalli, Tim (Aruba)
For an EAP server certificate, you do not need SANs for every server. You can do something generic like “network-login.domain.edu” and put that cert on every box. The SANs will never be referenced and will just add significant cost. From: The EDUCAUSE Wireless Issues Constituent Group

RE: [WIRELESS-LAN] Windows 10 eduroam EAP/TLS adding "host/" before username in RADIUS request?

2017-02-01 Thread Cappalli, Tim (Aruba)
Sounds like the client is configured for computer authentication, not user. You can change this in the supplicant configuration. From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Watters, John Sent: Wednesday, February 1,

RE: [WIRELESS-LAN] XBox One Session Timeout

2017-01-19 Thread Cappalli, Tim (Aruba)
You could return a different session-timeout value based on policy in your AAA server. Device Category: Game Console Device OS Family: Microsoft Session-Timeout: X From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf

RE: [WIRELESS-LAN] support of L2 peering devices?

2016-11-30 Thread Cappalli, Tim (Aruba)
Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Cappalli, Tim (Aruba) Sent: Wednesday, November 30, 2016 9:43 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

RE: [WIRELESS-LAN] support of L2 peering devices?

2016-11-30 Thread Cappalli, Tim (Aruba)
<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> ] On Behalf Of Cappalli, Tim (Aruba) Sent: Wednesday, November 30, 2016 8:41 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] support of L2 peering devices? Tim, Chromeca

RE: [WIRELESS-LAN] support of L2 peering devices?

2016-11-30 Thread Cappalli, Tim (Aruba)
Tim, Chromecast will work with the AirGroup service Googlecast enabled and with drop broadcast/multicast enabled on the VAP. This can work in large subnets or multiple smaller subnets. Tim Aruba ClearPass Team From: The EDUCAUSE Wireless Issues Constituent Group Listserv