Profile


James Andrewartha



My Content

1 to 20 of 32 total
Posted By James Andrewartha 01-08-2025 01:37:46 AM
Found In Egroup: Network Management
We don't have anything at the moment, I've been evaluating and the one that stands out to me that hasn't been mentioned is Cygna IPControl. It's also a bit cheaper than some of the other options (and notably purchase + support, not ongoing subscription), but still expensive IMHO, and I haven't come across ...
Posted By James Andrewartha 10-30-2024 01:52:57 AM
Found In Egroup: Cybersecurity
First up, there's two different types of Windows Hello - the original, and Windows Hello for Business. The first is not particularly secure, as it just controls access to cached credentials on the device. WHfB however is full public/private key encryption stored on a TPM if available. It can only be ...
Posted By James Andrewartha 10-16-2024 02:21:12 AM
Found In Egroup: Wireless Local Area Networking
No, but comments from other organisations were that integrating with AD CS wasn't worthwhile for wireless auth if you could avoid it. There are scripts around to create fake users and computers, but they're fragile, and another reason to spin up a CA not related to AD. I use and recommend SCEPman (the ...
Posted By James Andrewartha 09-09-2024 11:50:14 PM
Found In Egroup: Wireless Local Area Networking
While not wanting to stop anyone from doing EAP-TLS, I recently came across EAP-FIDO which is being drafted at the moment and is worth thinking about if you want even more security in the future, particularly since it supports userVerification. Registration is out of scope so will need some consideration, ...
Posted By James Andrewartha 09-04-2024 12:30:39 AM
Found In Egroup: Network Management
LibreNMS is great, I use RANCID for backups but it also supports https://github.com/ytti/oxidized ------------------------------ James Andrewartha Network and Projects Engineer Christ Church Grammar School jandrewartha@ccgs.wa.edu.au ------------------------------
Posted By James Andrewartha 09-02-2024 10:42:43 PM
Found In Egroup: Identity and Access Management
I've found plenty of SAML SPs don't check for certificate expiry, they just keep working. Not saying you should rely on it but also it's probably not a well-tested codepath, or SPs explicitly don't check because of the issues with having to roll over certificates. Entra OAuth secrets are only valid ...
Posted By James Andrewartha 06-30-2024 11:46:53 PM
Found In Egroup: Network Management
Ryan, I'd appreciate you asking them about K12 as well. I see on the membership page they have a price for K12 which my school wouldn't pay. My bigger complaint is about the forum archives being behind a login wall, which happened with the change to the new platform a few years ago (and I complained ...
Posted By James Andrewartha 04-19-2024 09:32:00 AM
Found In Egroup: Network Management
The Aruba switch way for option 4 is called Downloadable User Roles, I've seen people talk about doing it for AP ports but didn't find any examples after a quick google. Option 3 for Extreme is fabric attach, and it is extremely (pun-intended) nice. It's not VPN but instead layer 2 services (which ...
Posted By James Andrewartha 03-07-2024 12:45:00 AM
Found In Egroup: Wireless Local Area Networking
The hostnames for Wi-Fi calling should follow this pattern, but apparently some carriers do it differently just because: epdg.epc. . .pub.3gppnetwork.org MNC stands for Mobile Network Code, and MCC stands for Mobile Country Code. From https://whirlpool.net.au/wiki/telstravowifi - ...
Posted By James Andrewartha 12-20-2023 09:58:00 PM
Found In Egroup: Network Management
Hi Mark, On https://www.macadmins.org/ there's a big "JOIN SLACK NOW" button that goes to https://macadmins.slack.com/join/shared_invite/zt-27gqcnz84-UHIQaKQIpDhU_fZPGRevPA#/shared-invite/email which should generate an invitation. Thanks, James ------------------------------ James ...
Posted By James Andrewartha 11-23-2023 01:14:00 AM
Found In Egroup: Network Management
I'm setting up SCEPman for Jamf (and Intune) at the moment. The biggest gotcha was Jamf enforces limits on what RDNs types are acceptable - Jamf support linked me to https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf which says "OIDs can be represented as dotted numbers, ...
Posted By James Andrewartha 02-26-2023 10:14:00 PM
Found In Egroup: Wireless Local Area Networking
> why MPSK/PPSK is tedious and not viable on WPA3 Personal networks Ruckus claim to have somehow made DPSK work on 6GHz https://www.businesswire.com/news/home/20230119005140/en/RUCKUS-Networks-Enables-Multi-Dwelling-Units-to-Access-New-6-GHz-Spectrum-Enhancing-Advanced-Wi-Fi-Services ----- ...
Posted By James Andrewartha 01-16-2023 10:57:00 PM
Found In Egroup: Wireless Local Area Networking
I ran across this one recently and thought it might be useful for others to know. If a PlayStation 5 is connected to a network with 802.11k Quiet IE enabled, its wifi and bluetooth will lock up a few minutes after connecting, resulting in no network connectivity and controllers not working (unless connected ...
Posted By James Andrewartha 10-24-2022 07:57:00 PM
Found In Egroup: Network Management
Also QUIC has been used as the base for HTTP/3 which has widespread browser support. We block it, but we also have a fairly heavy content filter, being a K12. https://en.wikipedia.org/wiki/HTTP/3 ------------------------------ James Andrewartha Network and Projects Engineer Christ Church Grammar ...
Posted By James Andrewartha 09-20-2022 11:09:00 PM
Found In Egroup: Wireless Local Area Networking
Credential guard prevents the use of NTLM credentials, which is what the "use desktop login credentials to join PEAP/MSCHAPv2" requires. https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-considerations#wi-fi-and-vpn-considerations https://www.m ...
Posted By James Andrewartha 09-14-2022 08:03:00 PM
Found In Egroup: Cybersecurity
Well that's because it's not a mailing list, it's a "Member Engagement Platform". Anyway it does support polls but they can only be created by super users for some ridiculous reason https://support.higherlogic.com/hc/en-us/articles/360033056971-Polls-Overview ------------------------------ James ...
Posted By James Andrewartha 09-12-2022 01:02:00 AM
Found In Egroup: Wireless Local Area Networking
My Samsung Galaxy S21 has "Use system certificates" as an option (also "Don't validate"). I was wrong, Android does have separate CA, VPN/app user and Wi-Fi certificate stores, and installing a general CA has a warning and PIN/biometric auth prompt while Wi-Fi and VPN don't. https://documentation ...
Posted By James Andrewartha 09-11-2022 08:56:00 PM
Found In Egroup: Wireless Local Area Networking
Android has always allowed using public CAs to verify 802.1X certificates, and since Android 11 and up on certain hardware the "Do not validate" option for the certificate has been removed. This means you either need to use a public CA, or onboard your certificate which is a real pain on Android since ...
Posted By James Andrewartha 08-22-2022 11:09:00 PM
Found In Egroup: Wireless Local Area Networking
@Sarah Stanziano I forgot that to make it work for Extreme I'd added a CoA template to Administration » Dictionaries » RADIUS Dynamic Authorization Templates. For XIQ I needed to create a second user profile on the same ...
Posted By James Andrewartha 08-01-2022 09:04:00 PM
Found In Egroup: Wireless Local Area Networking
Here's the CoA enforcement profile: The MAC Caching Enforcement policy: and the MAC auth enforcement policy: For my next trick I'm trying to get ClearPass guest working with ExtremeCloud IQ (XIQ fka Aerohive), but it doesn't seem to be respecting the filter-ID. ------------------------------ ...