Apologies for not recognizing your name. Of course none of that was new to
you. But of course, you also know about the enterprise wifi solutions with
tunneling and handoff, so I'm not sure what we're even discussing anymore
:-)
--Matt
On Sat, Apr 6, 2013 at 9:22 PM, David Lang wrote:
> On Sat,
Because the Wi-Fi authentication happens *before* the IP address is handed
out.
Frank
-Original Message-
From: David Lang [mailto:da...@lang.hm]
Sent: Saturday, April 06, 2013 7:37 PM
To: Frank Bulk
Cc: LOPSA Tech; Matt Simmons
Subject: RE: [lopsa-tech] Wifi
On Sat, 6 Apr 2013, Frank Bu
If someone spends $50K on a system that has 12 access points then they're
either piloting a small centralized configuration that's ready to scale to
large numbers or just foolish.
Yes, you can build a VPN environment for Wi-Fi that scales to hundreds of
Mbps, but your approach diverges from 99%
On Sat, 6 Apr 2013, Matt Simmons wrote:
> how large do you need to be for this to break? I've done this at
> conferences with over 2000 people, 40 APs across a large hotel. There were
> no signs of problems. I'm interested to learn what problems to look for.
Consider the case of a campus-type installation where a single company has
multip
Sorry, if it wasn't clear, in the previous email, when I said
The goal being to maximize coverage while minimizing the number of
associated mobile devices and at the same time, minimizing the utilized
frequency space.
I meant minimize the number of associated mobile devices /to any one AP/.
-MS
Thanks for the info. One thing I found interesting in the wikipedia writeup of
802.11r (linked to from the 802.11k page) was the explanation that transitioning
from one AP to another used to be fast but with the addition of many newer
things (like 802.11x authentication) the delays are getting la
On Sat, 6 Apr 2013, Frank Bulk wrote:
Yes, an SMB doesn't normally worry about L3 boundaries. If you only
have a few hundred clients in an area you could very well operate
comfortably with a /23 in one L2 broadcast domain.
Your approach of bridging resolves L3 boundary concerns and allows for
retaining of the Wi-Fi client's IP as
On Sat, 6 Apr 2013, Frank Bulk wrote:
If you're using consumer APs then you're not going to have smooth handoffs
to APs, so user sessions will be interrupted as the client dis-associates to
the old AP, associates to the new, acquires an IP address, and then
re-establishes the VPN. That's not smooth.
In regards to volumes, there are m
With an enterprise-class Wi-Fi system the access points, either between each
other, or via a controller, manage the handoff of clients using the PMK so that the
arriving client doesn't need to go through the full connection process.
(http://www.networkcomputing.com/mobile/archives/mobile_archive_112305.ht
You would need to be rather large to need to cross L3 boundaries.
I advocate putting the APs on a separate network from your other traffic, and
having the APs act as bridges. That way users can move from AP to AP and there's
no need to tunnel traffic anywhere, once it gets on the wired network y
On Sat, 6 Apr 2013, Frank Bulk wrote:
The problem with scaling with consumer grade APs is that they lack
- manageability
- automatic channel management
- coordinated RF power control
I see these as all being related, and running OpenWRT on the APs so that they
are 'just linux boxes', with all
The problem comes when they cross L3 boundaries. Enterprise wireless
infrastructures (or campus-wide installations) do tunneling of the device's
traffic back to the original AP they authenticated to, all with seamless
handoff.
--Matt
On Sat, Apr 6, 2013 at 7:50 PM, David Lang wrote:
> why doe
why does the movement of users matter much? Users can roam between different APs
with the same SSID with a VPN just fine.
Also, why do you say 'low traffic volumes'? if you are encrypting the data, it's
going to cost to encrypt it even if you do it at the wifi level instead of the
VPN level.
The problem with scaling with consumer grade APs is that they lack
- manageability
- automatic channel management
- coordinated RF power control
- support for smooth handoffs
- coordinated load balancing of traffic and clients
- PoE-based power
- plenum rating
- support by Voice over Wi-Fi handse
In an environment where the Wi-Fi clients don't move around much, the Wi-Fi
clients are all VPN-capable devices, and traffic volumes are low, VPNs
may work, but in most organizations, and especially higher-ed, WPA2 with AES
based on RADIUS authentication is the BCP. Most organizations want
mac
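As an added illustration of the enterprise setup Frank describes (WPA2 with AES, 802.1X against RADIUS, and APs handing clients off on the PMK rather than repeating the full EAP exchange) laid out on top of David's bridged-AP model, here is a hostapd configuration for one controller-less AP. It is not from this thread or from any list member. The interface, bridge and NAS names, IP addresses, SSID, mobility-domain ID and key material are placeholders I have assumed; the option names are hostapd's own as documented in its sample hostapd.conf. Comments sit on their own lines because hostapd does not strip trailing `#` text from a value.

```ini
# hostapd.conf for one AP in a bridged, controller-less WPA2-Enterprise deployment.
# Added example, not from the thread. Names, addresses and keys are assumptions.

# Radio and bridge: the AP is a plain L2 bridge onto the Wi-Fi VLAN, no tunnelling.
# (wlan0, br-lan and the SSID are assumed names.)
interface=wlan0
bridge=br-lan
driver=nl80211
ssid=corp-wifi
hw_mode=a
channel=36
country_code=US
ieee80211n=1
wmm_enabled=1

# WPA2-Enterprise: RSN only (never wpa=3, which would also admit WPA1),
# AES/CCMP only (no TKIP), EAP key management plus the 802.11r FT key hierarchy.
wpa=2
rsn_pairwise=CCMP
wpa_key_mgmt=WPA-EAP FT-EAP
ieee8021x=1
# Relay EAP to the RADIUS server instead of terminating it on the AP.
# own_ip_addr, nas_identifier and the RADIUS address are assumed values;
# nas_identifier doubles as this AP's R0KH-ID for 802.11r.
eap_server=0
own_ip_addr=10.0.0.11
nas_identifier=ap11.example.net
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-use-a-long-random-secret
acct_server_addr=10.0.0.5
acct_server_port=1813
acct_server_shared_secret=CHANGE-ME-use-a-long-random-secret

# Fast handoff: keep the PMK so a roaming client skips the full EAP round trip.
# PMKSA caching serves returning clients; 802.11i pre-authentication lets a
# client authenticate to the next AP over the wired bridge before it roams
# (useful for clients without 802.11r support).
disable_pmksa_caching=0
rsn_preauth=1
rsn_preauth_interfaces=br-lan
# 802.11r fast BSS transition. mobility_domain is a 16-bit ID that must be
# identical on every AP in the domain (a1b2 is assumed). pmk_r1_push hands the
# derived PMK-R1 to peer APs ahead of the roam; ft_over_ds allows FT via the DS.
ieee80211r=1
mobility_domain=a1b2
ft_over_ds=1
pmk_r1_push=1
r0_key_lifetime=10000
reassociation_deadline=1000
# One r0kh and one r1kh line per peer AP in the mobility domain.
# Format: r0kh=<MAC> <NAS-Identifier> <hex key>  and  r1kh=<MAC> <R1KH-ID> <hex key>
# (256-bit hex key in current hostapd; earlier releases took 128-bit).
# The peer MAC, NAS-ID and key below are assumed values.
r0kh=02:00:00:00:00:12 ap12.example.net 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
r1kh=02:00:00:00:00:12 02:00:00:00:00:12 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
```

Every AP in the domain carries the same RADIUS secret, mobility domain and SSID, and a matching r0kh/r1kh pair pointing back at each of its peers; generate each r0kh/r1kh key randomly (for example with `openssl rand -hex 32`) rather than reusing one across pairs. The EAP method itself (EAP-TLS with client certificates, or PEAP/MSCHAPv2 against a directory) is chosen on the RADIUS server and the supplicant, not in this file; the AP only relays EAPOL.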
On Sat, 6 Apr 2013, Frank Bulk wrote:
Hmm, I want to access my organization's resources over Wi-Fi -- why treat it
as untrusted? The security with WPA2 using AES is more than sufficient.
That same statement was made about WEP and WPA. It may be true, it may not be
true (they don't have a goo
On Sat, 6 Apr 2013, Roy McMorran wrote:
Thanks for the thoughtful questions David... see below
On 4/6/13 1:37 AM, David Lang wrote:
Other than the fact that your APs lock up, what problem are you trying to
solve?
That's high on the list. Also...
* accommodate more users in larger rooms such as classrooms, auditorium,
conference
On Sat, 6 Apr 2013, Edward Ned Harvey (lopser) wrote:
From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
On Behalf Of David Lang
Your Wifi is an untrusted network that can be sniffed and attacked by anyone
in
the area. So don't let it connect directly to your internal netw
Hmm, I want to access my organization's resources over Wi-Fi -- why treat it
as untrusted? The security with WPA2 using AES is more than sufficient.
Frank
-Original Message-
From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org] On
Behalf Of David Lang
Sent: Saturday, A
We use NAGIOS and the same openmanage plugin as listed below, querying over
SNMP. It works really well for us. I've tried to persuade TrustWave
(formerly RedCondor) to enable this on their appliances, so I can monitor
them in the same way. I had a RAID battery out for several months that I
only
On 2013-04-06 at 13:48 +, Edward Ned Harvey (lopser) wrote:
> If you're using AES-256 and keys (not just passwords) then no, they
> can't sniff it. No more than they could sniff your VPN traffic on the
> public internet.
AES is not magic fairy dust which magically makes things secure, it's a
> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
> On Behalf Of Adam Tauno Williams
>
> On Sat, 2013-04-06 at 00:36 +, Edward Ned Harvey (lopser) wrote:
> > I believe radius only handles password authentication.
>
> That's false. Radius supports TLS based authentica
> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
> On Behalf Of David Lang
>
> Your Wifi is an untrusted network that can be sniffed and attacked by anyone
> in
> the area. So don't let it connect directly to your internal network.
If you're using AES-256 and keys (not j
On Sat, 2013-04-06 at 00:36 +, Edward Ned Harvey (lopser) wrote:
> > From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
> > On Behalf Of Brian Gold
> > I would
> > HIGHLY recommend setting up radius authentication if you have
> > a centralized ldap system (Active Directory