#WirelessFriday February 2017 – Questions and Responses

February 24, 2017 was #WirelessFriday and the topic was Wi-Fi Optimization. Clients are using more real-time and higher-bandwidth applications, so your Wi-Fi network needs to adapt to a constantly changing environment. The webinar included mini-demos on health dashboards, flexible radio assignment, and application prioritization.

Today, we heard from Patrick Croak, Wireless CCIE, who walked us through areas where we could achieve Wi-Fi optimization. If you would like to review the event, you can catch the recording.

There were a number of resources mentioned. Here they are:

As a next step I’d like to recommend contacting your partner or Cisco account team to schedule a deep-dive or even a WLAN Tuning session.

I would like to thank the following panelists:

  • Ben Edwards, Enterprise Networking CSE, Cisco
  • Bill Fulton, Enterprise Networking PSS, Cisco
  • Brad Kincaid, Enterprise Networking PSS, Cisco
  • Christopher Medrano, Enterprise Networking CSE, Cisco
  • Derrick Williams, Enterprise Networking CSE, Cisco
  • John DiGiovanni, Enterprise Networking RM, Commercial West and Central, Cisco
  • Ron Amenta, Enterprise Networking PSS, Cisco
  • Sangita Mahishi, Enterprise Networking PSS, Cisco

Questions and Responses:

Q1.  Does the packet capture only work for CAPWAP clients? What about FlexConnect?
A1.  Packet capture should work for FlexConnect clients. In a FlexConnect deployment, the APs still maintain a CAPWAP tunnel to the WLC, just over a WAN link.

Q2.  When you are specifying packet captures, are you referring to the actual wireless frames or Ethernet frames?
A2.  Wireless. The packets are captured and dumped in the order in which they arrive or are transmitted, except for beacons and probe responses. The packet capture contains information such as channel, RSSI, data rate, SNR, and timestamp.

Q3.  Should we broadcast or not broadcast our guest wireless SSID in a multitenant environment? Is there any security gained from not broadcasting, as the clients will still call out for it? Or does hiding it help reduce potential DoS attacks on the server?
A3.  Many would suggest there is essentially no security benefit to not broadcasting. Any sniffer can discover it. Most now understand we need to play nice in the same sandbox.

Q4.  Do you know when the 8.3 code will be a “star” release?
A4.  If you are referring to 8.3 MR1, it was posted February 27, 2017. Check out the release notes here.

Q5.  Can you talk about TPC versions or is the name the whole story?
A5.  You can review the differences in the following white paper. TPCv1 is most commonly used. http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_RRM_White_Paper/b_RRM_White_Paper_chapter_0101.html#id_15224 

Q6.  Is the workstation profiling coming from ISE?
A6.  The workstation profiling is coming directly from the controller.

Q7.  Are the adjustments to the 2800 and 3800 series APs available in Cisco Prime Infrastructure?
A7.  Yes.

Q8.  What version is being demonstrated?
A8.  Any version of code after 8.1 will look like this. The code running here is 8.3.

Q9.  When enabling fast transition, does the FT 802.1X option need to be enabled in authentication key management?
A9.  Either FT 802.1X or FT PSK. http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html#task_2C619E3A576D474F80D6CB4BA8B4DBA6

#WirelessFriday January 2017 – Questions and Responses

We had a great #WirelessFriday on January 20, 2017! The topic was all about GUEST ACCESS. We answered questions such as: Is there a technical reason why guest access should be super easy? What kinds of self-service guest authorization mechanisms are there? What would the guest experience be, and how is that managed on the back end? If you weren’t able to join us live, you can watch the recording. Here are the questions that came up during the call and the responses from our panelists.

We heard from Robert Roulhac, Cisco Virtual Systems Engineer, Security Focus.

I would like to thank the following panelists:

  • Allan Ross, Enterprise Networking CSE, Cisco
  • Ben Edwards, Enterprise Networking CSE, Cisco
  • AJ Shah, Enterprise Networking CSE, Cisco

Q1.  How does SMS integration work?
A1.  ISE uses an SMS gateway to forward SMS messages to the user.

Q2.  Is there any way a guest can select or put in an email address for a sponsor?
A2.  You can utilize a sponsor portal to create guest accounts for users. http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/sponsor_guide/b_spons_SponsorPortalUserGuide_21/Support_Guests.html

Q3.  We have set up guest access in such a way that a sponsor has to create an account for the guest. Is there any way a guest can enter the email address of an employee, and the employee gets an email to approve the guest request?
A3.  Yes, sponsors can also receive email notifications requiring their approval for self-registering guests. http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01110.html#task_1EAD5E171B7849EDA41

Q4.  What if you don’t use ISE but currently have a guest anchor. Does this merge easily?
A4.  The deployment of ISE would be identical on a primary or a guest anchor controller.

Q5.  To clarify which is easier: today I have an anchor; what’s the advantage of ISE?
A5.  ISE provides the same functionality on a guest anchor as it would on an internal controller.

Q6.  Does ISE integrate with Meraki?
A6.  Yes, it does. Please see https://communities.cisco.com/docs/DOC-68192

Q7.  The guest service could then be provided on both the Meraki network and Corp HQ WLC?
A7.  Yes, Meraki is just another Network Access Device (NAD) in ISE.

Q8.  Is it best practice to keep SSIDs down to a minimum, in the 3-4 range?
A8.  Yes, the fewer the better. Each SSID requires management overhead in airtime. Management frames are sent at the lowest set data rate and eat valuable airtime that could carry data to clients. https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Multi-SSID_Deployment_Considerations

Q9.  In a non-anchor deployment, the ACLs would have to allow guest traffic to reach the corporate authentication server (ISE), correct?
A9.  That is correct for the redirect. To clarify, data traffic does not traverse the corporate network, only the webauth redirect for authentication.

Q10.  Does the auto-WLC-configuration script also configure URL redirection for HTTPS?
A10.  The redirect URL is passed from ISE to the WLC via RADIUS when the user associates.

Q11.  Can the guest provisioning be utilized against an existing SSID?
A11.  Yes, once the WLC is integrated with ISE.

Q12.  What impact do the WLC timeout settings have?
A12.  Authorization timeouts should be set in ISE and not in the WLC. If you are using ISE, it is advised to remove the session timeout values from the WLC.

Q13.  Isn’t there a security concern allowing 80 or 443 to ISE from guest endpoints?
A13.  ISE is a hardened appliance. Access is controlled via the pre-auth ACL to only the ports the ACL allows.

Q14.  Does the ISE guest SSID provisioning create the ACL on the WLC also?
A14.  Using the guest wizard in ISE 2.2, it will be provisioned on the WLC via the wizard. Before ISE 2.2 the ACL has to be manually configured.

Cisco WLAN Controller AP Modes – An Incomplete Guide

An access point, as defined by 802.11, takes a frame out of thin air, converts it to Ethernet, and does everything else needed to make that happen on its own. That’s called an “Autonomous” or “Standalone” AP.

The standalone AP is great, but it doesn’t scale very well. Then along came a way to scale better: the controller architecture (split-MAC, they called it) and the “lightweight” AP.

Important: it’s not dumb or thin, it’s lightweight, in the same way other protocols were written to a portion of the spec and called the “lightweight” variant of that protocol.
A lightweight AP only does the real-time stuff an AP is supposed to do; the controller does all the non-real-time stuff.

The glue that holds the AP to the controller is an IETF standard protocol called CAPWAP (Control And Provisioning of Wireless Access Points, RFC 5415).

In this lightweight architecture, the AP grabs a packet out of thin air and only does the real-time work on it. Encryption/decryption of the 802.11 frame is a good example of real-time work the AP does. It then takes that 802.11 packet, puts it into a CAPWAP envelope, and sends it to the controller. Keep in mind what that means on the wire: once the AP has removed the 802.11 encryption, the client’s data is only as protected between the AP and the controller as the CAPWAP data channel is. The CAPWAP control channel (UDP 5246) is always DTLS-encrypted, but DTLS on the data channel (UDP 5247) is optional and has to be enabled explicitly, which matters when the AP-to-controller path crosses a network you don’t trust.

The controller then converts the 802.11 packet to 802.3 (Ethernet), applies the correct policy, and puts it in the right VLAN.

This is the default operational mode of a lightweight AP. It’s called “Local Mode”, and you’ll also see it called “Connected Mode”.
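To make the Local Mode data path concrete, here is an added example in Python (not code from the original article or from Cisco) that does what the controller does with one inbound client frame: it strips the CAPWAP transport header (RFC 5415, section 4.3), checks that the payload is a native 802.11 frame (the T bit, with WBID 1 for 802.11), and converts an unencrypted To-DS data frame into an 802.3 (Ethernet II) frame. The BSSID, client MAC, ARP request and packet bytes are constructed sample data, and only the client-to-AP (To-DS) case is handled.

```python
"""Added example (not from the original article or from Cisco): unwrap one
CAPWAP data-channel packet the way a Local Mode controller would, then turn
the inner 802.11 data frame into an 802.3 (Ethernet II) frame.

Only the To-DS data-frame case (client -> AP -> controller) is handled, and
all addresses and payload bytes below are constructed sample data."""
import struct

CAPWAP_CONTROL_PORT = 5246   # control channel, always DTLS-protected
CAPWAP_DATA_PORT = 5247      # data channel, DTLS optional
WBID_IEEE80211 = 1           # Wireless Binding ID for IEEE 802.11 (RFC 5415 4.3)

FC_TYPE_DATA = 2
FC_FLAG_TO_DS = 0x01
FC_FLAG_FROM_DS = 0x02
FC_FLAG_PROTECTED = 0x40
LLC_SNAP = bytes.fromhex("aaaa03000000")   # LLC/SNAP prefix before the EtherType

# Constructed sample addresses.
BSSID = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("0a1b2c3d4e5f")
BROADCAST = b"\xff" * 6


def parse_capwap(pkt: bytes) -> tuple[dict, bytes]:
    """Return (header fields, payload) for a plain (preamble type 0) CAPWAP packet."""
    if len(pkt) < 8:
        raise ValueError("shorter than the minimum 8-byte CAPWAP header")
    version, ptype = pkt[0] >> 4, pkt[0] & 0x0F
    if version != 0:
        raise ValueError(f"unsupported CAPWAP version {version}")
    if ptype == 1:
        # Preamble type 1 = DTLS header: the CAPWAP payload is encrypted.
        raise ValueError("DTLS-encapsulated CAPWAP; payload is not in the clear")
    if ptype != 0:
        raise ValueError(f"unknown CAPWAP preamble type {ptype}")
    word0, word1 = struct.unpack("!II", pkt[:8])
    hdr = {
        "hlen": ((word0 >> 19) & 0x1F) * 4,     # HLEN is counted in 4-byte words
        "rid": (word0 >> 14) & 0x1F,            # radio ID on the AP
        "wbid": (word0 >> 9) & 0x1F,            # wireless binding (1 = 802.11)
        "native": bool((word0 >> 8) & 1),       # T: payload is a native 802.11 frame
        "fragment": bool((word0 >> 7) & 1),     # F: packet is a fragment
        "last": bool((word0 >> 6) & 1),         # L: last fragment
        "wsi": bool((word0 >> 5) & 1),          # W: Wireless Specific Info present
        "radio_mac": bool((word0 >> 4) & 1),    # M: Radio MAC Address present
        "keepalive": bool((word0 >> 3) & 1),    # K: data-channel keep-alive
        "frag_id": word1 >> 16,
        "frag_offset": (word1 >> 3) & 0x1FFF,
    }
    if hdr["hlen"] < 8 or hdr["hlen"] > len(pkt):
        raise ValueError("CAPWAP HLEN inconsistent with packet length")
    if hdr["fragment"]:
        raise ValueError("fragmented CAPWAP; reassemble before converting")
    return hdr, pkt[hdr["hlen"]:]


def dot11_to_dot3(frame: bytes) -> bytes:
    """Convert an unencrypted To-DS 802.11 data frame into an Ethernet II frame."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != FC_TYPE_DATA or subtype & 0x4:     # 0x4 = Null/QoS Null, no body
        raise ValueError("not a data frame carrying a body")
    if fc1 & FC_FLAG_PROTECTED:
        # The AP strips 802.11 encryption before encapsulating; if this bit is
        # still set the body is ciphertext and there is nothing to convert.
        raise ValueError("Protected Frame bit set; payload is still encrypted")
    if (fc1 & (FC_FLAG_TO_DS | FC_FLAG_FROM_DS)) != FC_FLAG_TO_DS:
        raise ValueError("only To-DS (client to AP) frames are handled here")
    # To-DS addressing: Address1 = BSSID, Address2 = SA, Address3 = DA.
    sa, da = frame[10:16], frame[16:22]
    hdr_len = 24 + (2 if subtype & 0x8 else 0)     # QoS Data adds a 2-byte QoS Control
    body = frame[hdr_len:]
    if not body.startswith(LLC_SNAP):
        raise ValueError("body is not LLC/SNAP encapsulated")
    ethertype = body[6:8]
    return da + sa + ethertype + body[8:]


def controller_receive(pkt: bytes) -> bytes:
    """What a Local Mode controller does with one inbound CAPWAP data packet."""
    hdr, payload = parse_capwap(pkt)
    if hdr["keepalive"]:
        raise ValueError("data-channel keep-alive, no client frame inside")
    if hdr["wbid"] != WBID_IEEE80211 or not hdr["native"]:
        raise ValueError("expected a native 802.11 payload")
    return dot11_to_dot3(payload)


def build_sample_packet(protected: bool = False) -> bytes:
    """Constructed sample: an ARP request from CLIENT, wrapped in a CAPWAP data packet."""
    arp = (bytes.fromhex("0001080006040001") + CLIENT + bytes.fromhex("0a000002")
           + bytes(6) + bytes.fromhex("0a000001"))
    fc1 = FC_FLAG_TO_DS | (FC_FLAG_PROTECTED if protected else 0)
    dot11 = (bytes([0x08, fc1]) + b"\x00\x00"       # Frame Control (Data), Duration
             + BSSID + CLIENT + BROADCAST            # Address1..3
             + b"\x10\x00"                           # Sequence Control
             + LLC_SNAP + b"\x08\x06" + arp)         # SNAP, EtherType ARP, body
    # HLEN=2 words, RID=1, WBID=802.11, T=1; no fragmentation.
    word0 = (2 << 19) | (1 << 14) | (WBID_IEEE80211 << 9) | (1 << 8)
    return struct.pack("!II", word0, 0) + dot11


if __name__ == "__main__":
    print("802.3 frame:", controller_receive(build_sample_packet()).hex())
```

The two error paths are the ones worth noticing: a preamble type of 1 means the CAPWAP packet is DTLS-wrapped and cannot be inspected without the session keys, and a set Protected Frame bit means the 802.11 body is still ciphertext, which is what you see when the capture was taken over the air instead of on the CAPWAP link. The same 802.11-to-802.3 conversion is what a FlexConnect AP in Local Switching mode performs itself instead of sending the frame to the controller.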

But what if you have a bunch of small branch offices with just a few APs each? You:

  1. don’t want the expense of controllers in each location (or the management burden), and you
  2. don’t want your print job to go from your mobile device all the way across your WAN, just to make a U-turn and come back across your WAN to a printer you’re physically 5 feet away from.

FlexConnect changes how packets are processed by letting the AP convert the 802.11 packet directly into Ethernet and place it on a VLAN that is trunked to the AP. This takes the controller out of the data path, while the controller remains responsible for firmware updates, configuration, RRM, and IPS. This default behavior of FlexConnect is called FlexConnect Local Switching.

Please keep in mind there are constraints you need to consider before using FlexConnect. See the Restrictions on FlexConnect section of the configuration guide.

Now for the “flex” in FlexConnect.

For some SSIDs you may want to change the data path. For example, maybe you want all your employee traffic to stay at the branch but your guest traffic to go back to the controller for inspection.

So for that SSID you can use FlexConnect Central Switching. For that SSID (WLAN) the AP acts like a Local Mode AP, while for the other SSIDs (WLANs) it stays in Local Switching.

Data Path vs. Authenticators

The other thing to consider is where 802.1X/RADIUS authentication takes place. This is a FlexConnect setting separate from the switching mode: the default is central authentication, and you can also select local authentication. Whether you choose local or central switching, all 802.1X authentication is, by default, done by the controller.

So what if the controller goes away? Well, then your 802.1X authenticator goes away too, unless you have local authentication configured. If you select local authentication for your FlexConnect AP, the AP itself becomes the 802.1X authenticator and RADIUS client, which means registering that AP with your RADIUS server and setting up a RADIUS shared secret for it.

For more information refer to the FlexConnect section of the Configuration Guide.  Here is the link if you’re using version 8.3 code.  To find the configuration guide for the code version you’re running, click here.