Wednesday, December 23, 2009

Helpful images

Cisco Compatible Extensions Security Features Example


From ccie(w)

Four-Way Handshake


From ccie(w)

Proactive Key Caching Architecture


From ccie(w)

WEP Encapsulation Process


From ccie(w)

WPA2 AES CCMP


From ccie(w)

WPA TKIP


From ccie(w)

Unified Wireless Rogue AP Detection


From ccie(w)

Tuesday, December 22, 2009

Management Frame Protection (MFP) & WPS settings

[notes]
WPS is casually mentioned in and around enabling MFP and MFP settings, but I found a link to a list of error messages that seem to indicate what it is/does: LINK 
  • wireless protection policy (WPS)
    • List of "show wps" commands: LINK 
Seems that you can't enable  ap-authentication until MFP is disabled:
  • MFP must be disabled before AP neighbor authentication is enabled.
And when you enable ap-authentication, NTP must be enabled on all switches in a multi-switch environment:
  • Please enable NTP on all switches in a multi-switch environment.
    I found a nice thread on the Cisco Learning Network about MFP Settings 


    and then I found a totally sweet blog about Wireless LAN Security Best Practices and other assorted wireless stuff by Herbert Haas some of it is a bit dated, but some of it is still applicable: LINK


    Then I found the Infrastructure Management Frame Protection (MFP) with WLC and LAP Configuration Example document:
    LINK

    Found this too - the Lightweight Access Point (LAP) Authorization in a Cisco Unified Wireless Network Configuration Example: LINK

    Configuring Filters

    [notes]
    I've never personally setup a wireless filter for a client for any reason - I've never had to micromanage a wireless network to that degree - well now I've got to - ok, so here are my notes that I found interesting while reading the "configuring filters" section of the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points 12.3(7)JA LINK


    • Using the CLI, you can configure up to 2,048 MAC addresses for filtering. Using the web-browser interface, however, you can configure only up to 43 MAC addresses for filtering.
    • Avoid using both the CLI and the web-browser interfaces to configure the wireless device. If you configure the wireless device using the CLI, the web-browser interface might display an inaccurate interpretation of the configuration. However, the inaccuracy does not necessarily mean that the wireless device is misconfigured. For example, if you configure ACLs using the CLI, the web-browser interface might display this message: "Filter 700 was configured on interface Dot11Radio0 using CLI. It must be cleared via CLI to ensure proper operation of the web interface." If you see this message you should use the CLI to delete the ACLs and use the web-browser interface to reconfigure them.
    • MAC address filters are powerful, and you can lock yourself out of the access point if you make a mistake setting up the filters. If you accidentally lock yourself out of your access point, use the CLI to disable the filters.
    • To make sure the filter operates properly, use lower case for all the letters in the MAC addresses that you enter. 
    • Client devices with blocked MAC addresses cannot send or receive data through the access point, but they might remain in the Association Table as unauthenticated client devices. Client devices with blocked MAC addresses disappear from the Association Table when the access point stops monitoring them, when the access point reboots, or when the clients associate to another access point.  
    • If you plan to block traffic to all IP addresses except those you specify as allowed, put the address of your own PC in the list of allowed addresses to avoid losing connectivity to the access point.  
    For specific Ethertype filters - refer to this Appendix of Protocol Filters from the Cisco IOS Software Configuration Guide for Cisco Aironet Access Points 12.3(7)JA: LINK






    Video of my wireless lab hardware

    How to broadcast multiple SSIDs on a Cisco autonomous access point

    Today I helped a customer implement a new SSID/VLAN on their network - and it was a trip back in time - as I've not laid eyes on a WLSE to configure autonomous access points in well over three years.

    I didn't realize that by default an autonomous access point won't broadcast two ssids on a single dot11radio interface.  Thank goodness for the internet - I found the solution and here are the two links I used for the proper configuration of dual broadcasting ssids:

    http://www.ja.net/services/authentication-and-authorisation/janet-roaming/technology.html#wireless_networks 

    http://www.cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/command/reference/cr12410b-chap2.html#wp2700587 

    A basic config example for broadcasting more than one SSID on a Cisco autonomous AP:
    (your AP must be running 12.3.8-JEC(GD) IOS firmware or newer to use these commands)


    dot11 ssid TEST1
    mbssid guest-mode

    dot11 ssid TEST2
    mbssid guest-mode

    Then you have to enable mbssid globally on your radio-interface:

    interface
    Dot11Radio0
    mbssid
    ssid TEST1
    ssid TEST2

    Monday, December 21, 2009

    WPA LEAP WPA2 PEAP

    [notes]

    dot11 ssid WPA2LEAP
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa version 2
       guest-mode

    int dot11radio1
    ssid WAP2LEAP
    encryption mode ciphers tkip
    -------------------------------------------------
    dot11 ssid WPA2PEAP
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa version 2
       guest-mode

    int dot11radio1
    ssid WAP2PEAP
    encryption mode ciphers aes-ccm
    -------------------------------------------------
    dot11 ssid WPALEAP
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa
       guest-mode

    int dot11radio1
    ssid WPALEAP
    encryption mode ciphers tkip
    -------------------------------------------------
    dot11 ssid WPAPEAP
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa
       guest-mode

    int dot11radio1
    ssid WPAPEAP
    encryption mode ciphers aes-ccm

    Thursday, December 10, 2009

    Configuring WDS with RADIUS server

    It has been *forever* since I've had to configure WDS - and as expected - it took me some time to get it configured properly, even with the Wireless Domain Services Configuration document from Cisco.

    I tried to configure both APs to be WDS infrastructure aps and thought I had to change the encryption types on the  SSIDs because of this document here: Configuring WDS, Fast Secure Roaming, and Radio Management


    I followed the configuration guide and used the GUI to intially configure WDS, then referred back to the CLI to observe which commands were entered as a result.


    Added configuration information for WDS infrastructure authentication of APs:


    aaa group server radius wlccp_server
     server 192.168.1.2 auth-port 1812 acct-port 1813
    !
    aaa group server radius wlccp_client
     server 192.168.1.2 auth-port 1812 acct-port 1813
    !
    aaa authentication login method_wlccp_server group wlccp_server
    aaa authentication login method_wlccp_client group wlccp_client
    !
    wlccp ap username wlccpuser password 0 wlccppassword

    wlccp authentication-server infrastructure method_wlccp_server
    wlccp authentication-server client any method_wlccp_client
      ssid WPA
    wlccp wds priority 200 interface BVI1

     

    Wednesday, December 9, 2009

    CCIE Wireless Lab Exam Topics (Blueprint) (as of 12/9/09)

    Exam Sections and Sub-task Objectives   
       
    1    Implement network infrastructure to support WLANs
    1.01    Implement Catalyst configuration (VLANs, VTP, STP, Trunk, Portchannel,LB..)
    1.02    Implement network connectivity in WLC
    1.03    Implement network connectivity in LAP (local mode, hreap + local switching)
    1.04    Implement network connectivity in AP (multiple vlans, vs single vlan)
    1.05    Configure client to connect/authenticate to SSIDs
    1.06    Implement DNS, DHCP, NTP
    1.07    Implement QoS to support voice services over the switching infrastructure
    1.08    Implement basic IP routing
    1.09    Troubleshoot network infrastructure to support Wireless

    2    Implement Autonomous Infrastructure
    2.01    Configure WDS
    2.02    Implement local radius
    2.03    Implement SSID/MBSSID as needed: Security policies and Bridging groups
    2.03    (a) Security policies
    2.03    (b) Bridging groups
    2.04    Implement radio roles
    2.05    Implement antenna settings
    2.06    Implement association filters
    2.07    Implement and control management access
    2.08    Implement MFP
    2.09    Implement multicast settings
    2.1    Implement QOS
    2.11    Implement peer to peer blocking
    2.12    Troubleshoot bridge connectivity problems
    2.13    Convert Autonomous to LWAP

    3    Implement Unified Infrastructure
    3.01    Implement Interface settings
    3.02    Implement mobility groups
    3.03    Implement WLANs
    3.04    Implement multicast settings
    3.05    Implement and control management access
    3.06    Implement controller redundancy/fallback
    3.07    Implement discovery mechanisms
    3.08    Implement AutoRF to adapt to site requirements
    3.09    Check and validate current channel/power settings
    3.1    Validate trap generation, notifications in WCS/WLC

    4    Implement Unified Controllers and AP's
    4.01    Implement peer to peer blocking
    4.02    "Implement Security
    4.02    (a) WPS settings
    4.02    (b) MFP/AP authentication
    4.02    (c) AP authorization"
    4.03    Implement QOS
    4.04    Implement local EAP authentication (against local user list, and external LDAP)
    4.05    Implement L3 security policies (Webauth, pass-through)
    4.06    Implement wired and wireless Guest
    4.07    Implement L2 security policies (802.11i, static dynamic WEP, mac filtering, etc..)
    4.08    Implement Local DHCP services for clients
    4.09    Implement AAA (WLC to Radius/LDAP)
    4.1    Troubleshoot client connectivity problems

    5    Implement Unified WCS and Location
    5.01    Implement controllers to WCS
    5.02    Create and deploy template, template groups
    5.03    Prepare building/floor map
    5.04    Create floor coverage proposal
    5.05    Implement location server
    5.06    Tune location services given needs (tag tracking, notifications, timers)
    5.07    Validate client connectivity/troubleshoot client via WCS/WLC
    5.08    Validate location information in WCS/WLC
    5.09    Validate security events with WCS/WLC
    5.1    Validate location information in WCS/WLC
    5.11    Validate trap generation, notifications in WCS/WLC
    5.12    Validate client connectivity/troubleshoot client via WCS/WLC

    6    Implement Voice over Wireless
    6.01    Implement support for 7920/7921 deployments, for both Unified and Autonomous
    6.02    Implement QoS settings:
    6.02    (a) Voice/Video
    6.02    (b) EDCA
    6.03    Audit voice deployment

    Tuesday, December 8, 2009

    AP as Local Authenticator (RADIUS)


    I'm digging into my trouble spots as the lab date gets closer.  There are many configurations I've never implemented through the course of work I've done as a wireless engineer.. now it is time to get into unfamiliar territory, no matter how simple it is.


    Section 4.09 - Implement AAA (WLC to Radius/LDAP)
    To start this off - there have been many configurations I've done where I've pointed a WLC to a RADIUS server & given each a shared secret, but I've never setup an AP to be its own RADIUS server, or pointed an autonomous AP at a RADIUS server.  I tackled these configurations this week.


    Pointing an AP to itself for RADIUS authentication was pretty straight forward once I used the right IP address for the RADIUS server.. 

    debug radius auth
    debug radius local-server

    These two commands are what made it clear that something was really wrong, and explained why the RADIUS auth was timing out.


    *Mar  3 22:15:01.564: RADIUS: no sg in radius-timers: ctx 0x139F050 sg 0x0000
    *Mar  3 22:15:01.564: RADIUS: Fail-over to (192.168.1.1:1645,1646) for id 1645/2


    The AP's IP address was 192.168.1.2 - and I'd mistakenly entered 192.168.1.1 - should have been obvious, but I missed the error initially.

    They key entries in the AP config were (in this order):

    ip dhcp excluded-address 192.168.1.1 192.168.1.5
    ip dhcp pool DHCP_POOL
       network 192.168.1.0 255.255.255.0

    aaa new-model
    aaa group server radius rad_eap
     server 192.168.1.2 auth-port 1812 acct-port 1813

    radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key 0 radiuskey
    radius-server vsa send accounting

    radius-server local
      nas 192.168.1.2 key 0 radiuskey
      group admins
        ssid WPA
      user jsmith password 0 jsmithpassword group admins


    aaa new-model
    aaa authentication login eap_methods group rad_eap

    dot11 ssid WPA
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa
       guest-mode
       infrastructure-ssid optional


    References for the configuration were found on Cisco's site:
     LEAP Authentication on a Local RADIUS Server 

    Configuring an Access Point as a Local Authenticator
    How to configure different security options on a Cisco AP


    Wednesday, December 2, 2009

    Packet Captures!

    [notes]
    I'm sure this is all rehash - but here are links to others' great work done in capturing wireless packets & explaining each step.  No reason to reinvent the wheel.


    http://www.aircrack-ng.org/doku.php?id=wpa_capture

    Tutorial: How to crack WEP on a Wireless Distribution System (WDS)?
    http://www.aircrack-ng.org/doku.php?id=wds


    http://www.aircrack-ng.org/doku.php?id=videos


    http://perform.wpi.edu/wsniffer/

    sample TKIP parameters (pg 1183):

    http://www.scribd.com/doc/21723074/802-11-2007


    Wifi / Wireless LAN captures / 802.11

    http://wiki.wireshark.org/SampleCaptures#head-8200ea41fe91ebefa1b6ea9f86d344c290241276



    Monday, November 30, 2009

    7921G Deployment Guide

    [notes]
    If using 7921G world mode phone, you must enable 802.11d
        world-mode dot11d country US both

    If the AP does not support CCX or proxy ARP is not enabled, then the idle battery life will be up to 50% less.  Set the DTIM period to 2 and beacon period to 100

    TSpec has precedence over QBSS
    TCLAS is supported in WLC release 5.1.1.51.0

    Multicast packets are set at the highest basic data rate enabled.  Capacity and throughput are reduced when lower rates are enabled.

    Cisco APs can support up to 27 bi-directional RTP streams for 802.11a and 802.11g at a data rate of 24Mb+.  To achieve this, you must use U-APSD, and have minimal WLAN background traffic & RF utilization.  At 6 MBps, a Cisco AP can support up to 13 bi-directional RTP streams.

    DTPC
    Do not use the default setting of Max Power for client power, as this setting will not advertise DTPC to the client

    5Ghz channels overlap their adjacent channel, so there should be at least one channel of separation for adjacent Access Points.

    If planning to use UNII-2 extended channels (100-140), it is recommended to disable UNII-2 channels 52-64 on the AP.  Having many 5GHz channels enabled on the WLAN can delay discovery of new APs.

    If using 802.11b in a high multipath environment, lower data rates should be used in those areas (1&2MBps)

    To see all APs in the neighbor list menu, place a call to a wired IP phone, where scanning occurs constantly while the phone call is active in auto scan mode.

    WCS Client Calibration + RFID Tags

    [notes]
    Open caveat with dual band client calibration cscsh88795 – calibrate one band at a time or use two client devices to calibrate both bands simultaneously.  CCXv1 or Non CCX clients will be forced to reassociate/reauthenticate to generate probe requests.  They do not respond to unicast radio measurement requests

    When doing calibration – temporarily disable TPC, ensure WLAN calibration client connects to is configured to support Aironet IE.

    To use a “test point” in WCS – Advanced Debug must be enabled on the location appliance/MSE

    802.11b asset tags that transmit messages using L2 multicasts will not cause the initiation of any 802.11g protection mode under any circumstances.  This includes CCXv1 tags.
        - A probe request from an 802.11b tag that is not associated to an AP does not cause protection mode.  Not until the asset tag associates to the cell in question, or an adjacent cell on the same channel.  APs not on the same channel as the tag or not an adjacent RF, no protection mode is enabled.

    Enable Asset tag RF Data timeout – (valid range: 60-7200) (default: 1200)
    -    recommended to be set to a minimum of 3x to a maximum of 8x the longest tag transmission interval found in the general tag population.  This should be inclusive of any stationary and “in-motion” transmission intervals.

    RFID data timeout should always be greater than the asset tag polling interval on the location appliance/MSE

    Recording asset tag location history is disabled by default.
    The archival interval between writes of historical data to the database is 720 seconds by default.

    Tag activator range = 3 feet

    Transmission parameters:
    -    message repetitions: change from default value of 1 to 3 to overcome the tags’ transmissions being lost due to lost RSSI readings.  Settings above 5 are not necessary.

    LOCP Echo Request: 100 bytes transmitted on TCP destination port 16113
    LOCP Echo Response: 100 bytes
    LOCP Info. Request: From location appliance to WLC, 106 bytes on TCP destination port 16113
    LOCP Info. Response: from WLC to location appliance, if no tags are detected – 113 bytes, one tag detected – 144 bytes, two tags detected – 175 bytes (example tag tx not including telemetry data)

    Tag high priority notifications:
    When a call button is depressed on an asset tag (CCX compliant) a LOCP Information Notification is transmitted by the WLC to the location appliance/MSE.  The basic size is 130 bytes
    This transmission is sent to the location appliance/MSE for each high priority notification sreceived by EACH of the WLC’s registered APs.

    Chokepoint triggers in WCS
    Range value set on chokepoints is only for a visual aide of the chokepoint range.  The vendor’s management application is what truly adjusts the chokepoint range.

    Chokepoint usage – checkbox must be enabled in order for the location appliance/MSE to use chokepoint location techniques to localize tags.

    Chokepoint out of range timeout – this is the timer that is used to age the last “in-range” report received from  or received for an asset tag that is being localized using chokepoint location techniques

    AeroScout T2 tags
    The typical size of the tag multicast frame emitted when in the proximity of a chokepoint trigger = 71 bytes
    The routine periodic transmission = 56 bytes
    There are an extra 8 bytes of vendor specific information included

    CCX allows tags to communicate historical information about the chokepoints they traverse to CUWN.  This can increase the size of the frame by 10 bytes per chokepoint trigger (depending on number of historical entries maintained)

    The number of LOCP measurement notification generated by one or more WLCs for a single tag transmits multicast frames indicating it has been triggered by a chokepoint depends on:
    -    the number of registered APs within range of the tag that detected the chokepoint event
    -    the number of times the tag will transmit a multicast frame on each configured 802.11 channel in response to the chokepoint trigger

    The repetition count of the multicast frames sent after an exciter event is managed independent of the repetition count for other tag events.  This is configured on a per-exciter basis

    A tag sends one multicast frame from an exciter event – the WLC parses it into two separate LOCP notifications
        LOCP measurement notification – contains chokepoint group information = 160 bytes
    LOCP information notification – contains vendor specific information = 138 bytes in length

    The fragment number should always start from zero even if the burst length is zero.
    For a packet burst, the fragment number should be set to N where N is the packet index within the burst starting from zero.

    show RFID summary
    show RFID config
    config advanced location expiry {calibrating client|client|rogue-APs|tags}
    config advanced location RSSI-half-life {calibrating client|client|rogue-APs|tags}

    If tag detection is enabled and the asset tag is configured to transmit on the channel the AP is configured for, check to see that the AP is forwarding the multicast packet to the WLC by using this debug:
    debug dot11 dot11radio0 trace print mcast
        *as of code version 4.1 – this command must be entered at the AP console, it cannot be entered remotely at the WLC.

    verify asset tag telemetry and events:
    debug MAC addr [MAC address]
    debug dot11 RFID enable
    show LOCP status
    debug LOCP event enable

    v4.2 of CUWN introduces an enhancement that allows for individual limits to be placed on what portion of the location appliances’ aggregate tracked device capacity is allocated to each tracked device category (clients, tags, rogues)
     

    LBS 4.1 Design Guide

    [notes]
    TDOA formula: D=C(t)
    Distance in Meters = propagation speed of ~300m/microsecond (time in microseconds)

    TDOA uses relative time measurements at each receiving sensor in place of absolute time measurements.  It does not require a synchronized time source – the TDOA receivers require a time sync.
        TDOA is rooted in hyperbolic lateration, also referred to as Enhanced Observed Time Difference

    Path loss model for indoor propagation:
    PL = PL1meter + 10log (dn) + s

    PL = total path loss between receiver and sender in dB
    PL1meter = reference path loss for desired frequency when receiver to transmitter distance is one meter
    d = distance between receiver and transmitter in meters
    n = path loss exponent for the environment
    s = standard deviation associated with the degree of shadow fading present in the environment in dB
    Pure RSS based lateration techniques that do not take additional steps to account for attenuation and multipath in the environment rarely produce acceptable results except in very controlled situations

    Angle of arrival – (direction of arrival) locates the mobile station by determining the angle of incidence at which signals arrive at the receiving sensor.
        Well known implementation – VOR VHF Omnidirectional Range – system used for aircraft navigation from 108.1 – 117.95 MHz

    Location Patterning – may be implemented totally in software, which can reduce complexity and cost significantly compared to angulation or purely time based lateration systems.

    Location Patterning Positioning Algorithms:
    deterministic – attempt to find minimum statistical signal distance between a detected RSSI location vector and the location vectors of the various calibration sample points
    probabilistic – use probability inferences to determine the likelihood of a particular location given that a particular location vector array has already been detected.
    other techniques – neural networks, support vector modeling outside boundaries of deterministic and probabilistic approaches.

    It is not possible to use calibration data in more than one area of a building.  Despite any similarities, the probability that the location vectors collected at the same positions on each floor being identical is significantly low. *Cisco RF fingerprinting can share RF calibration models

    Active logistics shipping & receiving area:
    Accuracy degradation of 20% can reasonably be expected in a 30 day period
    It is not unreasonable to expect to re-verify calibration data accuracy quarterly and to plan for a complete recalibration semi-annually.

    Client probing
    Unassociated clients generate probe requests quite regularly.  Associated clients scan less often and may active scan or passive scan, or a mix of the two.  Passive scanning does little to improve location fidelity.

    CCXv2 clients support S36 Radio Measurement Requests and will perform active scanning and probe all configured SSIDs on command.
        CCX Location Measurement in WLC can be adjusted from 60 seconds (default) to 32,400 seconds

    WCS WLAN clients – first 250 are displayed, to view location data of those beyond the first 250, client filtering must be enabled

    Off-channel scans occur for ~500ms out of every 180 seconds of operation.
    -    or ~50ms per non-primary channel per 180 second interval

    APs configured as WGB do not respond to broadcast Radio Measurement Requests.  use IOS CLI command mobile station period threshold
    -    this command causes the WGB to perform an active scan when it detects low AP RSSI, excessive interference or a high % of frame loss

    Tag batter state info can be pushed via asynchronous NB notifications from the location appliance (MSE), tag telemetry is made available to location clients only via the SOAP/XML API

    Location appliance/MSE disk space command:
    df –H

    The dual on-board Ethernet controllers on the location appliance (MSE) are NOT intended for redundant/simultaneous connections to the same IP network.  This configuration is not recommended at this time

    #/etc/init.d/loc serverd stop
    #shutdown –h now
    The remote SSH session will be terminated before power down will be visible.  Wait 2 minutes after disconnect before powering off the location appliance/MSE

    Insufficient inter-Access Point distance can expose the system to short range antenna pattern anomalies, which may also be non-conducive to good location accuracy.
        distances of 40~70ft between each AP is best, they should be spaced greater than 28ft apart

    7921g, -67dBm, 20% overlap, 25dB SNR = 24 ft cell size
    Inter-Access Point spacing = 33 ft

    APs that are placed into the design solely for location purposes should not be included in either RRM TX PWR CTRL or coverage hole remediation processes.  Configure a static channel/power to remove them from the RRM process.

    WLC config checklist

    [notes]
    Set QoS to platinum
    enable WMM to enable QoS & ability to use U-APSD
    disable DHCP address assignment requested
    ensure Aggressive Load Balancing is disabled

    Settings>Status>Site Survey (from phone menu)
    When not in a call the phone only scans other non associated channels once the current signal strength reaches a certain threshold.  To see all APs, place a call to a wired IP phone

    Coverage statistics can be viewed by telnetting to the 7921 phone

    Vocera
    DHCP server cannot be run on the Vocera server
    -    devices may get duplicate IP addresses
    -    devices may not get IP addresses
    -    devices may get invalid, unusable information
    -    no DHCP option 150 is needed

    Badge broadcast is sent by the badge at DSCP EF, when the multicast comes back to the group from the WLC, it is marked as “best effort”

    792X and Client Roaming

    [notes]
    Client roaming – values are communicated to CCX compliant clients.  may be a little low for a VoWLAN deployment, as VoWLAN cell sizes are usually smaller.

    Voice call admission control – default value for Max Bandwidh = 75%

    For best performance, the most accurate assessment of call capacity; Load Based AC should be enabled.
        Max RF Reservation should not be greater than 60% - set at 40-60%

    Troubleshooting – WCS is best place to start

    DHCP option 150 = TFTP server for phone firmware

    To reset the phone to factory defaults = **2
    To unlock the phone configuration = **#

    7921s do not support WPA2 with TKIP
    7921s support WPA2 with AES, but CCKM is not supported

    ACS must be configured to explicitly support EAP-FAST authentication.  7921g supports only the automatic provisioning of the PAC, so Anonymous In-Band PAC Provisioning must be enabled.

    If a 7921 phone has both radios enabled:
    -    if default AUTO-RSSI is enabled, the phone will associate to the strongest RSSI on bootup
    -    if auto b/g or auto a is enabled, the phone will connect to auto setting and will fall back to non specified frequencies if the specified frequency is unavailable.  If the phone has associated to an AP on a particular band, it will only scan for & roam to APs on the same frequency band.
     

    Device Mobility

    [notes]
    Device mobility info – configures IP subnets and associates device pools to the IP subnets
    Device mobility group – defines a logical group of sites with similar dialing patterns
    Physical Location – geographically located device pools

    Roaming Sensitive Settings – override the device level settings when a device is roaming within or outside a device mobility group

    Device Mobility Related settings – will override the device level settings only when the device is roaming within a device mobility group

    DTIM settings are global, not to be changed on a per WLAN basis.
    RRM baseline level changed from -65dbm to -70dbm in 4.1.185 code

    If RF-Group mode is disabled, the WLCs run computations based only on the neighbor data gathered from the APs connected to that WLC via LWAPP, trying to optimize the signal to -70dbm between APs.

    Within an AP-group, there may be APs that do not see each other.  These APs form a logical RF sub-group whose RF parameters are calculated separately.

    The RF Group leader uses the gathered values to determine whether another channel schema will result in an improvement of at least 5db SNR for the worst performing AP.
        Preference is given to APs based on utilization.  A less used neighbor has a higher likelihood of having its channel changed

    show AP auto-RF IEEE {802.11a|802.11b} [AP-name]

    Transmit power level assignment is controlled by the TPC algorithm that is run at fixed intervals of every 10 minutes by default.
    TPC tries to adjust levels downward
    There is a 6db hysteresis used built into the TPC algorithm to prevent it from continuously hunting for the -70dbm value.

    Monitor intervals determine how often the APs stop serving clients to perform RRM & wireless duties.


    Saturday, November 14, 2009

    VoWLAN Design Guide 4.1

    [notes]
    VoWLAN Design Guide 4.1



    U-APSD – the primary benefit is that it allows the voice client to synchronize the transmit and receive of voice frames with the AP, thereby allowing the client to go into power-save mode between the transmit and receive of each voice frame tuple.


    The use of U-APSD allows the use of long DTIM intervals to maximize standby time without sacrificing call quality (also increases call capacity)

    Client in power save detects data waiting for it at the AP via the presence of a TIM in the AP beacon. The client PS-polls the AP to get the data


         There are two major problems with this:
            1. Requiring PS-polls on top of the normal data exchange to go through the standard access delays associated with DCF.
            2. Retrieving the buffered data is dependent on the DTIM, which is a multiple of the beacon interval. Standard beacon intervals are 100ms, DTIM intervals can be integer multiples of this.

    The AP sends data to the client as a TXOP burst where only the first frame has the EDCF access delay.
          - timing of the polling is controlled via the client. Jitter introduced is symmetric rather than N x 100ms

    TSpec allows an 802.11e client to signal its traffic requirements to the AP. It can also be used to control the use of various ACs in EDCF. The use of EDCF ACs rather than HCCA to meet TSpec requests is possible in many cases because the traffic parameters are sufficiently simple to allow them to be met by allocating capacity rather than creating a specific TXOP to meet the application requirements.

    QoS Basis Service Set (QBSS) is an IE element advertised by the Cisco AP. The load field indicates the portion of available bandwidth currently used to transmit data on the AP.


    1 octet 1 octet 4 bytes
    ELEMENT ID (11) LENGTH LOAD


    There are three QBSS IEs that need to be supported in certain situations
    • Old QBSS (draft 6 pre-standard)
    • New QBSS (draft 13 IEEE 802.11e (standard))
    • New distributed cac load IE (a Cisco IE)
    **The various QBSS IEs use the same ID, and therefore the three QBSSs are mutually exclusive. For example, the beacons and probe responses can contain only one QBSS IE.


    The QBSS used depends on the WMM & 7920 phone settings on the WLAN.
          Client CAC limit – supports legacy 7920 code pre v2.01
          AP CAC limit -7920 settings are learned from the WLAN advertisement

    Enabling admission control determines how much AP bandwidth will be set aside for voice clients attempting to roam to the AP. This is based on the APs capacity, not factoring in the possible channel loading impact of other APs in the area. Load Based ac uses channel load in capacity calculations.

    TSpec admission control is used to protect high priority resources, not to deny clients access to the WLAN.


    L2 LWAPP does not effectively support QoS because the AP does not send the 802.1p/q tags and in L2 LWAPP there is not an outer DSCP on which to fall back because the AP no longer uses NULL VLAN ID
          - APs carry out EDCF-like queuing on radio egress
          - APs do FIFO on the Ethernet egress

    Call capacity assuming no competing high priority WLAN traffic & normal background noise:
          - 14 simultaneous call son 2.4ghz
          - 20 simultaneous call son 5ghz

    WLAN QoS is performed AFTER the CCA.

    Standard office environment – AP client RADIUS of 43 feet, co-channel interference RADIUS of 150 feet using 2db gain antennas and a power output of 16dbm (40mw)

    VoWLAN & 5ghz – generally recommended to use the lower 4 channels & upper 4 channels. These channels do not require the use of DFS or TPC.
          UNII-1: 36, 40, 44, 48
          UNII-2: 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140
          UNII-3: 149, 153, 157, 161


    show {IEEE 802.11a | IEEE 802.11bg} L2 roam RF-params
    show {IEEE 802.11a | IEEE 802.11bg} L2 roam statistics [AP-MAC]
    show client roam-history [client-MAC]

    EIGRP – two main route summarization ways in campus test architecture = route summarization & stub
          reduce EIGRP hello/dead timers to 1 & 3 seconds (hello = 1 & dead = 3) rather than the default timers of 5 & 15


    QoS policing – check on classification using port trust state & policy maps being mutually exclusive in 2970, 3560, and 3750s


    Deployment models for Cisco Unified Communication Manager
    number of call processing agent clusters
    number of IP phones
    location of the call processing clusters & IP phones

    For voice traffic, it is better to deny network access under congestion conditions that to allow traffic to be dropped or delayed.

    QoS protects voice from being overrun by data
    CAC protects voice from voice
    CAC topology unaware – based on static configuration
    CAC topology aware – based on communication between call processing agent & the network about available resources – uses Resource Reservation Protocol (RSVP)


    LBS positioning technologies & TDOA

    [notes]
    LBS positioning technologies:
    • cell of origin (nearest cell)
    • distance (lateration)
    • angle (angulation)
    • location patterning (pattern recognition)
     RF fingerprinting – calibrating RF model to the particular environment
    location precision – repeatability/confidence level of successful detection 10m~90% of the time
    inter-access point recommended separation 50-70ft

    TDOA formula: D=C(t)



    Distance in Meters = propagation speed of ~300m/microsecond (time in microseconds)

    TDOA uses relative time measurements at each receiving sensor in place of absolute time measurements. It does not require a synchronized time source – the TDOA receivers require a time sync.


    TDOA is rooted in hyperbolic lateration, also referred to as Enhanced Observed Time Difference

    Path loss model for indoor propagation:


    PL = PL1meter + 10log (dn) + s

    PL = total path loss between receiver and sender in dB
    PL1meter = reference path loss for desired frequency when receiver to transmitter distance is one meter
    d = distance between receiver and transmitter in meters
    n = path loss exponent for the environment
    s = standard deviation associated with the degree of shadow fading present in the environment in dB


    Pure RSS based lateration techniques that do not take additional steps to account for attenuation and multipath in the environment rarely produce acceptable results except in very controlled situations


    Angle of arrival – (direction of arrival) locates the mobile station by determining the angle of incidence at which signals arrive at the receiving sensor.
         Well known implementation – VOR VHF Omnidirectional Range – system used for aircraft navigation from 108.1 – 117.95 MHz


    Location Patterning – may be implemented totally in software, which can reduce complexity and cost significantly compared to angulation or purely time based lateration systems.


    Location Patterning Positioning Algorithms:
         deterministic – attempt to find minimum statistical signal distance between a detected RSSI location vector and the location vectors of the various calibration sample points
         probabilistic – use probability inferences to determine the likelihood of a particular location given that a particular location vector array has already been detected.
         other techniques – neural networks, support vector modeling outside boundaries of deterministic and probabilistic approaches.

    It is not possible to use calibration data in more than one area of a building. Despite any similarities, the probability that the location vectors collected at the same positions on each floor being identical is significantly low. *Cisco RF fingerprinting can share RF calibration models

    Active logistics shipping & receiving area:
         Accuracy degradation of 20% can reasonably be expected in a 30 day period
    It is not unreasonable to expect to re-verify calibration data accuracy quarterly and to plan for a complete recalibration semi-annually.

    Client probing


    Unassociated clients generate probe requests quite regularly. Associated clients scan less often and may active scan or passive scan, or a mix of the two. Passive scanning does little to improve location fidelity.

    CCXv2 clients support S36 Radio Measurement Requests and will perform active scanning and probe all configured SSIDs on command.


    CCX Location Measurement in WLC can be adjusted from 60 seconds (default) to 32,400 seconds


    WCS WLAN clients – first 250 are displayed, to view location data of those beyond the first 250, client filtering must be enabled

    Off-channel scans occur for ~500ms out of every 180 seconds of operation.
         - or ~50ms per non-primary channel per 180 second interval


    APs configured as WGB do not respond to broadcast Radio Measurement Requests. use IOS CLI command mobile station period threshold


    - this command causes the WGB to perform an active scan when it detects low AP RSSI, excessive interference or a high % of frame loss


    Tag battery state info can be pushed via asynchronous NB notifications from the location appliance (MSE), tag telemetry is made available to location clients only via the SOAP/XML API

    Location appliance/MSE disk space command:
    df –H

    The dual on-board Ethernet controllers on the location appliance (MSE) are NOT intended for redundant/simultaneous connections to the same IP network. This configuration is not recommended at this time

    #/etc/init.d/loc serverd stop
    #shutdown –h now


    The remote SSH session will be terminated before power down will be visible. Wait 2 minutes after disconnect before powering off the location appliance/MSE


    Insufficient inter-Access Point distance can expose the system to short range antenna pattern anomalies, which may also be non-conducive to good location accuracy.
         distances of 40~70ft between each AP is best, they should be spaced greater than 28ft apart

    7921g, -67dBm, 20% overlap, 25dB SNR = 24 ft cell size
    Inter-Access Point spacing = 33 ft


    APs that are placed into the design solely for location purposes should not be included in either RRM TX PWR CTRL or coverage hole remediation processes. Configure a static channel/power to remove them from the RRM process.




     

    Mobile IP RFC 3344

    [notes]
    Mobile IP RFC 3344



    The Home Agent (HA) contains the location database unlike the CUWN, the HA does not maintain a distributed database between WLCs. It does not query other HA’s
     The mobile IP client joining the WLAN does not provide the HA with any information. There are two methods of client notification of a roam event:



    • Win OS L2 notification: Media Sense
    • Foreign Agent (FA) advertisements: the FAs are forwarded to the HA so the HA can build a new tunnel to the new FA and proceed to forward packets to the client.
    Several types of tunnels are available: GRE UDP IP in IP


    Behind a NAT gateway = UDP tunneling


    Typically, the foreign WLC modifies the destination MAC address of any packet from the wireless client to be its gateway MAC before forwarding it on.


    DHCP option 68 can be used to convey the HA to the MN (Mobile Node)

    Mobile IP client software manipulate the host’s forwarding table so that the lower metric interface is the mobile IP client interface




    VoWLAN

    [notes]
    VoWLAN



    Recommendation to place all antennas 1 to 2 wavelengths from highly reflective surfaces.
    2.4Ghz = 4.92 inches (12.5 cm)
    • 5GHz = 2.36 inches (6 cm)

    The human head and body attenuates 5db of RF signal
    If the antenna is in the body of the phone, the loss ~ 4db – 9db

    Handsets do not have diversity antennas due to the length of the 2.4ghz wavelength distance (4.92in)


    802.11A handsets do have a diversity antenna solution


    DFS, 802.11h
    When radar is detected:
    • stop packet transmission within 200ms
    • stop control transmission within 10 seconds
    • avoid transmitting on the channel for 30 minutes
    • scan a new channel for 60 seconds before transmitting

    Cisco recommends that for voice apps, the cell edge be determined by using the actual phone at the desired data rate.


    Voice packets sent between the AP and the phone are generally unicast RTP G711 packets with a typical size of 236 bytes.

    Cisco recommends all APs have a maximum transmission power of 13dBm.


    A call between two phones associated to the same AP counts as two active voice streams.

    Guest anchor WLC – can support EoIP tunnels from 40 WLCs and supports 2500 simultaneous users and has forwarding capacity of 2gbps.

    Multicast is not supported over guest tunnels.


    One additional port number can be monitored for redirection: network web-auth-port


    [notes]
    MESH



    By default, a RAP AP uses channel 161


    Background scanning on 1510s operates on the 802.11a link, for 1505s it operates on the 802.11b/g link.
    config mesh background-scanning enable/disable
    show mesh background-scanning

    Parent AP is chosen by using the adjusted ease. This is the ease of each neighbor divided by the number of hops to the RAP.
         Parents are given a 20% of bonus ease to reduce link flapping.

    Routing Around an Interface (RAI)


    config mesh secondary-backhaul enable


    For this to work properly, all APs beyond the first hop to the one that is being used on the first hop must be on the same channel. RRM does not work with RAI


    config mesh secondary-backhaul enable force same-secondary channel


    This forces the whole subtree rooted at one hop MAPs to have the same secondary channel. Ignore RRM or manually assigned for MAPs at two hops and deeper.


    Design constraints:

    Recommended backhaul is 18Mbps
    Number of backhaul hops – limit to 3 or 4
    Number of MAPs/RAP – suggested limit of 20/1

    Multiple RAPs for hardware diversity – deploy on same channel as primary RAP.
    32 MAPs/RAP limit should be remembered.


    Map density & distance
    If building out a mesh to backhaul data - 1000 Ft RADIUS
    Providing complete client coverage – 600 Ft RADIUS


    Cisco Unified Wireless QoS

    [notes]
    Cisco Unified Wireless QoS


    fixed network delay – encoding/decoding time
    variable network delay – queuing/congestion

    Radio downstream is most common deployment.
    Radio client upstream QoS depends on client implementation.


    When providing only radio downstream QoS from the AP, radio upstream client traffic is treated as best effort.


    Data frames in 802.11 are sent using distributed coordination function (DCF)
         interframe spaces – (SIFS, PIFS, DIFS)
         random backoff (contention window) DCF is used in 802.11 networks to manage access to the medium.


    Interframe spaces (base timing in 802.11b listed below – 802.11a/g are different)
         SIFS = 10us
         (PCF) PIFS = SIFS +1 x slot time = 30us
         (DCF) DIFS = 50us + 2 x slot time = 50us

    Random backoff
    When a data frame using DCF is ready to be sent it goes through the following steps:
         1. generates a random backoff number between 0 and a minimum contention window (CWmin)
         2. waits until the channel is free for a DIFS interval
         3. if the channel is still free, begins to decrement the random backoff number for every slot time (20us) that the channel remains free.
         4. if the channel becomes busy, the decrement stops & steps 2 – 4 are repeated
         5. if the channel remains free until the random backoff reaches zero, the frame can be sent.

    Contention window is defined by aCWmin & aCWmax
    The random number is between zero and aCWmin


    If the initial random backoff expires without successfully sending the frame, the STA or AP increments the retry counter & doubles the value random backoff window size. The doubling continues in size until the size equals aCWmax. The retries continue until the max retries or TTL is reached.
          This process is referred to as binary exponential backoff


    WMM is primarily the implementation of the EDCA component of 802.11e


    WMM uses the 802.11p classification scheme developed by the IEEE (now part of the 802.11d spec)

    U-APSD
    A U-APSD client remains listening to the AP until it receives a frame from the AP with an end of service period (EOSP) bit set. This bit tells the client it can now go back into power save mode. The use of U-APSD allows the use of long DTIM intervals to maximize standby time without sacrificing call quality.

    TSpec admission control – allows an 802.11e client to signal its traffic requirements to the AP. a TSpec request can be used to control the use of the various access categories in EDCA.
          - 7920 does not support TSpec
          - 7921G does support TSpec


    Add Traffic Stream (ADDTS) – it’s how a WLAN client performs an admission request to an AP. Signaling it’s TSpec request, an admission request is in one of two forms:


    ADDTS action frame – when a phone call is originated or terminated by a client associated to the AP


    Association & Re-association message – the association message might contain one or more TSpecs & one TSRS (traffic stream rate set) IE if the STA wants to establish the traffic stream as part of the association.


    WAN QoS & H-REAP – for locally switched WLANs with WMM traffic, the AP marks the dot1p value in the dot1q VLAN tag for upstream traffic. This occurs only on tagged VLANs; not on native VLANs.

    With multicast enabled, any kind of multicast packet received on the VLAN from the first hop router is transmitted over the wireless including HSRP hellos, all router, EIGRP, and PIM multicast packets.

    AP sends heartbeat messages to the WLC once every 30 seconds. If one response is missed, the AP sends 5 successive heartbeats (one per second) to determine whether connectivity still exists.

    Up to 8 H-REAP APs needs at least 128kbps. PKC capable clients that roam between H-REAP APs undergo full 802.1x authentication.

    If a WLAN is configured for IPSEC, CRANITE or FORTRESS, that WLAN cannot be configured for local switching on an H-REAP AP.

    If dynamic DHCP is used, establish more aggressive NAT translation entry timeouts for ports 12222 & 12223 to 20-25 seconds.


    ISRs CISF DSCP & dynamic ARP

    [notes]

    The only WLC that does not map WLAN traffic directly to a physical/logical interface at Layer 2 are ISR based WLC modules



    ISRs do not have access to all the IOS & IPS features. IP traffic from the WLAN clients must be directed in and out of specific ISR service module interfaces using IOS VRF features on the router.

    CISF is currently only available on the access switch – benefits obtained only if the traffic from the wireless attacker goes through the switch.


    The primary difference between an LAP & a standard client is that the DSCP value of a LAP should be trusted.

    Port security – if response is shutdown, port goes into err-disable. If response is restrict, traffic with unknown source MAC addresses is dropped
        - not recommended on H-REAP AP ports or WLC

    Dynamic ARP inspection – DAI is enabled on the access switch on a per-VLAN basis. This prevents ARP poisoning that may lead to MIM attacks. When DAI is configured on a VLAN, and ARP rate limiter is configured globally to prevent flooding of ARP requests coming from a certain port. The default value is 15 packets/sec. When the limit is reached, the port is disabled.


    Turn off ARP rate limiter on AP switchports
         IP ARP inspection limit none

    IP source guard - when enabled on an interface of the access switch, IP source guard dynamically creates a per port access list (PACL) based on the contents of the DHCP snooping binding table. There is an option (port security) to filter the incoming address, also using the MAC address in the DHCP snooping binding table.


    DHCP ARP Rogue Detection and MFPs

    [notes]
    DHCP & ARP protection

         When a WLC is a DHCP relay, it checks that the MAC included in the DHCP request matches the MAC of the WLAN client sending the request. The WLC does not forward DHCP requests back out the WLAN, this prevents a WLAN client from acting as a DHCP server.

    WLCs do not allow direct ARP communication between WLAN clients.

    AIR/RF detection
          When searching for a rogue AP, a LAP goes off channel for 50ms to listen for rogue clients and to monitor for noise & channel interference.


    Rogue detector – radio is OFF, its role is to listen on the wired network for MAC addresses of clients associated to rogue APs. It listens for ARP packets that include these macs.
          -should be connected to all available broadcast domains using a switched port analyzer (SPAN)


    MFP- the MIC used in MFP is not a simple crc hashing of the message – it also includes a digital signature component. This component is shared among mobility groups.

    Encryption Types

    [notes]
    TKIP is the encryption method certified as WPA

         two primary functions of TKIP are the generation of a per packet key using RC4 encryption of the MAC service data unit (MSDU) & a MIC in the encrypted packet. The IV changes with each frame transmission, and is susceptible to an active attack.

    AES counter mode/CBC MAC protocol (CCMP)
         Additional authentication data (AAD) is taken from the MAC header & included in the CCM encryption process.  To protect against replay attacks a sequenced (PN) packet number is included in the CCMP header.  The PN & portions of the MAC header are used to generate a nonce that is in turn used by the CCM encryption process.



    PKC – proactive key caching & CCM
     - an 802.11i extension that allows for the proactive caching (before a roam event) of the PMK that is derived during a client 802.1x/EAP authentication at the AP.


    CCKM – implementation is different than PKC, two mechanisms are incompatible.
                  show pmk-cache all

    802.11r workgroup is responsible for the standardization of an FSR mechanism for 802.11