
Dear All

 

Good morning. We noticed that most of our iPhone clients connect to the “eduroam” SSID automatically when they step into the campus (not our normal SSID for students, faculty, and staff). And the encryption and security settings are the same between these two SSIDs. These clients have to manually change the wireless configuration on the iPhones, and they can connect to our normal SSID.

 

We are using Cisco WLCs, and other devices (e.g. laptops, Android, etc.) do not have this problem.

 

Do you have a similar issue with your wireless network? Are there any connection strategies for the iPhone?

 

Thank you, and have a nice day.

 

Yours,

Linchuan Yang (Antony)

Wireless Networking Analyst
Network Assessment and Integration,
IITS-Concordia University
Tel: (514)848-2424 ext. 7664

 

 

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

We have the same issue, because our “main” SSID comes after eduroam (alphabetically, our main SSID begins with an “f”).  From what we found, anyone that has both eduroam and the “main” SSID configured on an iPhone, or iPad, will latch to eduroam, and requires manual interaction to switch.

 

From my understanding, the best way to “correct” the issue is to rename the SSID so that it comes before eduroam.

 

There may be other methods, but from what I recall, none are 100% certain of working.

 

 

Patrick Knee

Network Administrator

Computing & Communications

Memorial University

www.mun.ca/cc

 

We've been considering this problem as part of our eduroam deployment (we're still in the configuring and testing stage, no services offered yet), and we decided one of our goals would be that instead of trying to force students to pick the right one, that we would instead configure the network side so that our users didn't have to care.

Remember that the identity provided for eduroam has the university name as the realm. Our plan is to take any users that identify with our realm of wpi.edu to the eduroam SSID, and send back a RADIUS attribute that drops them on the same VLAN as our primary university SSID. (In our case we're also keying off of the client MAC address and correlating with our IPAM registration database, but that's an optional extra step.) That way any of our users can connect to either the university SSID or eduroam and get exactly the same connectivity, while any external eduroam guests get dropped onto our guest VLAN.

Simple, clean, and completely transparent to our users.

Frank Sweetser fs at wpi.edu    | For every problem, there is a solution that
Manager of Network Operations   | is simple, elegant, and wrong.
Worcester Polytechnic Institute | - HL Mencken

On 03/10/2014 11:51 AM, Linchuan Yang wrote:
> Dear All
>
> Good morning. We noticed that most our iphone clients connect to the “eduroam”
> SSID automatically when they step into the campus (not our normal SSID for
> students, faculty, and staff). And the encryption and security settings are
> same between these two SSIDs. These clients have to manually change the
> wireless configuration on the iphones, and they can connect to our normal SSID.
>
> We are using Cisco WLCs, and other devices (e.g. laptops, Android, etc.) do
> not have this problem.
>
> Do you have the similar issue with your wireless network? Is there any
> connection strategies of iphone?
>
> Thank you, and have a nice day.
>
> Yours,
>
> Linchuan Yang (Antony)
>
> Wireless Networking Analyst
> Network Assessment and Integration,
> IITS-Concordia University
> Tel: (514)848-2424 ext. 7664
Message from dannyeaton@rice.edu

That setup is similar to what we're doing - if any of our @rice.edu users join the eduroam, we then assign them in either the 'staff/faculty' or 'student' role/VLAN group which maps to a specific MPLS/VPN. If someone from @*.edu joins, they get assigned to our 'visitor' role/VLAN group which also maps to our visitor MPLS/VPN.
We are doing something similar to WPI with our live eduroam deployment. We went the other direction, though. If you log in to our eduroam SSID with something other than @uvm.edu, the radius server returns the VLAN id of our Guest vlan and the user is dropped into there thanks to the "Allow AAA override" setting on the WLCs.

With this solution it doesn't matter which SSID the user's device remembers, they get the access they need.

-dan

Dan Brisson
Network Engineer
University of Vermont
(Ph) 802.656.8111
dbrisson@uvm.edu

On 3/10/2014 12:35 PM, Frank Sweetser wrote:
> We've been considering this problem as part of our eduroam deployment
> (we're still in the configuring and testing stage, no services offered
> yet), and we decided one of our goals would be that instead of trying
> to force students to pick the right one, that we would instead
> configure the network side so that our users didn't have to care.
>
> Remember that the identity provided for eduroam has the university
> name as the realm. Our plan is to take any users that identify with
> our realm of wpi.edu to the eduroam SSID, and send back a RADIUS
> attribute that drops them on the same VLAN as our primary university
> SSID. (In our case we're also keying off of the client MAC address
> and correlating with our IPAM registration database, but that's an
> optional extra step.) That way any of our users can connect to either
> the university SSID or eduroam and get exactly the same connectivity,
> while any external eduroam guests get dropped onto our guest VLAN.
>
> Simple, clean, and completely transparent to our users.
>
> Frank Sweetser fs at wpi.edu    | For every problem, there is a solution that
> Manager of Network Operations   | is simple, elegant, and wrong.
> Worcester Polytechnic Institute | - HL Mencken
Message from dannyeaton@rice.edu

You are correct, my apologies. @rice.edu goes to 'staff' or 'student', @*.* goes to visitor.

> That setup is similar to what we're doing - if any of our @rice.edu
> users join the eduroam, we then assign them in either the
> 'staff/faculty' or 'student' role/VLAN group which maps to a specific
> MPLS/VPN. If someone from @*.edu joins, they get assigned to our
> 'visitor' role/VLAN group which also maps to our visitor MPLS/VPN.

Danny,

@rice.edu gets assigned to specific VLANs
@*.edu gets assigned to visitor VLANs

What about @other-R&E-domains (.ac.it, .nih.gov, nyser.net,...)?
Are you really selecting on @*.edu, or are you passing all others to the visitor VLAN?

Thanks,

Philippe
www.eduroam.us
No Problem Danny. I'm just breathing again ;-)
Linchuan, Patrick,

If you use the solution from Frank Sweetser or Danny Eaton, you really don't care which SSID your own users are latched on your campus.
Regardless of the SSID, make sure that your own users are being assigned to the same VLANs that they would have been assigned
had they joined the regular secure SSID from your University. 

When we talk to institutions about eduroam we tell them that there is really no need to create additional subnets if there is already a secure network
and a visitor network on campus (unless some specific designs require so). You can assign users with @local-school to the secure subnets/VLANs and assign users with @everything-else to your visitor subnets/VLANs.
And if you have a privileged relation with another neighboring campus you can also assign the secure VLANs to that REALM
(@theneighboringcampuswithwhomwehaveaprivilegedrelation) of that campus.

This method tends to make it easy on Firewall rules and subnet/VLAN creation.
You have to mess around with your Wi-Fi management system (e.g. controller etc...) and your RADIUS though!

This said...always make sure that you require the eduroam SSID to force the usage of the REALM (a condition that you can enforce in RADIUS),
regardless if local or not! (we forgot to do that initially at UTK, and we ended up with travelers not having a great eduroam experience)



Philippe

Philippe Hanset
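
The realm policy described in the messages above (home realm to the secure VLAN on either SSID, every other realm to the visitor VLAN, a realm required on eduroam), as an added Python example that is not any poster's or project's configuration. The realm names, VLAN ids, the `campus` SSID name and the treatment of bare usernames on the primary SSID are assumptions; `missed_by_edu_wildcard` shows which visitor realms a `*.edu`-only rule would skip.

```python
# Added example, not code from the thread. Realm names and VLAN ids are
# constructed placeholders; attribute names follow RFC 3580 VLAN assignment.
import re
from fnmatch import fnmatch

HOME_REALM = "example.edu"               # assumption: local institution's realm
PARTNER_REALMS = {"neighbor.example"}    # assumption: privileged neighbouring campus
SECURE_VLAN, GUEST_VLAN = "100", "900"   # assumption: existing secure/visitor VLANs

# Realm must look like a DNS name: dot-separated labels, alphabetic TLD.
_REALM_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def extract_realm(user_name):
    """Return the lower-cased realm of a RADIUS User-Name, or None."""
    local, sep, realm = user_name.strip().rpartition("@")
    realm = realm.lower()
    if not sep or "@" in local or not _REALM_RE.match(realm):
        return None
    return realm


def vlan_attrs(vlan_id):
    """Reply attributes a controller applies when AAA override is allowed."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan_id}


def authorize(user_name, ssid):
    """Return (decision, reply_attributes) for an outer identity on an SSID."""
    realm = extract_realm(user_name)
    if realm is None:
        if ssid == "eduroam":
            # Realm is mandatory on eduroam, for local users as well.
            return "reject", {}
        # Assumption: a bare username on the primary SSID is a local account.
        return "local", vlan_attrs(SECURE_VLAN)
    if realm == HOME_REALM:
        return "local", vlan_attrs(SECURE_VLAN)   # same VLAN on either SSID
    if realm in PARTNER_REALMS:
        return "proxy", vlan_attrs(SECURE_VLAN)   # privileged neighbour
    return "proxy", vlan_attrs(GUEST_VLAN)        # every other realm


def missed_by_edu_wildcard(user_names):
    """Valid visitor realms that a '*.edu'-only visitor rule would not match."""
    realms = {extract_realm(u) for u in user_names} - {None, HOME_REALM} - PARTNER_REALMS
    return sorted(r for r in realms if not fnmatch(r, "*.edu"))


# Constructed sample identities (not from any real log).
SAMPLE = ["alice@example.edu", "bob", "carol@uni.example.ac.it", "dave@lab.example.gov",
          "erin@other.example.edu", "@neighbor.example", "frank@example..edu"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name!r:28} eduroam -> {authorize(name, 'eduroam')}")
    print("missed by *.edu:", missed_by_edu_wildcard(SAMPLE))
```
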
 

Would someone on the list please send me their freeRadius config for the realm based eduroam authentication?  It will save me a lot of time.  We are planning on spinning up eduroam in the near future and having unc.edu tunnel to a staff vlan and non unc.edu go to others.  If you have some Aruba config snapshots that would be super duper as well :)

Ryan Turner
Senior Network Engineer, ITS
The University of North Carolina at Chapel Hill
+1 919 274 7926 Mobile
+1 919 445 0113 Office

Message from dannyeaton@rice.edu

And, just to add – we’re using FreeRadius for wireless authentication – it checks locally for @rice.edu, and goes up the eduroam chain for anything other. 

 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hanset, Philippe C
Sent: Monday, March 10, 2014 2:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Question about the connection of iphone users (eduroam)

 

Linchuan, Patrick,

If you use the solution from Frank Sweetser or Danny Eaton, you really don't care which SSID your own users are latched on your campus.
Regardless of the SSID, make sure that your own users are being assigned to the same VLANs that they would have been assigned
had they joined the regular secure SSID from your University.

When we talk to institutions about eduroam we tell them that there is really no need to create additional subnets if there is already a secure network
and a visitor network on campus (unless some specific designs require so). You can assign users with @local-school to the secure subnets/VLANs and assign users with @everything-else to your visitor subnets/VLANs.
And if you have a privileged relation with another neighboring campus you can also assign the secure VLANs to that REALM
(@theneighboringcampuswithwhomwehaveaprivilegedrelation) of that campus.

This method tends to make it easy on Firewall rules and subnet/VLAN creation.
You have to mess around with your Wi-Fi management system (e.g. controller etc...) and your RADIUS though!

This said...always make sure that you require the eduroam SSID to force the usage of the REALM (a condition that you can enforce in RADIUS),
regardless if local or not! (we forgot to do that initially at UTK, and we ended up with travelers not having a great eduroam experience)

Philippe

Philippe Hanset

 

 

Dear All

 

Thank you for your suggestion.

 

Have a good evening.

 

Yours,

Linchuan Yang (Antony)

Wireless Networking Analyst
Network Assessment and Integration,
IITS-Concordia University
Tel: (514)848-2424 ext. 7664


So this is different than my testing results.  The iPad I am using (currently on 7.0.3) always connects to the network I was last connected to.  I have done this several times now with three SSIDs.  One starts with D, eduroam and the last one (our primary) MWireless.

The only time I connected to eduroam was when I was leaving a coverage area.  I dropped MWireless and it tried to connect to eduroam (may have connected briefly).  However, if I left the area while it was connected to MWireless, when I came back it would still connect to MWireless.  I also tried turning off WiFi with the same results.




------------------------
Walter Reynolds
Principal Systems Security Development Engineer
Information and Technology Services
University of Michigan
(734) 615-9438

