CTS 068: Wi-Fi Network Access Control with Andrew Chappelle

In this episode, we welcome Andrew Chappelle from Calgary, Alberta, Canada.

We talked about network access control, focusing on securing the Wi-Fi network. He shared his experience with complex NAC systems such as Cisco ISE or Aruba ClearPass and also shared his view of what the future of access control will look like.

Andrew Chappelle (CCIE-W #42377) works as a System Engineer for Aruba HPE out of Calgary. In his previous positions, he worked a lot on complex network access deployments. He is very knowledgeable about Wi-Fi and will soon be a CWNE! I guess we are going to have to bring him back on the show when he does! You can find him on Twitter at @AngryWrelessGuy. He blogs at

Interview with Andrew Chappelle

Wi-Fi Network Access Control

The WHY: Why do we need network access control for the WLAN infrastructure? Let’s talk about customers’ requirements:

  • Offer different access and levels of security for different types of users & devices
  • Enable easy & secure BYOD
  • Segment the Wi-Fi network so guest traffic is isolated
  • Make the user experience easier

The WHAT: What are the solutions to meet these requirements?

  • SSID for corporate users (would do both BYOD and corporate access) – SSID consolidation
  • SSID for guest
  • Profiling

The HOW: How do we implement it? What do we need to make it happen?

  • NAC server
  • Certificate PKI

We talked about the most common EAP methods used today.

What is coming next? What can we expect to see in these NAC solutions in the near future?


Links to ISE documentation:

Links to ClearPass documentation:

Upcoming Episode on Wi-Fi Issue

Here is the link to the Wi-Fi issues submission form for one of our upcoming episodes.

This Week In Wireless

Cisco – New AireOS version – released the

Adaptive 802.11r

802.11r is the IEEE standard for fast roaming; this style of roaming is also known as Fast Transition (FT). Here the initial handshake with the new AP is done even before the client roams to the target AP. The adaptive feature allows you to set up a network without choosing Enable for Fast Transition (FT). Apple devices (iOS 10 clients) signal the Cisco APs to identify this functionality. Cisco APs mutually signal that adaptive 802.11r is supported on the network and perform an FT association on the WLAN.

Legacy wireless clients that do not support 802.11r can still join the same network; however, they do not benefit from faster FT roaming. Legacy devices that do not recognize the FT AKM in beacons and probe responses join as an 11i/WPA2 device.
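To see what the FT AKM advertisement mentioned above looks like on the wire, here is an added example (mine, not from the episode or Cisco’s documentation): it parses the RSN information element carried in a beacon or probe response, lists the advertised cipher and AKM suites, and flags when an FT AKM sits beside a plain 802.1X/PSK AKM that an 802.11r-unaware client can fall back to. The sample IE bytes are constructed, not captured.

```python
import struct

OUI_IEEE = b"\x00\x0f\xac"  # IEEE 802.11 suite selector OUI
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
              5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}

def suite_name(raw: bytes, table: dict) -> str:
    """Map a 4-byte suite selector (3-byte OUI + 1-byte type) to a name."""
    if len(raw) != 4:
        raise ValueError("truncated suite selector")
    if raw[:3] != OUI_IEEE:
        return f"vendor:{raw.hex()}"
    return table.get(raw[3], f"unknown:{raw[3]}")

def read_suites(ie: bytes, off: int, table: dict):
    """Read a little-endian 16-bit count followed by that many 4-byte suites."""
    count, = struct.unpack_from("<H", ie, off)
    off += 2
    names = [suite_name(ie[off + 4 * i:off + 4 * i + 4], table) for i in range(count)]
    return names, off + 4 * count

def parse_rsn_ie(ie: bytes) -> dict:
    """Parse an RSN IE body (the bytes after the 0x30 element ID and length byte)."""
    version, = struct.unpack_from("<H", ie, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = suite_name(ie[2:6], CIPHER_SUITES)
    pairwise, off = read_suites(ie, 6, CIPHER_SUITES)
    akms, off = read_suites(ie, off, AKM_SUITES)
    # RSN Capabilities field is optional; bit 6 = MFPR, bit 7 = MFPC.
    caps = struct.unpack_from("<H", ie, off)[0] if off + 2 <= len(ie) else 0
    return {
        "group_cipher": group,
        "pairwise_ciphers": pairwise,
        "akms": akms,
        "mfp_capable": bool(caps & 0x0080),
        "mfp_required": bool(caps & 0x0040),
        # An FT AKM next to a plain 802.1X/PSK AKM is the mixed mode in which
        # 802.11r-capable clients use FT while legacy clients join as WPA2.
        "ft_advertised": any(a.startswith("FT-") for a in akms),
        "legacy_fallback": any(a in ("802.1X", "PSK") for a in akms),
    }

# Constructed sample, not a real capture: RSN IE of a WPA2-PSK WLAN that also
# advertises FT-PSK (version 1, group CCMP, pairwise CCMP, AKMs PSK + FT-PSK).
SAMPLE_RSN_IE = bytes.fromhex(
    "0100" "000fac04" "0100" "000fac04" "0200" "000fac02" "000fac04" "0c00")

if __name__ == "__main__":
    print(parse_rsn_ie(SAMPLE_RSN_IE))
```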

This feature is supported on the following Wave2 APs:

  • Cisco Aironet 1560 Series APs
  • Cisco Aironet 1800 Series APs
  • Cisco Aironet 2800 Series APs
  • Cisco Aironet 3800 Series APs

QoS Fastlane

QoS Fastlane simplifies the application traffic prioritization process so that network congestion is minimized and time-sensitive traffic (like voice or video) is delivered on time.

To choose which iOS apps have their traffic prioritized by QoS Fastlane, configure the network with a configuration profile.

This feature support now extends to the following Cisco APs:

  • Cisco Aironet 1560 Series APs
  • Cisco Aironet 1800 Series APs
  • Cisco Aironet 2800 Series APs
  • Cisco Aironet 3800 Series APs

Temporal Key Integrity Protocol (TKIP) Support

TKIP security protocol option is supported on the following Cisco APs:

  • Cisco Aironet 1560 Series APs
  • Cisco Aironet 1810 Series APs
  • Cisco Aironet 1815 Series APs
  • Cisco Aironet 1830 Series APs
  • Cisco Aironet 1850 Series APs
  • Cisco Aironet 2800 Series APs
  • Cisco Aironet 3800 Series APs

Resolved Caveats

CSCus83638 Cisco AP 5-GHz radio is stuck – beaconing continues but it does not accept client associations.

CSCva32411 Clients losing connectivity when reauthenticating with 802.1X over Cisco 702w AP

CSCvb72192 Cisco 1850 APs running Click OS: iPhone 6S fails to connect to adaptive 802.11r WLAN

Ask a Question

From Temur:
“Hello, do you have experience using EAP-SIM or Hotspot 2.0 in hotels or public areas to avoid installation of 3G/4G re-translators from GSM providers? The problem is, if there is no 3G coverage on hotel floors, all the providers are installing those ugly antennas on each floor, near to my APs. We have three providers, so imagine what will happen to the hotel design if all of them try to install antennas. Is it possible to use the existing WiFi infrastructure to avoid such installations?”


If you’re using Cisco APs, such as the 3700s, you could use the module for cell service.

The best option is to use Wi-Fi calling, but you need to verify that it works with your carrier. Some carriers do not support it, and some devices do not support Wi-Fi calling either.

The other option is to install a DAS system and have all providers share the same DAS. This should be possible without having to install separate antennas for each carrier. Check out CTS050.

The WLAN Community Compensation Comparison is a survey conducted by Keith Parsons late last year.
You can compare what your revenue would be if you were to move somewhere else.

On top of this, Keith tweeted a few results from the compensation survey this week:

802.11eh Patches

Brennan Martin has some cool 802.11eh Canadian Wi-Fi patches. Cost per patch is $6 USD, which is just enough to cover his cost.

WLPC Videos

The videos from WLPC Phoenix 2017 have been released. Check them out on Keith’s Vimeo page.

Carrier Wave

Other very good blog articles shared on the Carrier Wave Paper this week.

Following up with WLPC:

  • Install Spectools on the WLPC Odroid
  • Giving back to the community by Rasika

CTS 056: Legacy Wi-Fi Security

Pre-RSNA (Robust Security Network Association) security is the main topic for this episode. Francois and I talk about why you shouldn’t be using these legacy security methods, and in future episodes we will talk about the Wi-Fi security mechanisms you should be using. This is part one of a multi-part series.

In the 802.11 Standard there are two ways to join a BSS:

  • Open System Authentication (WEP can then be used to encrypt the communications) OR
  • Shared Key Authentication (WEP is used for both the authentication and to encrypt the communications)

Legacy Security Methods

WEP

Several weaknesses have been found in WEP, and they make it very easy to crack.

The characteristics of WEP include:

  • Uses static keys
  • Uses RC4 as the cipher for encryption
  • Attacks against WEP:
    • Collision attack against the IV (Initialization Vector) – only 24 bits, so it repeats itself every 16 million frames
    • Attack against the weak encryption keys (40 or 104 bit)
    • Packet injection is a technique used to speed up the attacks against WEP
    • The ICV (Integrity Check Value) mechanism is also considered weak (a bit-flipping attack can be used to alter WEP packets)

IV Seen under WEP parameters
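To put numbers on the IV and ICV weaknesses listed above, here is an added example (mine, not from the episode): it computes the 24-bit IV space and the birthday bound at which randomly chosen IVs start repeating, and checks that CRC-32 (the WEP ICV) satisfies an XOR-linearity identity that a keyed MIC does not. HMAC-SHA256 stands in for the keyed MIC that CCMP uses; the payloads and key are constructed.

```python
import hashlib, hmac, math, zlib

IV_BITS = 24  # WEP IV width
PN_BITS = 48  # CCMP packet number width, for comparison

def iv_space(bits: int) -> int:
    """Distinct IV values: 2**bits. A sequential IV counter wraps after this many frames."""
    return 1 << bits

def frames_until_50pct_collision(bits: int) -> int:
    """Birthday bound: frames after which random IVs have repeated at least once
    with probability about 0.5, n ~ sqrt(2 N ln 2)."""
    return math.ceil(math.sqrt(2 * (1 << bits) * math.log(2)))

def collision_probability(bits: int, frames: int) -> float:
    """Exact probability that at least one IV repeats among `frames` random IVs."""
    n = 1 << bits
    p_distinct = 1.0
    for i in range(frames):
        p_distinct *= (n - i) / n
    return 1.0 - p_distinct

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc32_is_linear(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over XOR: for equal-length inputs
    crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros). A checksum with this property
    cannot detect deliberate modification, which is the ICV weakness above."""
    zeros = bytes(len(a))
    return zlib.crc32(_xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)

def keyed_mic_is_linear(key: bytes, a: bytes, b: bytes) -> bool:
    """The same identity tried on a keyed MIC (HMAC-SHA256 standing in for the
    CCMP MIC): it does not hold, so modifications are detected."""
    mic = lambda m: int.from_bytes(hmac.new(key, m, hashlib.sha256).digest(), "big")
    zeros = bytes(len(a))
    return mic(_xor(a, b)) == mic(a) ^ mic(b) ^ mic(zeros)

if __name__ == "__main__":
    print("WEP IV values:", iv_space(IV_BITS), "CCMP PN values:", iv_space(PN_BITS))
    n = frames_until_50pct_collision(IV_BITS)
    print(f"random IVs: ~50% chance of a repeat after {n} frames "
          f"(p={collision_probability(IV_BITS, n):.3f})")
    a, b = bytes(range(32)), bytes([0x55] * 32)  # constructed payloads, not captured frames
    print("CRC-32 linear:", crc32_is_linear(a, b))
    print("HMAC linear:", keyed_mic_is_linear(b"constructed-key", a, b))
```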

MAC Filtering

This is not really a security method, but it is a common one people use. MAC filtering is a way to create a whitelist of MAC addresses allowed to join the Wi-Fi network. It’s easy to capture packets to find an authorized MAC address and then spoof it, because L2 information is not encrypted in 802.11 frames; only L3 to L7 is encrypted.

Hidden SSID

Another method which is not really security but is commonly used. The SSID is not broadcast in the beacon frames, but it is still visible in management frames when a STA connects to it: you can spot the hidden SSID in a directed Probe Request frame.

TKIP

TKIP has been cracked. Not as easily as WEP, but it has been cracked (it uses the same cipher: RC4). It has been replaced by CCMP/AES. Also, TKIP only allows speeds up to 54 Mbps. Like WEP, TKIP will be going away.

Links and Resources