INTEL WIRELESS
Wired Stuff
WiFi Tablet Corner
My80211 White Papers (Coming Soon!)

Cisco Wireless Compatibility Matrix (Nov. 2011)

Podcasts / Videos

My80211 Videos

Cisco: 802 11 frames with Cisco VIP George Stefanick

Fluke Networks: Minimize Wi Fi Network Downtime

Aruba: Packets never lie: An in-depth overview of 802.11 frames

ATM15 Ten Talk “Wifi drivers and devices”

Houston Methodist Innovates with Wireless Technology

Bruce Frederick Antennas (1/2)

 

Bruce Frederick dB,dBi,dBd (2/2)

Cisco AP Group Nugget

Social Links
Revolution WiFi Capacity Planner

Anchor / Office Extends Ports

 

Peek Inside Cisco's Gear

See inside Cisco's latest wireless gear!

2.4 GHz Channel Overlap

EXAMPLE 1  

EXAMPLE 2

EXAMPLE 3  

CWSP RELEASE DATE 2/08/2010
  • CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
    CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
    by David D. Coleman, David A. Westcott, Bryan E. Harkins, Shawn M. Jackman

    Shawn Jackman (Jack) CWNE#54 is a personal friend and has been a mentor to me for many years.  I've had the pleasure and opportunity to work with Jack for 4 years. Jack is a great teacher who takes complex 802.11 standards and breaks them down so almost anyone can understand the concept at hand. I'm excited for you brother. Great job and job well done! Put another notch in the belt!

IEEE 802.11a/g/n Reference Sheet

 

LWAPP QoS Packet Tagging

 

 

Interference Types

BLUETOOTH
 

Microwave Oven
 

Cordless Phone

JAMMER!
 

  

Entries by George (324)

Monday
Jan112010

802.11 Client Active and Passive Scanning

 

 

It is important to understand the difference between active and passive client scanning. Here is an overview ~ Wireless clients learn about available APs by scanning other IEEE 802.11 channels for available APs on the same WLAN/SSID. Scanning other IEEE 802.11 channels can be performed actively or passively as follows: 

Active scan—Active scanning occurs when the client changes its IEEE 802.11 radio to the channel being scanned, broadcasts a probe request, and then waits to hear any probe responses (or periodic beacons) from APs on that channel (with a matching SSID). The IEEE 802.11 standards do not specify how long the client should wait, but 10 ms is a representative period. The probe request frames used in an active scan are one of two types:

Directed probe—The client sends a probe request with a specific destination SSID; only APs with a matching SSID will reply with a probe response 

Broadcast probe—The client sends a broadcast SSID (actually a null SSID) in the probe request; all APs receiving the probe-request will respond, with a probe-response for each SSID they support.

Passive scan—Passive scanning is performed by simply changing the clients IEEE 802.11 radio to the channel being scanned and waiting for a periodic beacon from any APs on that channel. By default, APs send beacons every 100 ms. Because it may take 100 ms to hear a periodic beacon broadcast, most clients prefer an active scan.

 

During a channel scan, the client is unable to transmit or receive client data traffic. There are a number of approaches clients take to minimize this impact to client data traffic:

•Background scanning—Clients may scan available channels before they need to roam. This allows them to build-up knowledge of the RF environment and available APs so they may roam faster if it becomes necessary. Impact to client traffic can be minimized by only scanning when the client is not actively transmitting data, or by periodically scanning only a single alternate channel at a time (scanning a single channel incurs minimal data loss)

•On-roam scanning—In contrast with background, on-roam scanning occurs after a roam has been determined necessary. Each vendor/device may implement its own algorithms to minimize the roam latency and the impact to data traffic. For example, some clients might only scan the non-overlapping channels.

 

 

Typical Scanning Behavior

Although most client roaming algorithms are proprietary, it is possible to generalize the typical behavior.

Typical wireless client roam behavior consists of the following activities:

•On-roam scanning—This ensures clients have the most up-to-date information at the time of the roam.

•Active scan—An active scan is preferred over a passive scan, due to lower latency when roaming.
There are some informational attributes that may be used to dynamically alter the roam algorithm:

•Client data type—For example, voice call in progress

•Background scan information—Obtained during routine periodic background scans

Ways in which attributes can be used to alter the scan algorithm include: •Scan a subset of channels—For example, information from the background scan can be used to determine which channels are being used by APs in the vicinity. •Terminate the scan early—For example, if a voice call is in progress, the first acceptable AP might be used instead of waiting to discover all APs on all channels. •Change scan timers—For example, if a voice call is in progress, the time spent waiting for probe responses might be shortened during an active scan.

From -- Cisco Voice Over Wireless LAN 4.1 Design Guide

 

Monday
Jan112010

Understand your Cisco WLC Dashboard -- Find your links faster

 

 

If you’re going for the Cisco CCIE lab you need to know the GUI and CLI cold. Let’s face it. Time is short and your tasks will be MANY when you sit lab. You don’t want to have an issue between the chair and the PC. If you catch my drift … 

If you are new to the WLC the dashboard can be a little overwhelming for some folks. Lets face it, there are TON and TONs of ‘nerd knobs’. And knowing where these commands live can be a task.  When consulting and training, I came up with a process that helped students quickly grasp where these commands live. Let’s review the dashboard shall we ….

The dashboard has (8) buttons. They are Monitor, WLANs, Controller, Wireless, Security, Management
Commands and Help. 

MONITOR– Monitor is just that. The monitor page shows you a HUD of what is going on in your WLC. Understand each of the fields and the data collected in the monitor page for quick reference. This will help you to gather information when troubleshooting. For example controller summary, access point summary, client summary, rogue summary and most recent traps are located here. These areas give you a real QUICK snap shot of valuable information.  In short – Monitor is just that … Monitoring of your WLC …

WLANs – This is where your SSIDs live. This is where you will create your SSIDs, apply security (L2/L3), Wireless QoS and SSID tuning, such as P2P blocking, session timeout, etc.  You will find these under the advance tab.  On the left panel you will see an Advanced link as well. NOT to be confused with the Advance tab under WLANs. This is where your AP group config lives. In Short – WLANs is where your SSIDs live.

CONTROLLER – Controller is where your Wired lives. This is where you will configure your controller interfaces, vlans, gateways,  dhcp, ip addresses, general controller settings, ports, internal DHCP services, mobility groups, CDP and NTP.  These are all wired related options… In Short – Controller is where your wired lives

WIRELESS – This is probably one of the busiest links and the most confusing for first time users. In fact you have more options on this link then any of the others. Wireless is where your access points, RRM, mesh, QoS profiles, hreap groups and your wireless network (data rates) etc live. I might suggest you become very very comfortable with the options under wireless.

Lets look briefly at a few of the options. On the left panel you have access points. This is a list of access points that are joined to the controller. Under which you have radios  802.11a/n and  802.11b/g/n. This is where you can config the different radio per access point.

The next session under this is the 802.11a/n and 802.11b/g/n. Again not to be confused with the commands under access points. This is where your network and RRM settings live for each side of the radio. In short – Understand the wireless link COLD. This is where your access point and wireless data rates live. 

SECURITY – This is where your controller security and database security lives. Again, not to be confused with security under WLAN. You will find you radius server options, local eap, TACACS+, webauth, ACLs, wireless protection polices, etc. In short – Think of wired WLC security

MANAGEMENT – This is where your controller management lives. These commands are very very forward. HTTP, HTTPS, TELNET, SSH, logs, user sessions, user account creation, snmp, management via wireless. In short – This is where you will manage your WLC

COMMANDS – This is where you will upload/download  code, sig files, reset factory defaults, reboot the controller, set time. In short – This is where you will find your administration of code updates.

HELP – No need to cover this … If you are looking at this during your lab … You may not be ready for the lab … 

Saturday
Jan092010

Airnergy WiFi power system gives RCA a reason to exist (video)

 

 

Has anyone heard about this new device that charges battery's from WiFi signals? I am really interested to hear how this works? If this is indeed real, this takes the prize for best technology innovation of the decade in my book..  Check it out, what do you think..

We don't usually associate RCA with new and innovative technologies, but we think know they're on to something with its Airnergy power system, which harvests energy from WiFi signals. Shipping this summer, the pocketable dongle picks up WiFi signals from the air and manages to charge an internal battery through some magic inside. You don't have to connect to a network, you just have to be in a place that has signal, and it will automatically charge up. As if we weren't intrigued already, they told us that they're planning on building the tech into actual cellphone batteries, so you would theoretically never need to plug in again and your device would always be topped off. Yeah, we want.

 

We don't usually associate RCA with new and innovative technologies, but we think know they're on to something with its Airnergy power system, which harvests energy from WiFi signals. Shipping this summer, the pocketable dongle picks up WiFi signals from the air and manages to charge an internal battery through some magic inside. You don't have to connect to a network, you just have to be in a place that has signal, and it will automatically charge up. As if we weren't intrigued already, they told us that they're planning on building the tech into actual cellphone batteries, so you would theoretically never need to plug in again and your device would always be topped off. Yeah, we want.

Here is the video link: http://www.viddler.com/explore/engadget/videos/1001/ 

Leeched: http://www.engadget.com 

 

 

Saturday
Jan092010

Why you should consider "Monitor" Access Points as part of your Cisco Unified WLAN design and architecture

 

 

You are probably asking yourself, why!? Or perhaps, you did not know you could add access points in “Monitor” mode only. So, let’s deep dive this design consideration and why you as a Wireless Admin may want to consider deploying monitor access points in your WLAN.

We all seen the access point and client rogue alerts, signature attacks, (IDS, IPS) and other environment events on the WLC and WCS dashboard. Do you know how these alerts are gathered? This function is part of RRM (Radio Resource Monitoring/Management) Lets look how…

Cisco Unified (Lightweight) access points go off-line and conduct scans in the environment. Much like if you had a sniffer, in the area of the access point conducting the scan on your laptop.  During these scans the information gathered is sent to the WLC where this information is processed and displayed.  But here is the problem.   

Cisco Unified (Lightweight) access points only spends 0.2% off-channel scanning. Further more, the access point will only spend 60ms during EACH scan (10ms to switch channels and 50ms to scan the actual channel).  This activity is distributed across your WLAN so that adjacent access points are not scanning at the same time.

Note: In the presence of voice traffic (in the last 100 ms), the access points defer off-channel measurements.

I’ve completed specific testing with no monitor access points deployed in large enterprise environments, only using existing access points with default RRM monitoring enabled.

I conducted testing where I deployed a (1/6) access point ratio. By this I mean for every 6 production access points I would add (1) access point in monitor mode and found a 5% increase on average of environment information. The reason for this increase is simple. Access points that are only on a channel for short intervals can not see every packet, while access points that are on channel can see far greater more packets. 

Additionally, Cisco unified access point modes include more then just monitor. It includes rouge detector and sniffer modes. Allowing you to leverage your monitor access points in more ways then one. 

In closing, you may want to consider deploying monitor access points in your design.

Wednesday
Jan062010

Coleman Technologies, Inc. Joins Forces With and Becomes Part of Presidio, Inc.

 

 

This is an interesting move to start off 2010.

GREENBELT, MD -- 01/06/10 -- Presidio, Inc., a diversified professional and managed services firm delivering advanced IT infrastructure solutions, announced today that Coleman Technologies, Inc. has merged with and into Presidio, Inc. Coleman, based in Orlando, FL, is a leading edge IT and systems engineering services firm and will complement Presidio's existing business lines, including: Presidio Networked Solutions, a professional services and advanced IT infrastructure solutions provider; Presidio Managed Networks, a Managed Services and Telecom Consulting firm; Atlantix Global, a provider of remarketed technology solutions; and Presidio Technology Capital, a captive leasing operation.

This combination brings an exciting new dynamic to Presidio's already vibrant Virtualization/Data Center; Collaboration/Unified Communications; Mobility; Security and Managed Services practices. Coleman further expands Presidio's extensive team that has been purposely built to focus on providing innovative advanced IT infrastructure solutions for the complete IT Lifecycle. The result is a company with unmatched strength in customer service and support, technical acumen and financial viability.

Coleman brings a complementary and expanded geographic reach, solidifying Presidio's market presence in Florida, Georgia, Oklahoma and the Public Sector, while accelerating a more expansionary footprint throughout Texas, Tennessee, the Carolinas, Alabama, Ohio, Illinois and Indiana. The merger also significantly strengthens Presidio's current capabilities in Contact Center and Managed Services. Additionally, Coleman holds several unique capabilities in their Federal Systems and Electronic Systems groups with solutions ranging from hardened communications devices (EnviroXtreme), to mobile communications solutions (RAPTOR) and covert GPS tracking devices (AGenT), that leverage their product development and software design skills and solutions.

Joel Schleicher, Chairman and Chief Executive Officer of Presidio, Inc., stated, "We are ecstatic with this combination due to Coleman's stellar reputation, unique approach to the market, and culture. We view the Coleman team as the perfect complement to Presidio. There are few companies that offer the engineering/implementation excellence, customer satisfaction approach and are as forward thinking, from a standpoint of utilizing technology as a productivity enhancement tool for their customers, as Coleman."

Highlights of the merged company include:

 

-- Revenue of over $1.1B, making it the leading solutions provider in
its markets
-- 70 Cisco CCIEs and over 1,800 technology certifications
-- 530+ highly certified engineering and consulting professionals among
our 1,200 employees, delivering unequalled levels of engineering
expertise
-- 425 Business Development Professionals to meet developing market needs
-- Recognition as one of Cisco's top five (5) partners in North America,
along with being the fourth largest in Unified Communications and
third largest in Contact Center, and similar stature with other
strategic partners including VMware and Microsoft
-- One of only five (5) Cisco global partners approved to design and
deploy the largest and most complex VBlock 2 Solutions
-- HP Virtualization Elite Partner trained and certified to design and
deploy HP's Matrix and other advanced datacenter server and storage
solutions
-- Expanded Managed Services including additional Network Operations
Centers (NOCs) and Security Operations Centers (SOCs)
-- Excellence in customer satisfaction and increased industry
recognition including:
-- Cisco accolades : Partner of the Year; Global Enterprise Partner
of the Year; Commercial Partner of the Year for North America;
Solution Innovation Partner of the Year; Customer Advocacy Partner
of Year; Data Center Partner of the Year; Customer Satisfaction
Excellence;
-- Top certifications in Virtualization and Data Center;
Collaboration and Voice; Wireless; Security; Physical Security;
ISO 9001:2000 and Managed Services;
-- EMC Services Partner of the Year in 2009 and 2008 and EMC's
6th largest partner in NA;
-- First VMware Certified Center of Excellence in North America.

Speaking on the deal, Ben Patz, Chief Executive Officer of Coleman Technologies, Inc, commented, "Joining with Presidio broadens the solutions we can offer our customers, expands our market for innovative solutions and enhances our ability to invest in our people and processes. Moving forward, our combined teams will continue to deliver the same innovative services and solutions that have differentiated us in the marketplace and upon which our customers have come to depend."

Tuesday
Jan052010

My80211.com now on Twitter !

 

 

I got bit by the "twitter" bug. You can now follow me on twitter. Where I will share with you the going on's in and around wireless deployments and troubleshooting!

 http://twitter.com/wirelesssguru

Monday
Jan042010

IPhone APP: IPhone Network Sniffer

  

Once the issues are ironed out, this could be a handy tool in the hands of a hacker. I may just have to jailbreak my iPhone.

 

Pirni is the worlds first native network sniffer for iPhone. The iPhone's Wi-Fi has some major drawbacks in its hardware design, thus we can not properly set the device in promiscuous mode.

This is why Pirni comes with an ARP spoofer that successfully routes all the network traffic through your device and then uses packet forwarding to send it to it's normal recipient (ie. the router).

After a successful network sniffing, you can transfer the dumpfile to your computer and open it up with Wireshark (or any other traffic analyzer that supports pcap) to analyze the traffic.

BPF filters allow you to select which packets to be dumped. This allows you to "filter" packets, so that only "interesting" packets can be supplied to the software using BPF; this can avoid copying "uninteresting" packets from the operating system kernel to software running in user mode, reducing the CPU requirement to capture packets and the buffer space required to avoid dropping packets.

 

leeched from: www.net-security.org

Friday
Jan012010

WLC Disable Wireless Client (CLIENT EXCLUSION)

There can be countless reasons why you may want to block a wireless client from accessing the WLAN. One real world scenario happened a few months back where I was contacted by a customer who's enterprise was just hit with a virus. As they quarantined and identified infected hosts they could not account for 50+ wireless clients, which were infected and online.

As they cleaned infected machines, these machines became infected again due to these 50+ devices. They needed a way to disable them from the WLAN,  but didn't have time to locate the 50+ nor did they know their exact location.Here is how to disable clients blocking access to the WLAN.

NOTE: WHEN A CLIENT IS ON THE EXCLUSION LIST, THE WLC IGNORES PROBE REQUEST FROM THE CLIENT. SEE DEBUG BELOW

 

 

 

 

CONFIG CLIENT EXCLUSION

(Cisco Controller) >config exclusionlist ?              
add            Creates a local exclusion-list entry
delete         Deletes a local exclusion-list entry
description    Sets the description for an exclusion-list entry

(Cisco Controller) >config exclusionlist add 00:25:d3:8b:00:13

REMOVE CLIENT EXCLUSION (ALLOWS CLIENT ACCESS TO WLAN)

(Cisco Controller) >config exclusionlist delete 00:25:d3:8b:00:13

DEBUG CLIENT WHILE EXCLUDED

NOTE: THE WLC IS IGNORING THE CLIENTS PROBE REQUEST


(Cisco Controller) debug>client 00:25:d3:8b:00:13
Fri Jan  1 17:57:04 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:08 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:09 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:12 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:13 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:17 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:21 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:22 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:25 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:26 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:27 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:29 2010: 00:25:d3:8b:00:13 Ignoring probe request due to exclusion-listing of the mobile
Fri Jan  1 17:57:29 2010: 00:25:d3:8b:00:13 Association request(2): Exclusion-listed!!

Wednesday
Dec302009

WLC "DHCP Address Assignment Required" Option 

DHCP address assignment required is one of those check boxes that makes you go huh, while you scratch your head, if you don't know how it works. Cisco's best pratice for voice is to disable this feature. However, keep in mind,  if DHCP Addr. Assignment Required is selected, clients must obtain an IP address via DHCP. Any client with a static IP address is not allowed on the network.


The DHCP Required option in WLAN settings allows you to force clients to do a DHCP address
request/renew every time they associate to the WLAN before they are allowed to send or receive other
traffic to the network.
 
From a security standpoint, this allows for a more strict control of IP addresses
in use, but also might have affects in the total time for roaming before traffic is allowed to pass again.
 
Additionally, this might affect some client implementations which do not do a DHCP renew until the
lease time expires. For example, Cisco 7920,7921 and 7925 phones might have voice problems while they roam if this option is enabled, as the controller does not allow voice or signaling traffic to pass until
the DHCP phase is completed.
 
Some third−party printer servers might also be affected. In general, it is a good idea not to use this option if the WLAN has non−Windows clients. This is because the more strict controls might induce connectivity issues, based on how the DHCP client side is implemented.
 
Additional Notes: The WLAN advance configuration has an option to require that a user must pass DHCP before going into the RUN state (a state where the client will be able to pass traffic through the controller). This option requires the client to do a full or half DHCP request. The main thing the controller is looking from the client is a DHCP request and a ACK coming back from the DHCP server. As long as the client does these steps, the client will pass the DHCP required step and move to the RUN state.

L2 and L3 Roaming

L2 - Roam—If the client has a valid DHCP lease and performs a L2 roam between two different controllers on the same L2 network, the client should not need to re-dhcp and the client entry should be completely moved to the new controller from the original controller. Then if the client does need to DHCP again, the DHCP bridging or proxy process on the current controller would transparently bridge the packet again.

L3 – Roam—In a L3 roam scenario the client is moving between 2 different controllers in different L3 networks. In this situation the client is anchored to the original controller and listed in the client table on the new foreign controller. During the anchoring scenario the client’s DHCP is handled by the anchor controller as the client data is tunneled within an EoIP tunnel between the foreign and anchor controllers.

 
SHOW WLAN <WLAN ID>
To confirm the current config, this option lives under the show wlan <WLAN ID>
 
(Cisco Controller) >show wlan 1
WLAN Identifier.................................. 1
Profile Name..................................... TEST
Network Name (SSID).............................. TEST
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 6
Exclusionlist.................................... Disabled
Session Timeout.................................. 1800 seconds
Interface........................................ management
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Quality of Service............................... Silver (best effort)
WMM.............................................. Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
<omitted>
 
CONFIG DHCP Address Assignment Required
Hummm... For the life of me I can not find the CLI command for this config. I will post it shortly, but here is the GUI command.
 
WLANs-->(click on SSID)--> ADVANCE TAB--> Check box DHCP Addr. Assignment Required
Tuesday
Dec292009

Configure TKIP Countermeasure Holdoff Timer on Autonomous

After having worked on countless Cisco WLAN VoIP deployments a general rule of thumb from Cisco TAC is to disable TKIP countermeasure on ALL voice WLANs and lessen the timer for DATA WLANs. Again this is all subject to your comfort level and performance requirements. Personally, I can't say I have ever seen this to be an issue or had an issue that was directly related to the countermeasure. But something to chew on!

TKIP countermeasure mode can occur if the Access Point receives 2 message integrity check (MIC) errors within a 60 second period. When this occurs, the Access Point will de-authenticate ALL TKIP clients associated to that 802.11 radio and holdoff any clients for the countermeasure holdoff time (default = 60 seconds).

 

ap#config t

ap(config)#interface dot11Radio 0

Note: This is radio specific on autonomous access points


ap(config-if)#countermeasure tkip 0

Note:  Configures TKIP MIC countermeasures hold-down timer (0-65535 seconds), unlike the WLC which is (0-60 seconds)

Tuesday
Dec292009

Configure TKIP Countermeasure Holdoff Timer on WLC

After having worked on countless Cisco WLAN VoIP deployments a general rule of thumb from Cisco TAC is to disable TKIP countermeasure on ALL voice WLANs and lessen the timer for DATA WLANs. Again this is all subject to your comfort level and performance requirements. Personally, I can't say I have ever seen this to be an issue or had an issue that was directly related to the countermeasure. But something to chew on!

TKIP countermeasure mode can occur if the Access Point receives 2 message integrity check (MIC) errors within a 60 second period. When this occurs, the Access Point will de-authenticate ALL TKIP clients associated to that 802.11 radio and holdoff any clients for the countermeasure holdoff time (default = 60 seconds).


(Cisco Controller)config wlan security <tkip> hold-down <seconds> <wlan id>

Note:  Configures TKIP MIC countermeasures hold-down timer (0-60 seconds)


The following command disables TKIP countermeasure on WLAN 1 

(Cisco Controller) >config wlan security tkip hold-down 0 1

 

Monday
Dec282009

Wi-Fi Alliance Now Testing Single-Stream "N"

This is very interesting news. The WiFi Alliance is considering the certification of single-stream 802.11n product.

The Wi-Fi Alliance said it has started testing single-stream access points and routers that use 802.11n technology.

In an email to SmallNetBuilder, Kelly Davis-Felner, the WFA's Marketing Director said that testing had started last week.

Products that pass the test will not be Wi-Fi CERTIFIED n, since the 802.11n standard does not allow for single-stream access points and routers. Instead, they will carry the mark shown above (or a version without the "a" for single-band products).

According to Alliance literature, the single-stream certification indicates that the product is Wi-Fi CERTIFIED to the previous standards shown, and also contains some of the features of Wi-Fi CERTIFIED n. These products may be referred to as “wireless-n” or “Wi-Fi n” by manufacturers.

Single stream products typically support a maximum connection rate of 65 Mbps using the default 20 MHz channel bandwidth and 135 Mbps using 40 MHz channel bandwidth.

Leeched from: http://smallnetbuilder.com 

Sunday
Dec272009

WLC Paging Disabled - "Similar to - term length 0"

We've all been there... You need to drop the show-run command and you get the "Press Enter to continue Or <Ctl Z> to abort" or "--More-- or (q)uit". All you want is to drop the entire config. Wells here is how.

If you are fimilar with Cisco IOS routers and switches then you may have used the "term length 0"command. This eliminates the the page breaks. Under the WLC "Airespace OS" the equivalent is the "config paging disabled" 

(Cisco Controller) >config paging ?

enable         enable paging

disable        disable paging 

 

DISABLE CONFIG PAGING

The following command will allow the entire show command drop in one piece:

(Cisco Controller) >config paging disable

 

ENABLE CONFIG PAGING

The following command will allow paging:

(Cisco Controller) >config paging enable

Sunday
Dec272009

Recover your WLC password

So you forgot your WLC password, eh? WLC version 5.1 and later, you can use the CLI from the controller's serial console in order to configure a new user name and password. Complete these steps in order to configure a new user name and password.

       1. After the controller boots up, enter Restore-Password at the user prompt.
       Note: For security reasons, the text that you enter does not appear on the controller       console.

       2. At the Enter User Name prompt, enter a new user name.

       3. At the Enter Password prompt, enter a new password.

       4. At the Re-enter Password prompt, re-enter the new password.
       note: The controller validates and stores your entries in the database.

       5. When the User prompt reappears, enter your new username.

       6. When the Password prompt appears, enter your new password.
 

Note: For WLCs that run earlier versions of firmware (prior to 5.1), there is no way to recover the password.

If you use the Cisco Wireless Control System (WCS) in order to manage the WLC, wireless LAN controller Module (WLCM) or Wireless Services Module (WiSM), you should be able to access the WLC from the WCS and create a new administrative user without logging into the WLC itself.

Or, if you did not save the configuration on the WLC after you deleted the user, then a reboot (power cycling) of the WLC should bring it back up with the deleted user still in the system. If you do not have the default admin account or another user account with which you can log in, your only option is to default the WLC to factory settings and reconfigure it from scratch.

 

Sunday
Dec272009

Configure Local MAC Authentication on Cisco WLCs 

Mac filtering was popular back when WEP was the only means of wireless security. Mac filtering added an additional layer of authentication by validating the wireless NIC mac address prior to authenticating to a wireless network. Although, mac filtering is still used today, it is a management burden for larger deployments and it is very easy for a hacker to spoof the mac address with a sniffer since the mac is sent in the clear.

What you need know about local authentication on the Cisco WLC. By default, the WLC local database supports 512 entries and can be configured up to a total of 2048 max entries. This is a hard limitation and can not be exceeded unless you use a Radius server for MAC authentication.

LOCAL WLC DATABASE

The local user database is limited to a maximum of 2048 entries and is set to a default value of 512 entries. 

The local database stores entries for these items:
•MAC filters (clients)
•AP MIC/SSC (AP authorization list)
•Dynamic Interfaces
•Management users
•Local net users
•Excluded Clients
 
Together, ALL of these types of entries CANNOT exceed the configured database size.
In order to increase the local database to 2048, use this command from the CLI:
  
(Cisco Controller)Config database size ?
<count>        Enter the maximum number of entries (512-2048)
 
SHOW DATABASE SUMMARY 
 
This command will display the size of the database and current number of entries. 
 
(Cisco Controller) >show database summary
 
Current Max database entries..................... 512 <--- Default database size
Max database entries on next reboot.............. 512
Current number of entries used................... 5 <--- This is 3 user accounts and 2 dynamic interfaces
 
CONFIG MACFILTER IN LOCAL WLC DATABASE
 
The macfilter and WLAN ID are requirements
config <macfilter> <WLAN ID> [interface_name] [description] [IP address] 
 
These commands are optional and are not a requirement
[interface_name] [description] [IP address] 
 
(Cisco Controller) >config macfilter add 00:21:6A:11:A8:AA 2
 
 
ENABLE MACFILTERING ON WLAN
 
(Cisco Controller) >config wlan mac-filtering enable  2
 
SHOW MACFILTER SUMMARY
 
(Cisco Controller) >show macfilter summary
 
MAC Filter RADIUS Compatibility mode............. Cisco ACS
MAC Filter Delimiter............................. None
Local Mac Filter Table
MAC Address               WLAN Id          IP Addr           Description
-----------------------   --------------   ---------------   --------------------------------
00:21:6a:11:a8:aa           2              unknown
 
 
SHOW MACFILTER DETAIL 

(Cisco Controller) >show macfilter detail 00:21:6a:11:a8:aa
 
MAC Address...................................... 00:21:6a:11:a8:aa
WLAN Identifier.................................. 2
Interface Name...................................
IP Address....................................... unknown
Description......................................
 
MAP MAC ADDRESS TO IP ADDRESS

The config macfilter ip-address command lets you map an existing MAC-filter to an IP address. Use this command in order to configure an IP address into the local MAC filter database:
 
Config <macfilter> <WLAN ID> [interface_name] [description] [IP address] 
(Cisco Controller) >config macfilter add 00:21:6A:11:A8:AA 2 interface "description" 192.168.1.10
 
Note: <description>  Enter optional description (up to 32 characters) within double quotes

 

 

Wednesday
Dec232009

CISCO VOIP BEST PRACTICE - WLC IEEE 802.1X Timeout for EAP-FAST

When using EAP-FAST you want to insure you give the client enough time to obtain the PAC. By default the WLC is set to only 2 seconds. However I noticed with code 6.0.188.0 it is set to 30 seconds by default. This command can only be configed from the CLI of the WLC.

When using EAP-FAST, the IEEE 802.1X timeout on the controller must be increased (default = 2 seconds) in order for the client to obtain the PAC via automatic provisioning. The default timeout on the Cisco ACS server is 20 seconds, which is the recommended value.
To change the IEEE 802.1X timeout on the Cisco Wireless LAN controller, connect using Telnet or SSH to the controller and enter the following command:
(Cisco Controller)> config advanced eap request-timeout 20

(Cisco Controller)> show advanced eap

EAP-Identity-Request Timeout (seconds)........... 1
EAP-Identity-Request Max Retries................ 20
EAP Key-Index for Dynamic WEP.................... 0
EAP-Request Timeout (seconds)................... 20
EAP-Request Max Retries.......................... 2

 

Tuesday
Dec222009

Configure NTP / MANUAL Time on WLC

Did you know if you don’t set the time on a WLC it is very likely your access points won't join your WLC. Why do you ask!?  LWAPP/CAPWAP access points contain certificates. If your controller's time is set outside of the access points certificate validity they wont join the WLC.

You can check your access points certificate validity with the following command from the AP CLI. A lot of information will be displayed with this syntax. You are interested in the section that states "Certificate". You need to insure your WLC time is set within the APs validity time frame.

(Cisco Controller) >show crypto ca certificates

Certificate
  Status: Available

  Certificate Serial Number: 3BC24B9600000012211221
  Certificate Usage: General Purpose
  Issuer:
  cn=Cisco Manufacturing CA
  o=Cisco Systems

  Subject:
   Name: C1130-001c58734445
   ea=support@cisco.com
   cn=C1130-001c58734445
   o=Cisco Systems
    l=San Jose
   st=California
     c=US

  CRL Distribution Points:

    http://www.cisco.com/security/pki/crl/cmca.crl

  Validity Date:

    start date: 12:56:31 UTC Jun 30 2007
    end   date: 13:06:31 UTC Jun 30 2017
    Associated Trustpoints: Cisco_IOS_MIC_cert

 

Lets set the time on the WLC. You can set the time manually which is locally stored on the WLC or via NTP server.

(Cisco Controller) >config time ?

manual         Configures the system time.
ntp               Configures the Network Time Protocol.
timezone      Configures the system's timezone

Lets look at the manual config:

(Cisco Controller) >config time manual ?
(Cisco Controller) >config time manual <MM/DD/YY> <HH:MM:SS>
(Cisco Controller) >config time manual 12/21/09 23:30:00

Lets now look at the NTP config:

(Cisco Controller) >config time ntp ?
interval       Configures the Network Time Protocol Polling Interval.
server         Configures the Network Time Protocol Servers. 

<Interval> is the polling interval the WLC will sync with the NTP server - between 3600 and 604800 (in seconds).
<Server> is the NTP server ip address. You also can index the NTP servers. By this it means you can add multple servers.

(Cisco Controller) >config time ntp server <index> <ip address>
(Cisco Controller) >config time ntp server 1 192.168.1.1 

Note: If you want to delete your NTP entry use 0.0.0.0 as your IP address.

The last part of the config is to set the time zone

Sunday
Dec202009

IPhone APP: dot11wavelength

I stumbled across an interesting IPhone app called dot11wavelength by The Perseus Group @ www.wirelessfabric.com. This app displays the on channel frequencies for the different 802.11a (5GHz) and 802.11g (2.4GHz) channels.

This app is helpful if you need the exact frequency for a channel in the field or if you are studying for your CWNA exam. They just updated the APP to include other country channel frequencies (JP,ES,IT, DE and FR).

 

 

Sunday
Dec202009

Wi-Fi On Four Wheels: Chevrolet Offers Dealer-Installed Wireless Internet System For SUVs, Trucks And Vans

I remember some of the first "home made" WiFi rigs in cars many years ago in fact I built one myself. It is no surprise to see this hit main stream. Having media and information at your finger tips is the advantage of todays technology. And lets face it, we've all done it at one point or another we needed to check email and pulled over to leech someones WiFi. However, the concern is, will this be just another distraction for drivers? I mean really.. You see it all the time, folks talking on cells and texting while diving, but now surfing?!?  From a hacking side of things ... This would make one sweet a$$ honey pot ! Talk about the information you could mine from one of these puppys !



DETROIT – Owners of several Chevrolet models can transform their vehicle into a rolling Wi-Fi hot spot with Chevrolet Wi-Fi by Autonet Mobile. This dealer-installed system enables full Internet access inside the vehicle – and up to a 150 feet radius around the vehicle – with a laptop or mobile Wi-Fi device. 

“Chevrolet Wi-Fi by Autonet Mobile enhances commuting, family vacations and work,” says Chris Rauser, Chevrolet Accessories Manager. “It benefits active families on the go, as well as professionals who need immediate information at remote job sites. Its uses are almost endless.” 

Autonet Mobile is the world’s first Internet service provider designed exclusively for vehicles. As a GM Officially Licensed Product, Chevrolet Wi-Fi by Autonet Mobile is certified to work with the following new Chevrolet models: 

  • Equinox
  • Traverse
  • Silverado
  • Tahoe
  • Suburban
  • Avalanche
  • Express 

Chevrolet Wi-Fi reflects the trend of increased Internet access on the go. According to JiWire’s Mobile Audience Insights Report, eight percent of all public Wi-Fi users log-in while traveling on subways (three percent) and ferries or cruise ships (five percent). In addition, JiWire reports that total public Wi-Fi users jumped 18 percent in just seven months, from December 2008 to June 2009.  

Chevrolet Wi-Fi is designed for use by passengers, or by the driver when the vehicle is parked. The system requires no special software and achieves speeds up to 1.5 mbps. It uses TRU Technology to maintain Internet connections over the 3G network while the vehicle is in motion, allowing uninterrupted streaming of videos and more.

For families, Chevrolet Wi-Fi allows kids and teens to research homework topics on the ride home, connect to friends on social sites, and stream videos on long drives. The internet connection can support several devices at once, enabling multiple passengers to use the connection for their separate devices.  

When it comes to worksite use, the Wi-Fi connection offers immediate access to everything the Web offers to make the job quicker and easier, from access to online ordering sites, municipal sites with permit and building code information and more. And when used with a laptop computer, the information comes in a larger, easier to navigate format than the small displays of cell phones.

Additional docking stations are available, enabling customers to easily move the Chevrolet Wi-Fi by Autonet Mobile router from vehicle to vehicle. 

Through Dec. 31, Chevrolet Wi-Fi is available for $199 ($399 retail price, less $200 mail-in rebate with two-year service agreement). Go to GMextras.com for more information. 

About Chevrolet 
Chevrolet is one of America 's best-known and best-selling automotive brands, and one of the fastest growing brands in the world. With fuel solutions that go from "gas-friendly to gas-free," Chevy has nine models that get 30 miles per gallon or more on the highway, and offers three hybrid models. More than 2.5 million Chevrolets that run on E85 biofuel have been sold. Chevy delivers expressive design, spirited performance and provides the best value in every segment in which it competes. More information on Chevrolet can be found at www.chevrolet.com. For more information on the Vot, visithttp://media.gm.com/volt/.

Monday
Dec142009

New Cisco 802.11n Antennas for AP1250

Long over due from Cisco. If anyone uses these I would like to hear your feedback.

Cisco has just introduced three new antennas to give additional options in AP1250 installations. The ANT2451NV is a ceiling mount, dual-band omnidirectional 802.11n antenna, and the ANT2460NP and ANT5160NP are 802.11n patch antennas for 2.4GHz, and 5GHz respectively.

Please see the following part numbers, list pricing, and installation references.

  • AIR-ANT2451NV-R= 2.4 GHz 3 dBi/5 GHz 4 dBi 802.11n dual band omni antenna $475
  • AIR-ANT2460NP-R= 2.4 GHz 6 dBi 802.11n directional antenna $350
  • AIR-ANT5160NP-R= 5 GHz 6 dBi 802.11n directional antenna $350