Matt Starling

WN Blog 027 – Mist Multiple PSK SSID

Hey,

Welcome to our latest WiFi Ninjas blog!

In this post, we will be showing just how quick and easy it is to set up an SSID with Mist and leverage their Multiple PSK feature!

It took me no more than 5 minutes to get everything configured – with 3 x PSKs on the same SSID – and to connect both of my iPhones and my iPad using the 3 PSKs I had configured.

A few points and some info around Multi PSK:

  • Every PSK has a Key Name
  • This name is reported in the Mist management platform
  • Allows user-level accountability with PSK simplicity
  • If a PSK is compromised there is no need to change every client
  • “Multiple users” allows any number of clients to use the key
  • “Single user” ties the key to a specific MAC address
  • There is a limit of 5,000 PSKs per ORG on the suggested firmware
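
To make the accountability point concrete, here is an added example of mine (an illustrative model, not Mist’s code or API) of how an AP running one SSID with several PSKs can tell which key a client used: it derives the standard WPA2 PMK and KCK for each configured key and checks the MIC on message 2 of the 4-way handshake, honouring a single-user key’s MAC binding. The SSID, MAC addresses, nonces, passphrases and key names are all constructed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

SSID = "MultiplePSK-Demo"  # constructed SSID for this example, not the blog's WLAN


@dataclass
class PskEntry:
    key_name: str                       # the Key Name the dashboard reports against a client
    passphrase: str
    bound_mac: Optional[bytes] = None   # set for a "single user" key; None means "multiple users"


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    # A real AP would compute this once per key when it is configured and cache it.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_sha1(key: bytes, label: bytes, data: bytes, n: int) -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:n]


def kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces));
    # its first 16 bytes are the KCK, the key that authenticates the handshake messages.
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, b"Pairwise key expansion", data, 48)[:16]


NONCE_OFF, MIC_OFF = 17, 81  # byte offsets inside the EAPOL-Key frame built below


def eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    # Minimal EAPOL-Key frame (RSN descriptor) for message 2 of the 4-way handshake, no key data:
    # descriptor type, key info, key length, replay counter, SNonce, IV+RSC+KeyID (zeros), MIC, data length.
    body = struct.pack(">BHHQ", 2, 0x010A, 0, 1) + snonce + b"\x00" * 32 + mic + struct.pack(">H", 0)
    return struct.pack(">BBH", 2, 3, len(body)) + body


def mic_over(key: bytes, frame: bytes) -> bytes:
    # Key descriptor version 2: MIC = HMAC-SHA1-128 over the whole frame with the MIC field zeroed.
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_OFF + 16:]
    return hmac.new(key, zeroed, hashlib.sha1).digest()[:16]


def client_msg2(passphrase: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Station side: it knows exactly one passphrase and signs message 2 with the KCK derived from it."""
    key = kck(pmk_from_passphrase(passphrase, SSID), ap_mac, sta_mac, anonce, snonce)
    return eapol_msg2(snonce, mic_over(key, eapol_msg2(snonce)))


def identify_psk(entries: List[PskEntry], ap_mac: bytes, sta_mac: bytes,
                 anonce: bytes, frame: bytes) -> Optional[str]:
    """AP side: verify message 2 against every eligible key; the one that checks out names the user."""
    snonce = frame[NONCE_OFF:NONCE_OFF + 32]
    received_mic = frame[MIC_OFF:MIC_OFF + 16]
    for entry in entries:
        if entry.bound_mac is not None and entry.bound_mac != sta_mac:
            continue  # single-user key: only the registered MAC may use it
        key = kck(pmk_from_passphrase(entry.passphrase, SSID), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(mic_over(key, frame), received_mic):
            return entry.key_name
    return None  # nothing matched: the handshake fails and the client is not admitted


# Constructed sample data (MACs, nonces, passphrases and key names are all made up for this example).
AP_MAC = bytes.fromhex("02aa00000001")
IPHONE_X = bytes.fromhex("02bb00000010")
IPAD = bytes.fromhex("02bb00000020")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
ENTRIES = [
    PskEntry("MultiplePSK1", "constructed-passphrase-one"),
    PskEntry("MultiplePSK2", "constructed-passphrase-two"),
    PskEntry("ipad-owner@example.com", "constructed-passphrase-ipad", bound_mac=IPAD),
]


def demo() -> Dict[str, Optional[str]]:
    """Which key name the AP would report for a few connection attempts."""
    def attempt(passphrase: str, sta_mac: bytes) -> Optional[str]:
        frame = client_msg2(passphrase, AP_MAC, sta_mac, ANONCE, SNONCE)
        return identify_psk(ENTRIES, AP_MAC, sta_mac, ANONCE, frame)
    return {
        "iPhone X with PSK 1": attempt("constructed-passphrase-one", IPHONE_X),
        "iPad with its own key": attempt("constructed-passphrase-ipad", IPAD),
        "iPhone X with the iPad's key": attempt("constructed-passphrase-ipad", IPHONE_X),
        "iPhone X with a wrong passphrase": attempt("not-a-configured-key", IPHONE_X),
    }


if __name__ == "__main__":
    for scenario, key_name in demo().items():
        print(f"{scenario}: {key_name or 'rejected'}")
```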

Now a step by step guide to how I set up my SSID with multiple PSKs.

First, we head over to “Network” and add a new WLAN by hitting the “add WLAN” button in the top right of the dashboard. Once we have added the multiple PSK SSID it will look like this below:

When creating the SSID, under Security we need to hit the “More Options” button to reveal some additional WLAN security features.

We then select “WPA-2/PSK with multiple passphrases” and then “add key”.

This presents a popup box like the one below, where we can enter our first PSK!

We have the option here to input our own passphrase, or Mist will generate a random secure one for you.

Note: if you put an email address as the key name, that address will receive the PSK by email from the Mist dashboard.

Email from the Mist dashboard:

Once you have created all your PSKs the dashboard will look like this, and you are ready to connect multiple devices to the same SSID, each using a different PSK. I created 3 for the purpose of this blog.

I then connected my iPhone X to the SSID and used one of the MPSKs.

And then connected my iPhone 8 to the same SSID and used the other MPSK.

Also connected my iPad to the MPSK that I set up and sent via email to my [email protected] email address:

Now that all devices are connected to the SSID, I headed over to the WiFi Clients view on the Mist dashboard, where we can see my devices successfully connected. It shows not only which SSID they connected to but also which PSK they used: in this example MultiplePSK1, MultiplePSK2 and [email protected]

We can also go back to the WLAN and we can see how many users are connected to each of the MPSKs here as well:

That’s all it takes to set up a Multiple PSK SSID with Mist & it took me less than 5 minutes to get this set up and working in my environment.

Another amazing feature from Mist: very simple and easy to set up, yet something so powerful and useful for your wireless network. It gives you accountability and improved security on PSK wireless networks, which I personally think is a much better option than captive portals with open authentication or an SSID with a single PSK for all users.

I hope you enjoyed this blog and if you have your own Mist AP at home or you use it currently in your production network – give setting up a Multiple PSK SSID a go and let me know your feedback!

Much love, as always – WiFi Ninjas x

WN Blog 025 – Hidden SSIDs

Hey!

Welcome to our first blog post of 2020! Happy new year to all 🙂

We wanted to kick off this year’s first blog post by covering how secure a hidden SSID really is. We have been in a few customer environments recently where they were hiding some of their SSIDs because they believed this was more secure.

Shout out to Mr. Andrew McHale for his explanation as to why we shouldn’t be hiding SSIDs:

“Some clients don’t probe for SSIDs, they rely on Beacons to decide what is available. If you hide the SSID in the Beacon then some clients won’t see the SSID to connect to.

Others will try listening to beacons first and only probe if they don’t see the SSID they’re looking for. This wastes time.

On DFS channels the client has to listen for a Beacon or Probe Response before it probes itself. Normally Vocera clients always probe for the specific SSID we have programmed it for. But on DFS channels, to save that probing time, if we hear a Beacon supporting our SSID we will forego probing on that channel. If you hide the beacon we have to apply that extra 15ms for probing and dwelling on that DFS channel.”

To summarise what Andrew is saying: we should not be hiding SSIDs, as it can have a negative impact on client roaming and association.

Let’s now do some testing and see how secure hiding an SSID really is, and what steps we have to take to find the hidden SSID name – if that is even possible of course 😉

For our tests today I will be using my Mist AP41 – connected back to my Mist Cloud dashboard. The SSID we will be trying to find is called “Matts_Hidden_SSID”. I will also be using the WLAN-Pi & Wireshark to capture wireless packets.

Here is how my SSID is configured on my Mist dashboard – we can clearly see the SSID name and that I have selected to hide the SSID.

[Screenshot: Mist dashboard, Network > WLANs, “Matts Hidden SSID”: Security WPA-2/PSK with passphrase, WLAN Status Enabled, Hide SSID ticked, Radio Band 2.4G and 5G, Data Rates “No Legacy (2.4G, no 11b)”, WiFi-6 Enabled.]

Next, let’s take a look at what wireless channels my AP is using in the 5GHz band so I can configure my WLAN-Pi to capture on those channels.

[Screenshot: Mist dashboard, Radio Management for site “Matt Starling Home”: the AP’s 5 GHz radio is on channel 108+112 with a 40 MHz channel width at 17 dBm (5 GHz Overridden).]

We can see in the above image that my AP is using a 40MHz wide channel & occupying channels 108 + 112. So we need to configure my WLAN-Pi to use those channels.

[SSH session to the WLAN-Pi (Armbian / Debian Stretch login banner omitted):]

    wlanpi@wlanpi:~$ sudo iw wlan0 set channel 108 40MHz
    Usage:  iw [options] dev <devname> set channel <channel> [NOHT|HT40+|HT40-|5MHz|10MHz|80MHz]
    Options:
            --debug         enable netlink debugging
    wlanpi@wlanpi:~$ sudo iw wlan0 set channel 108 HT40+
    wlanpi@wlanpi:~$

Now that the WLAN-Pi was configured to capture on those channels, I was ready to start capturing some packets.

Let’s take a look at some of the packets that started flooding in. I could see my other SSID “WiFi Ninjas”, which I had not hidden, being broadcast in the beacon frames, and I could see that another SSID was also coming from my Mist AP, but we could not see the hidden SSID name – still pretty secure at this point 😉

[Screenshot: Wireshark SSH remote capture of beacon frames from the Mist AP (source Mist, destination Broadcast, 5540 MHz). The beacons for “WiFi Ninjas” show the SSID, while the hidden WLAN’s beacons carry an SSID parameter set with Tag length 17 whose bytes are all blanked out, followed by the Supported Rates tag 6(B), 9, 12(B), 18, 24(B), 36, 48, 54 [Mbit/sec].]

How about if we filter on probe responses only, using this Wireshark filter: wlan.fc.type_subtype == 0x0005

[Screenshot: the same capture filtered with wlan.fc.type_subtype == 0x0005. Probe Responses from the Mist AP to my Lenovo and iPhone X clients list both “WiFi Ninjas” and “Matts Hidden SSID”; the frame detail shows Tag: SSID parameter set: Matts Hidden SSID, Tag length: 17, followed by Supported Rates, DS Parameter set, Country Information, Power Constraint, TPC Report, RSN Information and QBSS Load.]

Ooooh, not quite so secure anymore, is hiding the SSID? 🙂 We can quite clearly see the SSID name in the SSID parameter set now! This didn’t take too much effort either, did it? There are a few requirements we need to meet, though, to be able to see the probe response.
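
To show in code what the two captures above demonstrate, here is an added example of mine (not the blog’s or Mist’s code) that parses the SSID element out of constructed beacon and probe response frames and computes the same wlan.fc.type_subtype value the Wireshark filter matches on. It handles both ways a WLAN can be “hidden” in a beacon: a zero-length SSID, or (as in the capture above) the real length kept and every byte nulled, which still leaks the SSID’s length. The MAC addresses and frames are constructed.

```python
import struct

# Wireshark's wlan.fc.type_subtype values for the two frame kinds the captures above compare
BEACON = 0x08
PROBE_RESPONSE = 0x05
MGMT_HEADER_LEN = 24   # frame control, duration, addr1, addr2, addr3, sequence control
FIXED_PARAMS_LEN = 12  # timestamp (8) + beacon interval (2) + capability info (2)
TAG_SSID = 0
TAG_SUPPORTED_RATES = 1

# Constructed addresses for the sample capture (not the blog's real AP or client MACs)
AP_MAC = bytes.fromhex("02aa00000001")
STA_MAC = bytes.fromhex("02bb00000010")
BROADCAST = b"\xff" * 6


def build_mgmt_frame(kind: int, dst: bytes, ssid_element: bytes, seq: int) -> bytes:
    """Build a minimal beacon or probe response: 802.11 header, fixed fields, SSID tag, rates tag."""
    frame_control = struct.pack("<H", (kind & 0x0F) << 4)  # type 0 (management), subtype in bits 4-7
    header = frame_control + b"\x00\x00" + dst + AP_MAC + AP_MAC + struct.pack("<H", seq << 4)
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, 100 TU interval, ESS + privacy capability
    tags = bytes([TAG_SSID, len(ssid_element)]) + ssid_element
    tags += bytes([TAG_SUPPORTED_RATES, 8, 0x8C, 0x12, 0x98, 0x24, 0xB0, 0x48, 0x60, 0x6C])  # 6(B)..54
    return header + fixed + tags


def type_subtype(frame: bytes) -> int:
    """The value Wireshark exposes as wlan.fc.type_subtype, taken from the frame control field."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    return (((fc >> 2) & 0x3) << 4) | ((fc >> 4) & 0xF)


def parse_ssid(frame: bytes):
    """Walk the tagged parameters and return (ssid or None if blanked, tag length)."""
    if type_subtype(frame) not in (BEACON, PROBE_RESPONSE):
        raise ValueError("not a beacon or probe response")
    off = MGMT_HEADER_LEN + FIXED_PARAMS_LEN
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        value = frame[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("truncated tag")
        if tag == TAG_SSID:
            # A hidden WLAN blanks this element: zero length, or the length kept and every byte nulled
            if length == 0 or value == b"\x00" * length:
                return None, length
            return value.decode("utf-8", errors="replace"), length
        off += 2 + length
    raise ValueError("no SSID element")


def summarise(frames):
    """One row per frame, roughly the columns the Wireshark screenshots show."""
    rows = []
    for f in frames:
        ssid, length = parse_ssid(f)
        rows.append({"type_subtype": type_subtype(f), "ssid": ssid, "ssid_len": length})
    return rows


def ssids_revealed_by_probe_responses(frames):
    """SSIDs that never appear in a beacon but do appear in a probe response, i.e. the 'hidden' ones."""
    rows = summarise(frames)
    beaconed = {r["ssid"] for r in rows if r["type_subtype"] == BEACON and r["ssid"]}
    probed = {r["ssid"] for r in rows if r["type_subtype"] == PROBE_RESPONSE and r["ssid"]}
    return sorted(probed - beaconed)


# Constructed capture mirroring the two screenshots: a beacon per WLAN, then a probe response
SAMPLE_CAPTURE = [
    build_mgmt_frame(BEACON, BROADCAST, b"WiFi Ninjas", 3011),
    build_mgmt_frame(BEACON, BROADCAST, b"\x00" * 17, 3012),  # hidden: 17 nulls, length kept
    build_mgmt_frame(PROBE_RESPONSE, STA_MAC, b"Matts Hidden SSID", 3051),
]

if __name__ == "__main__":
    for row in summarise(SAMPLE_CAPTURE):
        print(row)
    print("revealed only by probe responses:", ssids_revealed_by_probe_responses(SAMPLE_CAPTURE))
```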

I associated to the SSID whilst capturing the packets but if a client does not associate during your packet capture you won’t see the probe response so you might have to send a de-auth or something like that but that’s for another blog 😉

To summarise then, hiding the SSID is not only not secure, but it can also have a negative impact on roaming – next time I go to a customer site that has the SSID hidden, I will be sending them to this blog 😀

If you are new to Wireshark we did another blog last year on some useful filters which can be found here: https://wifininjas.net/index.php/2019/05/29/wn-blog-002-wireshark-filters/

I have also set up my own custom profiles: a colouring profile, my own custom columns, and a MAC-address-to-name mapping for known devices, which is why you see “Matt_iPhoneX” instead of my MAC address. If you want any help setting up your Wireshark like this, feel free to give us a shout and we will help you.

Hope you enjoyed the blog post 🙂

x

WN Blog 024 – RF Math

Hey!

Welcome to our latest blog – this time we are taking it back to some RF fundamentals, and more specifically, RF Math!

Since we started our Podcast & Blog, we have had requests from people to cover beginner level WiFi basics, which we will be doing with a series of blogs & podcasts coming up in the future but today let’s make a start with understanding some RF Maths.

You might be wondering why you need to learn RF maths at all – I had enough of maths at school, I don’t want to do it all again! Well, RF maths is important in WiFi because we typically measure WiFi in dBm, and dBm means decibels relative to 1 mW. For example, when looking at your RSSI (Received Signal Strength Indicator) in dBm it would look something like this: “-50dBm”.

WinFi RSSI

Now I am no maths expert at all, so luckily there is a relatively simple rule we can follow to pretty much work out all RF maths.

This is the rule of “10s & 3s”

Below is a table: on one side we have dBm and on the other we have mW. Whatever we do on one side of the table we must do on the other side. If you + (add) in dB, you x (multiply) in mW. If you – (subtract) in dB, you / (divide) in mW. 10 in dB is 10 in mW, and the only thing that is a little tricky to remember is that 3 in dB is 2 in mW.

dBm    mW
+      x
–      /
10     10
3      2

The table below might help paint a clearer picture: for example, if we increase the signal strength by +3dB we then have 2x the power. If our signal strength decreases by -10dB we then have 1/10th of the power we had.

dBm     Power
+3dB    2x Power
-3dB    ½ Power
-10dB   1/10th Power
+10dB   10x Power

Starting to make a bit of sense? If not, do not worry as we have plenty more examples below that will help you have a better understanding of how this works & we have even thrown in a little quiz for you guys!

When we are doing RF math, we always start with 0dBm & 1mW at our starting point.

In the example below, we are converting dBm to mW & our aim is to work out what 13dBm would be in mW.

Remembering that we always start from 0dBm, we first add +10dB and then another +3dB to get to 13dBm. To convert that to mW, remembering that we always start from 1mW, we first x 10 and then x 2, so our calculation is “1 x 10 x 2”, which equals 20mW.

RF Math Example 1

Let’s move on to another example. This time, how do we convert 36dBm into mW? As the image below shows, in dB we +10 +10 +10 +3 +3 to get to 36, so in mW we x10 x10 x10 x2 x2, which = 4000mW.

RF Math Example 2

A very strong signal in WiFi, and typically the highest you will see, is -30dBm. Let’s work out in mW what is considered a very high RSSI in WiFi. Remember we start from 0dBm, so -10 -10 -10 gets us to -30dBm. That means in mW we / 10 / 10 / 10, so our calculation is 1 / 10 / 10 / 10, which equals 0.001mW! Wow, so an extremely strong signal in WiFi has a power level of 0.001mW?! That’s impressive!

RF Math Example 3

Let’s move on to another example, this time -53dBm (still a very good signal strength in WiFi). To get to -53 from 0 we need to -10 -10 -10 -10 -10 -3, which in mW is / 10 / 10 / 10 / 10 / 10 / 2. That means our calculation is 1 / 10 / 10 / 10 / 10 / 10 / 2, which equals 0.000005mW.

RF Math Example 4

Are you starting to see why we do not measure RSSI in mW? Imagine having to go back to the customer and say, “oh yes Mr. Customer, your signal strength here is very good, it’s actually 0.000005mW!” I think being able to say that the RSSI is -53dBm is much easier.

I have put together another table below of some additional dBm conversions to mW and to Watts for your comparison.  

RF Math Examples Table

Hopefully, after those few conversions we have worked out together, you are ready for a little quiz to work out some dBm to mW yourselves! I will put the answers at the bottom of the blog, but do not cheat! Work these out yourself using the 10s & 3s rule and the examples above, and see what answers you come up with!

Quiz dBm to mW:

RF Math Quiz

Now that we are all RF Math WiFi Ninjas, let’s take this another step and consider what happens when WiFi passes through walls: some typical wall materials we see in the wild and how much they attenuate the WiFi signal.

If we first look at the wall most commonly used internally in buildings, which is “drywall”: on average, drywall has an attenuation of about 3dB. So when WiFi signals pass through drywall we lose 3dB, and losing 3dB means we now have half the power we originally did. Looking at the image below we can see an AP on the left-hand side where client A has an RSSI of -49dBm, but on the other side of the drywall client B has an RSSI of -52dBm.

RF Math Dry Wall Example

Moving on to another type of wall commonly used on the exterior of buildings, “brick wall”. A brick wall typically has an attenuation of 10dB, so when WiFi signals pass through a brick wall they lose 10dB, therefore we now have 1/10th of the power we had before passing through the brick wall. Looking at the image below we can see an AP on the left-hand side where client A has an RSSI of -49dBm, but on the other side of the brick wall client B has an RSSI of -59dBm.

RF Math Brick Wall Example

The final concept we would like to explain is something called “Free Space Path Loss”, aka FSPL. What we need to remember with FSPL is that when you double the distance, you quarter the power. That means at double the distance we need to halve the original power and then halve it again, and to halve the power in WiFi we -3dB.

In the example image below, at 1m distance from the AP we have an RSSI of -30dBm. We then move to 2m, which is double 1m, so we need to quarter the power, which means -3 + -3, so at 2m our RSSI should be -36dBm. You can see / work out for yourself how we got to the RSSI at 4m & 8m.

Free Space Path Loss Example

Here are the calculations and answers to the quiz above:

27dBm = 0 + 10 + 10 + 10 – 3 = 27, so 1 x 10 x 10 x 10 / 2 = 500mW

45dBm = 0 + 10 + 10 + 10 + 3 + 3 + 3 + 3 + 3 = 45, so 1 x 10 x 10 x 10 x 2 x 2 x 2 x 2 x 2 = 32,000mW

-39dBm = 0 – 10 – 10 – 10 – 3 – 3 – 3 = -39, so 1 / 10 / 10 / 10 / 2 / 2 / 2 = 0.000125mW

-57dBm = 0 – 10 – 10 – 10 – 10 – 10 – 10 + 3 = -57, so 1 / 10 / 10 / 10 / 10 / 10 / 10 x 2 = 0.000002mW
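
As an added example of mine (not part of the original blog), here is the 10s & 3s rule as a small program: it finds the fewest +/-10 and +/-3 steps that reach a whole-dB value from 0 dBm, applies the matching x10 / x2 (or /10, /2) steps to 1 mW exactly, and compares the result with the true 10^(dBm/10) so you can see how good the 3 dB = 2x approximation is. It also carries the wall attenuation and FSPL rules from the same post; the quiz values are the ones worked above.

```python
import math
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Conversion:
    dbm: int
    steps: str            # the 10s and 3s applied from 0 dBm, e.g. "+10 +10 +10 -3"
    milliwatts: Fraction  # exact result of applying x10 / x2 (or /10, /2) to 1 mW
    exact_mw: float       # 10 ** (dBm / 10); the rule approximates it because 3 dB is really x1.995


def tens_and_threes(dbm: int) -> Conversion:
    """Express a whole-dB value as the fewest +/-10 and +/-3 steps, then apply them to 1 mW."""
    best = None
    limit = abs(dbm) // 10 + 2
    for tens in range(-limit, limit + 1):
        remainder = dbm - 10 * tens
        if remainder % 3:
            continue
        threes = remainder // 3
        if best is None or abs(tens) + abs(threes) < abs(best[0]) + abs(best[1]):
            best = (tens, threes)
    tens, threes = best
    steps = (["+10"] * max(tens, 0) + ["-10"] * max(-tens, 0)
             + ["+3"] * max(threes, 0) + ["-3"] * max(-threes, 0))
    milliwatts = Fraction(1) * Fraction(10) ** tens * Fraction(2) ** threes
    return Conversion(dbm, " ".join(steps) or "0", milliwatts, 10 ** (dbm / 10))


def through_wall(rssi_dbm: int, wall_loss_db: int) -> int:
    """Drywall is about 3 dB (half the power), brick about 10 dB (a tenth), per the figures above."""
    return rssi_dbm - wall_loss_db


def rssi_at_distance(rssi_at_1m: int, distance_m: int) -> int:
    """FSPL rule of thumb: every doubling of distance quarters the power, i.e. -3 -3 = -6 dB."""
    doublings = int(math.log2(distance_m))
    if 2 ** doublings != distance_m:
        raise ValueError("distance must be 1 m doubled some number of times")
    return rssi_at_1m - 6 * doublings


def quiz_answers():
    """The four quiz values worked with the rule (the last two are negative dBm values)."""
    return {dbm: tens_and_threes(dbm) for dbm in (27, 45, -39, -57)}


if __name__ == "__main__":
    for c in quiz_answers().values():
        print(f"{c.dbm:>4} dBm: {c.steps:<28} -> {float(c.milliwatts):g} mW (exact {c.exact_mw:.6g})")
    print("drywall / brick from -49 dBm:", through_wall(-49, 3), through_wall(-49, 10))
    print("FSPL from -30 dBm at 1 m:", [rssi_at_distance(-30, d) for d in (1, 2, 4, 8)])
```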

How many did you get right? Let us know 😀

That concludes our RF Maths blog; we hope you found it useful if you are a WiFi beginner, or even if you are more experienced and just needed a little refresh.

Tons of Love,

WiFi Ninjas x

WN Blog 021 – Getting Started with Python Coding

Hey!

Welcome to our very first blog on our journey to learn some coding.

I decided it was finally time to stop burying my head in the sand & to make a start with taking a dive into the world of coding.

This is my very first time trying to properly understand what is required to even make a start with learning how to code – so disclaimer, this is going to be a very simple first step into Python coding.

If like me you didn’t even know where to start, what version of Python to go with, what you need to write your first piece of code, any apps required, what training material should I look at first – then this blog is probably for you as I will take you through everything I have done to write my first piece of very simple Python code.

If you already have even an intermediate level of coding or Python knowledge – then this blog probably is not for you but you are welcome to read on anyway and if you have any useful feedback for anyone else about to embark on their first journey into coding, please feel free to leave some comments below.

Let’s start with what training material I decided to go with. I reached out to a few people I knew who were pretty good with coding and asked what they would recommend as a starting point. Here are a few of the recommendations:

  1. Cisco DevNet learning labs: https://developer.cisco.com/learning/tracks/app-dev
  2. Learn Python the hard way: https://learnpythonthehardway.org/python3/?__s=2fqytpgbriphaxjuruo3
  3. Kirk Byers “Learn Python Course” – https://pynet.twb-tech.com/
  4. Udemy Python Videos – https://www.udemy.com/course/python-complete/

I took a look at all these options and they all seemed like a great place to start, but I decided to go with the Kirk Byers “Learn Python Course” – you sign up to the course on his website and then, when the course starts, each week he emails you about an hour’s worth of videos to watch along with some exercises. Kirk comes from a networking background, so even from the very beginning when he is teaching you the Python basics, it is still centred around networking, which I like.

Moving on to which version of Python to start learning – version 2 or version 3? Great question; I didn’t know either, so I reached out to some guys and they all said it depends on your environment, but if you are making a start now it’s probably best just to jump straight in with version 3. The way it was explained to me is that Python v2 is kind of like IPv4 and Python v3 is IPv6 – there will still be support for v2 until the end of 2020, but everything is moving towards v3.

OK, so now that I had decided to go with Python v3, you need to install Python on your device. You can download it here:

Python Download: https://www.python.org/downloads/

If you are downloading Python for the first time, make sure when you are going through the installer you check the box “Add Python to PATH”.

Python Add to PATH

If you already have Python installed here are the steps to add Python to PATH:

Steps:

  1. Right Click on ‘This PC’
  2. Click ‘Advanced system settings’
  3. Go to the ‘Advanced’ tab
  4. Click ‘Environment Variables’
  5. Select ‘Path’
  6. Click ‘Edit’
  7. Click ‘New’
  8. Add paths to Python home (example: C:\Users\macd\AppData\Local\Programs\Python\Python38-32) dir and your .py scripts dir (example: C:\Users\macd\OneDrive\WiFi Ninjas\Mist API)
  9. Click ‘OK’
Python PATH 2
Adding Python to PATH after install

After you have downloaded the version of Python relevant to your operating system, we need to install some sort of tool/application to write our Python code in. There are quite a few out there, but the one I have gone with, which seems to be quite popular, is an application called ATOM. You can download ATOM from here:

ATOM download: https://atom.io/

Once you have installed ATOM on your device, you can install additional packages and themes to make ATOM more relevant to what you are coding. I found some online recommendations for packages to use in ATOM specifically for Python coding, and I will share what I have installed – I will be totally honest, I am not 100% sure what all of them do, but some are pretty self-explanatory.

  1. “Autocomplete-python” – Python completion for packages, variables, methods, functions, with their arguments.
  2. “file-icons” – Assign file extension icons & colors for improved visual grepping.
  3. “kite” – Python coding assistant featuring AI-powered auto-completion, advanced function signatures, and instant documentation.
  4. “python-autopep8” – Formats Python code using autopep8
  5. “script” – Runs code in ATOM.
  6. “linter-flake8” – ATOM linter plugin for Python using flake8.

There was also a recommendation to use the “Predawn” theme which styles the text in ATOM in a certain way that might make it easier for you to understand different aspects of the code.

Now that we have Python v3 installed, and ATOM plus the additional packages as an application to write Python code in, it was time to get started!

In ATOM your first line of code needs to be a “shebang” line (not sure if I have got that correct but it certainly sounded like shebang so I am going with it!). This tells your computer that you want Python to execute this program. The shebang line begins with #! but the rest depends on your operating system. I am using a Windows laptop, so my shebang line is:

Windows shebang line: #!/usr/bin/env python3

My very first piece of code was going to be a super simple one: I wrote some “strings” where a user would input some text, and that text would then be “printed” out.

Staying on the networking theme I went with some basic IP information. Here is the code that I had written in ATOM:

ATOM Code

“ip_addr”, “sub_mask” and “def_gw” are my strings. The “= input(...)” part shows the prompt text and captures what the user types, and that is what the “print” lines then print out. I saved this piece of code as “test1.py” in my OneDrive.

Now I wanted to run this piece of Python code that I had written on my laptop; you can do this directly from your Windows command prompt. When you launch the command prompt you will need to change the directory first, so it knows where to execute the Python code from. As my file was in my OneDrive, this is the command line that I needed to enter.

Change directory: “cd C:\Users\mstarling\OneDrive\Python\Python Files”

Once the directory has been changed you can then execute your Python file by using this command.

Execute Python command: “python ./test1.py”

Which should look something like this:

test1.py in ATOM:

#! python3
ip_addr = input("Enter a IP address: ")
sub_mask = input("Enter a Subnet Mask: ")
def_gw = input("Enter a Default Gateway: ")
print(ip_addr)
print(sub_mask)
print(def_gw)

Windows command prompt:

Microsoft Windows [Version 10.0.17134.1138]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\mstarling>cd C:\Users\mstarling\OneDrive\Python\Python Files

C:\Users\mstarling\OneDrive\Python\Python Files>python ./test1.py
Enter a IP address: 10.10.10.10
Enter a Subnet Mask: 255.255.255.0
Enter a Default Gateway: 10.10.10.1
10.10.10.10
255.255.255.0
10.10.10.1

C:\Users\mstarling\OneDrive\Python\Python Files>_
ATOM Code & CMD

We can see here the code in ATOM, then changing the directory in my windows command prompt, then executing the Python file & I then entered some IP-SM-DG info which then got printed out! I know this is a super simple piece of code but within 1 hour of watching my first Python training videos, I was able to install everything I needed, write my first piece of code & then execute it – which I found very exciting!
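As an added example (this is not code from the original post), here is the same three-prompt script taken one step further: instead of simply echoing the answers back, it checks them with Python’s standard ipaddress module, so a mistyped address, a non-contiguous mask or a gateway that is not in the same subnet gets reported before anyone pastes the values into a config. The function name check_ip_config and the 10.10.10.0/24 sample values in the comments are my own choices, not anything from the post.

```python
#! python3
# Added example: the three prompts from the test1.py script in the post, with
# the answers validated by the standard ipaddress module before being echoed.
# Not code from the original post; check_ip_config and the sample values in
# the comments are constructed for this example.
from typing import List
import ipaddress


def check_ip_config(ip_addr: str, sub_mask: str, def_gw: str) -> List[str]:
    """Return a list of problems with the address/mask/gateway trio.

    An empty list means the three values are consistent with each other,
    e.g. ("10.10.10.10", "255.255.255.0", "10.10.10.1").
    """
    problems: List[str] = []
    ip_addr, sub_mask, def_gw = (s.strip() for s in (ip_addr, sub_mask, def_gw))

    try:
        host = ipaddress.IPv4Address(ip_addr)
    except ValueError:
        return [f"{ip_addr!r} is not a valid IPv4 address"]

    try:
        # IPv4Network accepts a dotted mask; a non-contiguous mask such as
        # 255.255.255.8 raises ValueError. strict=False allows host bits set.
        net = ipaddress.IPv4Network(f"{host}/{sub_mask}", strict=False)
    except ValueError:
        return [f"{sub_mask!r} is not a valid subnet mask"]
    # ipaddress also accepts prefix lengths ("24") and wildcard masks here;
    # insist on the dotted netmask form that the prompt asks for.
    if str(net.netmask) != sub_mask:
        return [f"{sub_mask!r} is not a dotted-decimal subnet mask (parsed as {net.netmask})"]

    try:
        gw = ipaddress.IPv4Address(def_gw)
    except ValueError:
        return [f"{def_gw!r} is not a valid IPv4 address"]

    # On networks larger than /31 the network and broadcast addresses are
    # not usable host addresses.
    reserved = {net.network_address, net.broadcast_address} if net.prefixlen < 31 else set()
    if host in reserved:
        problems.append(f"{host} is the network or broadcast address of {net}")
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    elif gw == host:
        problems.append(f"gateway {gw} is the same as the host address")
    elif gw in reserved:
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    return problems


if __name__ == "__main__":
    # Same prompts as the post's script; only runs when executed directly.
    ip_addr = input("Enter a IP address: ")
    sub_mask = input("Enter a Subnet Mask: ")
    def_gw = input("Enter a Default Gateway: ")
    for line in check_ip_config(ip_addr, sub_mask, def_gw) or ["Looks consistent"]:
        print(line)
```

Run it exactly like test1.py (python ./check_ip.py from the folder it is saved in); the prompts are the same, and the script prints either “Looks consistent” or one line per problem it found.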

I then wrote another piece of simple code which was a little bit more relating to us 😀

test1.py in ATOM:

podcast = input("Enter your favourite wireless networking podcasters: ")
print(podcast)

Windows command prompt:

C:\Users\mstarling>cd C:\Users\mstarling\OneDrive\Python\Python Files

Enter your favourite wireless networking podcasters: WiFi Ninjas
WiFi Ninjas

C:\Users\mstarling\OneDrive\Python\Python Files>_
ATOM Code & CMD WiFi Ninjas

What you can see here is you could get creative with any kind of info you wanted to input here.

There you go guys, all the first steps that it took to get me off the ground and running with Python coding. Our aim is to really push on & learn as much as possible over the next year with coding & automation so we will do our best to keep you updated along our journey with anything we think might be useful to help you guys.

I hope you enjoyed the blog & I would recommend anyone thinking about taking the plunge into making a start with learning to code to do it – as I strongly believe that going forward, as network engineers, we will really be required to have at least some knowledge and coding skills as well.

Thanks!

X

WN Blog 018 – WiFi Design Day 2019 Experience

Hey!

I have just recently attended the Ekahau & Open Reality WiFi Design Day 2019 at the ICC in Birmingham and thought I would do a blog post to summarise my experience and thoughts.

This was my 3rd year in a row attending, from the 1st one back in 2017 at the Churchill War Rooms, to the Barbican Centre and then the ICC in Birmingham – this year I was attending as a speaker for the first time.

I really feel that there is no other event like this in the UK where you get the exposure to such a wealth of fantastic speakers, the opportunity to network with like-minded individuals & they throw in food + beers! For what is very little expense in comparison.

Big thanks to all the people over at Ekahau & Open Reality for the event, but I want to say a huge thanks to Sam Cobley and Matt Cavill in particular, as I know how much personal time & effort they put into this event to make sure it’s always a massive success.

I will cover & highlight some of the presentations from the day below but disclaimer – I have not included every presentation from the day here as I did not attend them all!

When I first arrived at the ICC in Birmingham it wasn’t too difficult to work out where I needed to go from this nice display.

Arrival Display

The line up for the day’s action, we took the liberty of highlighting what the people were saying was the most exciting & anticipated presentation of the day:

Presentation Timetable

My 3rd year attending, first time speaking lanyard – a special day for me personally 🙂

Matt Lanyard

I took this photo at what is arguably the most important part of the day – coffee time! We WiFi pros need that coffee first thing in the morning but it was equally as great to see that so many people were in attendance given the typically bad English weather that had caused extensive flooding & travel nightmares.

Coffee Time

With nearly 300 tickets sold, we can see a packed crowd here and just how popular these WiFi Design days are becoming!

WDD Crowd Shot
Mikko Lauronen

Anssi & Mikko kicked off the day by showing us some extremely cool & exciting new features that will be coming out very soon with Ekahau. You will now be able to moonwalk, drink a beer and survey – all at the same time!

Ekahau never fails to amaze me with the innovations of the products they offer to us as WiFi engineers, and there is absolutely no way I would be able to do my job as effectively without having Ekahau in my tool kit. 

Anssi Presenting
David Corbett

David Corbett gave us an interesting insight into the NHS Free WiFi rollout and how important WiFi is really seen as now, and no longer as a “nice to have”. He showed how much of a benefit & positive experience it brings, not only to patients, who use the WiFi extensively whilst at the hospital to stay in contact with loved ones, but also to staff, who it is helping just as much.

David Corbett Presenting
Keith Parsons

Next up to present was the original WiFi Legend himself, Mr. Keith Parsons! Keith took us through some tips, techniques and tools for troubleshooting WLANs. I have been lucky enough to be on one of Keith’s training courses, as well as seeing him present in person. There are few better in the WiFi industry than Keith and for him to share his knowledge and tips with us is one of the best parts of the day for me.

A couple of tips if you are at one of Keith’s presentations – make sure to put your phone on silent and ask permission if you want to record him, personally I would just suggest you sit back, enjoy and try to take in as much information as possible!

Keith Parsons Presenting

Keith also revealed some new training courses that are going to be available from the ECSE / WLAN Pros next year. ECSE Troubleshooting & ECSE Advanced – as well as offering the original ECSE Design still.

If like me you wanted to know when the next opportunity would be to go on one of these amazing training courses – here are some of the dates for 2020:

ECSE Training Dates
Mark O’Leary

Mark gave us an insight into Eduroaming, from how it is deployed to how many unique devices they are seeing on the Eduroam network – Pretty impressive. This is a great concept and something I personally really want to see more of in the WiFi industry. Cisco is doing something very similar called “Open Roaming” where the handoff from 4/5G to WiFi is completely seamless and requires no interaction from the end-user – just how WiFi should be in my opinion.

Mark O’Leary Presenting

Keeping up with the theme from last year where I featured on the WiFi design day YouTube video for feedback on the day – I was more than happy to get back in front of the camera again to tell everyone what a great day I had and why.

Matt YouTube Video

This was now after the lunch and the two breakout sessions or “tracks” started.

I attended track 2 as this was also where we would be presenting 🙂

First up was Nick Turner / Dick Burner – giving us a live demo of some of the new Ekahau features.

Nick Turner Presenting
Andrew McHale

Next up in track 2 was the voice master, Andrew McHale. It is always a pleasure and insightful to listen to Andrew’s tips on voice for wireless – there is no doubt that he is one of the leading experts in the industry when it comes to the subject – so even though this was the 327273th time we had heard Andrew talk about voice over wireless, it was still amazing & extremely mind-blowing hearing Andrew’s knowledge of this subject.

I have highlighted my favourite tip from Andrew’s slide here 😀

Andrew McHale Presenting
WiFi Ninjas

This was mine & Mac’s first time presenting at the WiFi design day and we decided to talk about what we think is the most exciting thing about WiFi – RTLS! (Real-time location services) We first went through some theory on what is RTLS, different methods & techniques, etc and then had some real-world demos + testing that we had been doing throughout the year.

WiFi Ninjas Presenting
WiFi Ninjas Presenting 2
Jim Vajda

We then headed back into the main hall where Jim took us through an alternative view of what the 7Signal portfolio could bring to us by not using the WiFi monitoring tool for monitoring the WiFi – but using it to help us with designing WiFi. 

Jim Vajda Presenting
Peter MacKenzie

The last presenter of the day was the Magician himself, Mr. Peter MacKenzie. The topic for Peter’s presentation was roaming analysis – where Peter covered the different methods & amendments available to help clients roam, whilst giving us a deep dive view into the packets of how all of this happens.

This would have seemed like quite a dark art to me if I hadn’t had the pleasure of sitting one of Peter’s CWAP courses this year, so thankfully I could understand at least some of what Peter was saying :D.

Anyone thinking about going for their CWAP, or who just wants to get a better understanding of how this fantastic protocol works, I highly recommend you take one of Peter’s courses if you get the chance.

Peter MacKenzie Presenting

Peter finished his presentation off by mentioning the WLA, all the great things they have coming up but also about the UK WiFi Guys Slack Chat.

This is a great form of community and a way of communicating with fellow WiFi pros in the UK – if you are not in the UK WiFi Guys Slack chat and would like to be, you can reach out to @WiFiNigel on Twitter to get added.

This was a fantastic selfie that WiFi Nigel took, really catching his best angle here I think :D.  

WiFi Nigel Selfie

We finished the day off with a round table where some of the presenters were invited back on stage to take questions from the crowd & any questions that came in online. We were extremely honored to be invited back up to be on the round table to sit up there with some true WiFi legends and, Andrew McHale ;).

WiFi Round Table

The only slightly negative feedback / constructive criticism was, and this is my completely unbiased opinion but I think that next year Open Reality / Ekahau should give the WiFi Ninjas a longer time slot and be on the main stage 😉

One final warning/ tip:  if you go out with Alan Blake the night before a conference, you will have one of the best nights out you have ever had, but prepare appropriately for the hangover the next day. I would still highly recommend this experience to anyone as Alan is one of the most fun & nicest people I have met – who I always look forward to seeing at these events.

Alan Blake & Co.

I hope you enjoyed my summary of the 2019 WiFi Design day, if you were there and would like to leave your feedback also – please feel free to post a comment below as I am sure the guys at Open Reality & Ekahau would love to know.

Lots of love,

Matt

x

WN Blog 017 – Cisco Catalyst 9800 – Local Web Auth Configuration Guide

Hey!

Welcome to another one of our Cisco C9800 configuration blogs!

This time we will be covering Local Web Authentication (LWA), where guest sessions are managed by the WLC itself.

We can authenticate against RADIUS, TACACS, LDAP or local WLC Guest Users database. In this guide we will use local WLC Guest Users.

As I was preparing for deployment for a customer that would be using 2 x foreign C9800CLs in HA SSO & 2 x anchor C9800CLs in HA SSO I had my lab set up in this configuration also. In this scenario, the WLAN that I will be using is being guest anchored via a tunnel from the foreign WLC to the Anchor.

This meant that all the configuration you see below had to be replicated across both the foreign and the anchor WLCs.

We will include the steps we used from the official Cisco config guide but will add screenshots from our lab WLCs to hopefully make it a bit easier to follow.

Official Cisco guide:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/wireless-web-authentication.html

Below are the steps to configure LWA.

1. Configuring AAA Authentication (GUI)

Procedure

Step 1 Choose Configuration > Security > AAA.
Step 2 In the Authentication section, click Add.
Step 3 In the Quick Setup: AAA Authentication window that is displayed, enter a name for your method list.
Step 4 Choose the type of authentication you want to perform before allowing access to the network, in the Type drop-down list.
Step 5 Choose if you want to assign a group of servers as your access server, or if you want to use a local server to authenticate access, from the Group Type drop-down list.
Step 6 To configure a local server to act as a fallback method when servers in the group are unavailable, check the Fallback to local checkbox.
Step 7 Choose the server groups you want to use to authenticate access to your network, from the Available Server Groups list and click > icon to move them to the Assigned Server Groups list.
Step 8 Click Save & Apply to Device.

As we are using the local WLC Guest Users database to authenticate against, we will specify the ‘local’ Group Type for ‘login’.

AAA Config

2. Creating Parameter Maps

Procedure

1 Choose Configuration > Security > Web Auth.
2 On the Web Auth page, click Add.
3 In the Create Web Auth Parameter window that is displayed, enter a name for the parameter map.
4 In the Maximum HTTP Connections field, enter the maximum number of HTTP connections that you want to allow.
5 In the Init-State Timeout field, enter the time after which the init state timer should expire due to the user’s failure to enter valid credentials on the login page.
6 Choose the type of Web Auth parameter.
7 Click Apply to Device.
8 On the Web Auth page, click the name of the parameter map.
9 In the Edit WebAuth Parameter window that is displayed, choose the required Banner Type. If you choose Banner Text, enter the required banner text to be displayed. If you choose File Name, specify the path of the file from which the banner text has to be picked up.
10 Enter the virtual IP addresses as required.    
11 Set the appropriate status of WebAuth Intercept HTTPS, Captive Bypass Portal, and Watch List Enable.
12 In the Watch List Expiry Timeout field, enter the time in seconds after which the watch list should time out.
13 Set the appropriate status for Disable Success Window, Disable Logout Window, and Login Auth Bypass for FQDN.
14 Check the Sleeping Client Status checkbox to enable authentication of sleeping clients and then specify the Sleeping Client Timeout in minutes. The valid range is between 10 minutes and 43200 minutes.
15 Click the Advanced tab.
16 In the Redirect for log-in field, enter the name of the external server to send a login request.
17 In the Redirect On-Success field, enter the name of the external server to redirect after a successful login.
18 In the Redirect On-Failure field, enter the name of the external server to redirect after a login failure.
19 To configure external local web authentication, perform these tasks: Under Redirect to External Server in the Redirect Append for AP MAC Address field, enter the AP MAC address. In the Redirect Append for Client MAC Address field, enter the client MAC address. In the Redirect Append for WLAN SSID field, enter the WLAN SSID. In the Portal IPV4 Address field, enter the IPv4 address of the portal to send redirects. In the Portal IPV6 Address field, enter the IPv6 address of the portal to send redirects, if IPv6 address is used.
20 To configure customized local web authentication, perform these tasks: Under Customized Page, specify the following pages: Login Failed Page, Login Page, Logout Page and Login Successful Page.
21 Click Update & Apply.

Here you can choose a certificate that you want to present guests with when they hit the Captive Portal:

Normally, we would want a cert signed by a trusted public CA, so that guests don’t get a certificate warning when the portal is served over HTTPS, but since we don’t have one we won’t select anything in the ‘Trustpoint’ field.

Another thing to point out here is that the Virtual IPv4 Address and Trustpoint certificate must be specified in the global Web Auth Parameter Map; a newly added map won’t even offer those options.

Web Auth Config 2

For simplicity, we have just used the ‘global’ Web Auth Parameter Map.

3. Configuring the Web Authentication WLANs

Follow the procedure given below to configure WLAN using web auth security and map the authentication list and parameter map:

Procedure

Command or Action / Purpose

1 enable
  Example: Device> enable
  Enables privileged EXEC mode. Enter your password if prompted.

2 configure terminal
  Example: Device# configure terminal
  Enters global configuration mode.

3 wlan profile-name wlan-id ssid-name
  Example: Device(config)# wlan mywlan 34 mywlan-ssid
  Specifies the WLAN name and ID. profile-name is the WLAN name, which can contain 32 alphanumeric characters. wlan-id is the wireless LAN identifier; the valid range is from 1 to 512. ssid-name is the SSID, which can contain 32 alphanumeric characters.

4 no security wpa
  Example: Device(config-wlan)# no security wpa
  Disables WPA security.

5 security web-auth {authentication-list authentication-list-name | parameter-map parameter-map-name}
  Example: Device(config-wlan)# security web-auth authentication-list webauthlistlocal
           Device(config-wlan)# security web-auth parameter-map sample
  Enables web authentication for the WLAN. Here, authentication-list authentication-list-name sets the authentication list for IEEE 802.1x, and parameter-map parameter-map-name configures the parameter map. Note: when security web-auth is enabled, the default authentication-list and global parameter-map are mapped for any authentication-list and parameter-map that are not explicitly mentioned.

6 end
  Example: Device(config)# end
  Returns to privileged EXEC mode.
WLAN Config 1

Layer 2 security we will select none here:

WLAN Config 2

Foreign WLC policy to Anchor the SSID:

Foreign WLC SSID Policy

Anchor WLC policy for the SSID:

Anchor WLC SSID Policy

4. Configuring Pre-Auth Web Authentication ACL (GUI)

Before you begin

Ensure that you have configured an access control list (ACL) and a WLAN.

Procedure

Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Click the name of the WLAN.
Step 3 In the Edit WLAN window, click the Security tab and then click the Layer3 tab.
Step 4 Click Show Advanced Settings.
Step 5 In the Preauthentication ACL section, choose the appropriate ACL to be mapped to the WLAN.
Step 6 Click Update & Apply to Device.
L3 WLAN

We use a pre-auth ACL here that only allows guests DHCP and DNS (just enough to get an address and resolve names so the captive portal redirect works), while blocking everything else until they have authenticated.

Pre-Auth ACL

5. Configuring a Local Banner in Web Authentication Page (GUI)

Procedure

1 Choose Configuration > Security > Web Auth.
2 In the Webauth Parameter Map tab, click the parameter map name. The Edit WebAuth Parameter window is displayed.
3 In the General tab, choose the required Banner Type: If you choose Banner Text, enter the required banner text to be displayed. If you choose File Name, specify the path of the file from which the banner text has to be picked up.
4 Click Update & Apply.

6. Create Local WLC Guest Users Credentials

What was not covered in the Cisco guide was how to add a guest user. To create a new guest user:

Navigate to Configuration > Security > Guest User:

Guest User

Now we have everything configured and a guest user account set up we are ready to connect to the guest LWA WLAN – Woohoo!

iPhone Captive portal
iPhone Connected

Successfully connected client via LWA and anchored to the anchor WLC from the foreign WLC:

Foreign WLC Client

Successfully connected client via LWA and anchored on anchor WLC:

Anchor WLC Client

I was just using the default captive portal in my lab – if you or your customer would like to customise the captive portal here is the Cisco guide and a screenshot of where you can download the webauth bundle from Cisco for your C9800! The bundle is very dated and has a proper vintage feel to it but it’s certainly possible to adjust it so it looks OK 🙂

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#anc8
Web Auth Bundle

Hopefully, this post helps and saves you guys a bit of time if you need to configure a Local Web Authentication (LWA) WLAN in the future.

As always any feedback or comments are always welcome.

X

WN Blog 016 – WiFi Tools

Hey!

I am putting this blog together to cover some of the wireless tools that we use or are highly recommended in the wireless community.

Many of you might already be aware of some of the tools in this blog but there might be some in here that you have not come across before that you could find quite useful.

We will kick things off with the WiFi tool we use the most, which is Ekahau.

Ekahau

If you are a wireless engineer then this is a must-have in your tool bag – we use it for everything – from designing wireless networks to troubleshooting them.

Ekahau is certainly rich in products & features so we will just cover them here quickly:

Ekahau Pro™ Site Survey Tool

“The industry standard tool for designing, analyzing, optimizing and troubleshooting Wi-Fi networks. It combines professional grade features with unprecedented ease of use and features a new, ultra-fast user interface which works on macOS and Windows. Ekahau Pro site survey supports all Wi-Fi access points, thousands of antennas and every Wi-Fi standard including 802.11ax (Wi-Fi 6).”

Ekahau Sidekick®

“All-in-one, precise Wi-Fi diagnostic and measurement device that contains two Wi-Fi radios and a spectrum analyzer used for professional Wi-Fi site surveys and troubleshooting. It delivers 2x faster site surveys, 4-10x faster spectrum analysis (compared to other Wi-Fi spectrum analyzers) and uses seven factory tested antennas which are placed in the optimum orientation to deliver precise and consistent measurement accuracy. It’s plug-and-plan, works with iPad, MacOS and Windows and supports all Wi-Fi standards, including the new 802.11ax (Wi-Fi 6).”

Ekahau Survey™ for iPad

“Ekahau Survey is the first professional grade Wi-Fi site survey tool for iPad. This solution is 70% lighter than using a laptop which helps you keep going all day. It’s intuitive and easy to use which means both Wi-Fi experts and IT professionals can now perform site surveys with ease. It automatically locates all nearby access points and places them on a map and delivers instant post-survey analysis with easy-to-read, beautiful crystal-clear heatmaps.”

Ekahau Capture™

“With Ekahau Capture you no longer have to invest into dedicated and expensive equipment or fallback on complex and unreliable methods to perform packet capture. Easily collect the data you need to conduct advanced troubleshooting and in-depth analysis of tough to diagnose Wi-Fi problems without waiting for a Wi-Fi expert. Ekahau Capture makes it possible for anyone to quickly capture Wi-Fi packets using Ekahau Sidekick.”

Ekahau Cloud™

“Choose a collaboration method that works best for you and your customers and easily switch between offline and cloud modes. Enjoy seamless collaboration between central office and field sites and make project sharing with your entire team simple and easy. Multiple people in the field can now work concurrently on the same project while critical data can be quickly shared with Wi-Fi experts anywhere in the world so they can help troubleshoot tough to solve problems without ever leaving the office.”

Ekahau works on both Windows & Mac.

With Ekahau Connect you can survey on iPad – iOS.

Link to Ekahau website – https://www.ekahau.com

Ekahau does cost money – to get a quote from a reseller in the UK contact Open Reality – https://www.openreality.co.uk/

Twitter

  • @Ekahau
  • @OpenRealityUK

Protocol Analysis Tools

Wireshark


“Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the de facto (and often de jure) standard across many commercial and non-profit enterprises, government agencies, and educational institutions. Wireshark development thrives thanks to the volunteer contributions of networking experts around the globe and is the continuation of a project started by Gerald Combs in 1998.”

Wireshark works on both Windows & Mac.

Wireshark is a free tool

Wireshark website – https://www.wireshark.org/

Twitter – @WiresharkNews

OmniPeek


OmniPeek is also a protocol analyser and a very nice wireless tool for protocol analysis – but unlike Wireshark this is not a free tool.

OmniPeek Overview:

Real-Time Network Protocol Analyzer

  • Decoding over 1,000 protocols, Omnipeek provides real-time analysis for every type of network segment – 1/10/40/100 Gigabit, 802.11, and voice and video over IP – and for every level of network traffic.

Intuitive Graphic Displays and Visualization

  • Omnipeek network protocol analyzer delivers intuitive visualization and effective forensics for faster resolution of network and application performance issues and security investigations.

Best-In-Class Network Analysis Workflow

  • Widely recognized as the best network analysis workflow in the industry, Omnipeek makes it easy to drill down, look across, compare, discover, and ultimately reduce mean-time-to-resolution (MTTR).

Monitor Distributed Networks Remotely

  • Using LiveCapture with Omnipeek extends network monitoring and visibility for troubleshooting of application-level issues at remote sites and branches, WAN links, and data centers.

Easy WiFi Troubleshooting

  • The Omnipeek WiFi adaptor is a USB-connected WLAN device designed for wireless packet capture. The 802.11ac adapter supports 802.11ac capture up to 2 transmit/receive streams (866Mbps wireless traffic) and supports 20MHz, 40MHz, and 80MHz channel operation.

Omnipeek only works on Windows.

Omnipeek Website: https://www.liveaction.com/products/omnipeek-network-protocol-analyzer/

Twitter:  @omnipeek

WinFi


WinFi Lite is a new networking program and app for Microsoft Windows devices designed to monitor, analyze, and manage wireless networks. The application is available as a Microsoft Store application and as a classic desktop application.

WinFi Lite Overview:

Perfect for quick Wi-Fi troubleshooting. Your dreams of doing Wi-Fi analysis while mobile have come true. WinFi and a Windows 10 tablet of your choice make for convenient on-the-go analysis.

Familiar element decoding. No steep learning curve. WinFi leverages familiar structure and naming guidelines found in Wireshark.

Networks are analyzed for standards violations and malformed elements. WinFi will let you know if there are inconsistencies. Plus, you can open networks from WinFi directly in Wireshark.

Outstanding grouping, filtering and sorting capabilities. WinFi has powerful and best in class grouping, filtering and sorting capabilities.

Group, filter and sort by any information you want. Set filter and grouping thresholds for signal values, use regular expressions for text searches, and much more.

WinFi Lite works on Windows only.

There are free & paid versions of this tool.

Twitter: @HelgeKeck

Website: http://www.helge-keck.com/

WiFi Explorer


WiFi Explorer gathers configuration and capability information about all the networks it discovers and presents it on an easy-to-use, intuitive user interface. Information includes network name (SSID), BSSID, vendor, country code, channel, band, security configuration, supported data rates, number of streams, and much more.

Additional viewing options in WiFi Explorer Pro let you organize scan results by SSID, access point or access point radio to better visualize multiple networks per access point.

Resolve Wi-Fi issues

  • With WiFi Explorer, you can find the best channel for your network or determine a better placement for your access point. You can also identify channel conflicts, overlapping or configuration issues that may be affecting the connectivity and performance of your wireless network.

  • Expert information, available in WiFi Explorer Pro, such as per-channel beacon overhead, gives you a general overview of the Wi-Fi environment to better plan your network installation or mitigate existing problems.

Get a full insight into Wi-Fi networks

  • WiFi Explorer has been developed with the support and feedback of Wi-Fi experts. Its ease of use and advanced features, such as the ability to decode network information, access point name discovery or enhanced filtering, give you a full insight into the capabilities and configuration details of wireless networks.

  • Other advanced features include the ability to find and display information about hidden networks, support for external Wi-Fi adapters, Zigbee integration, and much more.

Spectrum Analysis Integration

  • WiFi Explorer Pro’s spectrum analysis integration lets you visualize RF information and correlate it with Wi-Fi data to identify non-802.11 energy sources and better understand the effects of interference and channel utilization on your wireless network. Compatible spectrum analyzers:

  • MetaGeek’s Wi-Spy 2.4x (Version 2) & Wi-Spy DBx
  • Ekahau Spectrum Analyzer
  • RF Explorer Wi-Fi Combo
  • Ubertooth One
  • HackRF One (Experimental)

WiFi Explorer works only on Mac.

There are free & paid versions of this tool.

Download link for WiFi Explorer: Here

Twitter:  @adriangranados 

Wireless Sensors / Packet Capture devices

Kubicon


The Kubicon system consists of two components: a cloud-based dashboard and a hardware Wi-Fi sensor which basically mimics end-user Wi-Fi behaviour.

All that needs to be done in order to deploy the solution is to perform the configuration on the cloud console, which is the central point of management and reporting, and to deploy sensors across the desired environment.

The solution monitors a number of important factors such as Wi-Fi signal quality, bandwidth capacity, network services, web applications, etc. from the wireless end-user perspective. Additionally, it calculates an overall Wi-Fi client experience score based on these values. All metrics are available in real time on the cloud dashboard or on demand in the form of reports, which in turn can be exported to multiple easy-to-read/use formats. Based on the mentioned architecture and features, we are able to detect current issues and predict possible problems in the future.

One of the most frequent issues we have experienced in Wi-Fi environments was related to Guest Wi-Fi networks, particularly the lack of (proactive) monitoring and analytics of Captive Portals.

That’s why we are very proud that we managed to develop comprehensive Wi-Fi captive portal testing and monitoring, with features such as:

  1. Landing page responsiveness
  2. Identification of excessive time taken to load the landing page
  3. Real-time authentication – which helps to identify backend issues during constant client authentication checks

Website: https://kubicon.io/

WLAN-Pi

“The WLAN Pi project started in 2016 at WLPC. The goal was to create a portable, ready-to-use device that could function as a network endpoint for measuring network performance and throughput.

Since then, it has been widely embraced in the awesome wireless community and after many contributions, this tiny box has evolved well beyond a network performance testing device.

Today, it can also be used as a remote Wi-Fi scanner, packet capture tool, portable Wi-Fi signal generator and much more! These capabilities assist wireless professionals with designing better wireless networks, troubleshooting issues more quickly, and validating wireless network performance.”

WLAN Pi | Handheld Edition

What’s included:

  • NanoPi Computer
  • Comfast CF-912AC NIC
  • USB Micro to USB-C cable
  • USB-C to USB-A Adapter
  • Handheld – custom 3D Printed Case
  • Preloaded with WLAN pi version 1.8.3
  • Assembled and tested
  • Support for WLAN pi team

Websites:

Twitter:

  • @wlanpi
  • @wifinigel
  • @jolla

Net Ally AirCheck G2

AirCheck G2 offers a one-button AutoTest function that quickly provides a pass/fail indication of Wi-Fi network quality and identifies common problems.

Test the latest Wi-Fi standards (including 802.11ax), with a rugged, handheld, purpose-built wireless tester.

See all networks and devices in your location immediately upon power-up.

View test results, including network availability, connectivity, utilization, throughput, security settings, possible rogues, and interferers.

Automate reporting and enable collaboration with the upload and management of test results via the Link-Live Cloud Service.

Twitter: @NetAlly

Website – https://www.netally.com/products/aircheck/

Metageek – Wi-Spy

Powerful Dual-Band Spectrum Analysis

Chanalyzer Essential includes Wi-Spy DBx, a powerful dual-band spectrum analyzer that measures WiFi and non-WiFi activity in both the 2.4 GHz and 5 GHz bands. Chanalyzer utilizes radio frequency data from Wi-Spy DBx to provide you with a real-time visual overview of your WiFi network environment.

Locate Sources of Interference

Once you’re able to see interference, the next step is to eliminate it. Unlike the omnidirectional WiFi antenna in your laptop or wireless adapter, a directional antenna is highly focused to pinpoint non-WiFi sources of interference. This allows you to actively seek out and remove loud transmitters from your WiFi environment.

Monitor Channel Saturation and Intermittent Interferers

By graphing every access point within reach and pairing it with the raw RF information provided by Wi-Spy, Chanalyzer provides you with all the information you need to monitor and manage saturated channels. The built-in recording feature even allows you to track the most frustrating WiFi problem – intermittent interference – and come up with a plan to eliminate it for good.

Twitter: @metageek

Website: https://www.metageek.com/products/wi-spy/

Mobile devices

iOS


WiFi diagnostics with Apple iOS13:

We found this through Dan Jones so thank you to Dan! His twitter is: @UKDanJones

You need to install the developer profile from here:  https://developer.apple.com/bug-reporting/profiles-and-logs/

  • Scroll to bottom
  • Find Wi-Fi for iOS
  • log in “as a developer” but you can use your usual Apple account
  • Once you’ve loaded the profile you connect to an SSID, click the ‘i’ icon next to it & choose Diagnostics.

This profile gives you access to previously hidden/inaccessible menus & functions in your iOS.

  • BSSID
    • Identifies the Access Point the iPhone is currently connected to
  • Channel
    • Tells you on which channel the Access Point operates and with which channel width (e.g. 80 MHz)
  • Signal Strength
    • Signal Strength (RSSI in dBm) with color indication and written indicator (e.g. Strong, Moderate, Weak)
    • Below you’ll see an indication of how the channel utilization is being rated/seen
  • Security
    • Information on how the wireless network is secured e.g. “WPA3 Personal”
  • Captive
    • Information if you go through a Captive Portal to connect to the network
  • Deployment
    • Information if the Wireless LAN operates with multiple Access Points (Multi AP) or a single AP (Single AP)
  • Motion
    • Stationary (the iPhone doesn’t move e.g. stationary on the desk)
    • Moving (the iPhone is being held in hand)
    • Walking (the iPhone moves with walking speed)
    • Running (the iPhone moves with running speed (also happens if you jump with the device))

Connectivity

  • Gateway
    • Information on how much time it takes to get to your Gateway
  • Internet
    • Information on how much time it takes to get to the internet (apple.com)

Coexistence

  • AWDL Mode
    • AWDL stands for “Apple Wireless Direct Link” and is used for AirDrop
    • Active or Inactive
  • Bluetooth
    • Idle
  • Scan
    • Active or Inactive
    • Directly below you’ll find an indication which application triggered the last scan e.g. location and when this happened

Website: https://dokuwiki.alu4u.com/doku.php?id=stellar-wireless-apple-ios-ios13-wireless-diagnostics

Airport Utility

This is a great app on iOS to show you the RSSI from the device perspective but once you have installed the application you need to go into the settings and enable the WiFi scanner:

Airport Utility Settings

Example of the information we can see using Airport Utility: 

Airport Utility

Android

Aruba utilities

Aruba Utilities includes a number of tools useful for characterizing and troubleshooting wireless LANs from Aruba Networks. Some tools work with any WLAN, others are clients for Aruba’s AirWave management system, Analytics & Location Engine (ALE) and Mobility Controllers.

Aruba Utilities includes:

• A Wi-Fi Monitor showing the Wi-Fi environment, including the current access point, dynamic signal strength and RSSI measurements, other access points audible to the device and handover events.

• A Telnet/SSH client that works with Aruba mobility controllers, allowing network configuration and monitoring from a mobile platform.

• An AirWave client that downloads the floorplan image and AP details from the network’s AirWave WLAN management system. See where APs are located relative to your position, and touch AP icons for details of current loading, channels and power.

• The AirWave client also offers a locally-generated estimated heatmap and a site survey function that links actual coverage measurements to locations on the floorplan.

• Device information (Wi-Fi, IP, DHCP, cellular status) is displayed along with an implementation of the Airwave Management Client (AMC) that reports device information and scanned APs to your AirWave WLAN management system.

• A Bluetooth Low Energy (BLE) scanner reports nearby iBeacons and other BLE devices with UUID, index values and signal strength measurements.

• Android versions of iPerf, Ping, DNS and mDNS offer network test functionality.

• Measurements are written to a plain-text log file and various csv report files that can be emailed for use later.

WiFi Manager

WiFi Manager is ideal for analyzing nearby Wi-Fi networks and Bluetooth LE devices, device discovery, and network speedtests. These features are conveniently accessed through the sleekly designed UI created by Ubiquiti Networks. WiFiman contains no ads and is free of charge.

WiFiman helps you locate a less crowded channel for your Wi-Fi Access Point. It lists nearby Wi-Fi channels and Bluetooth LE devices and shows you the details of those channels.

With the app, you can easily list and analyze devices connected to your current network. WiFiman scans the whole network subnet and shows you all of the available devices with the applicable details, using Bonjour, SNMP, NetBIOS, and UBNT discovery protocols.

Another core feature is the network speed test. You can test the speed of your internet connection and save the results for later comparison – or quickly share the results.

Revolution WiFi

Capacity Planner

‘How Many APs Do I Need?’

No more guessing based on device counts or rule-of-thumb cell sizing.

Quickly Analyze ‘What-If’ Scenarios

Determine the best design for your network by adjusting AP and client device types, channel width, client mix, and applications on the fly.

Capacity Analysis (new in version 2.0!)

Visualize capacity utilization and the impact caused by client devices with varying capabilities. Data is shown by:

  • Protocol version
  • Frequency band
  • Application type (data, voip/real-time)
  • Spatial streams
  • Channel width

Mesh Network Planning

Plan 5 GHz single-channel mesh networks to determine how many root nodes are necessary to meet capacity requirements and the per-hop mesh network performance. Use an existing client capacity plan or manually configure mesh network capacity requirements.

Multiple Uses

Use the Capacity Planner for predictive WLAN design, Wi-Fi training and education, RFP proposals, project scoping, and creating a bill of materials (BOM).

Airtime vs Association

Forecast WLAN capacity based on either client airtime demand or association limits per AP radio.

Iterative Design Approach

Use Capacity Planner in conjunction with RF planning tools in an iterative approach to derive a design that meets both coverage and capacity requirements.

Website: https://www.revolutionwifi.net/capacity-planner 

Twitter: @revolutionwifi

 

#######################################################################################################

That’s all the WiFi Tools for now that we are going to cover – if you use any WiFi Tools that we have not included in this blog post please leave a comment or reach out to us and we will update the post to include!

🙂

WN Blog 011 – Cisco Catalyst 9800-CL – Redundancy HA SSO (GUI and Basics)

Hey!

Welcome to another one of our blogs on configuring the new Cisco Catalyst 9800 WLC.

This time we are going to take you through configuring 2 x C9800-CLs for redundancy HA SSO. 

First here is an overview of my home lab setup:

Matts Lab

I currently have 2 x ESXi servers and a C9800CL on each of them – what is important to point out here is that I have VLAN 12 configured for the L2 redundancy ports between the WLCs.

ESXI Servers vSwitch Config

Interface Gigabit Ethernet 3 will be used for the L2 HA in this setup:

ESXI C9800 Network adapters

Just want to point out here that at this stage we have 3 x interfaces – Gigabit Ethernet 1 – 3:

C9800s Ethernet Interfaces

I then began the redundancy configuration on both of the WLCs.

On the primary WLC I specified the “local IP” as the IP address I had just set up on VLAN 12 and the remote IP address of the secondary WLC that I had just created on VLAN 12.

For the HA interface I have used Gigabit Ethernet 3.

I wanted the WLC on the left to be the primary WLC so I set the active chassis priority to higher than the secondary WLC on the right:

C9800s Redundancy Config
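As an added illustration (this is not the post’s own configuration), here is the CLI equivalent of the redundancy settings shown in the GUI above, entered in exec mode on each WLC. The VLAN 12 addresses and mask are constructed placeholders; the chassis number in the priority command is the controller’s own chassis number as reported by show chassis.

```cisco
! On the WLC that should become active: its own VLAN 12 address is local-ip,
! the peer's VLAN 12 address is remote-ip, and the HA interface is GigabitEthernet 3.
chassis redundancy ha-interface GigabitEthernet 3 local-ip 10.10.12.1 255.255.255.0 remote-ip 10.10.12.2
! Higher priority on this chassis makes it the preferred active unit
chassis 1 priority 2
!
! On the peer WLC the addresses swap and the priority stays at the default (1)
chassis redundancy ha-interface GigabitEthernet 3 local-ip 10.10.12.2 255.255.255.0 remote-ip 10.10.12.1
!
! Save and reload both controllers at the same time, as the post describes
write memory
reload
!
! After both come back, confirm the pair formed and which unit is active/standby
show chassis
show redundancy
```

After the pair forms, the HA interface is consumed by the redundancy port and no longer appears as a regular GigabitEthernet 3 interface, which matches what the screenshots further down show.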

After I applied the configuration I then saved the config and reloaded both of the WLCs at the same time, crossed my fingers and prayed to the wireless networking gods! 😀

C9800s Save & Reload

A few minutes later…

C9800s Successfully in Redundancy HA SSO 1

We can see now that the WLCs have rebooted and successfully formed an HA SSO pair. You can now also see a new dropdown on the dashboard to flip between active and standby stats:

C9800s Successfully in Redundancy HA SSO 2

Standby stats:

C9800s Successfully in Redundancy HA SSO 3

Note the G3 interface is gone after forming an HA pair:

C9800 No Gigabit Ethernet 3
C9800 No Gigabit Ethernet 3 GUI

Also note that HA/SSO is required to take advantage of a very nice new feature of the C9800 series WLCs: the “always on” feature, which provides hitless upgrades.

Here is how it works:

  • The controller automatically selects groups of APs that can be upgraded, while other nearby APs will still provide coverage to the clients
    • RRM is used to determine AP neighbors that can provide redundant client coverage
    • The aggressiveness of these groupings is configurable.
      • You can have many groups (few APs per group) with very minimal coverage impact, but it will take a long time to complete.
      • Or you can have fewer groups (more APs per group) with a greater chance of coverage impact, but it will complete much more quickly.
  • The secondary Controller is upgraded to the new software version and rebooted
  • The controller uses 802.11v to shuffle clients away from the APs in the first group so that they can be rebooted without impacting the clients
    • Clients not supporting 802.11v will be ungracefully kicked off the AP
  • The controller moves those APs to the new controller, thus upgrading the AP code when they join
    • Once upgraded and controller-joined, clients may join these APs
  • The same process is automatically repeated for all successive groups of APs
  • Once all APs are moved to the N+1 controller, the code is upgraded on the primary controller and it is rebooted
  • Once the primary controller is back online, the APs can optionally be moved back to the primary controller

There you go – that is how you set up and configure your virtual C9800CLs for HA/SSO – hopefully this blog saves you a bit of time if you ever need to do something similar!

PS. Shout out to Ashley Georgeson who helped with this 🙂

WN Blog 009 – Cisco Catalyst 9800 – Guest MAB CWA ISE Config

Hey!

Welcome to another one of our blogs on the configuration of the new series of WLC from Cisco the C9800!

In this post, I want to go through with you an issue that I ran into when configuring a Guest SSID which was using MAB with a CWA to redirect to a portal on ISE. 

A high-level overview: a C9800-40 + 3800i APs, Local mode, Central Switching & Authentication. ISE was configured correctly and was working as it should with the AireOS 5508 that I was replacing, which was still working.

I had followed all the steps & configured everything in this Cisco guide apart from the BYOD flow as that was not a requirement for this project.

Cisco guide: https://community.cisco.com/t5/security-documents/ise-and-catalyst-9800-series-integration-guide/ta-p/3753060

But I was hitting two issues: the first was that I was not being redirected to the portal when connecting to the SSID, but I was authenticated on ISE and had internet. The second was that I was being redirected and could authenticate with ISE by inputting the code, but then was not getting any internet after.

The configuration for the first scenario where I was not getting redirected but I was authenticated and had internet was that I had created the “Redirect_Webauth_ACL” and that was applied globally on the WLC – very much the same as you would on AireOS.

The configuration for the second scenario, where I was being redirected but then not getting any internet, was that I had applied the “Redirect_Webauth_ACL” to the “WLAN ACL” in the “Access Policy” of the Guest “Policy Profile”.

So even though I had followed the documentation, neither scenario was working how I would expect it to. I am going to take you through below, in some screenshots, the config I had applied and where, as well as show you how I managed to get it working, even though what I did was not clear from the Cisco guide.

One thing to call out here for when you come to write an ACL on the C9800 is to remember that they use the IOS syntax instead of what you would be used to on the AireOS WLCs.

Cisco 9800 Guide Notes

From the Cisco guide this is an example of how to write the web auth redirect ACL – Cisco ACL example for the C9800:

Cisco Guide ACL Example

This is where you configure the ACLs and can see that the ACL that I had configured for the web auth redirect is called “GUEST_REDIRECT_ACL”

9800 ACL Overview of all ACLs highlighting the Guest Redirect

We can have a look at the redirect ACL rule here and can see that I have specified the two ISE servers and DNS (I had previously made the ACL more specific, but after many hours of troubleshooting I decided to make it a bit more open).

Guest Redirect ACL

Now I want to show the WLAN config where you can see the Authorisation & Authentication lists that have been specified are the two ISE servers:

Guest WLAN Security 1
Guest WLAN Security 2

Now in this scenario where I was being authenticated but not redirected, in the policy profile for the guest I had not specified the redirect ACL here.

Guest Policy Profile without ACL applied

When I did specify the redirect ACL in the access policy above I was now being redirected but then was not getting any internet.

I checked the guide again to make sure everything was correct, which it seemed it was, so I was left scratching my head at this point as to why it was not working as expected.

So I reached out to my security friend Aref, whose skills far surpass mine when it comes to security & ISE, to double-check the ACL config & ISE policies for the Guest Wireless MAB.

Here are a few screenshots of how ISE is configured:

ISE Config 1
ISE Config 2
ISE Config 3
ISE Config 4
ISE Config 5

So Aref confirmed that all looked good from an ISE configuration perspective – so how did we get it working, I hear you ask? Great question! What we had to do was to specify another ACL, which we called “DENY_GUEST_INTERNAL”, in which we basically blocked any access to RFC 1918 addresses but then allowed anything else. We applied this ACL to the Guest “access policy” in the “policy profile”, with the redirect ACL just applied at a global level, and now we finally got redirected as well as internet!

Here are some screenshots of the other ACL, its configuration and where we applied it:

C9800 ACLs overview highlighting Deny Guest Internal
Deny Guest Internal ACL
Policy Profile with ACL applied
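Since the C9800 uses IOS syntax for ACLs, here is what the two ACLs described above look like in IOS-XE configuration. This is an added example, not the post’s own config: the ISE and DNS addresses are constructed placeholders, and the ACL names follow the ones used in the post. On the C9800 a redirect ACL is interpreted the opposite way from a filtering ACL: a deny line means “do not redirect this traffic” and a permit line means “redirect it”. DENY_GUEST_INTERNAL is a normal filtering ACL; if your DNS servers or ISE nodes sit in RFC 1918 space, add permit lines for those hosts ahead of the deny lines so the redirect and authentication flow still has a path.

```cisco
! Redirect ACL, applied at the global level as in the post.
! deny = pass through without redirect, permit = redirect to the ISE portal.
ip access-list extended GUEST_REDIRECT_ACL
 remark --- never redirect DNS ---
 deny   udp any any eq domain
 deny   udp any eq domain any
 remark --- never redirect traffic to/from the two ISE PSNs (placeholder addresses) ---
 deny   ip any host 192.0.2.10
 deny   ip host 192.0.2.10 any
 deny   ip any host 192.0.2.11
 deny   ip host 192.0.2.11 any
 remark --- redirect all other web traffic to the portal ---
 permit tcp any any eq www
 permit tcp any any eq 443
!
! WLAN ACL applied to the guest policy profile: block RFC 1918, allow everything else.
! Add "permit ip any host <address>" lines above the deny lines for any internal
! hosts guests must reach (DNS, ISE PSNs on private addresses, the gateway).
ip access-list extended DENY_GUEST_INTERNAL
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
! Verify the entries and watch the hit counters while a guest client connects
show ip access-lists GUEST_REDIRECT_ACL
show ip access-lists DENY_GUEST_INTERNAL
```

The hit counters from show ip access-lists are the quickest way to confirm which ACL a guest client is actually matching: redirect hits should climb on the permit lines of GUEST_REDIRECT_ACL before authentication, and only the permit ip any any line of DENY_GUEST_INTERNAL should be incrementing afterwards.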

It was quite a long day of troubleshooting and trying different scenarios before we managed to finally get it working as expected. I feel that the way we did finally manage to get it working was not clear from the Cisco documentation, so hopefully this can help save you guys some time if you have to configure a guest network with CWA + MAB and run into the same scenarios as I did.

Hope you enjoyed this blog on another configuration gotcha from the C9800 – as we deploy more of these and find anything else that we think may help others who will be implementing these for the first time we will post more blogs with our findings!

🙂

WN Blog 007 – Cisco Catalyst 9800 – Internal DHCP Server Config

Hey!

A quick short blog on some internal DHCP configuration for the C9800 WLC!

As we are starting to implement the new generation of the wireless controller for customers, we anticipate that we will stumble over a few gotchas with config and plan to share through short blogs with you guys to hopefully save you some time.

One of the requirements for this customer was to use the C9800 as a DHCP server for the guest network. After I had configured the DHCP pool, WLAN, Policy, VLANs, TAGs, etc. and went to test connectivity to the guest WLAN, the 9800 was not giving out DHCP IP addresses.

It took me longer than I would have liked to troubleshoot, but I eventually found out what was causing the C9800 not to hand out DHCP IP addresses – it was one option that was enabled by default when creating the DHCP pool: “Reserved Only – Enabled”. After I disabled “Reserved Only”, my clients were being given DHCP from the C9800.

I re-created the config for you guys in my lab at home as an example and got some screenshots below for you, just in case you have a similar requirement for a customer.

SVI example for guest VLAN

This is an example of how I have set up my SVI for the guest network on the C9800 WLC.

C9800 DHCP pool Reserved only enabled

This is the option on the DHCP pool that caused me hours of troubleshooting as to why guests were not being given DHCP IP addresses 😀

C9800 DHCP pool Reserved only disabled

So I would recommend having this option disabled if you have a requirement to use the internal DHCP server on the C9800.

DHCP Pool Advanced Tab

The DHCP pool advanced tab is where you add the default router and DNS servers.

9800 Policy profile and VLAN

This is where you assign the VLAN to your policy profile.

9800 DHCP Server IP

When using the C9800 WLC as an internal DHCP server, make sure you use the management IP address of the C9800 here.

9800 Policy tag

This is where you tie the WLAN profile and policy profile together with a policy tag.
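For readers who prefer the CLI, here is the same SVI, DHCP pool and policy-profile setup as IOS-XE configuration. This is an added example rather than the post’s own config: VLAN 50, the 192.0.2.x addresses and the profile names are constructed placeholders, and the ipv4 dhcp lines under the policy profile are assumed to correspond to the “DHCP Server IP” field shown in the screenshots. The GUI’s “Reserved Only” checkbox corresponds to the reserved-only pool command, which restricts the pool to manual bindings, which is exactly why clients got no lease while it was ticked.

```cisco
! SVI for the guest VLAN; the controller answers DHCP requests arriving on this interface
interface Vlan50
 description GUEST
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
! Keep the gateway and a few infrastructure addresses out of the dynamic range
ip dhcp excluded-address 192.0.2.1 192.0.2.10
!
! Pool whose network matches the SVI. "no reserved-only" is the CLI form of
! unticking "Reserved Only": with it set, only preconfigured reservations are served.
ip dhcp pool GUEST
 network 192.0.2.0 255.255.255.0
 default-router 192.0.2.1
 dns-server 192.0.2.53
 lease 0 8
 no reserved-only
!
! Policy profile: guest VLAN plus the controller's own management IP as DHCP server
! (placeholder 192.0.2.254 stands in for the WLC management address)
wireless profile policy GUEST-POLICY
 vlan 50
 ipv4 dhcp required
 ipv4 dhcp server 192.0.2.254
 no shutdown
!
! Verification once a client has joined the guest WLAN
show ip dhcp pool GUEST
show ip dhcp binding
```

If the binding table stays empty after a client associates, check show run | section ip dhcp pool for a lingering reserved-only line before looking anywhere else; on the GUI-created pool in the post that single setting was the whole problem.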

9800 DHCP Client

In this screenshot you can see that my client device has been given a DHCP IP address from the DHCP pool successfully.

9800 client

So remember guys, when you are configuring an internal DHCP Server on the C9800 and you are having issues with clients not getting a DHCP IP address, make sure “Reserved Only” is disabled!