#WirelessFriday February 2017 – Questions and Responses

February 24, 2017 was #WirelessFriday and the topic was Wi-Fi Optimization. Clients are using more real-time and higher-bandwidth applications, and your Wi-Fi network needs to adapt to a constantly changing environment. The webinar included mini-demos on health dashboards, flexible radio assignment, and application prioritization.

Today, we heard from Patrick Croak, Wireless CCIE, who walked us through areas where we could achieve Wi-Fi optimization. If you would like to review the event, please catch the recording.

There were a number of resources mentioned. Here they are:

As a next step I’d like to recommend contacting your partner or Cisco account team to schedule a deep-dive or even a WLAN Tuning session.

I would like to thank the following panelists:

  • Ben Edwards, Enterprise Networking CSE, Cisco
  • Bill Fulton, Enterprise Networking PSS, Cisco
  • Brad Kincaid, Enterprise Networking PSS, Cisco
  • Christopher Medrano, Enterprise Networking CSE, Cisco
  • Derrick Williams, Enterprise Networking CSE, Cisco
  • John DiGiovanni, Enterprise Networking RM, Commercial West and Central, Cisco
  • Ron Amenta, Enterprise Networking PSS, Cisco
  • Sangita Mahishi, Enterprise Networking PSS, Cisco

Questions and Responses:

Q1.  Does the packet capture only work for CAPWAP clients? What about FlexConnect?
A1.  Packet capture should work for FlexConnect clients. In a FlexConnect deployment, the APs still maintain a CAPWAP tunnel to the WLC, just over a WAN link.

Q2.  When you are specifying packet captures, are you referring to the actual wireless frames or Ethernet frames?
A2.  Wireless. The packets are captured and dumped in the order of arrival or transmit of packets except for beacons and probe responses. The packet capture contains information such as channel, RSSI, data rate, SNR, and timestamp.

Q3.  Should we broadcast or not broadcast our guest wireless SSID in a multitenant environment? Is there any security gained from not broadcasting, as the clients will still call out for it? Or does hiding it help reduce potential DoS attacks on the server?
A3.  Many would suggest there is essentially no security benefit to not broadcasting. Any sniffer can discover that. Most now understand we need to play nice in the same sandbox.

Q4.  Do you know when the 8.3 code will be a “star” release?
A4.  If you are referring to 8.3 MR1, it was posted February 27, 2017. Check out the release notes here.

Q5.  Can you talk about TPC versions or is the name the whole story?
A5.  You can review the differences in the following white paper. TPCv1 is most commonly used. http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_RRM_White_Paper/b_RRM_White_Paper_chapter_0101.html#id_15224

Q6.  Is the workstation profiling coming from ISE?
A6.  The workstation profiling is coming directly from the controller.

Q7.  Are the adjustments to the 2800 and 3800 series APs available in Cisco Prime Infrastructure?
A7.  Yes

Q8.  What version is being demonstrated?
A8.  Any version of code after 8.1 will look like this. The code running here is 8.3.

Q9.  When enabling fast transition does the FT 802.1x option need to be enabled in authentication key management?
A9.  Either FT 802.1x or FT PSK. http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/80211r-ft/b-80211r-dg.html#task_2C619E3A576D474F80D6CB4BA8B4DBA6

#WirelessFriday January 2017 – Questions and Responses

We had a great #WirelessFriday on January 20, 2017! The topic was all about GUEST ACCESS. We answered questions such as: Is there a technical reason why guest access should be super easy? What kind of self-service guest authorization mechanisms are there? What would the guest experience be and how is that managed on the back-end? If you weren’t able to join us live, you can watch the recording. Here are the questions that came up during the call and the responses from our panelists.

We heard from Robert Roulhac, Cisco Virtual Systems Engineer, Security Focus.

I would like to thank the following panelists:

  • Allan Ross, Enterprise Networking CSE, Cisco
  • Ben Edwards, Enterprise Networking CSE, Cisco
  • AJ Shah, Enterprise Networking CSE, Cisco

Q1.  How does SMS integration work?
A1.  ISE uses an SMS gateway to forward SMS messages to the user.

Q2.  Is there any way a guest can select or put in an email address for a sponsor?
A2.  You can utilize a sponsor portal to create guest accounts for users. http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/sponsor_guide/b_spons_SponsorPortalUserGuide_21/Support_Guests.html

Q3.  We have set up guest access in such a way that a sponsor has to create an account for the guest… Is there any way the guest can enter the email address of an employee and the employee gets an email to approve the guest request?
A3.  Yes, sponsors can also receive email notifications requiring their approval for self-registering guests. http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_01110.html#task_1EAD5E171B7849EDA41

Q4.  What if you don’t use ISE but currently have a guest anchor. Does this merge easily?
A4.  The deployment of ISE would be identical on a primary or a guest anchor controller.

Q5.  To clarify which is easier: today I have an anchor, so what’s the advantage of ISE?
A5.  ISE provides the same functionality on a guest anchor as it would on an internal controller.

Q6.  Does ISE integrate with Meraki?
A6.  Yes, it does. Please see https://communities.cisco.com/docs/DOC-68192

Q7.  The guest service could then be provided on both the Meraki network and Corp HQ WLC?
A7.  Yes, Meraki is just another Network Access Device (NAD) in ISE.

Q8.  Is it best practice to keep SSIDs down to a minimum, in the 3-4 range?
A8.  Yes, the fewer the better. Each SSID requires management overhead of airtime. Management frames are sent at the lowest set data rate and eat valuable airtime for data to clients. https://documentation.meraki.com/MR/WiFi_Basics_and_Best_Practices/Multi-SSID_Deployment_Considerations
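To put a number on the airtime point in A8, the script below is an added example (not from the webinar or from Cisco) that estimates the share of a radio's airtime consumed by beacons alone as the SSID count grows, comparing a 1 Mbps DSSS basic rate with a 12 Mbps OFDM basic rate. It assumes a 250-byte beacon, the default 100 TU beacon interval, and standard 802.11b/g PHY timings; all of those figures are assumptions, not values from the page.

```python
import math

BEACON_INTERVAL_TU = 100   # assumed default beacon interval, in time units (TU)
TU_US = 1024               # one TU is 1024 microseconds
# Each SSID on a radio emits its own beacon every interval: ~9.77 per second.
BEACONS_PER_SEC = 1_000_000 / (BEACON_INTERVAL_TU * TU_US)


def dsss_airtime_us(frame_bytes: int, rate_mbps: float) -> float:
    """Airtime of one 802.11b DSSS frame sent with the long PLCP preamble."""
    plcp_us = 192                                   # 144 us preamble + 48 us PLCP header
    return plcp_us + (frame_bytes * 8) / rate_mbps  # at 1 Mbps, 8 us per byte


def ofdm_airtime_us(frame_bytes: int, rate_mbps: float) -> float:
    """Airtime of one 802.11a/g OFDM frame (6..54 Mbps)."""
    preamble_us = 20                                # 16 us preamble + 4 us SIGNAL field
    bits = 16 + frame_bytes * 8 + 6                 # SERVICE + PSDU + tail bits
    bits_per_symbol = rate_mbps * 4                 # one OFDM symbol lasts 4 us
    return preamble_us + math.ceil(bits / bits_per_symbol) * 4


def beacon_overhead_pct(ssid_count: int, beacon_bytes: int,
                        rate_mbps: float, phy: str = "dsss") -> float:
    """Percent of one radio's airtime spent on beacons for ssid_count SSIDs."""
    airtime = dsss_airtime_us if phy == "dsss" else ofdm_airtime_us
    per_beacon_us = airtime(beacon_bytes, rate_mbps)
    return ssid_count * BEACONS_PER_SEC * per_beacon_us / 1_000_000 * 100


def overhead_table(beacon_bytes: int = 250, max_ssids: int = 8):
    """Rows of (SSIDs, % airtime at 1 Mbps DSSS, % airtime at 12 Mbps OFDM)."""
    return [(n,
             round(beacon_overhead_pct(n, beacon_bytes, 1, "dsss"), 2),
             round(beacon_overhead_pct(n, beacon_bytes, 12, "ofdm"), 2))
            for n in range(1, max_ssids + 1)]


if __name__ == "__main__":
    print("SSIDs  beacons@1Mbps  beacons@12Mbps  (percent of airtime)")
    for n, slow, fast in overhead_table():
        print(f"{n:>5}  {slow:>12.2f}%  {fast:>13.2f}%")
```

Disabling the 1 and 2 Mbps rates so beacons go out at 12 Mbps cuts the per-SSID cost by more than ten times, which is why trimming SSIDs and raising the minimum basic rate are usually done together.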

Q9.  In a non-anchor deployment, the ACLs would have to allow guest traffic to reach the corporate authentication server (ISE), correct?
A9.  That is correct for redirect. To clarify, data traffic does not traverse the corporate network, only the webauth redirect for authentication.

Q10.  Does the auto-WLC-configuration script also configure url redirection for https?
A10.  The redirect URL is passed from ISE to the WLC via RADIUS when the user associates.

Q11.  Can the guest provisioning be utilized against an existing SSID?
A11.  Yes, once the WLC is integrated with ISE.

Q12.  What impact do the WLC timeout settings have?
A12.  Authorization timeouts should be set in ISE and not in the WLC. If you are using ISE, it is advised to remove the session timeout values from the WLC.

Q13.  Isn't there a security concern allowing 80 or 443 to ISE from guest endpoints?
A13.  ISE is a hardened appliance. Access is controlled via the pre-auth ACL to only the ports the ACL allows.

Q14.  Does the ISE guest SSID provisioning create the ACL on the WLC also?
A14.  Using the guest wizard in ISE 2.2, it will be provisioned on the WLC via the wizard. Before ISE 2.2 the ACL will have to be manually configured.