I'm not too familiar with how Aruba handles ARPs; does it do proxy ARP? I have
seen Apple devices go to sleep before all broadcast/multicast traffic is sent
by the AP, although that was 5 years ago. So I can believe that a behaviour
change could cause increased ARPs if the devices aren't seeing
Microsoft note this behaviour and have some sort of workaround in their NPS MFA
extension:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#radius-protocol-behavior-and-the-nps-extension
Really though, doing MFA for RADIUS is a square peg in a round
Which is great and I agree with, but Android went and made it really hard to
onboard a private CA, and so now people are going back to public certs for EAP
to lower their support burden.
ich would clear after a
reboot. I haven't seen that since going to 8.7.1.3 40 days ago so I
think it's fixed. This one was more of a problem since clients would try
to connect and fail and not try another AP, so it actually caused
ongoing outages.
We also have a 375 and 377 but they've
Printing has auth, any decent screen mirroring solution requires a PIN, plus
AirGroup or similar to limit by location.
From: Tim Cappalli <0194c9ecac40-dmarc-requ...@listserv.educause.edu>
Date: 16/4/21 22:22 (GMT+08:00)
To: WIRELESS-L
what speeds you rate limit to if it is rate
> limited and how you came to that conclusion.
There was a talk on this at WLPC Phoenix 2019 about this
https://wlanprofessionals.com/the-netflix-effect-on-guest-wi-fi-jim-palmer-wlpc-phoenix-2019/
it). Microsoft
isn’t helping because there’s no cloud RADIUS (NPS is explicitly not supported
in Azure). It’s the responsibility of vendors to provide accessible tools for
security.
ge is only on Pixel devices, is that because no
others have Android 11 or because only Google is implementing it?
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
I disagree, but OWE or SAE with a captive portal then? At least I can use
modern authentication methods like hardware keys and TOTP with a browser.
Why couldn't Google add trust-on-first-use to Android like Apple has with iOS
and macOS, and Microsoft has in Windows?
without any band selection on the APs.
On 10/10/20 3:32 am, Jake Snyder wrote:
> One thing to keep in mind is that iOS devices start behaving poorly
cess, which is
about how much progress I was expecting when this all kicked off.
Thanks,
**
Replies to EDUCAUSE Community Group emails are
ely agree that vendors (both client and wifi
infrastructure) should make EAP-TLS easier to deploy.
Where's
the Microsoft supported agent that does device-specific TTLS-PAP like
you suggest?
Also https://www.securew2.com/blog/pitfalls-of-eap-ttls-pap/ is the top
Google result for [TTLS-PAP]; admittedly it's about user credentials, not
device credentials, but it's still a risk.
On 21/7/20 5:21 am, Tim Cappalli wrote:
> Passpoint solves all of these issues.
Where is the vendor support for it? Autopilot white glove doesn't even
support wireless networks at all.
Cisco WLC/Edit.../RFC 3576
Configuration, and then what Manage RFC 3576 Configurations... has. I
have this, which has the correct port:
heduled for tomorrow
On 10/1/20 5:01 pm, James Andrewartha wrote:
> Hi all,
>
> I read this thread with some trepidation, since we'r
ing on the AP - I've seen
three different bad behaviours on Extreme, Aruba and Cisco. We've got
200 Surface Pro 7s with Intel AX201 chipsets which I'll hopefully
Thanks,
r a replacement under warranty.
I'm not aware of any blog posts about it, this comes from the #apple-tv
channel on the MacAdmins Slack https://macadmins.herokuapp.com/
reasonably manageable now. Just don’t get the 4K version, if they get
stuck in an app and lose their connection to the MDM you have to RMA them.
/center/content/CiscoSecurityAdvisory/cisco-sa-20180516-dna
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
on behalf of Lee H Badman
gs, and both of those can trust multiple CAs for a given SSID. On
iOS we don't push out wireless config, but we were going to reprovision
the remaining ones anyway at the end of this year so that's fine.
Thanks,
s
>> infrastructure), what is the consensus on the following strategies:
>>
>>
>>
>> Option 1: Using a self-signed/private PKI and a 10 year cert. Onboard
>> with "verify server certificate" enabled
>>
>>
>>
>> Option 2: Rem
How did you measure the 35% improvement?
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
on behalf of GT Hill
600Mbps on a single AP is impressive, is that with a 40MHz or 80MHz channel?
What sort of client mix is generating that much traffic?
No
And it needs a whole ‘nother controller (APIC-EM) with supported switches
http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/application-policy-infrastructure-controller-enterprise-module/datasheet-c78-739052.html
and WLC (8540, 5520, 3504 only).
overlaps with Nyansa
so I won’t be investigating that. Also because my budget is capital-focused
currently which means I need physical items to stick asset tags on, and 11ac
Wave 2 APs don’t excite me at all (the only MU-MIMO capable device on campus is
my personal phone).
Thanks,
5GHz AC Access Point
[snip]
> I didn't post the link to the data sheet but is listed on the site.
Is it actually available yet? The only in-wall AP I see on the ubnt.com
is the 2.4GHz-only one.
Thanks,
this
function, the list according to Wikipedia is:
Apple AirPort Express with firmware version 7.4.1 or 7.4.2[3]
Apple AirPort Extreme with firmware version 7.4.1 or 7.4.2[3]
Apple AirPort Time Capsule[3]
Apple TV (all generations)
Computers running Mac OS X Snow Leopard act as a Bonjour sleep pro
address. What sort of
devices are the ones stealing the IP addresses?
For us, the solution was to statically (via DHCP) assign IPs to the
Apple TVs.
Thanks,
interference, and will allow better AP positioning.
Yes, you do need to run an extra cable (although not if you’re already using
dual-radio APs with 2.4GHz turned off), and it’ll still use a full AP license,
but at least give us that option *gets off hobby horse*.
I’d settle for being able to jump to a new code version without upgrading
everything. It’s a bit easier with virtual controllers, just spin up a new one
and move some APs to it. Of course, even when you do that users still take a
week to start reporting problems …
Apple
devices in particular.
**
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list
nt didn't send, or in responses to the
> client's request unless promiscuous mode is enabled, which then isn't a fair
> test of what the laptop did or did not hear.
My baseline hardware was a 15" Mid-2012 rMBP running 10.9.5, which is
only 11n capable. When rebooted in
n 10-40% of the ARP packets of the second laptop in my testing, depending
on the load.
IP addresses.
We have filed a ticket with Apple, radar://26488949 if anyone has any
contacts to escalate it. The fastest resolution we've had for any Apple
bug is 3 years, so I don't expect this to be fixed any time soon.
P
was configured with an 11g protection rate of 11Mbps. Setting that to
2Mbps and the client could talk fine.
DFS channels
and 40MHz at the start of the year but I was getting a lot of radar
alerts so went back to 20MHz and non-DFS in 5GHz.
It's not Cisco, but applying an ACL on the controller to block access to the
local subnet might work:
https://community.extremenetworks.com/extreme/topics/block_mu_to_mu_traffic_ap_filter_rule
From: Oliver Elliott
Date: 2015/07/08
u can run netsh wlan show profile name="SSID" key=clear I wonder how it
will interact with Aerohive Private PSK and Ruckus Dynamic PSK which give each
user their own individual PSKs per-device.
http://www.reddit.com/r/sysadmin/comments/3aam8m/because_i_really_want_my_clients_wpa_keys_s
onally I'm on 10.10.3 and can confirm it's very
annoying, we're waiting for a fix before upgrading our fleet of laptops.
//www.cisco.com/c/en/us/products/collateral/wireless/aironet-3600-series/white_paper_c11-713103.html#_Toc383047848
http://chimera.labs.oreilly.com/books/123401739/ch03.html#medium_access_procedures
http://chimera.labs.oreilly.com/books/123401739/ch05.html#section-channel-selection
and my
client base is 80% 5GHz. Since we're a K-12 1:1 iPad school, I can at
least predict where the ac clients are going to be as we go through our
3 year refresh cycle.
ver I also needed to add init.ess.apple.com (found via
wireshark) before activation would succeed. We're using Extreme
(Enterasys) NAC and wifi, which allows DNS whitelisting.
g when those packets are received, although
they are noted at the kernel layer.
So it still looks broken, and like it’s a supplicant issue to me. Has anyone
else tried it out?
Thanks,
push
theoretical boundaries for just a few users.
[1]
http://www.cisco.com/c/en/us/products/collateral/wireless/aironet-3600-series/white_paper_c11-713103.html
ggers roaming on
-70dB RSSI, uses 802.11k and 802.11r to speed up the process. It mentions
there are other criteria in different environments, but annoyingly doesn't
provide any references.
eer-to-peer AirPlay, because it provides a fast, direct
> connection between the AirPlay sender and AirPlay receiver.
> Peer-to-peer AirPlay is always secured with Require Device Authentication.
> This setting isn’t configurable by the user, and it prevents any nearby rogue
> us
profile or download it directly on the device, they don't work with
Apple Configurator or a third-party MDM.
most places. We do
have 1 AP per classroom (yes, I know, it made sense when iPads only had
20MHz/1SS 802.11n).
Which vendors offer 5GHz-only APs? Particularly with 802.11ac being 5GHz
only and performing best at short ranges, it seems like a great way to
provide fill-in coverage and performance, as
hey'll put a PIN on the screen and you put that in to
> connect to it.
Not necessarily a PIN:
http://gigaom.com/2014/06/26/chromecast-will-use-ultrasonic-sounds-to-pair-your-tv-with-your-friends-phones/
Actually, a little further reading and I can see PacketFence does allow inline
enforcement, at which point you have the full power of iptables available to
you.
02.1x
on wired too, but the tooling around X.509 will have to improve a lot before I
do.
Thanks,
ganization has a complex network."
http://www.apple.com/ios/ios8/enterprise/
we're seeing Bonjour instability (you try telling a teacher to
plug into a cable after using AirPlay last year), which may be caused by
too much broadcast/multicast traffic or possibly just Bonjour not
handling seeing queries from devices on different VLANs.
y better for Mac configuration at least,
there are still problems (albeit different ones). WPA2-PSK (unless you use
a dynamic PSK like Ruckus) also means all authenticated clients can
decrypt everyone else's traffic which isn't great for security.
ffner/2014/01/10/airplay-without-bonjour-on-enterprise-wireless-networks/
So the app advertises the Airplay service over the network, but only the
device it's running on sees the advertisement because you have multicast
disabled?
ts can
only see their own Apple TVs, but does it let the user authorise others to
use it, e.g. for shared residences?
Thanks,
tps://itunes.apple.com/us/app/solstice-client/id604298374?mt=8
[3]
http://help.apple.com/profilemanager/mac/3.0/#apd621BA9DF-4301-4D76-8A90-84E05E343FFA
of mirroring from iOS - you can only display from their app. If
we were happy with that, our projectors (Epson) have their own app
available now. For us, being a K-12 school that only has Apple devices,
the Apple TV is a no brainer given its price.
o dual band units and turning the 2.4 radio off.
Some vendors have APs with radios that can work on either 2.4 or 5GHz.
Meru and Xirrus are the ones that come to mind, I can't remember if any
other vendors offer that.
02.11ac for a while yet.
e types of things in spite of all their other wireless issues.
The vendor information I've seen says that 4 spatial streams will debut
with 802.11ac Phase 2 in 2015, along with MU-MIMO (which will be really
worthwhile for us with plenty of 1SS mobile devices).
/ps5678/ps13367/data_sheet_c78-729421.html
They almost got it into an 802.3af power budget, except it runs in 3x3:3
MIMO instead of 4x4:3 which shouldn't make too much of a difference.
responses be
> raised from its default 5 second value to 30 seconds, since the Macs are
> eventually responding - it just takes a long time in some cases.
I've upped my RADIUS timeout to 30 seconds (from 15), I'll see if that
has any effect.
to the same outside IP as the server)
>
> You can have multiple caching servers - but even a single mac mini can
> offload quite a bit of your outside networks.
to see what signal
strength the OS perceives for each BSSID (sorted by RSSI so long as your
SSIDs have no spaces):
/System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport -s | sort -rnk3
a circle. Not as much fine control over wireless details like
minimum basic rates, AMPDU etc. Troubleshooting (not that I've had to do
any) involves SSHing into the AP (they run Linux).
For the price, you could pick up a three pack and have a play yourself.
I've sent you my thoughts ab
set policy rule admin-profile macsource 9c-20-7b-00-00-00 mask 24
admin-pid 14
set policy rule 14 udpsourceportIP 5353 mask 16 drop
set policy rule 14 udpdestportIP 5353 mask 16 drop
Thanks,
all features or not maintain sessions if the controller fails.
I haven't really looked at the new range of thick APs like Meraki or
Aerohive, so can't comment on their architecture.
ning wifi off and on or rebooting). This is mostly only a
problem when I'm testing an iPad with our NAC; I spoke to our
vendor (Enterasys) and they've noticed it as well.
t, you'll want a good partner - that was one reason
we didn't go with Cisco, as that partner had done our CUCM install and
left us in the lurch a bit.
To sum up, the wireless tech is important, but so are all the parts that
surround it too, so work out what else you want from the wir
e set and forget than
ongoing management, mainly targeted at small deployments from what I can
tell.
NS-SD domains, but I don't know how you control who can do
that, or if they can.
their base units, just turn off the wireless interface
The other option is avahi, which can reflect bonjour across subnets:
http://www.prolixium.com/mynews?id=969
DNS-SD, you could perhaps use DHCP
option 82 to publish subdomains for DNS-SD that only publishes Apple TVs
in the building of that AP or switch. I've no idea how you'd manage that
sort of mapping though, doing it manually is out of the question, is
there any software to manage that s
with some hackery. Obviously a well-engineered product beats
general hacks any day.