This year WLPC was another great event. If you missed it and would like a recap, listen to the ClearToSend podcast episode #111 Rowell and I recorded.

​Glenn Cate and I proposed a talk on Warehouse Wi-Fi and we were fortunate enough to be selected as one of the main sessions.

Here is how our presentation turned out:

We talked about how it is sometimes required to think outside of the box when designing Wi-Fi for a warehouse.

Do you have any experience working in a warehouse? Did you find any other ways of thinking outside of the box to implement your Wi-Fi design?

PDF version of the presentation: https://d2cpnw0u24fjm4.cloudfront.net/wp-content/uploads/Session-3_-Francois-Verges-Glenn-Cate-The-Wild-Wacky-Weird-World-of-Warehouse-Wi-Fi.pdf
​
All other WLPC presentations: https://www.wlanpros.com/resource/?wpv-category=2018-phoenix&wpv_aux_current_post_id=2623&wpv_view_count=464-TCPID2623

I would like to thank Glenn for giving me the opportunity to work with him.

Thank you!

written by François​ Vergès

This blog article describe the process of upgrading an Aruba controller. It provide a checklist of tasks to perform in order to prepare, perform and validate the software upgrade. You can also download the PDF version of this checklist.

You can get the full detailed procedure in each Aruba OS release notes.

Thank you for reading.

Cheers'


written by François Vergès

This article will explains how to convert a CAPWAP AP to a Cisco Mobility Express AP. The AP model used as an example in this article is a Cisco Aironet 2802i.

Note: if you are planning on doing an AP-on-a-stick site survey with a Cisco Aironet 2800 or 3800, you will have to convert the AP to mobility express first.  Then, read this article on how to configure the mobility express AP for an APoS site survey.
​

The first thing that you will need to do is download the proper software images.

Here are the different software images you will need: 

• The latest AireOS image available for the AP you are using (​Ex: ap3g3-k9w8-tar.153-3.JF1.tar)  (Optional: not required if AP is running v8.3 and up)
• The latest Mobility Express image available for the AP you are using (Ex: AIR-AP2800-K9-ME-8-3-133-0.tar)

Note: If your CAPWAP AP is currently running a AireOS code lower than 8.3, you will need to upgrade to a version 8.3 or higher before converting the AP to Mobility Express.

Use the “show version” command in order to find out which AireOS version your AP is running. In my case, the AP was running version 8.2.151.0:

Here is my setup:

​The AP was powered on by a power injector and was directly connected to my laptop via an ethernet cable. This will be used to establish the network connectivity between the laptop and the AP for the TFTP transfer.
The AirConsole unit was connected to the console port of the AP. This will be used to establish the console connection to the AP for initial configurations.

Here is how I configured my wired NIC on my laptop:

The AP will later be configured with the 192.168.88.10/24 IP address.

But first, we need to connect to the AP using the console connection.
In order to do so, I have to connect to the AirConsole Unit via Bluetooth. I have detailed how I do this on this following article: www.semfionetworks.com/blog/easily-use-airconsole-on-macosx

You should then be able to login into the AP using the default credentials:

• Username: Cisco
  
• Password: Cisco

Note: I like using the logging console disable command as soon as I login in order to keep the log messages away from the console interface. Therefore, they won’t get in my way while I configure the AP and upgrade the software images.

You now can configure the network interface of the AP so it can establish connectivity with your laptop on the 192.168.88.0/24 networks. In order to do so, enter the following command:

• capwap ap ip 192.168.88.10 255.255.255.0 192.168.88.1

You can validate this configuration by using the show ip interface brief command:

You can validate that you have network connectivity with your laptop using ping: ping 192.168.88.1.

At this point, you are ready to upload the new software images and convert the AP.

You will need a TFTP server to transfer these software images to your AP. In my case, I am using the application called  tftpServer on macOS.

Here is what you need to do regarding the TFTP server setup:

• Star the application
  
• Once the application is started, validate that it is listening on the 192.168.88.1 IP address
  
• Validate what is the TFTP root directory (Ex: /private/tftpboot/)
  
• Place the software images that you download in the TFTP root directory

If you want to double check that the TFTP server is up and running and listening on the right port, issue the following command in a terminal session: netstat -an | grep LISTEN | grep .69.

From the console connection, via CLI, enter the following command:
ap-type mobility-express tftp://<IP_TFTP_SERVER>/<IMAGE_FILENAME>

Here is an example: ap-type mobility-express tftp://192.168.88.1/ap3g3-k9w8-tar.153-3.JF1.tar

​The AP will reboot and install the new version.
Once the AP is back up, log back in using the default credentials (Cisco/Cisco) and issue the show version command in order to validate that the new version has been installed:

From the console connection, via CLI, enter the following command:
ap-type mobility-express tftp://<IP_TFTP_SERVER>/<ME_IMAGE_FILENAME>

Here is an example: ap-type mobility-express tftp://192.168.88.1/AIR-AP2800-K9-ME-8-3-133-0.tar

You will now need to reboot the AP in order to install the new code using the following command:
reload

The AP will reboot and install the mobility express version.
Once the AP is back up, log back in using the default credentials (Cisco/Cisco) and issue the show version command in order to validate that the new version has been installed:

You can now see that the Mobility Express code version 8.3.133 has been installed on this AP.
The AP Image type is now MOBILITY EXPRESS IMAGE
The AP Configuration is now MOBILITY EXPRESS CAPABLE

Depending on what you will use this AP for, these following articles will help you configure your Mobility Express AP and controller:

• Configure the AP for an APoS site survey: https://www.semfionetworks.com/blog/configure-a-cisco-mobility-express-ap-for-an-apos-site-survey
• Cisco Wave2 site survey how-to by Sam Clements: https://sc-wifi.com/2017/03/20/cisco-wave2-site-survey-how-to/
• Configure the AP and ME controller for production by Rowell Dionicio: https://www.packet6.com/deploying-cisco-mobility-express/

• Cisco Mobility Express Deployment Guide–Release 8.3.102.0: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_Cisco_Mobility_Express_Deployment_Guide/b_Cisco_Mobility_Express_Deployment_Guide_chapter_010.html

Thank you for reading!

Cheers'



written by François Vergès

This article explains how to configure a Cisco Mobility Express AP for an AP-on-a-Stick site survey using the CLI (Command Line Interface). It is also possible to do it using the provisioning SSID.

Right before configuring the AP for the survey, I had to convert it from the CAPWAP mode to the Mobility Express mode.

​When the AP boots for the first time in the Mobility Express mode, you are presented with a setup wizard. We will use the wizard to configure the following parameters:

• IP address of the Mobility Express management interface: 192.168.88.11/24 (Note: The IP address of the Mobility Express controller has to be different from the AP IP address!!)
• IP address of the gateway: 192.168.88.1
• DHCP server for the Wi-Fi clients: 192.168.88.100-200
• Time
• Host name of the controller: surveyWLC
• Admin credentials: Admin / Cisco123

You will notice that I am not configuring any WLAN profile yet. This will come later.

​Here is how I configured mine (these parameters can be changed to match your environment):

Wait for the AP to reboot. You will be able to login into the controller using the admin username and the Cisco123 password.

When I do AP-on-a-stick site surveys I like to configure the following SSIDs:

• Open SSID called survey24 on the 2.4GHz band only
• Open SSID called survey5 on the 5GHz band only

Here is how you can configure them on the Mobility Express controller via CLI:

I also like to keep control on the channel and transmit power used for the survey on both frequency bands. In this example, we are configuring the 2.4GHz radio on channel 1 with a transmit power level of 4 and the 5GHz radio on channel 36 with a transmit power level of 2.
Use the show config ap 802.11b ap_name and show config ap 802.11a ap_name commands to find out which power level corresponds to which dBm value for your AP.

First, you need to make sure that the AP joined the controller using the show ap summary command. In our case the name of the AP was surveyAP. If the AP didn't join, make sure that you are using different IP addresses for the AP and the Mobility Express controller. Also, check out this article from Packet 6: Troubleshoot AP Joining Issues - Cisco Mobility Express.

Here is how you can configure these radio settings on the Mobility Express controller via CLI:

Now, if you are using a Cisco Aironet 2800 or 3800 series AP, you will not have the 802.11b radio available. Instead, you will configure the 802.11-abgn radio.
If you try to configure the 802.11-abgn radio the same way we configured the 802.11b radio above, you will get the following error:

This is because, by default, the 802.11-abgn radio is set to the auto role.
We need to change the role to manual client-serving in order to be able to configure the custom transmit power. 

Here is how to configure the 802.11-abgn radio:

Once everything is configured, here are a couple of useful show commands that you could use to validate your configurations:

• show ap summary
• show advanced 802.11b summary
• show advanced 802.11-abgn summary
• show advancde 802.11a summary
• show ap config 802.11b ap_name
• show ap config 802.11-abgn ap_name
• show ap config 802.11a ap_name

You should now see both SSIDs being broadcasted by the AP.
As a validation, I try to associate to both SSIDs and wait to receive an IP address.

Here are a few commands that you could use on the Mobility Express controller to validate the client connections:

• show client summary
• show dhcp leases

Don't forget to save your configurations using the save config command.
You are all set!

Here are a few useful and related links:

• Complete guide from Cisco: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_Cisco_Mobility_Express_Deployment_Guide/b_Cisco_Mobility_Express_Deployment_Guide_chapter_01101.pdf
• Mobility Express Command Line Interface document: ​https://www.cisco.com/c/en/us/td/docs/wireless/access_point/mob_exp/83/cmd-ref/me_cr_book.html
• Troubleshoot AP Joining Issues – Cisco Mobility Express: https://www.packet6.com/troubleshoot-ap-joining-issues-cisco-mobility-express/

Thank you for reading. Let me know how you do it!

Cheers'


written by François Vergès

Visiting the IEEE website, we can find the details about the IEEE 802.11 standards and amendments displayed on a table: http://grouper.ieee.org/groups/802/11/Reports/802.11_Timelines.htm

In order to put them into perspective, I have displayed them on a timeline. 
As the new amendments and standards are released, this timeline will be updated.

Feel free to download and use the timeline as much as you want. As always, please feel free to share your feedbacks so we can make it better together.

The process made me realize that the 802.11 standard is 20 years old this year!

Click on image to open the PDF version:

Note: the timeline only displays the published amendments and standards. This is why you won't find 802.11ax for now!


written by François Vergès

The Magic Quadrant for the Wired and Wireless LAN Access Infrastructure has been released by Gartner on October 17th:

Just like last year, the same companies have been identified as leaders: Cisco and HPE Aruba. To me, this is no surprising at all, they lead and dominate the market. However, we can note that they are positioned a little closer to the visionaries section than last year.

Talking about the visionaries, we can see that Extreme Networks is clearly catching up and getting closer and closer to the leaders. Gartner has recognized the successful acquisitions made by Extreme over the past few months. If you want to learn more about it, Rowell Dionicio and I recorded a Clear To Send podcast episode about it with Mike Leibovitz from Extreme.

Among the new comers, Mist Systems has been positioned as a visionary by Gartner. I believe this was expected knowing that the startup has been growing at a fast pace over the past couple of years. They also focus heavily on AI and, therefore, I am not surprised to see them as visionaries.

The appearance of Mojo Networks as a new comer is also interesting, I believe. Mojo decided to advocate the open networking standards and is actively part of the Open Commute Project. This has modified their business model and impacted the company in a good way. They also focus on AI and machine learning.

We can also note that Ubiquiti Networks is not included in this Magic Quadrant. Having following their progress on the Uni-Fi brand, I believe that they are offering good products. However, according to Gartner, they “do not currently meet our inclusion criteria, but they can address enterprise access layer connectivity in certain usage scenarios. In some cases, these vendors sell to customers outside the traditional IT organization”. I would be interested to see how the company reacts to this MQ knowing the difficult times that they are experiencing right now.

The trend is clearly around software defined networks, artificial intelligence and machine learning. Gartner believes that more and more automation will happen at the access layer of our networks. Here is their prediction: "By 2022, more than 60% of IT organizations will use access layer network automation, up from less than 5% today."

Earlier this year, the Mobility Field Day 2 outlined this trend with presentations from vendors such as Mist Systems, Mojo Networks, Cape Networks and Nyansa.

I believe that, as Network Engineers, we need to prepare for the future and learn more about network automation, scripting and programming.

These are a series of videos and documents which will help you to technically understand KRACK. All you need is about 2 hours.

First, you need to understand the 4-way handshake. Marcus Burton is doing a great job explaining it in this video (6mins):

The following videos will have Hemant Chaskar and Vivek Ramachandran explain all of the KRACK vulnerabilities in technical details. Please watch them in order (79 mins).

Finally, read the research paper from Mathy Vanhoefm explaining his findings in details (25-30mins). 

At the end of this 2h KRACK learning session, you should have a better technical understanding of the different vulnerabilities.

Thank you!


​Written by François Vergès

By now you have probably heard that some WPA2 vulnerabilities have been discovered and made available to the public by Mathy Vanhoel on www.krackattacks.com.
This article will explain the implication of these vulnerabilities on enterprise WLAN networks.

Nine vulnerabilities has be revealed. Eight of them are client related and one of them is AP related.
Let's begin by explaining the client related vulnerabilities.

When a Wi-Fi network is configured using WPA or WPA2, different group of keys are used between the client device and the access point:

• PTK or Pairwise Temporal Key: keys used to protect unicast traffic
• GTK or Group Temporal Key: keys used to protect broadcast and multicast traffic
• IGTK or Integrity Group Temporal Key: keys used to protect management frames

These keys are generated and installed by the client and the AP during the 4-way handshake.  The 4-way handshake is happening right after the WPA2 authentication phase. The authentication phase is when the client is authenticating using a pre-shared key or 802.1X.
​Here is what a 4-way handshake looks like:

The vulnerabilities discovered are exploiting the fact that these keys (PTK, GTK, IGTK) can be re-installed by either the client or the AP. The attacks are, therefore, focusing on messages 3 and 4.

The fact of re-installing already-in-use keys will force some variables such as the Packet Number and the Nonce to be reset. This is important because these variables are used to generate the key stream ultimately used to encrypt data. If the keys are re-installed, the same key stream could be used more than once to encrypt data. The attacker will then be able to retrieve the plain text by applying a simple mathematical formula to encrypted packets transmitted using the same encryption key stream.

This means that all WPA2 networks are impacted (WPA2-Personal and WPA2-Enterprise).

This is a high level description of the following CVE:

• CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
• CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
• CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
• CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
• CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.​
• CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
• CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
• CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.​

For more details on each of them, I would encourage you to watch these really thorough videos produced by Mojo Networks and Pentester Academy: ​http://blog.mojonetworks.com/wpa2-vulnerability.

Now, let's go over the AP related vulnerability.
​
These keys (PTK, GTK, IGTK) are also installed by the client and APs during the 802.11r (or FT) handover. This is not done using the EAPOL packets used during the 4-way handshake. Instead, it is done using the 802.11 management packets used when a client roams:

• Authentication Request
• Authentication Response
• Re-Association Request
• Re-Association Response

 
Here is an example of these packet exchanges:

Unlike what the KRACK attacks website is stating, I don't believe that these weaknesses are in the Wi-Fi standard itself. I believe they are all implementation issues. This is a good news because it means that they can be fixed by applying patches!

You remember the 8 client related vulnerabilities? Is it easy to exploit them?
Well, a man in the middle (MiTM) attack is required in order for an attacker to be able to take advantage of these vulnerabilities. This involves the attacker creating a fake AP with 2 radio interfaces:

• One radio interface to talk to the AP on channel x
• One radio interface to talk to the client on channel y

The fake AP will need to spoof the MAC address of the real AP when talking to the client device in order for this attack to succeed.
Moreover, in order to have the victim client device connecting to the fake AP (rather than connecting to the real AP), the attacker would need to place the fake AP close to the victim client device.
These facts increase the complexity of executing such an attack.

Now, how could we fix these vulnerabilities?
The fix would be to have the client NOT re-installing keys if they are already installed. This can be done by updating the implementation of WPA2 on the client device by applying a patch (no hardware change required). This can be tedious if you are supporting a lot of Wi-Fi devices and need to apply patched to all of them. However, it is doable over time.

The issue arise if the vendor do not release any patch to fix this issue. What could you do then, to mitigate KRACK?
In order to mitigate KRACK, you can upgrade the code of your APs and controllers in order to have them mitigating the issue. The AP could stop re-transmitting packets during the 4-way handshake, therefore avoiding the attack to ever take place. The side effect of this mitigation technique could be the generation of false positives. In order to avoid them, you could have the AP de-authenticating the client and forcing the client to go through a full new connection.

Moreover, you could use WIPS (Wireless Intrusion Prevention System) to detect the MiTM attacks and prevent the client devices to connect to these fake APs.

Now, what about the AP related vulnerability (802.11r handover)? Is it easy to exploit it?
It is actually much easier to exploit this vulnerability. No MiTM attack is required. The attacker will be sniffing the packets and replaying them later. This is called a replay attack.

How could we fix this issue?
Since there is no way for the AP to know if the traffic received is traffic coming from a replay attack, the only way to fix is to have the AP NOT re-installing keys if they are already installed.
This can be done by changing the implementation of WPA2 on the controller or AP applying a patch.
Some vendors have already released their patch code and the rest of them will in the coming days.

Following the arguments presented in the previous section, I don't believe this is the end of WPA2. In the coming days, we will see vendors starting to roll out patches in order to avoid these type of vulnerabilities to be exploited.

Most companies have acknowledged the KRACK vulnerabilities and some of them have already released their patches. See this really good article from Andrew Von Nagy for more details: http://www.revolutionwifi.net/revolutionwifi/2017/10/wpa2-krack-vulnerability-getting-information

Patches will be able to fix most of the devices out there. But now, what about these IoT devices that you will never patch? What about these devices that will never receive patches? 8 out of the 9 vulnerabilities revealed will be able to be exploited against them.

So what is next? Do we need a WPA3? 
I believe that, for now, these patches will protect most of the enterprise WLAN networks. However, sooner or later, we will need to provide better security for IoT devices connecting to Wi-Fi networks. Does it mean WPA3? Does it mean that the IEEE will release a new security 802.11 amendment? I guess we will have to wait and see.

To be honest, I am a little worried by the way Mathy Vanhoel concluded his article: 

Here is a list of additional ressourses used to write this article or useful to learn more about KRACK:

• The KRACK attacks website:  https://www.krackattacks.com/
• The detailed research paper:  https://papers.mathyvanhoef.com/ccs2017.pdf
• The series of videos from Mojo Networks:  http://blog.mojonetworks.com/wpa2-vulnerability
• The great summary from Andrew Von Nagy:  http://www.revolutionwifi.net/revolutionwifi/2017/10/wpa2-krack-vulnerability-getting-information
• A security point of view from WiFiTraining.com:  https://wifitraining.com/blog/wpa2-vulnerability-krack-know/
• A great summary from Alex Hudson: https://www.alexhudson.com/2017/10/15/wpa2-broken-krack-now/
• Cisco's security advisory message: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
• Aruba's security advisory message: http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt

Thank you!

Cheers,


​written by François Vergès

​Wi-Fi, as most of us know, operates on the 2.4GHz or 5 GHz band. But there are, actually, others 802.11 protocols utilizing other frequency bands (900MHz, 60GHz,...). Today, we will be talking about the regulations of using the 60GHz frequency band in Canada. This band is used for the 802.11 protocols known as 802.11ad (now 802.11-2016 Clause 20) and 802.11ay.

In Canada, ISED (previously Industry Canada) is in charge of regulating frequencies. The information you will find in this blog article are coming from the following document published by ISED called RSS-210 — Licence-Exempt Radio Apparatus: Category I Equipment.

The section we are interested in today is called Annex J — Devices Operating in the Band 57-64 GHz.

​There are 3 channels available in the 60GHz band in Canada. These channels are 2.16GHz wide:

• 1st channel: from 57.24 GHz to 59.40 GHz
• 2nd channel: from 59.40 GHz to 61.56 GHz
• 3rd channel: from 61.56 GHz to 63.72 GHz

Below is a graphic showing which other channels are used in this 60 GHz band across the world. You will notice that channel 2 is available everywhere:

Here are the power regulations for indoor devices:

• Output power: max. 500 mW
• Average EIRP: max. 40 dBm (10 W)
• Peak EIRP: max. 43 dBm (20 W)

The regulations for outdoor devices are more complicated and you can find them under section J.2.2. However, I believe that most of the 802.11ad and 802.11ay products will be intended to be used indoor.

Here are a few links to learn more about the subject:

• 802.11ad white paper from IEEE: http://ieeexplore.ieee.org/document/6979964/?reload=true
• IEEE 802.11ay task group: http://www.ieee802.org/11/Reports/tgay_update.htm
• Dragos Mihai Amzucu' blog: http://nextwirelessstandard.blogspot.ca/
• ISED document: http://www.ic.gc.ca/eic/site/smt-gst.nsf/eng/sf01320.html
• Ekahau Webinar: WiGig and Ha-Low – Wi-Fi at New Frequency Bands

Thank you for stopping by and reading the blog.

Cheers!


written by François Vergès

A while back, I worked on a reference sheet on the most useful Cisco AireOS commands. It was well received and Cédric Terrier from WattisWiFi contacted me to build a similar reference sheet for the ArubaOS. He has a lot of experience with Aruba and came up with a list of all the commands he uses on a regular basis. I recently worked on an Aruba deployment and thought it would be the perfect time to work on building this reference sheet. So this reference sheet is a result of our collaboration.

Feel free to download and use the reference sheet as much as you want. Don't hesitate to tell us what you think. This is the first version and we are hoping to improve it with your feedbacks.

​Click on the image to open the PDF version:

written by François Vergès