An interesting workflow for captive portal is to use locally significant IP space on your controllers for pre-authentication states, then leverage a server initiated workflow that disconnects the user after successful authentication and they reconnect into their final VLAN/IP space/role.
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Schuette, David Sent: Wednesday, February 22, 2017 11:25 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] SSID names We found the use of a captive portal to reduce the usage of our infrastructure and internet. We went from over 60,000 unique clients to less than 28,000 a day.. Still have to dish out the addresses. Sent from my Verizon 4G LTE smartphone -------- Original message -------- From: Jake Snyder <jsnyde...@gmail.com<mailto:jsnyde...@gmail.com>> Date: 2/22/17 9:03 AM (GMT-07:00) To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] SSID names Clients will connect and take up an IP with or without a captive portal. They might stay connected longer without access to the internet, but they hit the captive portal which requires an IP. To me, if you rely on a captive portal to solve dhcp issues, you've undersized your subnets and dhcp pools. I see lots of orgs trying very low dhcp timers to "solve" this. The solution is to have a subnet scoped to support the peak number number of unique clients for a given day. Sent from my iPhone On Feb 22, 2017, at 8:16 AM, Jonathan Waldrep <wald...@vt.edu<mailto:wald...@vt.edu>> wrote: > I do have in my back pocket a plan to flatten these /24s into one larger network if need be We recently moved to this model and it has been great so far. One /17 network per router. -- Jonathan Waldrep Network Engineer Network Infrastructure and Services Virginia Tech On Wed, Feb 22, 2017 at 9:39 AM, Tony Skalski <a...@stolaf.edu<mailto:a...@stolaf.edu>> wrote: >how do you stop roaming mobile devices from sucking up all your dhcp addresses? Devices always get the same IP address (until we change the VLAN assignments for the AP group (i.e. vap profile in Aruba-speak)). Granted, Aruba's VALN-assignment hashing algorithm is not perfect and once in a while one of the /24s assigned to the guest SSID exceeds 80% used (our alerting threshold), but that has only happened a few times since school started in September. I do have in my back pocket a plan to flatten these /24s into one larger network if need be, given that Aruba has sufficient controls to deal with {broad,multi}cast traffic. ajs On Wed, Feb 22, 2017 at 7:00 AM, Osborne, Bruce W (Network Operations) <bosbo...@liberty.edu<mailto:bosbo...@liberty.edu>> wrote: With the captive portal removed, how do you stop roaming mobile devices from sucking up all your dhcp addresses? We have found that a captive portal helps reduce usage by roaming devices. Bruce Osborne Senior Network Engineer Network Operations - Wireless (434) 592-4229<tel:(434)%20592-4229> LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Tony Skalski [mailto:a...@stolaf.edu<mailto:a...@stolaf.edu>] Sent: Tuesday, February 21, 2017 4:48 PM Subject: Re: SSID names Up until this past summer, we had three SSIDs: a guest SSID, an open SSID for college users and a 1x protected SSID for college users. There was considerable overlap between the open and guest SSIDs, so we collapsed them into one. We now have: eduroam and 'St. Olaf Guest'. We decided we were OK with 1x-incapable devices using the guest network and removed the captive portal we had on the old guest SSID. On Tue, Feb 21, 2017 at 3:06 PM, Adam T Ferrero <a...@temple.edu<mailto:a...@temple.edu>> wrote: These have served us pretty well. We only have a mac auth SSID in our residence halls. Occasionally it would be useful to have it everywhere but we don't currently. TUsecurewireless WPA2 enterprise which gives different access levels (staff, student, guest) TUguestwireless Open for onboarding (SMS text credentials) eduroam Guest like access for anyone Adam -----Original Message----- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>] On Behalf Of Michael Dickson Sent: Tuesday, February 21, 2017 4:02 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] SSID names eduroam (our only 802.1x offering) UMASS (open, CP, primarily for guests) UMASS-DEVICES (MAC auth'd device support for non-802.1x capable devices, as allowed by policy) Mike Michael Dickson Network Analyst Information Technology University of Massachusetts Amherst 413-545-9639<tel:413-545-9639> michael.dick...@umass.edu<mailto:michael.dick...@umass.edu> PGP: 0x16777D39 On 2017-02-21 15:36, Jim Stasik wrote: > Hello, I have been encouraged by one of our governance bodies to > consider renaming our wireless SSIDs to better match the network names > to the function of the networks behind them. I don't get it, but > maybe I am a little too close to it. We don't have any residential on > our campuses so have just two primary SSIDs in use on our campus (as > well as eduRoam). One is named Public and is our onboarding/guest > network. The other is our authenticated/secure network which we call > MC3Waves and is for all students, staff, faculty and administrators, > with 802.1x on the back end to steer the end user to the appropriate > role. We have had these network around for as long as I can remember > (15 years maybe). I am curious how others are naming and separating > the SSIDs in their environment? > > Thanks in advance, > > Jim Stasik > > Director of Enterprise Infrastructure Services > > Montgomery County Community College > > jsta...@mc3.edu<mailto:jsta...@mc3.edu> > > 215.641.6678<tel:215.641.6678> > > ------------------------- > > Montgomery County Community College is proud to be designated as an > Achieving the Dream Leader College for its commitment to student > access and success. > ********** Participation and subscription information for this > EDUCAUSE Constituent Group discussion list can be found at > http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. -- Tony Skalski Systems Administrator a...@stolaf.edu<mailto:a...@stolaf.edu> 507-786-3227<tel:(507)%20786-3227> St. Olaf College Information Technology 1510 St. Olaf Avenue Northfield, MN 55057-1097 ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. -- Tony Skalski Systems Administrator a...@stolaf.edu<mailto:a...@stolaf.edu> 507-786-3227<tel:(507)%20786-3227> St. Olaf College Information Technology 1510 St. Olaf Avenue Northfield, MN 55057-1097 ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.
