Thursday, October 29, 2009

EAP Packet Types, EAP Supplicants


EAP request - sent by the authenticator to the supplicant
     The type field indicates what is being requested.
     The sequence number allows the authenticator peer to match the response to the request.
EAP response - sent by the supplicant to the authenticator
     The sequence number is used to match the EAP request,
     except if the response is a negative acknowledgement (NAK).
EAP success - sent from the authenticator to the supplicant
     Sent when successful authentication has occurred.
EAP failure - sent from the authenticator to the supplicant
     Sent when unsuccessful authentication has occurred.
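As an added example (not from these notes), the four packet types above parsed from raw bytes in Python, with the matching rule for responses. The Code values 1-4 and the Legacy Nak type (3) come from RFC 3748, which calls the notes' "sequence number" the Identifier field; the sample exchange, the EAP-TLS/PEAP type numbers used in it (13 and 25) and all helper names are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# EAP Code values and the Legacy Nak type are from RFC 3748; the field the
# notes call a "sequence number" is the RFC's Identifier byte.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_NAK = 3
CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type
    type_data: bytes


def parse_eap(raw: bytes) -> EapPacket:
    """Parse the 4-byte EAP header (Code, Identifier, Length) and, for
    Request/Response, the Type byte and Type-Data that follow it."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than 4-byte header")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if code not in CODE_NAMES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(raw):
        raise ValueError(f"bad EAP length {length} for {len(raw)} bytes")
    body = raw[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response missing Type byte")
        return EapPacket(code, identifier, length, body[0], body[1:])
    return EapPacket(code, identifier, length, None, body)


def matches_request(request: EapPacket, response: EapPacket) -> bool:
    """A Response answers a Request when the identifiers agree and it either
    echoes the requested Type or is a Legacy Nak proposing other types."""
    if request.code != EAP_REQUEST or response.code != EAP_RESPONSE:
        return False
    if request.identifier != response.identifier:
        return False
    return response.eap_type in (request.eap_type, EAP_TYPE_NAK)


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None,
              type_data: bytes = b"") -> bytes:
    """Constructed helper to build test packets with a correct Length field."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


# Constructed sample exchange: the authenticator requests EAP-TLS (type 13),
# the supplicant NAKs and proposes PEAP (type 25); identifier 7 on both.
REQ_TLS = build_eap(EAP_REQUEST, 7, 13)
RESP_NAK = build_eap(EAP_RESPONSE, 7, EAP_TYPE_NAK, bytes([25]))
RESP_WRONG_ID = build_eap(EAP_RESPONSE, 8, 13)   # identifier mismatch
SUCCESS = build_eap(EAP_SUCCESS, 8)

if __name__ == "__main__":
    for name, pkt in [("request", REQ_TLS), ("nak", RESP_NAK), ("success", SUCCESS)]:
        p = parse_eap(pkt)
        print(name, CODE_NAMES[p.code], "id", p.identifier, "type", p.eap_type)
    print("nak matches request:", matches_request(parse_eap(REQ_TLS), parse_eap(RESP_NAK)))
```

The Length check matters on a real authenticator: a Response whose Length claims more bytes than arrived must be rejected rather than read past the buffer.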

EAP Supplicants
  • PEAP MSCHAPv2 - uses a TLS tunnel to protect an encapsulated MSCHAPv2 exchange between WLAN clients and the authentication server.
  • PEAP GTC - uses a TLS tunnel to protect a generic token card exchange (one-time password or LDAP authentication).
  • EAP FAST - uses a tunnel similar to PEAP, but does not require a PKI.
  • EAP TLS - uses PKI to authenticate the WLAN network to the WLAN client, requiring a client certificate and an authentication server certificate

Data Rates, RRM, Auto RF, Rogue detection scanning

Data rate set to mandatory - allows transmission of all packets, unicast and multicast.  If more than one data rate is set to mandatory, multicast/broadcast frames are sent at the highest mandatory rate common to all associated clients.

Data rate set to supported - allows transmissions at this rate for unicast packets only.

The transmit power control (TPC) and dynamic frequency management performed by RRM are not the TPC and DFS required for operation in the UNII-2 bands that are defined in 802.11h.

WLC code version 4.815 introduced a significant number of enhancements to RRM.

Auto RF: In each RF group, a leader is chosen.  The leader collects network wide neighbor information from a group of controllers and the leader does the channel/power computation for an optimal system wide map.

APs transmit RRM neighbor packets at full power at regular intervals.  These messages contain a field that is a hash of the RF group name, BSSID and timestamp.  Once packets are validated to have the same RF group name as the receiving AP, the information is forwarded to the WLC with the LWAPP packet status field containing the SNR and RSSI of the received neighbor packet.

TPC performs only downward power level adjustments.
Coverage hole detection and correction increases power levels.

When the average SNR of a single client dips below the SNR threshold for at least 60 seconds, this is seen as an indication that the WLAN client does not have a viable location to which to roam.
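The 60-second rule above, written out as a detector over constructed SNR samples. This is an added example and not the WLC's own coverage-hole algorithm: the threshold value, the averaging window and the sample data are assumptions made for the example; only the "average SNR below threshold for at least 60 seconds" condition comes from the notes.

```python
from collections import defaultdict, deque

SNR_THRESHOLD_DB = 12      # assumed threshold for the example (configurable on the WLC)
HOLD_SECONDS = 60          # from the notes: below threshold for at least 60 s
AVG_WINDOW_SECONDS = 30    # assumed trailing window for the per-client SNR average


def coverage_hole_events(samples, threshold=SNR_THRESHOLD_DB,
                         hold=HOLD_SECONDS, window=AVG_WINDOW_SECONDS):
    """samples: (timestamp_s, client_mac, snr_db) tuples in time order.
    Returns [(client_mac, timestamp_s)], one event per continuous stretch in
    which the client's trailing-window average SNR stays below threshold for
    at least `hold` seconds. A short dip that recovers produces no event."""
    history = defaultdict(deque)   # client -> recent (t, snr) within the window
    below_since = {}               # client -> time the average first fell below
    reported = set()
    events = []
    for t, client, snr in samples:
        h = history[client]
        h.append((t, snr))
        while h and h[0][0] <= t - window:   # drop samples older than the window
            h.popleft()
        avg = sum(s for _, s in h) / len(h)
        if avg < threshold:
            below_since.setdefault(client, t)
            if client not in reported and t - below_since[client] >= hold:
                events.append((client, t))
                reported.add(client)
        else:
            below_since.pop(client, None)
            reported.discard(client)
    return events


def _constructed_samples():
    """Constructed telemetry, one reading per client every 10 s for 120 s:
    client aa:aa drops to 8 dB at t=30 and stays there; bb:bb dips for 40 s only."""
    rows = []
    for t in range(0, 130, 10):
        rows.append((t, "aa:aa", 30 if t < 30 else 8))
        rows.append((t, "bb:bb", 8 if 50 <= t <= 80 else 30))
    return rows


SAMPLES = _constructed_samples()

if __name__ == "__main__":
    print(coverage_hole_events(SAMPLES))   # only aa:aa qualifies
```

With the 30-second trailing average, aa:aa's average first falls below the threshold at t=50, so the event fires at t=110; bb:bb's 40-second dip never satisfies the hold time and is ignored, which is the point of the rule: a brief dip is not evidence that the client lacks anywhere to roam.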

Client load balancing is applied at client association time, not once a client is already connected.

Rogue detection scanning happens off-channel for periods of no more than 60 ms, during which the AP listens on other channels.  Packet headers are forwarded to the WLC for analysis.  On average, this is 0.2% of the AP's time.

Client Power, Best Practices, Channel Topology & Range

Client power should be adjusted to match the AP power settings.
Maintaining a higher setting on the client does not result in higher performance and it can cause interference in nearby cells.

Antennas give the WLAN three fundamental properties:

Best Practices:
  Number of users per AP: 15-25 (data only), 7-8 (voice)
  Limit data rates

Changes to the channel topology cause clients to reassociate and calls to drop.  Changes in AP power do not impact client connectivity.

Range generally increases by approximately 30% for every halving of the data rate.

Sunday, October 11, 2009

RF Power Terminology

dB - attenuation/amplification of a power level, expressed as ten times the base-10 logarithm of the ratio of two powers, as shown here:
  • dB = 10 x Log10 (P1/P2)
dBi - power gain rating of antennas
dBm - uses the same calculation as dB, but with a fixed reference value of 1 mW.  Can also describe receiver sensitivity in -dBm.

Data networks: AP separation of 120-130 feet
Voice networks: cell edge at -67 dBm, 2 non-overlapping APs at an RSSI +35
                baseline power of 35-50 mW
                requires 15% more APs than a 100 mW deployment
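The dB and dBm relations above carried through in Python, using the figures from these notes (35-50 mW voice baseline, 100 mW deployment, -67 dBm cell edge). This is an added example, not part of the original notes; the `power_budget_dbm` helper and its cable-loss parameter are assumptions added to show that gains and losses add in the log domain.

```python
import math


def db(p1: float, p2: float) -> float:
    """dB = 10 x log10(P1/P2): the ratio of two powers, as in the notes."""
    return 10 * math.log10(p1 / p2)


def mw_to_dbm(mw: float) -> float:
    """dBm is the same calculation with P2 fixed at the 1 mW reference."""
    return db(mw, 1.0)


def dbm_to_mw(dbm: float) -> float:
    """Inverse of mw_to_dbm; lets a receiver sensitivity such as -67 dBm be read in mW."""
    return 10 ** (dbm / 10)


def power_budget_dbm(tx_dbm: float, antenna_dbi: float = 0.0,
                     cable_loss_db: float = 0.0) -> float:
    """Assumed helper: in the log domain antenna gain (dBi) adds and cable
    loss (dB) subtracts, with no multiplication of linear powers needed."""
    return tx_dbm + antenna_dbi - cable_loss_db


# Figures taken from the voice-network notes above.
VOICE_BASELINE_MW = (35, 50)
DATA_REFERENCE_MW = 100
VOICE_CELL_EDGE_DBM = -67


def voice_vs_data_step_db() -> float:
    """How far below a 100 mW deployment the 50 mW voice baseline sits, in dB
    (halving the power is always -3.01 dB, whatever the absolute level)."""
    return db(VOICE_BASELINE_MW[1], DATA_REFERENCE_MW)


if __name__ == "__main__":
    for mw in (*VOICE_BASELINE_MW, DATA_REFERENCE_MW):
        print(f"{mw} mW = {mw_to_dbm(mw):.2f} dBm")
    print(f"{VOICE_CELL_EDGE_DBM} dBm = {dbm_to_mw(VOICE_CELL_EDGE_DBM):.3e} mW")
    print(f"50 mW vs 100 mW: {voice_vs_data_step_db():.2f} dB")
```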

APs have an aggregate throughput lower than the data rate because 802.11 provides a reliable transport mechanism that ACKs all packets, thereby halving the throughput on the channel.

Saturday, October 10, 2009

WLAN RF Design Considerations

Higher frequencies exhibit less range and are subject to greater attenuation from solid objects.

FCC = 11 channels
ETSI = 13 channels
TELEC = 14 channels (special licensing needed for Channel 14)

UNII-1
  • frequency - 5.150 - 5.250 GHz
  • channels - 36, 40, 44, 48
UNII-2
  • frequency - 5.250 - 5.350 GHz
  • channels - 52, 56, 60, 64
  • requires DFS/TPC
UNII-2 (new channels/2004)
  • frequency - 5.470 - 5.725 GHz
  • channels - 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140
  • frequency - 5.725 - 5.825 GHz
  • channels - 149, 153, 157, 161, 165
  • requires DFS/TPC
802.11a has 23 usable channels (where permitted)

IEEE 802.11 Task Group Initiatives: LINK

DSSS encodes redundant information into the RF signal; the chipping sequence is 11 chips per bit.
Binary Phase-Shift Keying / Quadrature Phase-Shift Keying (BPSK/QPSK) at 1 Mbps / 2 Mbps.
8 chips at the 5.5 and 11 Mbps data rates.
At 11 Mbps, 8 bits are transmitted for every one bit of data.

The chipping sequence is transmitted in parallel across the spread spectrum frequency range.

802.11g Modulation and Transmission Types: LINK

Enterprise Design Guide

L2 LWAPP tunnel uses Ethertype 0xBBBB to encapsulate traffic between the AP and WLC.
L2 LWAPP does not provide corresponding CoS marking for Ethertype frames and is not able to provide transparent end-to-end QoS.

LWAPP control packet originates from UDP source port 12223
Control type 12 is the configuration command to a LWAPP AP by a WLC

AP groups do not allow multicast roaming across group boundaries.

RF group leaders exchange RRM messages every 600 seconds by default.
Maximum number of WLCs per RF group = 20

Mobility Tunneling - If uRPF checks are enabled on the next-hop routed interface, traffic is dropped after the client roams to a different subnet.

The benefit of DHCP Proxy is realized during an L3 client roam, or when a client roams across an AP group boundary.  In these cases, the WLC receives a DHCP renewal request, verifies that the client is roaming within the mobility group, and allows the client to renew (keep) its IP address/subnet assignment even though the client roamed to a new subnet on a foreign WLC.
  • DHCP Proxy is required with asymmetric mobility tunneling.
The default behavior of the WLC is to respond to ARP queries directly based on its local ARP cache.  The WLC CLI command
         network arpunicast enable
can be used to override this behavior.  The purpose of this command is to avoid excessive retries by IP clients looking for a WLAN client that may have roamed from the WLAN network.

Broadcast & Multicast traffic
When enabled, this is a global setting:
-disable CDP on interfaces connecting to WLCs
-port filter incoming CDP and HSRP traffic on VLANs connecting to the WLCs
-multicast security, including link layer multicast security, must be considered

Centralizing WLCs
The distributed deployment model is not recommended because of current shortcomings with multicast support associated with L3 roaming.

Average LWAPP control-plane traffic on the network is approximately 0.35 kb/sec.
The overhead introduced by tunneling (L3) adds 44 bytes to a typical IP packet to/from a WLAN client.  With an average packet size of 300 bytes, this is approximately a 15% overhead increase.

Additionally, Cisco recommends that Catalyst Integrated Security Features (CISF) be enabled on the LWAPP AP switchports to provide additional protection to the WLAN infrastructure.

APs in the same physical location should be joined to the same WLC.
All APs without primary, secondary or tertiary WLC definitions will join a WLC configured for master controller mode.

Firmware changes
-Migrate APs to secondary WLC, upgrade primary WLC and then migrate APs back in a controlled manner.
AP failback should be disabled to ensure APs return to their primary WLC in a controlled manner.

Wired Guest Access Using WLCs

Two separate solutions - VLAN translation and Auto Anchor mode

Single Controller/VLAN translation mode
The access switch trunks wired guest traffic in the guest VLAN to the WLC providing the guest access solution.  This WLC carries out the VLAN translation from the ingress wired guest VLAN to the egress VLAN.

Two WLCs/Auto Anchor Mode
The access switch trunks wired guest traffic to a local WLC nearest the access switch.  This local WLC anchors the client onto a DMZ anchor WLC configured for wired and wireless guest access.

5 guest LANs for wired guest access are supported
  security: open, web-auth, web pass-through

If the EoIP tunnel between the remote and anchor WLC fails, the client database is cleaned up from the anchor WLC.  The client needs to re-associate and reauthenticate.

  • Multicast and broadcast traffic on wired guest LANs is dropped.

  • No L2 security is supported

    MFP with WLC & LAP

    Client MFP is supported on v4.1.171.0 and above.
    Version provides optimal performance with MFP.

    MFP adds a long set of information elements to each probe request or SSID beacon.  Some clients cannot process this information and may not be able to associate to an SSID with MFP enabled.

    The AP adds a MIC IE to each management frame.
    NTP must be used to ensure timestamp synchronization.

    The MIC is added to the end of the frame before the FCS.
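An illustrative model of what the MIC IE and timestamp above buy the receiver, as an added example that is not Cisco's MFP format and not code from these notes: a constructed management frame body gets a vendor-style IE carrying a timestamp and a truncated HMAC, followed by a CRC32 standing in for the FCS, and the validator shows why NTP matters (a frame whose timestamp is outside the skew window is rejected even with a valid MIC). The IE id, MIC length, skew window, key and frame body are all assumptions made for the example.

```python
import hashlib
import hmac
import struct
import zlib

MIC_IE_ID = 0xDD         # assumed: vendor-specific element id for the toy MIC IE
MIC_LEN = 8              # assumed: truncated MIC length in the toy format
MAX_SKEW_SECONDS = 5     # assumed replay window; NTP keeps AP clocks within it
IE_TOTAL_LEN = 2 + 4 + MIC_LEN   # id, len, 4-byte timestamp, MIC


def add_mic_ie(frame_body: bytes, key: bytes, timestamp: int) -> bytes:
    """Append the toy MIC IE to a management frame body, then the FCS.
    Layout: body || IE(id, len, timestamp[4], mic) || CRC32 over everything before it,
    so the MIC sits at the end of the frame just before the FCS, as in the notes."""
    ts = struct.pack("!I", timestamp)
    mic = hmac.new(key, frame_body + ts, hashlib.sha256).digest()[:MIC_LEN]
    ie = bytes([MIC_IE_ID, 4 + MIC_LEN]) + ts + mic
    protected = frame_body + ie
    return protected + struct.pack("!I", zlib.crc32(protected) & 0xFFFFFFFF)


def unprotected_frame(frame_body: bytes) -> bytes:
    """Constructed helper: a frame with an FCS but no MIC IE (what a spoofer sends)."""
    return frame_body + struct.pack("!I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def validate_frame(frame: bytes, key: bytes, now: int):
    """Return (ok, reason): check the FCS, then the MIC over body+timestamp,
    then that the timestamp is within the clock-skew window."""
    if len(frame) < 4 + IE_TOTAL_LEN:
        return False, "too short"
    payload, fcs = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(payload) & 0xFFFFFFFF != fcs:
        return False, "bad fcs"
    body, ie = payload[:-IE_TOTAL_LEN], payload[-IE_TOTAL_LEN:]
    if ie[0] != MIC_IE_ID or ie[1] != 4 + MIC_LEN:
        return False, "mic ie missing"
    ts = ie[2:6]
    expected = hmac.new(key, body + ts, hashlib.sha256).digest()[:MIC_LEN]
    if not hmac.compare_digest(expected, ie[6:]):
        return False, "bad mic"
    if abs(now - struct.unpack("!I", ts)[0]) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    return True, "ok"


KEY = b"constructed-demo-key"   # constructed; a real deployment derives keys per AP
DEAUTH_BODY = b"constructed deauthentication frame body"

if __name__ == "__main__":
    genuine = add_mic_ie(DEAUTH_BODY, KEY, 1000)
    print("genuine, clocks in sync:", validate_frame(genuine, KEY, 1002))
    print("genuine, clocks 100 s apart:", validate_frame(genuine, KEY, 1100))
    print("no MIC IE at all:", validate_frame(unprotected_frame(DEAUTH_BODY), KEY, 1002))
```

The "stale timestamp" branch is the one operators trip over: with infrastructure MFP enabled and an AP whose clock has drifted, otherwise valid frames are reported as validation errors, which is why the notes insist on NTP.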

    Infrastructure MFP is enabled/disabled on the WLC globally.
    Protection can be disabled per AP.
     - protection: disable on WLANs with devices that cannot cope with the extra IEs
     - validation: disable on APs that are overloaded/overpowered.

    Client MFP Functionality
    Encrypts management frames sent between APs and CCXv5 clients so that they can drop spoofed class 3 management frames (disassociation, deauthentication and QoS/WMM actions).
    Clients must support CCXv5 MFP and must negotiate WPA2 with either TKIP or AES-CCMP.
    EAP or PSK can be used to obtain the PMK.
    CCKM and controller mobility management are used to distribute session keys between APs for L2 and L3 fast roaming.
    CCXv5 clients do not emit any broadcast class 3 management frames.

    Client MFP does not use the key generation and distribution mechanisms that were derived for Infrastructure MFP.  Instead, client MFP leverages the security mechanisms defined by IEEE 802.11i to also protect class 3 unicast management frames.

    AES-CCMP and TKIP protected frames include a sequence counter in the IV fields.

    The current transmit counter is used for both data and management frames, but a new receive counter is used for management frames.

    MFP-1 reporting mechanisms are used to report management frame de-encapsulation errors detected by APs.  The WLC collects MFP validation errors and forwards the collated information to WCS.

    Clients that are not CCXv5 can associate with an MFP-2 WLAN.  The APs keep track of these MFP-2 clients and determine whether MFP-2 security measures are applied to outbound unicast management frames and expected on inbound unicast management frames.

    MFP is not supported on APs in rogue-detection or sniffer mode.

    If Client MFP is required, all clients must support MFP-2 or they are unable to connect to the WLAN.

    Controller Menu>Security>Wireless Protection Policies>Management Frame Protection
       controller time source valid = false (this indicates the time on the WLC is set locally)

    show wps summary
    show wps mfp summary
    show ap config general [ap-name]

    debug wps mfp lwapp
    debug wps mfp detail
    debug wps mfp report
    debug wps mfp mm

    QoS on WLANs

    L2 - 802.1p
    L3 - IP DSCP

    It is not possible to tag packets with DSCP between the WLC and AP if no DSCP or 802.1p is in the original packet (outer header).

    There is no support for CoS markings on WLANs in L2 LWAPP mode.

    Traffic Classification Chart: LINK

    You cannot use WMM mode on the SSID if 7920 phones are in use
    You cannot use WMM mode & Client Controlled CAC on the same WLAN

    When AP-controlled CAC is used, the AP sends out a Cisco proprietary CAC information element and does not send the standard QBSS IE.

    APs must be on trunk ports to join a WLC if the WLC is in L2 mode and WMM is enabled.

    Multicast Roaming

    L2: sessions are maintained simply because the foreign AP (if configured properly) already belongs to the multicast group and traffic is not tunneled to a different anchor point on the network.
    L3: depends on what tunneling mode is configured on the WLCs.  The IGMP messages sent from a wireless client can be affected.

    Default mobility tunneling mode is asymmetrical.

    Use the 239/8 block.
    Do not use 239.0.0.x or 239.128.0.x - these overlap with link-local multicast MACs and are flooded out all switch ports even with IGMP snooping turned on.
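Why those two ranges are a problem, as an added example (not from the original notes): the IPv4-multicast-to-MAC mapping keeps only the low 23 bits of the group address, so 32 different groups share one MAC, and 239.0.0.x / 239.128.0.x land on the same 01:00:5e:00:00:xx MACs as the link-local 224.0.0.x groups that switches flood regardless of IGMP snooping. The helper names are my own; the mapping itself is the standard RFC 1112 one.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv4Network("224.0.0.0/24")   # groups switches always flood


def multicast_ip_to_mac(addr: str) -> str:
    """RFC 1112 mapping: 01:00:5e prefix + the low 23 bits of the group address.
    The 5 bits after the leading 1110 are discarded, so 32 groups share a MAC."""
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def mac_aliases(addr: str):
    """All 32 IPv4 multicast groups that map to the same MAC as addr."""
    base = int(ipaddress.IPv4Address(addr)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | base)) for i in range(32)]


def collides_with_link_local(addr: str) -> bool:
    """True when addr shares its MAC with a 224.0.0.0/24 group; such traffic is
    flooded to every port even with IGMP snooping enabled."""
    return any(ipaddress.IPv4Address(a) in LINK_LOCAL for a in mac_aliases(addr))


def check_group_plan(groups):
    """Audit a constructed list of planned WLAN multicast groups; returns the
    ones that must be renumbered before deployment."""
    return [g for g in groups if collides_with_link_local(g)]


# Constructed plan: two of these fall in the ranges the notes warn about.
PLANNED_GROUPS = ["239.0.0.5", "239.128.0.5", "239.1.1.1", "239.255.10.20"]

if __name__ == "__main__":
    for g in PLANNED_GROUPS:
        print(g, "->", multicast_ip_to_mac(g), "FLOODED" if collides_with_link_local(g) else "ok")
    print("renumber:", check_group_plan(PLANNED_GROUPS))
```

The same 32:1 overlap also means any two chosen groups whose addresses differ only in the second octet's top 5 bits (e.g. 239.1.1.1 and 239.129.1.1) will be delivered to the same set of snooping-switch ports, so it is worth running the planned group list through `mac_aliases` even outside the link-local case.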

    WLCs drop any multicast packets to 12222, 12223, or 12224.
    Multicast traffic is transmitted at the 6 Mbps data rate on the 802.11a network.
    If several WLANs try to transmit at 1.5 Mbps, packet loss occurs.

    If the source of the multicast group is on a wired LAN, the source IP address for the multicast group is the management interface of the WLC.

    If the source of the multicast group is a wireless client, the multicast packet is unicast to the WLC, and the WLC makes two copies of it.  One copy is sent out the VLAN associated with the WLAN SSID on which it arrived.
    --This enables receivers on the wired LAN to receive the multicast stream and lets the router learn about the new multicast group.  The second copy is LWAPP encapsulated and sent to the LWAPP multicast group so that wireless clients can receive the multicast stream.

    L2 switches: no configuration is required for multicast.  All IOS-based L2 switches have CGMP enabled by default.

    ip igmp join-group []

    Locating a faulty hop
    To display info on the last-hop router:
        show ip igmp
        show ip mroute
        show ip mcache
        show ip interface counts
        show ip mroute count

    Using the RPF interface info, move from the last-hop router toward the first-hop router following the IP address path.  Repeat all commands except show ip igmp.

    Multicast with WLCs

    APs accept IGMP queries only from the router, and multicast packets only with a source IP address of the WLC to which they are currently associated.

    Unicast - the WLC unicasts every multicast packet to every AP associated to the controller.  This is inefficient.
    Multicast - the WLC sends multicast packets to a multicast group.  Packet replication is done by the network.

    Broadcast & multicast traffic must be enabled separately.
    Broadcast is disabled by default:
        config network broadcast enable
    It uses the multicast mode configured on the WLC, even if multicast is not turned on.

    To enable broadcast without enabling multicast, you must use the CLI.  You cannot set the IP address or multicast mode unless multicast is enabled in the GUI.
        config network multicast mode multicast
        config network multicast mode unicast

    IGMP snooping must be enabled on the WLC to make multicast work with AAA override.
    IGMP snooping is not supported on 2000, 2100 or ISR modules

    CCIE Wireless - Lab Exam Reading List

    I have a feeling that the most useful documents in this reading list are going to be the Cisco design guides, and configuration guides. The Amazon reviews for the books recommended lean toward the information in the books being rather outdated (of course the IEEE standards book isn't outdated - it's a *standard*)

    The Cisco Product Documentation will be available while taking the lab, but it is no longer in the UniverCD format - it is the format found at this link.  It will take some time for me to get used to finding things through this menu interface.

    Reference Materials
    Design and Solution Guides
    •  Enterprise Mobility 4.1 Design Guide (October 31, 2007)
    •  Wi-Fi Location-Based Services 4.1 Design Guide (May 20, 2008)
    •  Voice over Wireless LAN 4.1 Design Guide (May 6, 2008)

    Configuration and Configuration Example Guides
    •  Cisco Wireless LAN Controller Configuration Guide, Release 4.2
    •  Cisco Location Appliance Configuration Guide, Release 3.1
    •  WLAN Controller Configuration Examples and TechNotes
    •  Cisco IOS Software Configuration Guide for Cisco Aironet Access Points Cisco IOS Releases 12.4(10b)JA and 12.3(8)JEC
    •  Cisco Wireless Control System Configuration Guide, Release 4.2
    •  Cisco Unified Wireless IP Phone 7921G Deployment Guide
    •  Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide, Release 4.0

    •  Cisco Spectrum Expert Users Guide
    •  IEEE 802.11 Handbook: A Designer's Companion, Second Edition
    •  IEEE 802.11 specification

    *also recommended: The Official CWNP Dictionary of Wireless Terms and Acronyms.

    CCIE Wireless Lab Equipment and Software List


    Of this list, I have one of everything *except* the 6500/SUP720/WiSM.. imagine that..

    My trouble spots

    From the CCIE Wireless Lab Exam Blueprint v1.0 (login required)

    I already know my trouble spots are these:
    Implement network infrastructure to support WLANs
    • Implement QoS to support voice services over the switching infrastructure

    Implement Autonomous Infrastructure
    • Configure WDS
    • Implement association filters
    • Implement multicast settings
    • Implement QoS

    Implement Unified Infrastructure
    • Implement multicast settings
    Implement Unified Controllers and APs
    • Implement security - WPS settings
    • Implement security MFP/AP authentication
    • Implement wired and wireless Guest access
    • Implement L2 security policies (802.11i, static dynamic WEP, mac filtering etc..)
    • Implement AAA (WLC to RADIUS/LDAP)
    Implement Unified WCS and Location
    • Create and deploy template groups
    • Implement location server
    • Tune location services given needs (tag tracking, notifications, timers)
    Implement Voice over Wireless
    • Implement support for 7920/7921 deployments for both Unified and Autonomous
    • Implement QoS settings (voice/video/EDCA)
    • Audit voice deployment

    Ok, here goes nuthin'

    I'm going to use this space to organize my thoughts in preparation for my CCIE wireless lab date.  I'll be documenting my weak spots in an effort to strengthen my knowledge on those topics.  I don't know if someone else will find this information useful, I can only hope.

    I've been working with wireless technology since 2003, and during that time I've done field upgrades of radio cards in preparation for LWAPP conversions, used a WLSE to schedule IOS upgrades, used WCS to perform simulated site surveys, the list goes on and on.  It is all in my LinkedIn profile if you're interested.. just ask!