THE BLOG ★ Ramblings on WiFi & stuff.

En Route to the 1st CWNP Conference 2014

Estimated reading time: 1 minute, 21 seconds. Contains 273 words

I’m on my way to the CWNP Conference in Raleigh, North Carolina, and I’m currently stuck in Charlotte for two hours waiting for my connection. :-( But, it gives me a little time to make this blog post, so at least there’s that!   :-)

I’m really looking forward to this first of hopefully many CWNP conferences. The biggest thing I’m looking forward to is catching up with friends from WLPC and making new ones there in Raleigh. Putting faces to Twitter handles is becoming a new hobby!

One thing I’ve found is that the wireless community is very generous with their knowledge (and their opinions) :-). Most of the people I’ve met via Twitter, conferences, and various projects have been very supportive of me and my ignorance as I make my way through the labyrinth of 802.11. It’s been this support that has helped me grow in knowledge and confidence as I voyage through my chosen profession.

Of course I’m also looking forward to the sessions that will be going on - particularly the sessions on stadium design, healthcare, Zaib’s session on cloud Wi-Fi performance testing, and whatever GT Hill will be talking about!

I encourage anyone who’s involved in wireless - be it as a VAR, if you work for a vendor, or it’s part of your job responsibility - to not just look at the CWNP certification path, but also get involved in the community. Questions can be answered, ideas validated, methods questioned, and techniques shared. Whether it’s through social media, or conferences, I can only see it as a plus for anyone looking at a career in wireless.

See you at CWNP 2014!


* Posted on iPhone 6, Silver. ™ 😜

What’s been impossible on iOS, but easy on Android for years, has finally come (back) in iOS 8.

Wi-Fi scanning can now be performed. You can see SSIDs, even hidden ones, and view RSSI. For now, it’s only available via the Apple Airport Utility and it needs to be manually enabled in settings.

Sorry, no API access for 3rd party developers (yet), but at least WLAN aficionados can finally scan wi-fi on iOS devices!

Download Apple Airport Utility:

https://appsto.re/us/YJ7Dz.i

802.11ac Analysis Webinar from CWNP

Presented by Tom Carpenter.

In this webinar, CWNP offers suggestions and information on the hardware and software available in the fall of 2014 to perform analysis of 802.11ac WLANs. Hardware demonstrated includes the Linksys WRT1900ac, the Cisco WAP371, the Edimax EW-7822UAC, the NETGEAR A6200 and the Wi-Spy DBx. Software includes Omnipeek, Commview for WiFi, Airmagnet, and Wireshark.

Leverage DHCP Fingerprinting in ArubaOS


Estimated reading time: 6 minutes, 16 seconds. Contains 1254 words

I was recently at a customer site upgrading an Aruba controller and doing some basic WLAN “best-practices”. During this I was asked by the customer if there was a way to keep mobile devices off the corporate network. Without something like Aruba’s ClearPass it’s not easy to identify and restrict these devices.

My initial thought was with their current solution (Microsoft NPS) they couldn’t easily keep 802.1X capable devices from connecting to the corporate WLAN if they had valid AD credentials. Then as I was working it occurred to me that Aruba mobility controllers use DHCP fingerprinting to profile devices. I could leverage that ability to help keep mobile devices off the corp WLAN. It’s not 100% accurate *(and should not be considered a complete security solution), and I let the customer know this, but it identifies iOS and Android devices pretty well.

Essentially, a DHCP fingerprint is an “almost” unique identifier for OSes, or device types. The DHCP protocol (options defined in RFC 2132) allows for information other than just IP requests and acknowledgments to be sent. These DHCP “options” include vendor specific information which makes it possible to identify devices and even OSes by their unique signature. That being the case we can use the fact that ArubaOS supports this to create roles for these various devices and OSes and thus provide some level of management of these devices.

For example, we can create a rule that says if a device is an iPhone it will be placed in the “Mobile_Device” role. This role can then be restricted to Internet only with no access to internal resources, placed in another VLAN, or just sandboxed altogether. *Not the best overall solution, but it works well enough.

Step one is to identify the DHCP fingerprint for that specific device. There are several ways to do this and a simple Google search will give you plenty of options. You can also search for the specific fingerprint as well and hopefully someone will have posted it. In this post we’ll just focus on using Aruba OS to find the fingerprint. But here is a list I’ve compiled so far from various blog-posts and from the Aruba Airheads community:


  • Android_device - (3C64686370636420342E302E3135)
  • Android 2.X - (3c6468637063642034)
  • Android 2.2 - (3701792103061c333a3b)
  • Android 2.3.X - (0c616E64726F69645F)
  • Android 4.0.X - (37012103060f1c333a3b)
  • Android 4.0.X(2) - (37012103061c333a3b)
  • Blackberry 2 - (3C426C61636B4265727279)
  • Blackberry(2) - (370103060F775ffc2c2e2f)
  • iOS Device - (370103060F77FC)
  • iPad - (37011c02030f06770c2c2f1a792a)
  • OS X 10.6 - (370103060f775ffc2c2e2f)
  • OS X 10.7 - (370103060f775ffc2c2e)
  • Win Mobile6 - (370103060f2c2e2f)


How To Find A DHCP Fingerprint

Step 1

Log in to the CLI of your Aruba controller and go to enable mode. Once there go to configure mode and enable logging level debug for DHCP by entering:

(config)# logging level debugging network

Step 2

Connect your device to the appropriate WLAN and then use the show command to view all the recent network entries. Search for the MAC address of the device and locate the DHCP option:

(config)#show log network all | include options

You should then see output like this (one log entry per DHCP message; the MAC addresses are masked):

Sep 7 12:54:43 :202536: |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST b8:e8:56:xx:xx:xx Transaction ID:0xb78173e6 reqIP=192.168.15.6 Options 37:0103060f77fc 39:05dc 3d:01b8e856f1e09c 33:0076a700 0c:46697265666c79

Sep 7 12:55:15 :202536: |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:60:2e:xx:xx:xx Transaction ID:0x464bcafb reqIP=192.168.15.248 Options 3d:0100602e024a08 3c:756468637020302e392e392d707265 37:0103060c0f1c

Sep 7 12:57:20 :202536: |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST b8:e8:56:xx:xx:xx Transaction ID:0xb78173ef reqIP=192.168.15.6 Options 37:0103060f77fc 39:05dc 3d:01b8e856f1e09c 33:0076a700 0c:46697265666c79

You’re looking for options that start with 37, 0C, 32, or 33. These are hex for DHCP options 12, 55, 60, and 81. In the above example the fingerprint for my device is 37:0103060f77fc, an iPhone. So, what I would use is that value without the colon (:) - just 370103060f77fc. Now that we have found the DHCP fingerprint we can create our rules and start enforcing policy.
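Pulling the fingerprint out of the controller log by hand is fine for one device; for a site survey you want the extraction scripted. The following Python is an added example (not part of the original post and not Aruba code) that parses log lines in the shape shown above, builds the fingerprint the way the post does (option tag plus value, colon removed), looks it up in the post’s fingerprint list, and expands option 55 into the option names the client asked for. The option tag in the log is the option number as a hex byte: 37 is option 55 (parameter request list), 0c is option 12 (host name) and 3c is option 60 (vendor class). The sample log text, the `OPTION_NAMES` table and the function names are this example’s own; the two fingerprints that share one value in the post’s list are kept as a reminder that the match is only “almost” unique.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the ArubaOS output shown in the post
# (show log network all | include options); MACs are masked as in the post.
SAMPLE_LOG = (
    "Sep 7 12:54:43 :202536: |dhcpdwrap| |dhcp| Datapath vlan10: REQUEST "
    "b8:e8:56:xx:xx:xx Transaction ID:0xb78173e6 reqIP=192.168.15.6 Options "
    "37:0103060f77fc 39:05dc 3d:01b8e856f1e09c 33:0076a700 0c:46697265666c79\n"
    "Sep 7 12:55:15 :202536: |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST "
    "00:60:2e:xx:xx:xx Transaction ID:0x464bcafb reqIP=192.168.15.248 Options "
    "3d:0100602e024a08 3c:756468637020302e392e392d707265 37:0103060c0f1c\n"
)

# Fingerprints compiled in the post (option tag + value, lower-cased, no colon).
# "Blackberry(2)" and "OS X 10.6" share a value in the post's list: the match is
# only "almost" unique, which is why this is a management aid, not a security control.
KNOWN_FINGERPRINTS: Dict[str, str] = {
    "370103060f77fc": "iOS Device",
    "37011c02030f06770c2c2f1a792a": "iPad",
    "370103060f775ffc2c2e2f": "OS X 10.6 / Blackberry(2)",
    "370103060f775ffc2c2e": "OS X 10.7",
    "370103060f2c2e2f": "Win Mobile6",
    "37012103060f1c333a3b": "Android 4.0.X",
    "37012103061c333a3b": "Android 4.0.X(2)",
    "3c64686370636420342e302e3135": "Android_device",
}

# Names for option codes seen in the parameter request lists above
# (RFC 2132 and later IANA assignments); table built for this example.
OPTION_NAMES = {
    1: "Subnet Mask", 2: "Time Offset", 3: "Router", 6: "Domain Name Server",
    12: "Host Name", 15: "Domain Name", 26: "Interface MTU", 28: "Broadcast Address",
    33: "Static Route", 44: "NetBIOS Name Server", 46: "NetBIOS Node Type",
    47: "NetBIOS Scope", 51: "IP Address Lease Time", 58: "Renewal Time",
    59: "Rebinding Time", 95: "LDAP", 119: "Domain Search",
    121: "Classless Static Route", 252: "Proxy Autodiscovery (WPAD)",
}

LINE_RE = re.compile(
    r"Datapath (?P<vlan>vlan\d+): (?P<msg>[A-Z]+) "
    r"(?P<mac>(?:[0-9a-fx]{2}:){5}[0-9a-fx]{2}).*?Options (?P<opts>.*)$"
)
# Each option is "<hex tag>:<hex value>"; the tag is the DHCP option number.
OPT_RE = re.compile(r"\b([0-9a-fA-F]{2}):([0-9a-fA-F]+)")


def parse_log(text: str) -> List[dict]:
    """One record per DHCP message: vlan, message type, client MAC and a
    {option_number: hex_value} map (37 -> 55, 0c -> 12, 3c -> 60, ...)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        opts = {int(tag, 16): val.lower() for tag, val in OPT_RE.findall(m.group("opts"))}
        records.append({"vlan": m.group("vlan"), "type": m.group("msg"),
                        "mac": m.group("mac"), "options": opts})
    return records


def fingerprint(record: dict) -> Optional[str]:
    """Build the fingerprint as the post does: tag followed by value, colon
    removed. Option 55 is preferred; option 60 (vendor class) is the fallback,
    as in the post's 'Android_device' entry."""
    for code in (55, 60):
        if code in record["options"]:
            return f"{code:02x}{record['options'][code]}"
    return None


def classify(record: dict) -> str:
    """Look the fingerprint up in the table; anything unlisted stays 'unknown'."""
    fp = fingerprint(record)
    return KNOWN_FINGERPRINTS.get(fp, "unknown") if fp else "unknown"


def decode_param_request(hex_value: str) -> List[Tuple[int, str]]:
    """Expand an option-55 value into the option numbers the client requested."""
    return [(b, OPTION_NAMES.get(b, "unassigned/other")) for b in bytes.fromhex(hex_value)]


def decode_text_option(record: dict, code: int) -> Optional[str]:
    """Options 12 (host name) and 60 (vendor class) carry plain ASCII text."""
    val = record["options"].get(code)
    return bytes.fromhex(val).decode("ascii", errors="replace") if val else None


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec["mac"], rec["vlan"], rec["type"], "->", fingerprint(rec), classify(rec))
        print("  host name:", decode_text_option(rec, 12),
              "| vendor class:", decode_text_option(rec, 60))
        if 55 in rec["options"]:
            print("  requested options:", decode_param_request(rec["options"][55]))
```

Feed it the raw text of `show log network all | include options` and it prints, per client MAC, the fingerprint string to paste into the User Rule, the matched device type, and the decoded host name and vendor class, which is what you will use to judge whether an unmatched fingerprint deserves a new entry in the table.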

Create a User Role

A user role is just a set of policies for the user/device in that role. This role can simply be an “allow-all” policy that does not restrict access, or it can be very specific like only allowing DHCP, DNS, and http/https to the Internet. Or, as stated previously, placing the device in a different VLAN. It can even just be a role that denies access altogether. Regardless, the role needs to be created first so we can apply it in the User Rules for the devices later on. Since roles are pretty common usage in ArubaOS I’ll just say create the roles you want how you want. You can call it “iPhones”, or “MacBooks”, or “Android”, etc. If you don’t know how to create roles, page 265 in the Aruba OS User Guide walks you through it step-by-step.

Create A User Rule for the DHCP Fingerprints

  1. In the controller UI go to Security > Authentication > User Rules.
  2. Click on “Add” to create a new User Rule. Give it a name like “Mobile_devices.” You will be able to add multiple fingerprints in one rule so you don’t have to create multiples if you don’t need to.
  3. Now click on your newly created rule and then click “Add” to start adding your rules. Here’s an example of adding an iOS signature:
  • In this image the “set-type” is Role since we want a specific role to be assigned this device when it connects.
  • "Rule Type" says we’re looking at the DHCP options.
  • "Condition" is what condition is met to trigger this rule - so "equals" is what we want.
  • "Value" is what the condition of "equals" will match. This will be your DHCP fingerprint.
  • "Role" is the role you created earlier.
  • And lastly the description of this rule. (i.e. iOS Device, Android Phone, AppleTV, etc.)

Finally, click “add” and you’ve created your first rule!

Apply The New User Rule

So, now we have the User Role that will be assigned to devices matching the DHCP fingerprints we have added in the User Rule. So, to make the magic happen we need to apply the User Rule to the AAA profile assigned to the specific VAP (Virtual AP) that you want this rule to function on.

  1. In the controller UI navigate to Configuration > Security > Authentication > AAA Profiles.
  2. Click on the profile for the WLAN/SSID you want to apply the User Rules to.
  3. On the right you should see an option called "User derivation rules". From the drop-down select the User Rule you created. Click "Apply" to save your changes.

Now connect your fingerprinted device to the appropriate SSID. If your device was recently connected it may still have same role it had before. This is because it has not yet aged out of the database. To ensure that the device gets the correct role you should delete it from the database. The best way to do this is from the CLI. SSH into the controller, go to enable mode, and enter the following:

(Master-7010) #aaa user delete mac [device mac address]

Now you should reconnect and see that your device has been given the new mobile device role that you assigned in your User Rule for that specific device’s DHCP fingerprint. The controller matched the DHCP fingerprint of your device with the rule you created and assigned the appropriate User Role.

Now, as I said in the beginning this isn’t 100% fool-proof, but it catches most modern devices. It’s already part of the OS and short of purchasing ClearPass this is a great way to manage devices on your WLAN.

*UPDATE: As one reader has already mentioned this should not be considered as a high-security solution. At best it allows you to maybe keep some devices off, or keep others from using IP DHCP space, etc. For a more comprehensive way to secure and manage BYOD you should look at products such as Aruba’s ClearPass.

In any case, if all you have is an Aruba WLAN this is another useful tool to have in your tool bag.

Concerns on LTE-U and Wi-Fi Co-Existence

Estimated reading time: 4 minutes, 22 seconds. Contains 874 words


A few days ago Andrew Von Nagy tweeted an article by Patrick Moorhead on Forbes.com, "How LTE-U In Unlicensed Spectrum Helps Carriers Make Money". He was not positive on the article:

After I read the article I replied on Twitter about the apparently one-sided nature of the article and went on to make insinuations of being in the industry's pocket and such. Mr. Moorhead was not amused and replied with his assertion that we were just trolls.

Well, such is the life on the Interwebs. I felt bad and replied assuring him the intent wasn't to troll. We were just venting our frustration that there was no real mention of the concerns regarding LAA-LTE co-existing with Wi-Fi. And that it seems that all we see in the media about LAA-LTE is how it's going to solve all the carriers' problems and will even improve everyone's wi-fi. So, after some back and forth - he DM'd me his e-mail and asked me to send him my concerns and I took him up on it. I'm thankful that rather than dismissing me he was genuinely interested in my opinion.

So, here is the gist of what I put together in the e-mail explaining why as a wireless guy I have serious concerns about this:


Wi-Fi/802.11 is a "polite", but inefficient protocol. It's half-duplex, only one client can transmit at a time, has inherent overhead that will only be exacerbated by non-wifi interference, etc. Sometimes I'm amazed it works at all! 

Here are the main concerns I have with the introduction of LAA-LTE:

  • Does not play by 802.11 rules.
  • LBT (Listen Before Talk/Transmit) is not a given in the US.
  • Wi-Fi clients deal with interframe spaces, physical carrier sense (sensing for energy on the medium), Virtual Carrier Sense (NAV timer, based on the duration field in MAC header), and finally let's add a random back off timer too. Unlike 802.11 clients LAA-LTE radios don't know about the timers, random, or otherwise. This can lead to LAA causing delay and decrease in throughput. Carrier sense is not enough.
  • In wi-fi, voice and other latency sensitive frames are given weighted opportunity to access the medium. We already have to deal with contention from devices that follow the protocol. Now we add LAA-LTE and we have to deal with devices that don't, and will be deployed on a large scale.
  • LTE duty-cycles are an issue as well. CableLabs has done research showing the delay and reduction of throughput caused by varying duty cycles. When duty cycles are small wi-fi clients don't have enough time to contend for the medium. When the duty-cycle increases latency for wi-fi clients follows.
  • We are already starting to see usage increase in 5GHz and it is difficult enough when 802.11 is contending with itself. Adding another technology that does not follow the rules will only make it more difficult for WLANs to operate effectively.
  • Another issue I wonder about is how will devices choose between LAA-LTE and Wi-Fi? Right now most devices choose wi-fi over cellular for data traffic when available. When LAA and Wi-Fi are co-located how is the decision made?
  • Also, why now? More than half of all mobile data is over wi-fi. This will only increase. Where is the benefit for the carriers/users? Because of the power restrictions in 5GHz LAA-LTE will most likely only be deployed using small cells - just like Wi-Fi. So, the most likely places that LAA will be deployed will be areas already served (and probably over-served) by wi-fi.
  • The control plane for LAA-LTE lies in the carriers' licensed spectrum where they have full control of the medium. They will now have easy access to unlicensed spectrum for free and also their own licensed spectrum to fall back on. Wi-Fi users don't have that advantage and have nowhere to go. So, LAA starts off with an inherent advantage over wi-fi.
  • Healthcare already has a difficult time with wi-fi. Most healthcare WLAN designs do not support DFS channels (UNII-2, UNII-2e) due to the scanning and channel change requirements if radar is detected. Because of this I'm guessing LAA will not be deployed in those channels. LAA could become even more disruptive in those environments due to the limited number of channels. This, and other dense enterprise deployments may be at risk.

The mobile carriers are looking to grab all the spectrum they can possibly use. There is nothing that will keep them from running over any other users. In the end it's all about making money for the carriers. The same ones that spend billions on licensed spectrum that is theirs alone to use as they please. Nothing wrong with making money, but not at the expense of a useful and expanding technology that is now - even in the nascent stages of 802.11ac - growing rapidly.


04-06-2015 UPDATE:

Tell me again how we can trust the carriers to make LAA-LTE work as a "good neighbor" with Wi-Fi?


Wireless Partners, Learn Your Craft! It's on You.

Estimated reading time: 3 minutes, 18 seconds. Contains 662 words

Cisco sucks! Aruba sucks! Ruckus sucks! [Insert vendor name] sucks!

How many times has a good product been pulled because of a bad design? Doesn’t it make sense that bad installs are bad for business?

"Why don’t wireless manufactures require their partners to have a bare minimum of RF knowledge before they are allowed to sell their products?" - Me

It just dawned on me while having a small Twitter conversation with my fellow wireless peeps that the vendors that I’ve partnered with have never even asked about my qualifications to install their stuff. They absolutely insisted that we get “certified” on their particular product to remain in good standing, but I don’t ever remember them asking about what we knew about RF, wireless design, or even switching & routing.

I was installing wireless networks for over a year before I was running into situations where I had no idea what the proper solution, or design was for the customer. By this time I started following various people on Twitter like @KeithRParsons, @DevinAkin, @WiFiKiwi, etc. and started to quickly realize I did not have a clue about what I was doing, or what I was talking about.

Coming from a voice and switching background, and working with large PBXs, Windows Server (Exchange, SharePoint, etc.) I thought I was pretty smart. I mean, just put an AP over there, and over there, and one more over there for good measure! How hard could it be? Yes, I was brilliant.

Thank God for David Westcott (no twitter handle, c’mon, Dave!). I first ran into him when he taught an Aruba training class (I don’t remember which one; I had him in several) and he just stopped the class one day when he realized how clueless we were and started teaching us about antenna patterns and the Rule of 10s & 3s.

It was then and there that I realized I had no business being in the wireless business. I was doing my customers a grave disservice in deploying the “wireless design” I had cobbled together on my laptop. And by design I mean floor plans with round circles denoting where the APs should be placed according to whatever whim hit me.

Thanks to Mr. Westcott my shame turned to curiosity, which then turned into a voracious appetite to learn everything I could about wireless. I started following more and more people on Twitter, reading more blogs, buying more books, eventually landing at the CWNP Web site.

It’s been a long road just to get to the first step of the ladder (CWNA in Dec. 2013) with a goal of CWNE. I know I’m still lightyears away from where I need to be, but at least I KNOW IT and I’m doing everything in my power to get there.

The little knowledge I have gleaned so far from the generous wireless community, self-study, and CWNP training has reaped huge rewards. And not just financially, but more importantly for my customers. Not only are my designs better and much more carefully considered, I have even gone back to existing clients and done free “wifi tuneups” where I tried my best to fix the errors I had committed.

Sadly, the one place I haven’t seen any recognition of the huge change in myself and the company I own is from our wireless vendor. The money and time we’ve put in to get our team trained (all CWNAs now), and set aside time for paid study, and with a real plan for continued education isn’t even a blip on their radar.

So, now I’m back to my initial question: “Why don’t wireless manufactures require their partners to have a bare minimum of RF knowledge before they are allowed to sell their products?”

Hell if I know.

UPDATE: Aruba Networks is now encouraging users to get “Mobility Certified” which includes getting a CWNA - via their Airhead Community blog. While not a requirement for partners it’s refreshing to see a major manufacturer actively encourage end-users and partners to go through the CWNP program. Way to go Aruba!

So, I got my ACCP

Estimated reading time: 4 minutes, 10 seconds. Contains 836 words

Today I passed my ACCP v6.0 Exam (Aruba Certified ClearPass Professional). I’ve been working on ClearPass Policy Manager (CPPM) since early 2013 and I have to say I really enjoy deploying this solution, but I totally forgot about the exam this Monday. I was a little nervous on Friday after I got back from the Wireless LAN Professionals Conference. I never test well, so even though I have several deployments under my belt I was still wondering how many questions I’d miss just from not reading them correctly, or pure nerves. Well, fortunately I passed with a pretty decent grade and can add another bunch of letters to my name!

I have to say CPPM is quite a large beast to tangle with and the first training class I took did not instill confidence. I remember taking this class in late 2012 and thinking after we were done that I spent a week on a product and I still don’t know anything about it. I mean I had an idea of what it did, but it felt more like a week-long sales training class than a technical deep dive.

So, along comes my first deployment and it’s for a large non-profit with a pretty complex network. Also, very smart people so it’s not like I could pull the wool over their eyes! :-) I honestly had no idea how to move ahead with this project. But, sometimes those are the projects that force you to focus and get the job done. And I did. I dug through some really limited not-so-great documentation (at the time), and even had support from the great Matt Sidhu, and Kaveh Mehrjoo at Aruba (Matt’s no longer there).

Fortunately, Aruba had figured out that their existing training was wholly inadequate for getting qualified implementers out on the streets. They started an advanced CPPM Workshop that was invite only (I think - could be wrong) to get partners up to speed. The class was a week long at their Sunnyvale campus. It was in the ClearPass engineering department so we literally had direct access to them. I mean we could call over the cubicles to them if we needed to. And of course they had several on hand just for the training. So, in the midst of the project we postponed for a week so I could go to the workshop.

The workshop consisted of all of us arriving for a briefing on Monday morning. The briefing was a faux school district that was presenting their requirements for the CPPM (802.1x, OnBoarding, Integrating Cisco WLC and IP Phones, Guest Access, OnGuard, AirGroup sharing, etc.). Our job - in groups of two - was to complete a successful working deployment by the end of the week. So, that’s what we did. We would start on each piece, have a break-out session to go over the deliverables and best practices and then, BOOM! You’re off!

It was the hardest training class I think I’ve ever taken. Most of us worked until 8, 9, sometimes 10pm each night (Aruba was kind enough to leave the lights on for us) and we loved it! So, basically without using a customer as our lab (as I had begun to do) each of us was able to go through the pain and glory of a full deployment. Not only did I meet some awesome people there among the trainees and Aruba employees, I got deep into CPPM in a way you normally can’t in a standard training course.

I have to hand it to Aruba. They were in a pickle. They had this fantastic product that was so deep, so powerful, so complex that partners couldn’t do the deployment on their own. Believe me - as a partner - professional services is where it’s at. If you have to bring in the manufacturer to deploy you’ve already lost a big chunk of your income (and stake) in the project. But, Aruba’s Advanced Workshop was exactly what they needed to do. A real “deep-dive” into a product where you not only get hands-on, but you get access to the people who built it, and work on it every day. At the end of the week you really felt like you had a handle on CPPM. Not experts mind you, but at least you knew you were ready to tackle an enterprise project and come out the other end alive.

Coming back to the customer site afterwards was night and day. I had a mental handle on what we were doing. It wasn’t easy as it was still my first deployment, but at least now I had the tools to figure out what and how things needed to be done. Talk about trial by fire!

I would love to see this kind of approach across other products and vendors. Especially with deep, complicated products like ClearPass. I don’t know if this approach works with every product, but I can say I’ve never been to anything like that class and it would be a shame if I never did again.

How to Perform a PCAP with Aruba Instant AP

Estimated reading time: 1 minute, 7 seconds. Contains 224 words

So, this guy at WLAN Pros Conference says, “I wish I could do a packet capture on Aruba Instant”. This other guy says, “I don’t think they can do that”. I say, “Oh, yes, they can.” The other guy says, “Really? Are you sure?” And I say, “Absolutely. I think. Hold on.”

So, I proceed to login to my knowledge base, download, and then e-mail the first guy this PDF that PROVES - beyond a shadow of a doubt - that I am nobody’s fool!

I was wrong.

Wrong, wrong, wrong, wrong, wrong…

Or, so I thought! I sent him the wrong document. Turns out you CAN do pcap on Aruba Instant I just didn’t know that I didn’t know what I was talking about.

Anyways, here’s how it’s done. I stole it from Aruba AirHeads.

- - - - - - - - - - - - - - - - -

Make sure you’ve upgraded to the latest version of Instant OS so you can use the pcap command to do the wireless packet capture on the IAP.

Run the Aruba version of Wireshark on the PC, on the capture interface, select ARUBA udp-port=5555

SSH into IAP

Use “pcap start <base bssid> <ip address of PC with Aruba version of Wireshark installed> <port> 0 1518”

Use “show pcap” to check the active pcap session

Use “pcap stop <base bssid> <pcap-id>” to stop the capture