I would like to host a happy hour if there’s interest. Let me know!
Thank you very much for your interest in the Cisco #WirelessTuesday podcast! This article is a quick recap of the February 2018 live recording event attendee questions and panel responses.
Questions & Responses
Q. Does this tie into the Cat-9Ks DNA?
R. Yes it does. Today’s demonstration is specific to wireless however DNA Assurance is agnostic to wired/wireless.
Q. How is all this data past through the network and what is the estimated overhead?
R. Assurance telemetry streams from 16 different data sources currently. For wireless Assurance much of the data comes from the WLC over the wired network. I’m unsure about the overhead, but it’s not disruptive per customer and in-house deployments to date.
Q. What was the name of the Cisco Full Bars Spark-room. I tried to find it but failed…
R. Follow this link https://eurl.io/#H10e1EdQZ
Q. Will the location feature require the MSE/CMX?
R. The features being demonstrated require DNA Center. There is no dependency on the MSE/CMX.
Q. Where do I find SW documentation about DNA-C on CCO
Q. Will WPA3 require support for GCMP?
R. WPA3 Enterprise “Suite B” will require GCMP. Suite B will be optional.
Q. Any info on what version of AireOS will WPA3 be supported?
R. This is to-be-determined as the WFA has not formally launched WPA3.
Q. Will there be a need for a mixed mode WPA2/WPA3 will they happily coexist? Autodetect?
R. Yes. The mix of WPA2/WPA3 may depend more on your deployment’s policy.
Q. Will WPA3 have hardware limitations for decryption? For example, AP model x,y,z not supported.
R. Specifically 802.11-2016.
Q. What do the sensor tests run from? Is it initiated from an access point at the site?
R. Sensor tests can be run from a flexible radio in the 2800 and 3800 series APs or from a purpose-built sensor the Aironet Active Sensor that can be mounted at client height for a more accurate representation of actual client experience
Q. Does DNA Assurance tie in with CMX at all? Also, are Heat Maps (currently in Cisco Prime) moving into DNA Assurance?
R. Yes, it ties in with CMX and Operational Insights. Heat maps are able to be migrated from Prime into DNA-Center today.
Q. Could you please repeat how do deploy the DNA feature and what the device do you deploy it to?
R. A DNA Center appliance and DNA Advantage subscription for your APs are all that is required. Your WLC should be running the latest version of AireOS 8.5.
Q. Do you need to buy the entire DNA Center to get Wireless Assurance? Or can you buy separately?
R. You can get access to DNA Assurance for wireless by getting a DNA-C Appliance and DNA Advantage subscriptions for your wireless access points. You do not need to license DNA for your switches if you do not wish to in order to get Assurance for wireless.
Q. Does Prime go away by moving to Wireless Assurance?
R. Prime does not go away, but more and more of the functionality you expect from Prime will be coming to DNA Center and Assurance.
Thank you very much for your interest in the Cisco #WirelessTuesday podcast! This article is a quick recap of the January 2018 live recording event with the associated questions and panel responses.
I would like to make a public thanks Javier Contreras and Salil Prabhu, escalation engineers here at Cisco! They walked us through how to pick the best firmware versions, top TAC issues they are called to address, troubleshooting tools, and how testing is being changed to better reflect real-world conditions.
Recommended Firmware Releases
- For most deployments 18.104.22.168 (also known as 8.0 MR5)
- For deployments requiring new features or hardware released after 8.0, use 22.214.171.124 (also known as 8.2 MR7 interim) or 126.96.36.199
- DNA/Assurance features to be released by the end of January, 188.8.131.52 (also known as 8.5 MR2)
Check here for Cisco TAC recommended code releases (this doc is updated often).
Useful Troubleshooting Tools
- Wireless Sniffer using Linksys USB600N with Omnipeek
- Wireless Sniffing using a Mac with OS X 10.6 and above
- Wireless Sniffing in Windows 7 with Netmon 3.4
- Wired Packet Capture using Wireshark monitoring spanned switch ports of AP, WLC, or client side data.
Questions & Responses
Q1. CSCve39811 8540 WLC running 184.108.40.206 drops OEAP602 APs after upgrade from 220.127.116.11.
R1. Please request escalation or speak to the TAC Duty Manager.
Q2. Does this CSCvg37751 only apply during failover? I’ve had similar happen at sites running AireOS APs during normal operation. APs are behind a Meraki MX 65 or MX100.
R2. No, this bug appears to apply to APs connected to Meraki cloud managed switches/firewalls during the connection process to the WLC.
Q3. What did you use to see the data retries when you saw the delay? Did you see this on the AP, controller or sniffing traffic?
R3. A script ran that forces the WAN flap and APs to join and drop in a loop; then they monitored the number of DTLS sessions (data & control) to see stale entries and mismatches.
Thank you very much for your interest in the Cisco #WirelessTuesday event! This article is a quick recap of the December 2017 event with the associated questions and panel responses.
I would like to make a public thanks to Darryl Sladden, Senior Product Manager here at Cisco! He gave us an update on the innovations we’ve made that perform analysis on the who, how, and where your wireless devices are. Innovations that include something we use here at Cisco to optimize the use of real estate, yielding $20M per year in savings or cost avoidance.
If you’d like to hear the recording you can access it here.
Q1. What do we recommend if customer is coming from Prime 3.1 and wants to upgrade to 3.2 or do we recommend 3.3? Any drawbacks if he uses 3.3 with CMX 10.4?
R1. There is a full compatibility matrix available at https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html. There you will find what is recommended.
Q2. Did you say you can send to max 4 MSEs?
R2. Yes, there is a max of 4 NMSP destinations (i.e. MSE/CMX instances) that a controller can talk to at any one time with WLC 8.6. For FASTLocate, each individual AP talks to a single CMX instance.
Q3. Do you require the Hyperlocation module in order to enable FastPath, or can we use this in the traditional APs with RTLS?
R3. FastPath works with FastLocate which can be configured without Hyperlocation. The difference is that you don’t get angle of arrival without Hyperlocation, but you do compute location based on the data packets. Support for FASTPath extends to 1800/2800/3800 with WLC 8.6.
Q4. Will the presentation/PowerPoint be shared after the meeting?
R4. Yes. As of this week, all #WirelessTuesday sessions will be posted as a Podcast, currently available on iTunes, soon to be available on Spotify. You’ll be able to visit the archived sessions as well.
Q5. Regarding CMX 10.4; where are the Configuration and Installation guides? The release notes for 10.4 only link to websites that have these guides for versions up to 10.3, but no 10.4.
R5. CMX Installation Guides can be found here:
Q6. Can the HyperLocation Antenna be used on external antenna APs?
R6. Yes, the Hyperlocation module has an option for being mounted on a 3700e with a patch antenna. CMX 10.4 also supports the new AIR-ANT25-LOC-02= Hyperlocation Antenna, model 2, a detached directional antenna.
Q7. Will CMX allow you to give clients a friendly name so when you see it on the map you know what it is or better yet search for that client?
R7. This is not supported natively with CMX, however this is supported with Operational Insights, a cloud service that consumes location information from CMX.
Q8. Where can I get more info on Operational insights? Assuming this is a front end where users can access? Or more for IT?
R8. Data Sheet and Guide
For a BETA account, please contact Pushkar Sharma (pushshar) <firstname.lastname@example.org>
Q9. There are antennas with less than 32 elements, correct? What would the difference in accuracy data be?
R9. The Hyperlocation module includes a purpose-built antenna array specific for AoA (Angle of Arrival) calculations — the module / and the antenna are a single unit.
Q10. Will HyperLocation provide accuracy better than 5-7 meters? We have a business use case that requires 1 meter accuracy.
R10. Hyperlocation has the ability to locate WiFi clients that are associated with a 1-3m accuracy provided best practice design for AP placement is used.
Q11. Can CMX Engage build a rule for a specific user/MAC, like direct marketing for a group of users or a specific user?
R11. Yes, CMX Engage can tag a specific user if they have specific features that identify the specific user.
Q12. What management do I pick Prime or DNA Center?
R12. DNA Center is primarily for defining intent and allowing automated configuration with Software Defined Access and Fabric Enabled Wired/Wireless. Prime Infrastructure is for lifecycle management and provides the wireless heat maps and hooks in to CMX. Check out video posted here: https://ciscofullbars.com/2017/12/01/wirelesstuesday-se1/
Q13. This is a little off topic but we are running MSE 8.0.140. We were told if we upgrade to CMX 10 then we would have to import all our Prime images into CMX. Is this still an issue with CMX 10.4?
R13. CMX 10.4 has the ability to pull in maps from Prime Infrastructure 3.1 or later. You can choose to have the maps synced when you select to sync in Prime or in CMX.
Q14. So are you saying all the APs should be pointing the same way, with the light pointing towards the left or right? Or is it ok to mount them whichever way, but document the direction depending on the light location?
R14. As a best practice, all the APs should be “pointed” the same way. In cases where that is not possible, be sure to note the directional difference in Prime Infrastructure. Pointing all APs in the same direction makes it easier for troubleshooting and future installations, but is not required for the software to function correctly.
Thank you very much for your interest in the Cisco #WirelessTuesday event and thanks to the hundreds of you that migrated with me from what was our #WirelessFriday event! This article is a quick recap of the November 2017 event with the associated questions and panel responses.
I would like to make a public thanks to Stephen Orr, Distinguished SE here at Cisco (LinkedIn, Twitter)! He weighed in on the WPA2 vulnerabilities known as KRACK and Cisco’s (and the industry’s) response. I loved his first piece of advice: #DontPanic. I would also like to thank my panelists Brad Kincaid, Rush Johnson, and Mark Dellavalle.
If you’d like to hear the recording you can access it here.
Links from the Presentation
- To learn more about the WPA2 KRACK vulnerability and Cisco’s response check out this blog article.
- Updated PSIRT Page: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
- Recommendations from Cisco: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/212390-wireless-krack-attack-client-side-workar.html
- Only 1 impacts APs using 802.11r (Fast BSS Transition): CVE-2017-13082. The rest of the vulnerabilities impact the client devices.
- CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
- CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
- CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
- CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
- CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
- CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
- CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
- CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
- CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- Proposals being submitted week of Nov 6th to TGmd
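The CVE list above is, with one exception, a list of key reinstallation conditions: a retransmitted handshake message makes the receiver install a key it already holds, which resets the transmit packet number (nonce) and replay counter for that key, so the same (key, nonce) pair is used to encrypt more than one frame. The model below is an added illustration of that failure mode and of the remediation that patched supplicants implement; it is not Cisco's code, any vendor's supplicant, or a protocol implementation, and the class and function names (Supplicant, PatchedSupplicant, simulate, nonce_reuse) and the sample key are constructed for the example. It models the client side of the 4-way handshake (CVE-2017-13077); the AP-side fix for the 802.11r reassociation case (CVE-2017-13082) applies the same idempotency principle.

```python
"""Why a reinstalled key matters, and what the patched behaviour looks like.

Added example, not code from the page or from Cisco. All names are
constructed for illustration; no real 802.11 frames are built or sent.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for a pairwise temporal key (PTK-TK); not a real key.
KEY_A = b"\x11" * 16


@dataclass
class Supplicant:
    """Unpatched model: every handshake message 3 installs the key and
    resets the transmit packet number, even if the key is already in use."""
    tk: Optional[bytes] = None
    pn: int = 0                                   # transmit packet number (nonce)
    sent: List[Tuple[bytes, int]] = field(default_factory=list)  # (key, pn) per frame

    def on_message3(self, tk: bytes) -> None:
        # Installing (or reinstalling) a key starts the nonce from zero.
        self.tk = tk
        self.pn = 0

    def send(self, payload: bytes) -> Tuple[bytes, int]:
        if self.tk is None:
            raise RuntimeError("no key installed")
        self.pn += 1
        used = (self.tk, self.pn)
        self.sent.append(used)      # record the (key, nonce) pair this frame used
        return used


@dataclass
class PatchedSupplicant(Supplicant):
    """Patched model: a retransmitted message 3 is acknowledged (message 4 is
    resent), but an already-installed key is left alone and the packet
    number keeps counting, so no (key, nonce) pair is ever repeated."""
    installed: bool = False

    def on_message3(self, tk: bytes) -> None:
        if self.installed and tk == self.tk:
            return              # legitimate retransmit: do not reset pn
        self.tk = tk
        self.pn = 0
        self.installed = True


def nonce_reuse(sent: List[Tuple[bytes, int]]) -> int:
    """Number of distinct (key, nonce) pairs that encrypted more than one frame."""
    seen = {}
    for pair in sent:
        seen[pair] = seen.get(pair, 0) + 1
    return sum(1 for count in seen.values() if count > 1)


def simulate(cls) -> int:
    """Run a handshake, send traffic, then deliver message 3 a second time
    (as happens when the client's message 4 is lost) and send more traffic.
    Returns how many (key, nonce) pairs were reused."""
    sta = cls()
    sta.on_message3(KEY_A)          # first message 3: key installed, pn = 0
    sta.send(b"frame-1")
    sta.send(b"frame-2")
    sta.on_message3(KEY_A)          # retransmitted message 3
    sta.send(b"frame-3")
    sta.send(b"frame-4")
    return nonce_reuse(sta.sent)


if __name__ == "__main__":
    print("unpatched reused pairs:", simulate(Supplicant))         # 2
    print("patched reused pairs:  ", simulate(PatchedSupplicant))  # 0
```

The point of the model is the one the panel made about patching: the defect and its fix both live in the supplicant's key-installation logic, which is why the infrastructure being patched does not protect an unpatched client, and why the fix keeps accepting retransmitted message 3 (retransmission is normal when message 4 is lost) rather than rejecting it.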
In-Event Questions and Responses
Q. Can or should both Infrastructure MFP and PMF (802.11w) be implemented together?
R. Stephen is a fan of “defense in depth” so the recommendation is yes. 802.11w has 2 modes: MFP required and MFP capable. It’s always good to start with MFP capable until you know for sure your clients support it.
Q. Is it still recommended not to run 802.11r with PMF?
R. If you are using patched code you are good to use 802.11r. Know that both the infrastructure and clients need to be updated.
Q. Does the 5760 have a patched image yet?
R. Yes 5760 updates are available. Please work with TAC on specific recommendations.
Q. Are devices like 800-W series routers/ASAs vulnerable as well?
R. For those SoHo devices where roaming is capable, yes, they would be vulnerable.
Q. With a MiTM attack, this should be more of an impetus to disable lower data rates…? That should at least shrink the cell size for the MiTM attack, correct?
R. Not necessarily. This may have a negative effect on coverage and roaming.
Q. So, if AP’s/WLC’s are patched, but clients are not, we’re still vulnerable?
R. The clients not patched would be vulnerable.
Q. So, do either of the 2 threat vectors present vulnerabilities if 802.11r or 802.11ai are not enabled?
R. If they are not enabled on the infrastructure side, then the infrastructure is not exposed, however the client, if using vulnerable code, is exposed.
Q. What are we patching on the client side? Our devices do not use software to access the APs. They just use the wireless app on the device.
R. The device itself would need an update from the device manufacturer.
Q. When talking about patching the clients. Are you speaking about patching the workstations clients? For example, if you are using the windows wireless clients?
R. Essentially the supplicant on the device must be updated, whether that is separate or part of the OS. Each vendor will need to address the vulnerabilities in their own firmware, drivers, and supplicants.
Q. Do any of these vulnerabilities change in a flex-connect mode?
R. No, your exposure does not change.
Q. Under WLANS, Security (802.11r) FT = Fast Transition or Authentication Key Management = FT 802.1X / FT PSK boxes checked?
R. On the PSIRT website there is a step-by-step guide to help you determine if you are vulnerable.
Q. I also think it’s important to clarify that the attacker needs to be present for this attack, nearby.
R. Great point… “in RF proximity…”
Q. How about the new Apple Cisco partnership, where Apple’s devices “turn on” 802.11r?
R. That is still the recommendation. The patches are available and should be used.
Q. So, on latest code, 802.11r can be “off” but enabling the Apple-Cisco Best Practices will turn it back “on”?
R. Yes, that is true.
Q. Will the WFA test plan be published and available?
R. For now, the test tool/plan is available only for manufacturers.
Q. Did Wi-Fi Alliance provide a time line to remediate for Infrastructure and all client devices?
R. For those devices that claim support for 802.11r or 802.11ai, mandatory test will be in place, likely by the end of 2017.
Q. Is Cisco publishing all client devices that were remediated?
R. Best advice is contact each vendor.