![Crack Crack](http://1.bp.blogspot.com/-Xu1fgmh6JVA/UEYZ8gIL_UI/AAAAAAAAAGI/GGEGCaSIyhE/s1600/VM+Properties.png)
Let's start 2016 with a blog post that will surely get some of you thinking. As a professional who focuses on Wi-Fi communication, I'm asked from time to time what Wi-Fi means. The conversation usually goes something like this: What does Wi-Fi stand for? Is Wi-Fi an acronym for something? Who came up with the term Wi-Fi?
Who owns the name Wi-Fi? Is it WiFi or Wi-Fi? When I respond that Wi-Fi is a made-up word I get the stare, usually followed by "really?" I think the biggest misunderstanding or assumption is that many folks think Wi-Fi means "Wireless Fidelity". This is almost always the response I get when I ask, "what do you think it means?" Another point of interest is that the proper term is Wi-Fi, with the hyphen. While many of us, myself included, use the term WiFi, that is not the correct registered trademark.
Wi-Fi is a registered trademark of the Wi-Fi Alliance. Here is a link to their brands. Read the entire blog post here.

WLC 5520 KRACK Attack WPA2 Vulnerability (Fast Transition configured). Cisco will be releasing a fix very soon. On the AP/WLC side there is an effective workaround for the AP-side vulnerability; the client-side vulnerabilities will need to be addressed on the client side.

I was helping another engineer troubleshoot a Cisco access point join problem. To my surprise, I discovered the VCI was "Cisco AP c3500-ServiceProvider". I can appreciate when I end a day with a quick reflection. Did I learn anything new today?
Yesterday was one of those days! I was assisting an engineer with an access point join problem. Of course, I took this opportunity to explain the access point join process, what to look for and how to troubleshoot it. We use DHCP option 43 as our means of joining Cisco access points to our network.
After peeking at the DHCP configuration, more specifically the option 43 and VCI string, everything looked good. Other 3500s were joining fine; just this handful of access points were not joining. I did the typical console into the AP and saw nothing of interest.
The access point was not getting the controller IP from DHCP. So we spanned the switch port of the access point to sniff the access point's traffic; I was curious what the access point was sending in the DHCP request packet. To my surprise, the VCI (option 60) was "Cisco AP c3500-ServiceProvider". Oh, there is my problem!
Mistakenly, a number of "ServiceProvider" access points were mixed into our access point shipment. If you have access points not joining, this is something to add to your troubleshooting checklist!

Did you know?
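The option 60 / option 43 exchange at the heart of this join problem, as an added example that is not from the original post: it parses an AP's DHCP vendor class identifier, decodes a Cisco-format option 43 value into WLC addresses, and reports why a mismatched VCI such as the ServiceProvider string gets no controller list. The VCI class table and WLC IPs are constructed for the demo.

```python
"""Added example (not from the original post): decode the DHCP fields a Cisco
AP join depends on, so an AP's DHCP Discover captured off a SPAN port can be
checked against the DHCP server's vendor-class (VCI) definitions. The VCI
strings and WLC IPs below are constructed; only the option 43 layout is Cisco's
documented format: sub-option 0xf1, length = 4 * N, then N IPv4 addresses."""
from ipaddress import IPv4Address
CONFIGURED_VCI_CLASSES = {  # constructed: classes the DHCP server answers (option 43 hex)
    "Cisco AP c3500": "f108c0a80a05c0a80a06",  # two WLC addresses
}

def vci_option(vci: str) -> bytes:
    # Minimal DHCP option area carrying only option 60 (vendor class identifier).
    data = vci.encode("ascii")
    return bytes([60, len(data)]) + data + b"\xff"

def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the TLV option area of a DHCP packet (bytes after the magic cookie)."""
    opts, i = {}, 0
    while i < len(payload):
        code = payload[i]
        if code == 255:            # end of options
            break
        if code == 0:              # pad byte, no length field
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def decode_option43_wlc(raw: bytes) -> list:
    """Return WLC management IPs from a Cisco-format option 43 value."""
    ips, i = [], 0
    while i < len(raw):
        sub, length = raw[i], raw[i + 1]
        data = raw[i + 2:i + 2 + length]
        if sub == 0xF1:
            if length % 4:
                raise ValueError("sub-option 0xf1 length must be a multiple of 4")
            ips += [str(IPv4Address(data[j:j + 4])) for j in range(0, length, 4)]
        i += 2 + length
    return ips

def diagnose_join(discover_options: bytes) -> str:
    # Does the AP's option 60 string match a class that hands out WLC addresses?
    vci = parse_dhcp_options(discover_options).get(60, b"").decode("ascii", "replace")
    if vci not in CONFIGURED_VCI_CLASSES:
        return f"VCI {vci!r} has no option 43 class on the DHCP server; AP learns no WLC"
    ips = decode_option43_wlc(bytes.fromhex(CONFIGURED_VCI_CLASSES[vci]))
    return f"VCI {vci!r} matched; WLC list {ips}"
```

Feed it the option bytes from a real capture and compare the VCI it prints with the classes on your DHCP server; a string that is not in the table is exactly the symptom described above.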
If you purchased a Cisco 5508 WLC with a 12 access point license, you just limited yourself to 487 access points. The Cisco 5508 is license-based, which means you can add access point licenses as your wireless grows. The Cisco 5508 allows a maximum of 500 access points. This is a new model for Cisco Wireless LAN Controllers: the now-legacy 2000, 2100, 4400 and WiSM1 were licensed by the hardware itself. You can purchase a Cisco 5508 WLC with a 12, 25, 50, 100, 250 or 500 access point capacity, or you can purchase what Cisco calls adder licenses in quantities of 25, 50, 100 and 250 access points after the fact.
The license limitation becomes an issue with an initial purchase of a 5508 with a 12 access point license. Since Cisco only sells 25, 50, 100 and 250 access point adder licenses, the maximum you will ever get on that WLC is 487 access points (12 + 475; any further adder would push you past the 500 cap). Note: A 5500 Series WLC with a base license of 12 can only support up to 487 total APs because only 25, 50, 100, and 250 adder licenses are supported. Read: Understanding Cisco 5508 Wireless LAN Controller Licensing. P.S. Thanks Patton for the link!

Did you go "huh?", like I did when I saw the LDPE code revision for the Cisco WLC?
I opened a TAC case to find out what this was, and this is what I was told. Client data encryption is normally not done. LDPE stands for Licensed Data Payload Encryption.
Data Payload Encryption allows the data that travels between the access point and the WLC to be Datagram Transport Layer Security (DTLS) encrypted. Note: Non-Russian customers using the Cisco 5508 Series Controller do not need a data DTLS license. If your controller does not have a data DTLS license and the access point associated with the controller has DTLS enabled, the data path will be unencrypted. The two images are AIR-CT5500-K9-7-0-116-0.aes (regular image) and AIR-CT5500-LDPE-K9-7-0-116-0.aes (LDPE image). It would appear that Russia has some requirements to encrypt AP-to-WLC traffic internally.
NOTE: I came across a post by blogger/friend Sam C. at sc-wifi.com that covers this subject in more detail. I should have called and opened a ticket with you instead!
Cisco has been running a special for a while now which is not well advertised. If you purchase Cisco Access Points model 3500 in ECO packs, you will receive a WCS PLUS+ 100 access point license for FREE!
I understand that when ordering the ECO pack there is a special order number, so you will need to ask your reseller. KEEP IN MIND! The PAK license for your 100 access point PLUS+ is actually in EACH ECO pack. So if you have someone install your access points, make sure you pull the PAK from each box.
If you are like me and did not know the PAK was in each box, talk to your Cisco sales rep. He or she can have all your PAKs converted to a single PAK, if you ask nicely. LOL.
LINKS:
Q. Are 10-packs available?
A. Yes, the Cisco Aironet 3500 is delivered in 10-access point eco-packs that reduce packaging waste by more than 50% and can reduce shipping and installation costs. Additionally, the eco-pack includes a WCS PLUS Upgrade license for 100 access points at no cost.

I sat the 8-hour CCIE Wireless session at Cisco Live on Sunday. Talk about brain swell.
![Cisco wlc 5508 Cisco wlc 5508](/uploads/1/2/4/1/124133090/619293744.jpg)
I was in good company with the likes of Blake Krone, Jason Boyers and others. During the session I used Twitter for my note-taking, so if you're following me you may have noticed an abundance of tweets on Sunday with the #CCIEW and #CL11 hashtags.
The session was very focused on most lab topics and the lab v2 changes expected on Nov 18th of this year.

CCIE WIRELESS BULLET POINTS
What made this event unique is that the presenters had either written or participated in developing the lab content. You weren't getting second-hand information from someone else. There were MANY notable items and I will only share a few here. Again, I would recommend stopping by Blake's and Jason's blogs.

Internal Anchoring - Thinking outside of the box
Cisco's unified guest architecture, also referred to as 'anchoring' or 'auto anchoring', is a common way to provide a secured wireless guest solution in an enterprise environment. What makes this secure and unique is that the native frame generated by the wireless guest never touches the network switch fabric until it egresses the anchor controller's outside port, where the encapsulated frame is unwrapped.
At that point the 802.11 header is stripped, 802.3 headers are installed and the frame is placed on the wire. You can read more about anchoring here: Commonly, when the term 'anchoring' is mentioned, guest access comes to mind. However, I was recently presented with a challenge where I leveraged Cisco's anchoring capability to solve a VRF problem. I coined it "internal anchoring". We have a very large network and deploy VRFs around our campus to segment a certain user group. We were presented with a problem where we could not access the VRF for testing purposes at our IT office, because we did not have the VRF network configured at the IT office location. We could have extended the VRF to our office, which would have involved a good deal of configuration, and since it was only going to be used for testing by a handful of network engineers it would have been a lot of work.
So we did the next best thing. The building where the VRF user group lives also houses a number of Cisco WLCs supporting wireless connectivity for that building. For the sake of this post, the WLCs living in this building will be called the VRF/WLC. An SSID was created on one of the VRF/WLCs as WLAN VRFTEST. This WLAN was then anchored to itself, per the normal anchoring procedure. On the other end, at the IT office, also lives a WLC providing wireless connectivity to the IT office. For the sake of this post, the WLC living in the IT office will be called the IT OFFICE/WLC.
The WLAN VRFTEST was created on the IT OFFICE/WLC and then anchored to the VRF/WLC. This anchoring process allows us to simply connect to VRFTEST at the IT office and have access to the VRF at the VRF building, just as if we were physically there. This configuration effort took less than 5 minutes. Note: Mobility Group configuration was also required.

Our goals were relatively simple.
We wanted it to be cheap enough that we wouldn't go broke building it. Not wanting to scratch-build every component, it needed to use as much off-the-shelf equipment as possible. It needed to fly long enough to be able to do something interesting. One person should be able to load it in and out of a station wagon without any special equipment.
Finally, and most importantly, we wanted anyone to be able to follow in our footsteps without needing to be a PhD, electrical engineer, or aeronautical engineer. The UAV communicates with a ground station for real-time tracking, payload interaction, flight operations, and data download. An ArduStation in the base station receives the telemetry data. The base station runs on a 1 GHz VIA Pico-ITX PC with 1 GB of RAM. It allows us to establish a Secure Shell link via a PPP tunnel. Additionally, it can serve as a network router for connecting additional workstations to the payload system.
The UAV also contains an EDGE/3G connection, giving the aircraft onboard Internet connectivity. This connection allows the operator to control the payload from anywhere in the world, including from mobile devices.
It also allows processor-intensive applications, such as WPA attacks and password cracking, to be offloaded securely in real time to a remote computing powerhouse utilizing CUDA technology, for mind-blowing performance.