
CTS 150: Wi-Fi Design Day, NAC, Troubleshooting, C9800, and More

Stephen Cooper flew from Australia to San Jose to record in person for Clear To Send. Really, he was in town for work and made time to meet with me, Rowell, to talk about different topics in wireless.

Interview with Stephen Cooper

We met at the Westin hotel which happened to be the quietest place downtown due to a winter holiday event occurring.

He’s a Technical Solutions Architect for Cisco, based in Australia. Previously he was the Ekahau SE for Asia Pacific, working out of Australia, and before that he was at Dimension Data.

It’s challenging to find wireless engineers who understand both wireless and network access control such as Cisco ISE or Aruba ClearPass. At Dimension Data Stephen had to work on these types of projects. Network access control usually falls to the security team, and the wireless engineers don’t have much insight into how it’s deployed.

Troubleshooting is critical for wireless professionals. Understanding how the network should be working helps identify root causes faster.

While at Ekahau, Stephen was very remote from the rest of the team. He met with a lot of customers, shifting their minds towards thinking about design first and understanding fundamentals. A vendor default is not a vendor recommendation, and a challenge Stephen noticed at Ekahau is that customers may not know that distinction.

When it comes to design, we often see that device types are forgotten and not considered in the design process. But the wireless community has been very good at bringing device types and their characteristics to light.

Moving to Cisco, Stephen has been able to work with clients on wireless designs, helping with migration strategies between controllers and helping customers understand how to get to a location-services-ready or VoIP-ready network. He’s more focused on wireless and Cisco DNA, the future architecture.

With Cisco’s next-generation wireless architecture and intent-based networking, Stephen thinks you have more flexibility in how you can deploy new controllers, but there’s still life in the AireOS controllers. There’s a large legacy install base, and those controllers can still send telemetry you can use in DNA Assurance, though you may not get the same level of detail as with the C9800s.

Wi-Fi Design Day was born out of Ekahau and started in the UK. It was meant to educate people while being a community-driven event. The first event was a huge success in London, and when it was announced in Australia it was also popular. The event is unique in that it’s vendor neutral, with experts from multiple vendors talking about Wi-Fi as well as end users talking about their use cases. This event is much smaller and more intimate than the larger conferences.

Links & Resources

Twitter: Stephen__Cooper
Blog: wificoops.com

CTS 068: Wi-Fi Network Access Control with Andrew Chappelle

In this episode, we welcome Andrew Chappelle from Calgary, Alberta, Canada.

We talked about network access control, focusing on securing the Wi-Fi network. He shared his experience with complex NAC systems such as Cisco ISE and Aruba ClearPass, and also shared his view of what the future of access control will look like.

Andrew Chappelle (CCIE-W #42377) works as a Systems Engineer for Aruba HPE out of Calgary. In his previous positions he worked a lot on complex network access deployments. He is very knowledgeable about Wi-Fi and will soon be a CWNE! I guess we are going to have to bring him back on the show when he does! You can find him on Twitter at @AngryWrelessGuy. He blogs at angrywirelessguy.wordpress.com.

Interview with Andrew Chappelle

Wi-Fi Network Access Control

The WHY: Why do we need network access control for the WLAN infrastructure? Let’s talk about customers’ requirements:

  • Offer different access and levels of security for different types of users and devices
  • Enable easy and secure BYOD
  • Segment the Wi-Fi network so guest traffic is isolated
  • Make the user experience easier

The WHAT: What are the solutions to meet these requirements?

  • One SSID for corporate users (handling both BYOD and corporate access), i.e. SSID consolidation
  • SSID for guest
  • Profiling

The HOW: How do we implement it? What do we need to make it happen?

  • NAC server (the RADIUS authentication and authorization point)
  • Certificate PKI (server certificates for the NAC server, plus client certificates if EAP-TLS is used)

We talked about the most common EAP methods used today.
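As an added illustration of the WHY, WHAT and HOW above (example code written for these notes, not Cisco ISE or Aruba ClearPass configuration and not from the episode): a toy authorization policy that the NAC server would apply to each session on a consolidated corporate SSID and a separate guest SSID. It returns the standard RADIUS attributes used for dynamic VLAN assignment (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) plus a Filter-Id ACL name. The SSID names, VLAN numbers, ACL names, directory group, CA name and profiled device types are hypothetical assumptions; the point is the shape of the decision: certificate-based EAP-TLS from the corporate PKI gets full access, username/password PEAP proves the user but not the device and gets a restricted BYOD role, MAC authentication bypass is allowed only for profiled device types because MAC addresses are trivially spoofed, and anything unmatched is rejected.

```python
"""Toy NAC authorization policy for a consolidated corporate SSID plus a
guest SSID. Added example, not Cisco ISE or Aruba ClearPass configuration;
SSID names, VLANs, ACL names, group name, CA name and profiles are
hypothetical assumptions."""
from dataclasses import dataclass
from typing import Optional, Tuple

# RADIUS attribute values for dynamic VLAN assignment (RFC 2868 / RFC 3580)
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

CORP_SSID = "corp"                                # assumption
GUEST_SSID = "guest"                              # assumption
CORP_CA = "Example Corp Issuing CA"               # assumption: internal PKI issuer
ALLOWED_IOT_PROFILES = {"Printer", "IP-Phone"}    # assumption: NAC profiler output


@dataclass(frozen=True)
class Session:
    ssid: str
    mac: str
    eap_method: Optional[str]       # "EAP-TLS", "PEAP-MSCHAPv2", or None for MAB
    identity: str = ""
    cert_issuer: Optional[str] = None   # issuer of the client certificate (EAP-TLS)
    groups: Tuple[str, ...] = ()        # directory groups of the authenticated user
    profile: Optional[str] = None       # device type from profiling (DHCP/HTTP/OUI)


@dataclass(frozen=True)
class Decision:
    accept: bool
    vlan: Optional[int] = None
    acl: Optional[str] = None
    reason: str = ""

    def radius_attributes(self) -> dict:
        """Attributes the NAC server would return in an Access-Accept."""
        if not self.accept:
            return {}
        attrs = {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
            "Tunnel-Private-Group-Id": str(self.vlan),
        }
        if self.acl:
            attrs["Filter-Id"] = self.acl
        return attrs


def authorize(s: Session) -> Decision:
    """Decide VLAN and ACL for one session. Default is deny."""
    if s.ssid == GUEST_SSID:
        # Guest: isolated VLAN, ACL permits Internet only, no EAP involved
        return Decision(True, 900, "guest-internet-only", "guest")
    if s.ssid != CORP_SSID:
        return Decision(False, reason="unknown SSID")

    if s.eap_method == "EAP-TLS":
        # Certificate-based: trust only certificates from the corporate PKI
        if s.cert_issuer != CORP_CA:
            return Decision(False, reason="certificate not from corporate CA")
        return Decision(True, 10, "corp-full", "managed device, EAP-TLS")

    if s.eap_method == "PEAP-MSCHAPv2":
        # Username/password proves the user, not that the device is managed
        if "Employees" in s.groups:
            return Decision(True, 20, "byod-restricted", "BYOD, user credentials")
        return Decision(False, reason="user not in an allowed group")

    if s.eap_method is None:
        # MAC Authentication Bypass: MACs are spoofable, so allow only profiled
        # device types, and only onto a restricted IoT VLAN
        if s.profile in ALLOWED_IOT_PROFILES:
            return Decision(True, 30, "iot-only", f"MAB, profiled as {s.profile}")
        return Decision(False, reason="MAB device not profiled as an allowed type")

    return Decision(False, reason=f"unsupported EAP method {s.eap_method}")


if __name__ == "__main__":
    for sess in (
        Session("corp", "aa:bb:cc:00:00:01", "EAP-TLS", "laptop01$", cert_issuer=CORP_CA),
        Session("corp", "aa:bb:cc:00:00:02", "PEAP-MSCHAPv2", "alice", groups=("Employees",)),
        Session("corp", "aa:bb:cc:00:00:03", None, profile="Printer"),
        Session("corp", "aa:bb:cc:00:00:04", None, profile="Unknown"),
    ):
        d = authorize(sess)
        print(sess.mac, d.accept, d.reason, d.radius_attributes())
```

The same single SSID thus serves managed laptops, BYOD phones and IoT devices with different VLANs and ACLs, which is what SSID consolidation buys you; a real ISE or ClearPass deployment expresses the same logic as authorization rules over the authentication method, certificate attributes, directory groups and profiler results.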

What is coming next? What can we expect to see in these NAC solutions in the near future?

Resources

Links to ISE documentation:

Links to ClearPass documentation:

Upcoming Episode on Wi-Fi Issue

Here is the link to the Wi-Fi issues submission form for one of our upcoming episodes.

This Week In Wireless

Cisco has released a new AireOS version, 8.3.111.0

Adaptive 802.11r

802.11r is the IEEE 802.11 amendment for fast roaming, also known as Fast Transition (FT). With FT, the initial handshake with the target AP is done before the client roams to it. Adaptive 802.11r lets you set up a WLAN without enabling Fast Transition (FT) outright: Apple iOS 10 clients signal to the Cisco APs that they support the feature, the Cisco APs signal back that adaptive 802.11r is supported on the network, and the client performs an FT association on the WLAN.

Legacy wireless clients that do not support 802.11r can still join the same network, but they do not benefit from faster FT roaming. Legacy devices that do not recognize the FT AKMs advertised in beacons and probe responses join as 802.11i/WPA2 devices.
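The mechanism behind that last sentence is visible in the RSN information element of the beacon: the AP lists its AKM suites, and a client picks one it understands. Below is an added example (written for these notes, not code from Cisco or from the episode) that decodes an RSN IE and then applies a simplified supplicant choice: an 802.11r-capable client takes an FT AKM if one is offered, a legacy client ignores the FT AKMs and falls back to the plain 802.11i AKM. The two beacon byte strings are constructed by hand (CCMP cipher, AKMs PSK and FT-PSK, and a second one with only FT-PSK); select_akm() is an assumption about supplicant behaviour, not any vendor's implementation.

```python
"""Decode an 802.11 RSN information element and show which AKM an 802.11r
client and a legacy 802.11i-only client each select from the same WLAN.
Added example; the beacon bytes are constructed and select_akm() is a
simplified assumption about supplicant behaviour."""
import struct

RSN_ELEMENT_ID = 48                  # Element ID of the RSN IE
RSN_OUI = bytes.fromhex("000fac")    # IEEE 802.11 suite selector OUI

CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
FT_AKMS = {3, 4, 9}                  # AKMs that use Fast Transition (802.11r)


def _u16(body: bytes, off: int) -> int:
    """Little-endian 16-bit field with a bounds check."""
    if off + 2 > len(body):
        raise ValueError("RSN IE truncated at offset %d" % off)
    return struct.unpack_from("<H", body, off)[0]


def _suite_type(body: bytes, off: int) -> int:
    """Suite type of the 4-byte selector (3-byte OUI + 1-byte type) at off."""
    if off + 4 > len(body):
        raise ValueError("RSN IE truncated in suite list")
    if body[off:off + 3] != RSN_OUI:
        raise ValueError("non-IEEE suite OUI %s" % body[off:off + 3].hex())
    return body[off + 3]


def parse_rsn_ie(ie: bytes) -> dict:
    """Parse element header, version, group/pairwise ciphers, AKMs, capabilities."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("length field exceeds available data")
    if _u16(body, 0) != 1:
        raise ValueError("unsupported RSN version")
    off = 2
    group = _suite_type(body, off)
    off += 4
    count = _u16(body, off)
    off += 2
    pairwise = []
    for _ in range(count):
        pairwise.append(_suite_type(body, off))
        off += 4
    count = _u16(body, off)
    off += 2
    akms = []
    for _ in range(count):
        akms.append(_suite_type(body, off))
        off += 4
    # RSN Capabilities is optional; bit 6 = MFP Required, bit 7 = MFP Capable
    caps = _u16(body, off) if off + 2 <= len(body) else 0
    return {
        "group_cipher": CIPHER_NAMES.get(group, "unknown-%d" % group),
        "pairwise_ciphers": [CIPHER_NAMES.get(c, "unknown-%d" % c) for c in pairwise],
        "akm_types": akms,
        "akms": [AKM_NAMES.get(a, "unknown-%d" % a) for a in akms],
        "ft_offered": any(a in FT_AKMS for a in akms),
        "mfp_required": bool(caps & 0x40),
        "mfp_capable": bool(caps & 0x80),
    }


def select_akm(offered: list, client_supports_ft: bool):
    """Simplified supplicant choice (assumption): prefer an FT AKM when the
    client supports 802.11r, otherwise use a plain 802.11i AKM. Returns None
    when nothing offered is usable, e.g. a legacy client on an FT-only WLAN."""
    ft = [a for a in offered if a in FT_AKMS]
    plain = [a for a in offered if a not in FT_AKMS]
    if client_supports_ft and ft:
        return ft[0]
    return plain[0] if plain else None


# Constructed beacon RSN IE: version 1, group CCMP, pairwise CCMP,
# AKMs = PSK (2) and FT-PSK (4), capabilities 0.
MIXED_MODE_RSN_IE = bytes.fromhex(
    "3018" "0100" "000fac04" "0100" "000fac04"
    "0200" "000fac02" "000fac04" "0000")
# Constructed FT-only variant: only FT-PSK advertised, so legacy clients cannot join.
FT_ONLY_RSN_IE = bytes.fromhex(
    "3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac04" "0000")

if __name__ == "__main__":
    info = parse_rsn_ie(MIXED_MODE_RSN_IE)
    print("offered AKMs:", info["akms"], "FT offered:", info["ft_offered"])
    print("11r client picks:", AKM_NAMES[select_akm(info["akm_types"], True)])
    print("legacy client picks:", AKM_NAMES[select_akm(info["akm_types"], False)])
```

Feeding the RSN IE from a real beacon capture into parse_rsn_ie() is a quick way to check what a WLAN is actually advertising; if only the FT AKMs appear, clients without 802.11r support have nothing to select and will fail to associate, which is the situation mixed-mode and adaptive 802.11r configurations exist to avoid.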

This feature is supported on the following Wave 2 APs:

  • Cisco Aironet 1560 Series APs
  • Cisco Aironet 1800 Series APs
  • Cisco Aironet 2800 Series APs
  • Cisco Aironet 3800 Series APs

QoS Fastlane

QoS Fastlane simplifies application traffic prioritization so that network congestion is minimized and time-sensitive traffic (such as voice or video) is delivered on time.

To choose which iOS apps have their traffic prioritized by QoS Fastlane, configure the network on the device with an Apple configuration profile.

Support for this feature now extends to the following Cisco APs:

  • Cisco Aironet 1560 Series APs
  • Cisco Aironet 1800 Series APs
  • Cisco Aironet 2800 Series APs
  • Cisco Aironet 3800 Series APs

Temporal Key Integrity Protocol (TKIP) Support

The TKIP security protocol option is supported on the following Cisco APs. Note that TKIP is a deprecated legacy cipher and is not permitted with 802.11n/ac data rates, so enable it only where old WPA-only clients still require it:

  • Cisco Aironet 1560 Series APs
  • Cisco Aironet 1810 Series APs
  • Cisco Aironet 1815 Series APs
  • Cisco Aironet 1830 Series APs
  • Cisco Aironet 1850 Series APs
  • Cisco Aironet 2800 Series APs
  • Cisco Aironet 3800 Series APs

Resolved Caveats

CSCus83638 Cisco AP 5-GHz radio is stuck – beaconing continues but does not accept client associations.

CSCva32411 Clients losing connectivity when reauthenticating with 802.1X over Cisco 702w AP

CSCvb72192 Cisco 1850 APs running Click OS: iPhone 6S fails to connect to adaptive 802.11r WLAN

Ask a Question

From Temur:
“Hello, do you have experience using EAP-SIM or Hotspot 2.0 in hotels or public areas to avoid installation of 3G/4G retranslators from GSM providers? The problem is, if there is no 3G coverage on hotel floors, all the providers install those ugly antennas on each floor, near to my APs. We have three providers, so imagine what will happen to the hotel design if all of them try to install antennas. Is it possible to use the existing WiFi infrastructure to avoid such installations?”

Response

If you’re using Cisco APs such as the 3700s, you could use their module slot for cell service.

The best option is to use Wi-Fi calling, but you need to verify that it works with your carrier. Some carriers do not support it, and some devices do not support Wi-Fi calling either.

The other option is to install a DAS (distributed antenna system) and have all providers share it. This should be possible without installing separate antennas for each carrier. Check out CTS 050.

WLANCOMP.com

The WLAN Community Compensation Comparison is a survey conducted by Keith Parsons late last year. You can compare what you might earn if you were to move somewhere else.

On top of this, Keith tweeted a few results from the compensation survey this week.

802.11eh Patches

Brennan Martin has some cool 802.11eh Canadian Wi-Fi patches. The cost per patch is $6 USD, which is just enough to cover his costs.

WLPC Videos

The videos from WLPC Phoenix 2017 have been released. Check them out on Keith’s Vimeo page.

Carrier Wave

Other very good blog articles were shared on the Carrier Wave paper this week.

Following up with WLPC:

  • Install Spectools on the WLPC Odroid
  • Giving back to the community by Rasika