CTS 068: Wi-Fi Network Access Control with Andrew Chappelle

In this episode, we welcome Andrew Chappelle from Calgary, Alberta, Canada.

We talked about network access control, focusing on securing the Wi-Fi network. He shared his experience with complex NAC systems such as Cisco ISE and Aruba ClearPass, and also shared his view of what the future of access control will look like.

Andrew Chappelle (CCIE-W #42377) works as a System Engineer for Aruba HPE out of Calgary. In his previous positions, he worked a lot on complex network access deployments. He is very knowledgeable about Wi-Fi and will soon be a CWNE! I guess we are going to have to bring him back on the show when he is! You can find him on Twitter at @AngryWrelessGuy. He blogs at angrywirelessguy.wordpress.com.

Interview with Andrew Chappelle

Wi-Fi Network Access Control

The WHY: Why do we need network access control for the WLAN infrastructure? Let’s talk about customers’ requirements:

  • Offer different access and levels of security for different types of users and devices
  • Enable easy and secure BYOD
  • Segment the Wi-Fi network so guest traffic is isolated
  • Make the user experience easier

The WHAT: What are the solutions to meet these requirements?

  • SSID for corporate users (would do both BYOD and corporate access) – SSID consolidation
  • SSID for guest
  • Profiling

The HOW: How do we implement it? What do we need to make it happen?

  • NAC server
  • Certificate PKI

We talked about the most common EAP methods used today.

What is coming next? What can we expect to see in these NAC solutions in the near future?
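The WHY/WHAT/HOW above describes one consolidated corporate SSID where the access a client gets depends on who authenticated and on what device, plus a separate, isolated guest SSID. The following is an added illustration of that authorization decision, written for this page and not taken from Cisco ISE or Aruba ClearPass. It returns the RADIUS attributes a NAC server would send to the controller to place the client in a VLAN and apply a role. The attribute numbers follow RFC 3580 (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802); the SSID names, VLAN ids, realm, CA name, profile labels and role names are constructed assumptions.

```python
"""Authorization policy for a consolidated corporate SSID plus a guest SSID.

Added example for this page; not ISE or ClearPass code. Inputs model what a
NAC server knows after EAP authentication and device profiling. All SSID,
VLAN, realm, CA and role values below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

CORP_SSID = "corp-wifi"            # assumption: the consolidated corporate SSID
GUEST_SSID = "guest-wifi"          # assumption: isolated guest SSID
CORP_REALM = "corp.example"        # assumption: identity realm of employees
CORP_CA = "CN=Corp Issuing CA"     # assumption: issuer of machine/user certs from our PKI


@dataclass(frozen=True)
class AuthContext:
    ssid: str
    eap_method: str            # "EAP-TLS", "PEAP-MSCHAPv2", "MAB" (no EAP, MAC auth)
    identity_realm: str        # realm of the authenticated identity, "" if none
    device_profile: str        # profiling result: "corp-managed", "personal", "unknown"
    cert_issuer: Optional[str] = None   # issuer DN when a client certificate was presented


@dataclass(frozen=True)
class Decision:
    accept: bool
    role: str
    vlan: Optional[int]
    reason: str

    def radius_attributes(self) -> Dict[str, object]:
        """Attributes for the Access-Accept (RFC 3580 tunnel attributes plus a
        Filter-Id naming the controller-side role). Empty for a reject."""
        if not self.accept:
            return {}
        return {
            "Tunnel-Type": 13,                 # VLAN
            "Tunnel-Medium-Type": 6,           # IEEE-802
            "Tunnel-Private-Group-ID": str(self.vlan),
            "Filter-Id": self.role,
        }


def authorize(ctx: AuthContext) -> Decision:
    """Map an authentication context to a network access decision.

    Order matters: guest SSID first (always isolated), then the strongest
    evidence (our PKI on a managed device), then employee credentials on a
    personal device (BYOD), and finally a fail-closed reject."""
    if ctx.ssid == GUEST_SSID:
        # Guest traffic is segmented onto its own VLAN regardless of identity.
        return Decision(True, "guest-internet-only", 30, "guest SSID is always isolated")

    if ctx.ssid != CORP_SSID:
        return Decision(False, "reject", None, "unknown SSID")

    if ctx.eap_method == "EAP-TLS":
        if ctx.cert_issuer != CORP_CA:
            # A certificate not chained to our PKI proves nothing about the user.
            return Decision(False, "reject", None, "client certificate not from corporate PKI")
        if ctx.device_profile == "corp-managed":
            return Decision(True, "corp-full", 10, "corporate certificate on managed device")
        return Decision(True, "byod-limited", 20, "corporate certificate on unmanaged device")

    if ctx.eap_method == "PEAP-MSCHAPv2" and ctx.identity_realm == CORP_REALM:
        # Password credentials never earn full access; BYOD gets a limited role.
        return Decision(True, "byod-limited", 20, "corporate credentials on unmanaged device")

    # Anything else (MAB on the corporate SSID, foreign realm, unknown device)
    return Decision(False, "reject", None, "no trusted identity; fail closed")


if __name__ == "__main__":
    samples = [  # constructed sample sessions
        AuthContext(CORP_SSID, "EAP-TLS", CORP_REALM, "corp-managed", CORP_CA),
        AuthContext(CORP_SSID, "PEAP-MSCHAPv2", CORP_REALM, "personal"),
        AuthContext(GUEST_SSID, "MAB", "", "unknown"),
        AuthContext(CORP_SSID, "EAP-TLS", CORP_REALM, "personal", "CN=Some Other CA"),
    ]
    for s in samples:
        d = authorize(s)
        print(f"{s.ssid:10} {s.eap_method:14} {s.device_profile:13} -> {d.role:20} {d.radius_attributes()}")
```

The design point is that one SSID can carry both corporate and BYOD clients because the decision is made per session from the EAP method, the certificate issuer and the profiling result, while guest devices never reach that logic at all.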

Resources

Links to ISE documentation:

Links to ClearPass documentation:

Upcoming Episode on Wi-Fi Issue

Here is the link to the Wi-Fi issues submission form for one of our upcoming episodes.

This Week In Wireless

Cisco – New AireOS version – released version 8.3.111.0

Adaptive 802.11r

802.11r is the IEEE standard for fast roaming, also known as Fast Transition (FT): the initial handshake with the target AP is completed before the client actually roams to it. Adaptive 802.11r allows you to set up a WLAN without setting Fast Transition (FT) to Enable. Apple iOS 10 clients signal the Cisco APs that they support this functionality, the Cisco APs signal back that adaptive 802.11r is supported on the network, and the client performs an FT association on the WLAN.

Legacy wireless clients that do not support 802.11r can still join the same network, but they do not benefit from faster FT roaming. Legacy devices that do not recognize the FT AKMs in beacons and probe responses join as 802.11i/WPA2 devices.
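The paragraph above hinges on what the beacon advertises: the AKM suites listed in the RSN information element decide whether an FT-capable client can do an FT association and whether a legacy client still finds a plain 802.11i/WPA2 AKM to fall back to. The following is an added example for this page, not Cisco or Apple code, that builds constructed RSN IE bodies, parses them with bounds checks, and applies that selection rule. The element layout and the suite selector numbers (OUI 00-0F-AC, AKM 1 = 802.1X, 2 = PSK, 3 = FT-802.1X, 4 = FT-PSK; cipher 2 = TKIP, 4 = CCMP) are from IEEE 802.11; the sample beacons are constructed, not captured.

```python
"""Parse the RSN IE of a beacon and decide FT vs. plain 802.11i association.

Added illustration for this page; not Cisco or Apple code. Suite selector
values follow IEEE 802.11 (RSNE); the sample beacons below are constructed.
"""
import struct
from typing import List, Optional, Tuple

OUI_IEEE = b"\x00\x0f\xac"                     # IEEE 802.11 suite selector OUI
CIPHER_NAMES = {2: "TKIP", 4: "CCMP"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK"}
FT_AKMS = {3, 4}

Suite = Tuple[bytes, int]                      # (OUI, selector)


def build_rsn_ie(pairwise: List[int], akms: List[int], group: int = 4) -> bytes:
    """Construct an RSN IE body (element id and length header omitted) from
    IEEE suite selector numbers. Used here only to make sample beacons."""
    body = struct.pack("<H", 1) + OUI_IEEE + bytes([group])        # version 1, group cipher
    body += struct.pack("<H", len(pairwise))
    body += b"".join(OUI_IEEE + bytes([c]) for c in pairwise)      # pairwise cipher list
    body += struct.pack("<H", len(akms))
    body += b"".join(OUI_IEEE + bytes([a]) for a in akms)          # AKM suite list
    body += struct.pack("<H", 0)                                    # RSN capabilities
    return body


def _u16(body: bytes, off: int) -> int:
    if off + 2 > len(body):
        raise ValueError("truncated RSN IE at offset %d" % off)
    return struct.unpack_from("<H", body, off)[0]


def _suite(body: bytes, off: int) -> Suite:
    if off + 4 > len(body):
        raise ValueError("truncated suite selector at offset %d" % off)
    return body[off:off + 3], body[off + 3]


def parse_rsn_ie(body: bytes) -> Tuple[Suite, List[Suite], List[Suite]]:
    """Return (group_cipher, pairwise_ciphers, akms). Every read is bounds
    checked so a short or malformed element raises instead of over-reading."""
    if _u16(body, 0) != 1:
        raise ValueError("unsupported RSN version")
    off = 2
    group = _suite(body, off)
    off += 4
    pairwise = []
    for _ in range(_u16(body, off)):
        off += 4 if pairwise else 2          # first iteration skips the count
        pairwise.append(_suite(body, off))
    off += 4 if pairwise else 2
    akms = []
    for _ in range(_u16(body, off)):
        off += 4 if akms else 2
        akms.append(_suite(body, off))
    return group, pairwise, akms


def choose_akm(akms: List[Suite], client_supports_ft: bool) -> Optional[str]:
    """Select the AKM a client would use. An FT-capable client prefers an
    FT AKM; a legacy client ignores FT AKMs and takes the first plain one,
    joining as 802.11i/WPA2. None means no mutually supported AKM."""
    ieee = [sel for oui, sel in akms if oui == OUI_IEEE and sel in AKM_NAMES]
    ft = [s for s in ieee if s in FT_AKMS]
    plain = [s for s in ieee if s not in FT_AKMS]
    if client_supports_ft and ft:
        return AKM_NAMES[ft[0]]
    if plain:
        return AKM_NAMES[plain[0]]
    return None


# Constructed sample beacons: CCMP, with mixed AKMs vs. FT-only AKMs.
MIXED_BEACON = build_rsn_ie(pairwise=[4], akms=[1, 3])
FT_ONLY_BEACON = build_rsn_ie(pairwise=[4], akms=[3])

if __name__ == "__main__":
    for label, beacon in (("mixed", MIXED_BEACON), ("ft-only", FT_ONLY_BEACON)):
        _, _, akms = parse_rsn_ie(beacon)
        print(label, "FT client ->", choose_akm(akms, True),
              "| legacy client ->", choose_akm(akms, False))
```

Run stand-alone it shows the two cases from the paragraph: with both 802.1X and FT-802.1X advertised, an FT-capable client gets FT-802.1X and a legacy client still joins with 802.1X, whereas an FT-only beacon leaves the legacy client with no usable AKM.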

This feature is supported on the following Wave2 APs:

  • Cisco Aironet 1560 Series APs
  • Cisco Aironet 1800 Series APs
  • Cisco Aironet 2800 Series APs
  • Cisco Aironet 3800 Series APs

QoS Fastlane

QoS Fastlane simplifies the application traffic prioritization process so that network congestion is minimized and time sensitive traffic (like voice or video) is delivered on time.

To choose which iOS apps have their traffic prioritized by QoS Fastlane, configure the network with a configuration profile.

This feature support now extends to the following Cisco APs:

  • Cisco Aironet 1560 Series APs
  • Cisco Aironet 1800 Series APs
  • Cisco Aironet 2800 Series APs
  • Cisco Aironet 3800 Series APs

Temporal Key Integrity Protocol (TKIP) Support

TKIP security protocol option is supported on the following Cisco APs:

  • Cisco Aironet 1560 Series APs
  • Cisco Aironet 1810 Series APs
  • Cisco Aironet 1815 Series APs
  • Cisco Aironet 1830 Series APs
  • Cisco Aironet 1850 Series APs
  • Cisco Aironet 2800 Series APs
  • Cisco Aironet 3800 Series APs

Resolved Caveats

CSCus83638 Cisco AP 5-GHz radio is stuck – beaconing continues but does not accept client associations.

CSCva32411 Clients losing connectivity when reauthenticating with 802.1X over Cisco 702w AP

CSCvb72192 Cisco 1850 APs running Click OS: iPhone 6S fails to connect to adaptive 802.11r WLAN

Ask a Question

From Temur:
“Hello, do you have experience using EAP-SIM or Hotspot 2.0 in hotels or public areas to avoid installation of 3G/4G retranslators from GSM providers? The problem is, if there is no 3G coverage on hotel floors, all the providers are installing those ugly antennas at each floor, near to my APs. We have three providers, so imagine what will happen to the hotel design if all of them try to install antennas. Is it possible to use existing WiFi infrastructure to avoid such installations?”

Response

If you’re using Cisco APs, such as the 3700s, you could use the module for cell service.

The best option is to use Wi-Fi calling, but you need to verify that it works with your carrier. Some carriers do not support it, and some devices do not support Wi-Fi calling either.

The other option is to install a DAS (distributed antenna system) and have all providers share it. This should be possible without having to install separate antennas for each carrier. Check out CTS050.

WLANCOMP.com

The WLAN Community Compensation Comparison is a survey conducted by Keith Parsons late last year.
You can compare what your compensation would be if you were to move somewhere else.

On top of this, Keith tweeted a few results from the compensation survey this week:

802.11eh Patches

Brennan Martin has some cool 802.11eh Canadian Wi-Fi patches. Cost per patch is $6 USD, which is just enough to cover his cost.

WLPC Videos

The videos from WLPC Phoenix 2017 have been released. Check them out on Keith’s Vimeo page.

Carrier Wave

Other very good blog articles were shared in the Carrier Wave paper this week.

Following up with WLPC:

  • Install Spectools on the WLPC Odroid
  • Giving back to the community by Rasika

Join Clear To Send

Come join the Clear To Send community.

About the Author
Rowell, CWNE #210, is a network engineer in Higher-Ed. He enjoys working with wireless networking technologies and loves to share and engage with the community. You can connect with him on Twitter, LinkedIn, and Facebook.
