After a short hiatus the show has returned! Sam and I discuss using tablets for surveying and deployment of wireless networks. We talk about some of the apps developed by Access Agility for the Apple iOS platform as well as some other misc tools. We also talked about full fledged site survey applications running on the Android platforms. Take a listen, download some apps, and provide feedback on your thoughts about the tools in the comments!

Apple iOS Apps:

WiFiMedic

iPad WiFi Survey App

WiFiPerf

Sensor Pro

Get Console

Mobile TFTP Server

Android Apps:

Wolf WiFi

Ekahau Mobile Survey

Recently I’ve been getting into controlling RC vehicles such as planes and trucks by using what’s called FPV (First Person View) where you have a camera installed in the vehicle with a wireless video downlink to a ground station. [Link] While researching what video frequency to use for the video link I came across this website that would actually help out  anyone doing outdoor deployments. From this website you can enter in an address and see what towers are registered and unregistered in the area. The registered towers also then provide you with the frequencies they are operating in. I dug around my city’s registered towers and found all the public safety band, city wide mesh, a few microwave links, and others. This confirmed my decision to use 900MHz for the video link and was backed up by using Metageek’s Wi-Spy 900x.

This should be on everyone’s bookmark list that does outdoor deployments:

http://www.antennasearch.com/default.asp

These features are not supported on Cisco Flex 7500 Series Controllers code 7.0.116.0, it could change in future versions:

•Local mode AP (However AP joins 7500 initially as local mode and should be converted to Flex Connectmode)

•Mesh

•LAG

•Client and RFID tag location

•CCX CAC

•STP

•7500 as guest anchor

•L3 Roaming (Centrally switched wlan -> same and inter-controller)

•Multicast (Multicast – Multicast and Multicast – Unicast). (ignore – 7500 gui interface may still show multicast-multicast config.)

•VideoStream

•TrustSec SXP

•IPv6/Dual Stack client Support

•WGB

•OEAP

•HotSpot2.0 (802.11u)

•Client rate limiting for centrally switched clients

Cisco Flex 7500 Series Controller does not support the 802.1x security variants on a centrally switched WLAN. For example, the following configurations are not allowed(and TAC does not support) on a centrally switched WLAN

•WPA1/WPA2 with 802.1x AKM

•WPA1/WPA2 with CCKM

•Dynamic-WEP

•Conditional webauth

•Splash WEB page redirect

If you want to configure your WLAN in any of the above combinations, the WLAN must be configured to use local switching.

Note:

•Flex7500 supports 1Gbps central switched data throughput for guest access

•Only Flex connect mode AP is supported for data traffic

•Static AP-manager interface

(Note: For Cisco 7500 Series controllers, it is not necessary to  configure an AP-manager interface. The management interface acts like an  AP-manager interface by default, and the access points can join on this  interface.)

•AP joined on local mode should be converted to Flex/Monitor, TAC does not support local mode AP services.

7.2.103.0 supports 802.1X on Centrally switched wlan unlike 7.0.116.0.

From: Saravanan Lakshmanan – Cisco CSC

https://supportforums.cisco.com/docs/DOC-23474

End-of-Sale and End-of-Life Announcement for the Cisco Unified Wireless IP Phone 7921G Power Supplies

Description: Cisco announces the end-of-sale and end-of-life dates for the Cisco Unified Wireless IP Phone 7921G Power Supplies. The last day to order the affected product(s) is October 19, 2012. Customers withactive service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.

Date: 2012-04-20 15:41:00.0

Url: http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps379/ps7071/end_of_life_notice_c51-706105.html

I wanted to reference these part numbers as a quick reference for anyone that is looking for this information.

WISM 2 HARDWARE w/ SMARTNET

The WISM 2 hardware can be purchased in the available license sizes. They start at 100 and can be maxed out at 1000.  You receive the physical blade and license with the purchase of the below part numbers.

WS-SVC-WISM2-1-K9          100 access point       – CON-SNT-WSM2100 8x5xNBD
WS-SVC-WISM2-3-K9          300 access point       – CON-SNT-WSM2300 8x5xNBD
WS-SVC-WISM2-5-K9          500 access point       – CON-SNT-WSM2500 8x5xNBD
WS-SVC-WISM2-K-K9          1000 access point     – CON-SNT-WSM21K   8x5xNBD

WISM 2 ADDER LICENSES w/ SMARTNET

You can purchase additional licenses as you grow in 100 and 200 increments.

L-LIC-WISM2-100A              100 access point       – CON-SNT-LWSM21A 8x5xNBD
L-LIC-WISM2-200A              200 access point       – CON-SNT-LWSM22A 8x5xNBD

CICSO WISM 1 BUY BACK

Cisco has a great incentive program to purchase back your old WISMs. I would ask your Cisco sales representative for details.

On this episode of the NSA Show we talk with Joel Vincent from Aerohive networks about their Bonjour Gateway product offering. With the “consumerization of IT” and BYOD craze happening today there is a need to be able to utilize technology features such as AirPrint and AirPlay which are geared more towards simple home networks on enterprise networks. Aerohive’s Bonjour Gateway gives enterprise admins a way to solve the issues created by subnets when trying to use bonjour services and also allows you to selectively filter the services presented to the devices through this solution.

For more information check out the following links:

http://www.aerohive.com

Bonjour Gateway Press-Release

While attending Wireless Field Day 2 in San Jose all of the NSA Show team was able to talk with Ekahau regarding their RTLS and Site Survey product lines. After talking with Ekahau we thought this would be a great show to do. So take a listen as Blake, Jennifer, and Sam talk with Jussi Kiviniemi from Ekahau about the RTLS solution and what we have seen after testing their product for a few weeks.

For more details on the Ekahau RTLS solution please see our recent blog post and visit Ekahau.com.

On this episode of the NSA Show Podcast we talk with Chris Lyttle, Jennifer Huber, Sean Rynearson, and Blake Krone about the recent Aruba AirHeads Conference that was in Las Vegas. Chris, Jennifer, and Sean were asked to attend the show as top wireless bloggers. We asked them to come on the show to discuss what they saw and heard at the conference. Get the low down on the Microsoft presentation, Aruba Air Group [PDF] technology, and other banter on Episode 8 of the NSA Show Podcast.

Wireless has become a transport method for various technologies in the recent years that help realize a quicker ROI on their deployment. One of those that has over the past few years gained higher adoption rates is Real Time Location Services, or RTLS. RTLS is a means of joining traditional passive RFID technology with wireless technology. Traditional passive RFID operates on various frequencies and is most commonly known for door access cards. Inside your plastic card is a RFID chip that when it enters a magnetic field operating at the proper frequency “activates” and passes along an identifier that is used by the backend systems to grant access for example. In order for traditional RFID to work you need to have fixed readers or mobile readers located through out your facility. For example you may place a pair of readers on a doorway to know if an item or person entered or exited an area. You can also use mobile readers to quickly generate an inventory count of items located in a room. While this as been a great system for many years greater needs for efficiencies have led to the creation of wireless RFID (RTLS) technologies.

The idea behind RTLS is the same regardless of what tag vendor you choose to go with. Vendors will typically couple a passive style RFID tag with an active wireless component. This wireless component varies from vendor to vendor in how it relays the information to the wireless network. Our first vendor I took a look at was Ekahau. You may know them more so for their wireless Site Survey application they developed, but they are actually an RTLS company at their core. Ekahau started as an RTLS company and their engineers found that they needed to have a way to verify and calibrate a network for RTLS so their wireless Site Survey application was born.

The core of the Ekahau RTLS system is based on the following items:

• Ekahau RTLS Controller (ERC)
• Ekahau Vision
• Ekahau T301, TSc, TS2, and HS1 tags

The Ekahau system is a multi-vendor solution that can work with a number of wireless vendors such as Cisco, Aruba, Meru, and others. There are multiple modes for the tags that allow this to be possible which is configureable by the end installer. Ekahau tags can work in a “blink” mode where they simply pass a small packet up that signals who they are, RSSI levels, and data message packets such as telemetry data for temperature. Their tags can also function in an ELP mode where they actively associate to the wireless network as a client device, this allows bi-directional communication with the tags. The tags can also function in a hybrid mode, combining these two concepts only associating to the network at a configureable interval to do maintenance updates such as configuration changes. As of this writing care needs to be taken though as the tags currently shipping at 802.11b devices and require the lower data rates (1 & 2Mbps) to be enabled. If you use the tags in CCX blink mode you will be required to have a Cisco Mobility Services Engine installed and configured on your network in order to receive the data messages.

The first thing you’ll want to do is setup the ERC. This is a very straightforward process simply following through the wizard answering the questions as you go. You can enable your ERC for multiple data sources such as a Cisco WLC directly, Cisco MSE, Aruba, etc. This allows you to use the same ERC for multiple vendor networks if you are running such as setup as I am in my lab. The ERC is the main database backend that stores all the location data for your tags and or wireless clients (yeah, a wireless client can be tracked as well!). You will use the Ekahau Site Survey software with the RTLS features enabled (File -> Preferences) to upload your building data to the ERC. I did find a downside to using the Cisco WLC directly, it appears that any APs you have in monitor mode only will not assist you in location services. When you use the Ekahau Site Survey tool I did not see a way to add monitor mode APs unless you flip them to local mode, perform a survey, and then flip back to monitor mode. But I’m not sure if flipping them back to monitor mode then removes them from calculations with the ERC.

Getting your Ekahau RTLS system up and running with tags can be cumbersome, during my initial setup I experience multiple issues trying to use the existing T301 activator as well as the new Tag Activator 3. When using the T301 activator you need to use their NIC-300 PCMCIA adapter which is a standard Atheros adapter. The activator will ask you for your ERC IP address, maintenance interval, as well as wireless network settings such as SSID, security (open, WPA2-PSK, and WEP supported), and tag IP settings. When you put the activator into activation mode you simply press the button combination for your tag to start the activation process. On a T301W (wristband tag) for example this is pressing the small button with a pin. If successful you will see the tag in the activator screen and the tag will blink its LED green 3 times. Once the tag is activated you should see it in the ERC console.

If you are using sensor tags the configuration/setup wasn’t as painful but required the use of a flimsy USB adapter. Ekahau provides you with a USB extension cable and a small USB to .1mm pin header. I would much rather see this be the cable with the pin header on one end and standard USB on the other with a 1m length in between. This would work better and hopefully not have random disconnects that I was experiencing with the adapter. On the HS1 and TS2 sensor tags the header is located on the outside of the tag as well as the on/off switch (make sure you turn it on!) making setup fairly quick in terms of connecting. On the TSc cube tag however the header and on/off switch is located inside the unit requiring you to disassemble the housing and pulling the bare PCB boards out. If you wonder why your TSc tag has a magnet attached to the top this is why, as you pull the top off while having the magnet sitting on top the PCB board will be pulled out of the housing for you, bizarre yes!

The final piece that I want to talk about is Ekahau Vision. This is the main GUI application that your end users would use to locate assets and check tag sensor data. This application is Flash HEAVY so it won’t work on Apple iPhone or iPad devices. The overall look and feel of the Vision software is very lacking. There is a lot of potential but it doesn’t seem to flow and I found it a pain to use. I would like to see a rewrite of the application using standard HTML code and not relying on Flash.

A major plus for Ekahau is their API. The ERC features a full access API that allows you to pretty much obtain any and all information regarding the system, this will allow you to create your own HTML based app that would be able to operate on Apple devices for example or Cisco IP Phones. This is something that I am currently looking at and hope to have some sample applications available in the future.

At the end of the day the Ekahau system has a lot of pros but a lot of cons as well that make it hard to operate and deploy efficiently, especially from a VAR side of things where you are trying to make a profit on the install/configuration. Ekahau has some good tags, but they are a mixture of various WiFi chip manufactures cobbled onto their tag boards which could introduce multiple sources of issues. The ERC platform performs well and is easy to setup/configure, if we can get a new Vision app and easier to activate tag process I think Ekahau could have a great product.

*******DISCLAIMER*******

While I was provided with an EDK for review this did not guarantee a positive review or influence the outcome of this blog post in any shape or form. The EDK was merely provided as a way to evaluate the product fully to be able to provide real world experience.

Title: End-of-Sale and End-of-Life Announcement for the Cisco 2100 Series Wireless LAN Controllers
Url: http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps7206/ps7221/end_of_life_notice_c51-691053.html
Description: Cisco announces the end-of-sale and end-of-life dates for the Cisco 2100 Series Wireless LAN Controllers. The last day to order the affected product(s) is May 2, 2012. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.
Date: 2012-03-14 11:40:00.0

Welcome to Episode 7 of the NSA Show Podcast. On this episode Blake Krone and Samuel Clements discuss some of the hardware and software that is recommended for a home Wireless lab. Listen as we discuss number of APs, WLCs, VMware, routers/switches, and software that one should have in their home labs.

Here are the details of what is in my Skeletek rack:

IP Telephony

• Cisco 7985, 7961 (2), 7921G
• Cisco 2801 CME Router

Route / Switch

• Cisco 2600 (4)
• Cisco 3550 24 10/100 Inline Power
• Cisco 3550 24 10/100, 3550 48 10/100 (2)
• Cisco 2500 terminal server
• Linksys SRW2024 24 10/100/1000
• PowerDsine 24 10/100/1000 midspan PoE

Wireless

• Cisco WLC 4402-12
• Cisco WLC 2106
• Cisco 3600, 1142 (3), 3502 (2), 1252, 1242 (3), 1131
• Cisco 2710, MSE (VMware)
• Cisco WCS (VMware), NCS (VMware)
• AeroHive HiveAP 330, BR100
• Aruba Instant 135
• Meraki MR16
• Ruckus ZoneDirector 1100
• Ruckus ZoneFlex 7962
• AeroScout MobileView and T2, T3, T5a tags
• Ekahau Vision and A4, T301BD, T301W, HS1, TS2, TSc tags

Servers

• Whitelabel ESXi
  • Intel DH67GD
  • Intel Core i5-2500K LGA1155 3.3GHz
  • SKill 8GB DDR3 1333 (2)
  • Western Digital Green 1TB SATA
  • IN WIN 1U Rackmount Compact Server Chassis
• Apple G4 Xserve (2)

I was helping another engineer troubleshoot a Cisco access point join problem. To my surprise I discovered the VCI was “Cisco AP c3500-ServiceProvider”

I can appreciate when I end a day with a quick reflection, did I learn anything new today?

Yesterday was one of those days! I was assisting an engineer with an access point join problem. Of course, I took this opportunity to explain the access point join process and what to look for and how to troubleshoot.

We use DHCP option 43 as our means of joining Cisco access points to our network. After peeking at the DHCP configuration, more specifically the option 43 and VCI string, everything looked good. Other 3500s were joining fine, just these handful of access points were not joining.

I do the typical console into the AP. I see nothing of interest. The access point is not getting the controller IP from DHCP. So we span the switch port of the access point to sniff the access point traffic. I am curious as to what the access point is sending in the DHCP request packet.

To my surprise, the VCI 60 is showing “Cisco AP c3500-ServiceProvider”. Oh, there is my problem! Mistakenly a number of “ServiceProvider” access points were mixed in our access point shipment.

If you have access points not joining, just something to add to your troubleshooting check list!

Welcome to Episode 6 of the NSA Show Podcast, on this episode Andrew and I talk with Carlos Gomez Gallego from Aruba Networks about their new ClearPass product. You’ve seen it everywhere lately, this bring your own device, BYOD for short, issue that has created quite a stir. We talk with Carlos about how you can easily manage personal devices on your network and make it easier on your IT staff.

Carlos Gomez Gallego has over 15 years experience in the wireless and security industry and currently serves as Director of Product Management for Aruba Networks in the Network Services division.  Carlos was the co founder of Amigopod, a leading guest access provider which was acquired by Aruba Networks in Dec 2010.  Prior to Amigopod Carlos worked as principal consultant for No Wires Allowed and served as a senior engineer for Bluesocket.  Carlos holds a Bachelor of Engineering from the University of Queensland, Australia

You can also hear more about this BYOD topic over at the Tech Field Day website located here:

http://techfieldday.com/2012/byod-mobile-device-management-panel-wifi-symposium/

We’d also like to thank Aruba Networks for sponsoring the NSA Show Podcast & Blog!

Welcome to the 5th episode of the NSA Show podcast! I’m joined by Samuel Clements, Jennifer Huber, and Dan Cybulskie. Listen as we recap our thoughts from Wireless Field Day 2. Find out who was our favorite vendor, who changed our minds, and what was our favorite moment of the event (that we could publicly state!).

For more information regarding Wireless Field Day please see E03 – Wireless Field Day 2 Preview and Tech Field Day.

Podcast Guests

	Sam Clements	SC-WiFi	@Samuel_Clements
	Daniel Cybulskie	SimplyWiFi	@SimplyWifi
	Jennifer Huber	Wireless CCIE, here I come!	@JenniferLucille

Cisco CCNP Wireless Exam path to v2. May 11, 2012 last day to test on v1.

we’ve been seeing a lot of questions lately about Multiple country codes on the controller in support forums.  To that end George asked me to write up this article.

Listen as Andrew and I discuss the newly launched Cisco 3600 AP with Neil Diener and Walt Shaw from Cisco’s Wireless Networking Business Unit. We talk about some of the great new features of this AP such as the 4×4:3 antenna design and the module slot. This AP features 4 transmit and 4 receive antennas with support for 3 spatial streams. What this means for end users is speeds up to 450Mbps when coupled with a 3 spatial stream client such as the new MacBook Air’s and Intel 6300 cards. Andrew drills down into some of the enhancements for CleanAir with a monitor only radio module and ClientLink 2.0 details.

Neil Diener is a Technical Leader in the CTO and Strategic Initiatives Office of Cisco’s Wireless Networking Business Unit. At Cisco, Neil works on shaping Cisco’s wireless technology and product strategies, with a focus on the areas of Spectrum Intelligence, new RF technologies, and video over Wi-Fi.

Neil came to Cisco through the acquisition of Cognio, Inc. in 2007, where he was co-founder and CTO. Before founding Cognio, he held a series of management level positions at companies including Direct Hit (acquired by Ask.com), Telogy Networks (acquired by Motorola), Sun Microsystems, and Xerox. Neil holds a BS Electrical Engineering from MIT and an MS Computer Engineering from USC. He has been issued 15 patents in the area of Wi-Fi and spectrum management.

Update – Cisco pulled the 7.2.101.0 release notes and has published version 7.2.103.0 as of Feb. 6, 2012. This article has been updated to reflect version 7.2.103.0.

Cisco Systems just announced the release of code version 7.2.103.0 for wireless LAN controllers and lightweight access points. This is the first release since 7.0.220.0 released in Oct. 2011 to include new features, but that version added few enhancements. The last major release to include a significant amount of new capabilities was version 7.0.116.0 back in April 2011.

Version 7.2.103.0 brings a large amount of new features, many of which could be of significant value to customers.  Some of the more significant enhancements include the following:

• WiSM2 Controller Scaling
  The WiSM2 controller now supports more APs (1k up from 500), more clients (15k up from 10k), and increased throughput (20Gbps up from 10Gbps) than previous. This will allow customers with very large deployments to scale to larger size within the same hardware footprint. Additionally, more APs and clients can be supported within a 6500 switch chassis as well.

• Flex 7500 Controller Scaling
  The centralized Flex 7500 controller now supports more APs (3k up from 2k), more clients (30k up from 20k), more Flex Groups (1k up from 500), increases throughput (1Gbps up from 250Mbps), adds support for Office Extend APs (OEAPs) which previously did not exist, and now supports DTLS data tunnel encryption with OEAPs. The scalability in this platform is critical because it is targeted for data center deployment in highly distributed environments to manage hundreds of remote sites. Typically each remote site is configured as a distinct Flex Group (previously called H-REAP Group) which allows coordination among the APs within a single site for local client authentication, client key caching, and fast roaming. Customers deploying the centralized Flex 7500 platform will welcome these scalability improvements to reduce hardware footprint.

• IPv6 Dual-Stack Client Support
  Delivering support for IPv6 is becoming increasingly important for customers as Wi-Fi network utilization increases with mobile device adoption and proliferation as the primary access network for users. IPv6 was previously only bridged across the wireless controller infrastructure, and prevented the use of many features available with IPv4 clients, such as H-REAP local switching, client anchoring on another controller, dynamic VLAN assignment, web authentication (captive portal), DHCP proxy and ARP proxy for intelligent broadcast and multicast filtering to improve RF network performance, and also resulted in some sub-optimal a-symmetric traffic routing when clients roamed between controllers (Layer 3 roaming) which could cause issues with firewall state tables.This release incorporates support for symmetric traffic routing between controllers when performing Layer 3 roaming, IPv6 security features such as RA Guard against rogue router advertisements, source guard to prevent IPv6 address spoofing, DHCPv6 server guard against rogue servers,  and IPv6 access control lists. It also adds complete visibility into client IPv6 addressing in the NCS management platform for better support and troubleshooting.

• FlexConnect / H-REAP Enhancements
  I’ve written previously about some of the limitation of the H-REAP deployment mode. Cisco continues making strides in this area, no doubt because they see the growing need to distribute data forwarding and control-plane intelligence back out to the AP edge with looming Gigabit Wi-Fi standards and high availability requirements becoming more critical in customer Wi-Fi networks. This release brings about the final nail in the coffin of the term “H-REAP”. Good riddance, who could explain that hideous acronym to managers?! All brandingof this feature set is now referenced as “FlexConnect”.One major FlexConnect enhancement is the ability to perform efficient AP upgrades, typically across high-latency and low-bandwidth WAN links. One access point at a remote site will act as a master AP and download a new code image from the central site controller, then distribute it to all the other APs of the same model at the remote site. This should ease traffic utilization and congestion across the WAN and decrease the time required to upgrade remote sites.A few other enhancements include security features that allow dynamic VLAN assignment to clients that have data traffic dropped off locally at the AP rather than tunneled back to the controller, access control list support, and peer-to-peer client blockingwhich is an option to prevent clients on the same WLAN from communicating with one another (especially useful in highly secure environments or guest networks).Lastly, fast roaming has been improved with FlexConnect which removes WAN link latency dependencies between the controller and remote APs. This is because mobility handoffs and key caching previously required communication with the centralized controller across the WAN and could impact the ability to perform fast handoffs between APs. Now the mobility handoff and key caching exchange is handled directly between FlexConnect access points within the same Flex Group without needing to involve the controller.

• Wi-Fi Direct Client Management
  The Wi-Fi Alliance certified Wi-Fi Direct in late 2010, which allows direct client to client communication without traversing an AP or network infrastructure. This can pose security risks in enterprise environments and the certification standard allows network infrastructure administrators visibility and control of Wi-Fi Direct clients in their environment. This feature provides Cisco wireless network administrators control to allow or block Wi-Fi Direct clients from joining a WLAN. As Wi-Fi Direct capable clients expand, this feature will be critical for enterprises to monitor and control the use of this new protocol within their networks.

• Hotspot 2.0 Support
  The new Wi-Fi Certified Hotspot program promises to provide a cellular-like user experience by streamlining Wi-Fi network discovery, selection, and access by clients. This requires service advertisement and roaming provider integration by Wi-Fi infrastructure vendors and network operators. This code release supports  the standardized components specified by the IEEE in the 802.11u amendment, and provides the foundation for interoperability certification under the forthcoming Wi-Fi Certified Passpoint program by the Wi-Fi Alliance.

• Granular RF Controls 
  Previously, many RF controls within the Cisco Unified Wireless Network were global settings that applied to all virtual WLANs and clients. This release provides more granular capability to configure data rates and power settings groups of APs rather than globally. This feature is beneficial for networks where a single controller (or group of controllers) manages disparate environments that require different settings. This is actually quite common with customer environments that need to support some high density areas as well as lower density common use areas. Design and configuration for high density wireless LANs is quite different from an RF perspective, where capacity and minimizing interference become critical to network performance and user satisfaction. The capability to provide different RF controls for areas within the same network should be of benefit to many customers and eliminates the need to acquire separate hardware.

Overall, these enhancements are all worth merit and should be welcomed by customers. Additional features are also provided in this code release which can be found in the release notes.

In addition, the industry gathered to talk about Gigabit Wi-Fi, mobile device proliferation, and Hotspot 2.0 topics at the recent Wi-Fi Mobility Symposium organized by Gestalt IT and Tech Field Day. To learn more about these topics visit the Tech Field Day website and watch all the archived videos!

Cheers,
Andrew vonNagy

This is a side by side by side comparison of the Cisco Spectrum Expert app, AirMagnet Spectrum XT app and Metageek’s WiSpy Chanalyzer 4 application

These are the steps needed to put an AP into SE-Connect mode and tap into and display the live Spectrum Analyzer data collection in a Cisco 3500 series AP.

The Wireless Control System Configuration Guide goes over how to manage RF Calibration Models, but it does not however describe how long the process takes, or what exactly it entails. I will endeavor to describe the process according to how I’ve calibrated RF models. I do not know if how I’m doing this is correct, this has been a matter of trial and error. You don’t get the opportunity to calibrate RF deployments too often, and the number one reason for that is most likely how long it takes to complete the calibration.

Not able to attend live for the WiFi Mobility Symposium? Watch online here!

Recently I had the opportunity to test out WaveDeploy Pro on a fully installed wireless network. Normally the wireless projects I’m assigned aren’t ones where I’m given security credentials to authenticate to the wireless network, but recently I had an exception.

This is how I use AirMagnet Survey Pro to perform a passive site survey of an existing wireless infrastructure deployment.

This is my first run through with the Ekahau Site Survey application. I don’t know how to do a few of the things with it that I can do with the AirMagnet Survey Pro application, but I’m sure they can be done – I just need to figure out how.

Since the very beginning the AP manager on a Cisco WLC would never respond to pings. Well that has all changed if you use LAG and a AP manager with 7.x code!

I like how Cisco hides little nuggets in their documentation. It states, in LAG mode, the management and AP manager uses the same base LAG MAC address.

Note With the 7.0 release onwards, the MAC address of the management interface and the AP-manager interface is the same as the base LAG MAC address.

LAB

A show ARP on the distribution switch you can see the MAC is identical for both the manager and AP manager.

NOTE –

This was tested on 4402,4404 and 5508 model controllers.

AP manager(s) aren’t needed with a 5508.

This only applies to a WLC in LAG mode w/ AP Manager

Additional Reading Material:

http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html#wp1117168

Using Adobe Acrobat Professional we can calculate the square footage of a floor plan once the scale of the floor plan has been set.

Using the steps outlined in the Cisco CleanAir Deployment Guide:http://bit.ly/a9sE9k this video steps you through how to enable CleanAir reporting in your Cisco WCS server.

Advanced protocol analysis is becoming an increasingly important skill for Wi-Fi engineers as networks grow increasingly sophisticated and complex. The wireless LAN market is a tremendously innovative and fast-changing landscape, and the skills necessary to understand and dissect their inner workings are highly valuable.

One of the most important aspects of building a successful enterprise wireless LAN is ensuring adequate Wi-Fi roaming performance. However, Wi-Fi roaming is a complex subject due to the many variations of Wi-Fi security found in the marketplace and the historical difficulty in being able to easily gather and analyze roaming data.

In this series I will provide an overview of Wi-Fi roaming, how it works, and provide readers with guidance on how to capture, measure, and analyze wireless roaming performance of clients within their own environments. In addition, I’ll highlight a few professional tools and tricks of the trade to make this process simpler than manual analysis.

Wi-Fi Roaming Definition
Roaming, in the context of an 802.11 wireless network, is the process of a client moving an established Wi-Fi network association from one access point to another access point within the same Extended Service Set (ESS) without losing connection (e.g. within a defined time interval, usually in the range of a few seconds).

It is also helpful to distinguish between different wireless connection scenarios that may occur. Delineation will provide a better understanding of how and when each scenario will occur, why variations in performance between scenarios exist, and aid in establishing performance baselines.

• Initial Connection - The client has no previous 802.11 association to the ESS (any AP advertising the same SSID). This situation requires the client to perform all required connection and authentication steps defined in the network policy before network access is achieved. The time required for a client to perform an initial connection will be the same as wireless roaming unless fast roaming or session caching techniques are implemented. The length of time required to complete full 802.1X authentication in secure wireless environments is considerably longer than in open or pre-shared key (PSK) networks, making implementation of fast roaming techniques highly desirable. It may even be required depending on the network architecture and applications implemented (e.g. branch / remote office networks with central RADIUS across the WAN increase the time to complete EAP authentication and can render real-time voice applications unusable).

• Wireless Roaming - The client has an established 802.11 association to an infrastructure AP and migrates its connection within the same ESS to another AP. Association to the new AP terminates the previous AP association either implicitly or explicitly (only one association is allowed at a time, per the 802.11 standard). The goal of a wireless roam is to identify an alternate AP that can provide better service to the client than the current AP.Wireless client roaming algorithms are typically optimized to minimize the time required to transition between APs in order to avoid network access disruptions to client applications. This can be accomplished through fast roaming or session caching techniques that eliminate some of the authentication steps. Fast roaming can only occur after an initial connection has been performed to ensure the client has successfully completed all required authentication and authorization required by the network policy.

• Connection Termination & Re-Establishment - The client has an established 802.11 association, but the performance severely degrades to the point that the connection is rendered unacceptable. The client and/or AP is required to recognize the degraded connection, which may not be explicitly apparent, then terminate and re-establish a connection from scratch. A connection could degrade for a number of reasons, including interference, multipath (with older 802.11a/b/g clients), excessive packet error rate, out of range, roam not completed within the client’s time threshold, etc.When analyzing client roaming events it will be necessary to determine if the client performed a wireless roam or if it terminated and re-established its network connection. A terminated connection requires solutions to remediate underlying issues affecting network stability, versus the focus of wireless roaming which is to improve performance.

Additionally, identifying which situation is occurring can be incredibly valuable when performing protocol analysis and troubleshooting in order to determine what may be occurring with a client network connection when the client cannot be directly observed (e.g. remote troubleshooting).

Connection Control
Wi-Fi network connection establishment and roaming is decentralized, being controlled almost entirely by the client. The 802.11 standard explicitly places control of wireless connection establishment in the hands of clients by defining various logical services and breaking implementation out between clients and access points.

Think of the AP as a hotel concierge: "Welcome to the Distribution System! You're requested Association is ready."

Furthermore, the access point is responsible for association services in order to inform the broader network of the STA to AP mapping, and for data delivery between stations across the network. This mapping is also the reason why an 802.11 client station can only be associated to a single AP at a time to ensure that the network can deliver data to the correct AP.Some of these services require integration with external networks (e.g. the distribution system [DS] outside the basic service set [BSS]), which is not defined by the 802.11 standard but is typically an 802.3 wired Ethernet network. These services are only implemented in wireless access points, and include association and dis-association services among others. It is important to understand that although APs provide association services for client stations, it is the client station that invokes the association process. It may be difficult to conceptualize how client stations control connection establishment when the association service is only implemented within APs. However, remember that the 802.11 standard defines “services”, and the AP provides the association service for the client who invokes the service.

Infrastructure Influence
Wi-Fi infrastructure vendors have developed proprietary features to influence client behavior. One example of this is the Cisco Compatible Extensions (CCX) program which includes AP assisted roaming through neighbor reports, fast roaming enhancements, RF scanning, client reporting, and roaming diagnostics. Another example is the band-steering feature provided by many vendors, which typically works by delaying probe responses to dual-band clients in order to influence them to join a 5GHz BSS instead of 2.4GHz BSS (otherwise many clients “stick” to 2.4GHz with high prejudice, although manufacturers are starting to change this preference due to the increasing prevalence of 5GHz Wi-Fi networks). Finally, the IEEE has standardized a set of radio resource enhancements with the 802.11k amendment that allows the infrastructure to send “Neighbor Reports” to the client to aid the client scanning and roaming decision. See the CWNP whitepaper on RSN Fast BSS Transition (free registration required) for more information on 802.11k and neighbor reports.

Proprietary Client Implementations
Since the connection is controlled by the client station, it typically relies on an internal algorithm developed by the manufacturer to determine when a wireless roam should occur. Client roaming algorithms are not standardized and are proprietary intellectual property of each manufacturer. This results in highly variable client roaming performance based on manufacturer implementation approaches and variations.

However, from a high level perspective, all client stations typically perform the same general steps when roaming, which includes:

1. Passive / Active scanning in the background to identify other APs that are within range
2. Client roam triggers (exact algorithms are vendor proprietary, but are commonly based on signal strength thresholds, RSSI heuristics between APs, data rate shifting, retry and error rates)
3. Active scanning to confirm the new AP is still available
4. Roam to the new AP

Comparison to Cellular Networks
For comparison, consider connection control similarities and difference between Wi-Fi roaming and cellular handover mechanisms. Cellular networks may implement a variety of handover protocols to transfer a mobile station between source and target cells, ranging from network-controlled to mobile-station-controlled depending on the standard being implemented (AMPS, CDMA, GSM, etc). Modern cellular networks typically rely on decentralized handover, similar to Wi-Fi, but define key enhancements to ensure connection reliability. Soft-handover in CDMA networks allows a mobile station to establish a connection to the target cell before breaking the connection to the source cell, thereby reducing the chance of service disruption. Standards such as 3GPP, which defines GSM and LTE networks, specifies that handover triggering (section III) is defined by the network core but implemented by mobile stations (user equipment) to improve consistency and performance. Finally, rigorous and thorough testing of every mobile phone is performed by mobile network operators (MNO)  before certification is granted for activation on their networks (the GCF is one example).

Note – Wi-Fi roaming is most comparable to cellular handover. In contrast, cellular roaming refers to service acquisition outside of the subscriber’s home location or network provider, and should not be confused with Wi-Fi roaming.

Wi-Fi engineers should take away a few concepts from this comparison. First, soft-handover is likely not realistic for Wi-Fi networks due to typical enterprise multi-channel architectures based on frequency division of adjacent APs (similar to GSM). Second, standardized handover triggering is within the realm of possibility, and the central definition of trigger mechanisms is feasible with modern coordinated Wi-Fi architectures (typically involving a controller, but not required). However, the need for such standardization will need to become much more apparent before action by the IEEE or Wi-Fi Alliance is considered. Perhaps the industry will begin talking about such measures as MNOs take more prominent roles within the Wi-Fi standard and certification processes due to carrier Wi-Fi adoption.

Perhaps the most important takeaway is the approach to endpoint certification implemented by mobile network operators. By taking control of endpoint certification prior to activation and use on the network, MNOs more tightly control their network ecosystem to achieve desired performance levels. Wi-Fi networks will never be able to achieve such levels of control due to the use of unlicensed spectrum. However, Wi-Fi network administrators can (and should) implement similarly rigorous client testing and verification procedures to optimize network performance.

Importance of Wi-Fi Roaming Analysis
Consider – modern wireless networks require high performance to concurrently support voice, data, and real-time video, high capacity Wi-Fi to support an influx of mobile Internet devices, and ultra-low latency performance to support vertical industry solutions such as automated warehouses, robotics, and medical instrumentation.

Wi-Fi network design and optimization is a complex undertaking, with numerous features, configuration options, and environmental variables that can make achieving a high performance network difficult. Roaming analysis provides insight into how decisions made on wireless architecture, network design, client selection, and configuration impact overall network performance.

Performing Wi-Fi roaming analysis will enable network architects and engineers to:

1. Baseline current client roaming performance
2. Analyze gaps between current network performance and application requirements
3. Identify opportunities to improve and optimize performance
4. Implement changes to infrastructure and client devices to optimize performance
5. Take more active control to ensure network performance matches desired service levels

Be sure to check back in for the next article in this series which will cover the complexity brought about by security protocols and the many resulting variations of wireless roaming.

Cheers,
Andrew

Many thanks to Marcus Burton at CWNP for technical review and contribution to this post!

Okay, that’s an admittedly a sensationalist headline, but several months ago, that didn’t seem out of line with my dilemma. From the top: I, like many other technology-centric folks like to relax with the occasional video game. Owning a few gaming platforms that support wireless connectivity such as the PlayStation 3 and the Wii, and having what you may consider a ‘reasonable’ wireless infrastructure at home, I happily used both to play games online, stream movies via NetFlix, get system updates, and yes – even send the occasional message to my Wii friends. Things were happy go lucky at home. I had finally deployed an autonomous Cisco Access Point at home on the Internet side of my lab to give my family a more consistent connection than what they were getting off of my lightweight lab seeing as I was always screwing around with new controllers, code releases, Access Points, and general configuration mayhem.

Once I bit the bullet and converted one of my 1142 Access Points over to autonomous and vowed to leave it alone, my overall ‘production network’ woes stopped. Fast forward a few months and I was performing some general cleanup on my infrastructure since I was anticipating spending a good chunk of my upcoming future in the lab. I reviewed my autonomous config and realized that on the default configuration all of my data rates were still enabled! Since this is a big no-no in the general world of wireless, I took it upon myself to banish all non 802.11G or better gear from my house and disable those pesky 1 through 11M data rates! Reviewing my associations on the AP revealed:

c1140#show dot11 assoc all-client | inc Supported

Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0

Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7.

Supported Rates   : 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7.

m8. m9. m10. m11. m12. m13. m14. m15.

Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0

Supported Rates   : 1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3.

 m4. m5. m6. m7.

The bottom two devices are 2.4GHz clients and you can see from the capture that they supported not only my lower data rates, but all the way up to 54M. I was good to go! I happily changed my 2.4GHz radio config to disallow all 802.11b connections – wholesale.

c1140#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

c1140(config)#int dot110

c1140(config-if)#speed 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3.

m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.

I then went about my merry way believing that I was forever rid of those pesky 802.11b data rates- that is until much much later (I did mention I was going to be spending time in the lab, no?). Once I emerged from my studying, I fired up my trusty Nintendo Wii and was going to play some Mario Cart online and school some of my friends that had been pestering me. I tried to connect to NFC to no avail:

I briefly suspected my wireless network but when my Wii failed to connect to my other lab SSIDs (did I mention that I disabled the same data rates on my lab gear?), and all of my other equipment connected to the wireless network just fine, it seemed that my Wii was failing miserably. Having just sent it in a few months back for an optic drive issue, I was confident that my Wii was on it’s last legs. After double checking that my Wii did indeed support 802.11G, why would I suspect anything else?

Dreading the call, I looked up the number for Nintendo and gave them a ring (Yes, I actually called!). After trying to convince the support representative that my Wii was previously working and that I strongly suspected the wireless card – then debating the technical differences between bridging devices and routing devices, I gave up.

Eventually it dawned on me that there was a possibility that something else was going on and I finally spent an afternoon digging on the issue. Come to find out, the Nintendo Wii requires the 1 and 2M data rate enabled for a successful association to the wireless network. After firing up a wireless packet packet capture application, you can see that the wireless network with the 1 and 2M data rates disabled continually loop between Probe Request and Probe Response.

Compare this to the same Access Point with both 1 & 2M data rates enabled and you can see the 802.11 Acknowledgements and the beginning of the WPA2 PSK handshake.

Moral of the story: don’t assume that since ‘everything else works’ that your device should. While this is clearly a problem with the Nintendo Wii, and all signs point to ‘it should work’, you may need to try and try again various configuration aspects of your environment. As for my particular issue, wanting to remain 802.11b free yet still use my Wii, there was a pretty graceful fix ready made.

Welcome to the third episode of the No Strings Attached Show podcast, in this episode Andrew vonNagy and I talk with Marcus Burton and Stephen Foskett about the upcoming Wireless Field Day and the Wi-Fi Mobility Symposium.

The 2nd Wireless Field Day will be happening in San Jose Jan 26th to 27th. For more details check out the Wireless Field Day website located at http://techfieldday.com/2012/wfd2/.

Prior to the Wireless Field Day which is an invite only event there will be the Wi-Fi Mobility Symposium held on Jan 25th 2012 at the Double Tree in San Jose, CA. This event is free to anyone who is in the area or who wants to travel to San Jose for that day. For more details check out the Wi-Fi Mobility Symposium website located at http://techfieldday.com/2012/wifi-mobility-symposium/, to register for the event please go to the Eventbrite page located at http://wifimobilitysymposium.eventbrite.com/.

There. I said it. The big bad ‘M word’. Multicast. If you’re anything like I was, this was that grey area of networking that ‘only those video people’ used. You know it has something to do with some IP addresses you’ve never seen used before and you know it’s a way of sending data to multiple targets at one time. I was there and decided to tackle just how can I get a straightforward multicast setup going on. If you have a touch of networking gear, a few computers and some time, you too can get a basic multicast setup up and running. Even if you don’t have an immediate need to do a deployment anytime soon, I’d encourage you to take an evening and tackle this. It’s fairly straightforward to get a basic setup up and running and you won’t regret the investment in time. First off, let’s get together a list of a few things you’ll need:

1) a router that supports multicast (any reasonable L3 Cisco router for example should do here)

2) one computer to use as a source

3) one computer (or two) to use as targets for receiving our data stream

4) some media to stream

Let’s tackle the media to stream first. For our setup, we’ll be targeting a dense mode Multicast setup with an RTP video stream. Don’t worry about all that at the moment though – head on over to the The Official HD Video Clip List and download/extract one of the many sample videos there. Once you’ve done that, note the place you extracted it to - we’ll need this later. Now that you have a sample movie, let’s move over to your router or layer 3 switch. The first thing we’re going to do is build out some VLANs and DHCP scopes and turn on inter-VLAN routing. There isn’t anything magical here, we just want to get our source on one VLAN and our target(s) onto another.

First let’s make some VLANs:

#conf t

(config)#vlan 100

(config-vlan)#name VLAN100

(config-vlan)#exit

(config)#vlan 200

(config-vlan)#name VLAN200

(config-vlan)#exit

Now let’s give them some IP addresses and bring them up:

(config)#int vlan 100

(config-if)#ip address 192.168.100.1 255.255.255.0

(config-if)#no shut

(config-if)#int vlan 200

(config-if)#ip address 192.168.200.1 255.255.255.0

(config-if)#exit

Now let’s make up some DHCP pools so our clients can get reasonable IP addresses:

(config)#ip dhcp pool 100_net

(dhcp-config)#network 192.168.100.0 /24

(dhcp-config)#default-router 192.168.100.1

(dhcp-config)#ip dhcp pool 200_net

(dhcp-config)#network 192.168.200.0 /24

(dhcp-config)#default-router 192.168.200.1

(dhcp-config)#exit

(config)#ip dhcp excluded-address 192.168.100.1 192.168.100.10

(config)#ip dhcp excluded-address 192.168.200.1 192.168.200.10

Now let’s assign these VLANs to some switch ports and plug in our clients:

(config)#int gi0/2

(you may have to select whatever interface is on your switch)

(config-if)#switchport mode access

(config-if)#switchport access vlan 100

(plug your source computer into this interface)

(config)#int range gi0/4 - 6

(you may have to select whatever interfaces are available on your switch)

(config-if)#switchport mode access

(config-if)#switchport access vlan 200

(plug your client computers into these interface)

Lastly enable IP routing for basic VLAN to VLAN connectivity and make sure your clients get IP addresses and can ping each other (make sure your client’s don’t have firewalls getting in the way if you’re having troubles here):

(config-if)#exit

(config)#ip routing

Now that we have that out of the way, let’s switch back to the computer you’re going to be using as your source for your multicast stream. Now we’re going to use our HD movie source and we’re going to kick off our multicast stream, send it to a multicast address, and loop it. This will give us a stream to join up later on. From a command prompt, use the following command using your path and name of your movie:

“C:\Program Files\VideoLAN\VLaC\vlc.exe” -vvv “C:\Documents and Settings\Administrator\Desktop\T2_1080p.wmv” –sout=#rtp{dst=239.0.0.11,port=5004,mux=ts,ttl=7} –sout-all –sout-keep –loop

This command dissected reads something like: start VLC, open this movie file, send it out to this multicast address on this port, and loop it. This should open up VLC and start moving the progress bar across the VLC screen, but it won’t display the actual movie. I do this to reduce on the video refresh of my source PC since most of my home lab stuff is done over RDP. Video over RDP doesn’t look all that great.

You may be wondering at this point, where in the heck I got the address of 239.0.0.11. This is a valid Orginizational-Local multicast address from the IANA. The multicast addresses are in the range 224.0.0.0 through 239.255.255.255 where the last class C is basically yours for your organization to use.

At this point, you should have basic IP connectivity up and running with multiple VLANs and IP routing along with a source Multicast RTP stream. Congratulations! Next we’re going to tackle actually enabling multicast on your router/switch:

#conf t

(config)#ip multicast-routing distributed

(config)#int vlan100

(config-if)#ip pim sparse-dense-mode

(config)#int vlan200

(config-if)#ip pim sparse-dense-mode

The reason we use sparse-desnse mode is that in reasonable versions of IOS, you will automatically run in dense mode in the absence of an RP (implying sparse mode). This is a good thing. You should now have basic dense-mode multicast routing up and running! Now, let’s go over to our target computers and launch VLC. Once open, goto the File menu and and select Open Network. You should have a box to type an RTP stream into and for our install, this should be:

rtp://@239.0.0.11:5004

Tell it Open and assuming all went well, your multicast streaming movie should start playing! Do this for all of your target computers and you should see the same stream, at the same spot on all of your clients.

If you notice on your switch/router, your VLAN100 source PC should still only be sending a single stream and this is being received and displayed by all of your clients! Now that you’ve made it to the end of the post and you have good ‘wired’ multicast up and running, we’ll tackle what this looks like on a Wireless LAN Controller in a future post. It’s important to have a good fundamental stream up and running to have a successful wireless deployment. We’ll tackle those particulars in a later post. Keep an eye out for those in the near future!

Multicast Quick Start Guide:

http://www.cisco.com/en/US/tech/tk828/technologies_tech_note09186a0080094821.shtml

IANA IPv4 Multicast Address Space Registry:

http://www.iana.org/assignments/multicast-addresses/multicast-addresses.xml

Do you have a Wireless question that you want to ask the NSA Show team? Leave us a message on Skype, nsashow, and we’ll do our best to answer your question!

We are also looking for questions that you may want to ask the Wireless Field Day vendors and Wireless Symposium panelists.

For a list of the vendors for Wireless Field Day check the link here:

http://techfieldday.com/2012/wfd2/

For a list of the panelists for the Wireless Symposium check the link here:

http://techfieldday.com/2012/wifi-mobility-symposium/

Cisco Response

On December 27th, 2011 US-CERT released VU#723755 available here: http://www.kb.cert.org/vuls/id/723755

The US-CERT Vulnerability Note describes a vulnerability that exists in the Wi-Fi Alliance Wi-Fi Protected Setup (WPS) protocol, also known as Wi-Fi Simple Config, when devices are operating in PIN External Registrar (PIN-ER) mode.  Devices operating in PIN-ER mode allow a WPS capable client to supply only the correct WPS PIN to configure their client on a properly secured network.  A weakness in the protocol affects all devices that operate in the PIN-ER mode, and may allow an unauthenticated, remote attacker to brute force the WPS configuration PIN in a short amount of time.

The vulnerability is due to a flaw that allows an attacker to determine when the first 4-digits of the eight-digit PIN are known.  This effectively reduces the PIN space from 10⁷ or 10,000,000 possible values to 10⁴ + 10³ which is 11,000 possible values. The eighth digit of the PIN is utilized as a checksum of the first 7 digits and does not contribute to the available PIN space. Because the PIN space has been significantly reduced, an attacker could brute force the WPS pin in as little as a few hours.

While the affected devices listed below implement the WPS 1.0 standard which requires that a 60-second lockout be implemented after three unsuccessful attempts to authenticate to the device, this does not substantially mitigate this issue as it only increases the time to exploit the protocol weakness from a few hours to at most several days.  It is our recommendation to disable the WPS feature to prevent exploitation of this vulnerability.

Vulnerable Products:

Note: The Cisco Valet product line is maintained by the Cisco Linksys Business Unit. Information concerning the Cisco Valet line as well as information on Linksys by Cisco products will be forthcoming.

Products Confirmed Not Vulnerable:

Additional Information

Workarounds:

Disable the Wi-Fi Protected Setup feature on devices that allow the feature to be disabled, as listed in the Vulnerable Products table.  Cisco Systems has verified that the products that support disabling the WPS feature do indeed disable it and are not vulnerable once the feature has been disabled from the management interface.

Fixed Software:

Note: The Cisco Valet product line is maintained by the Cisco Linksys Business Unit. Information concerning the Cisco Valet line as well as information on Linksys by Cisco products will be forthcoming.

Exploitation and Public Announcements:

Exploit code and functional attack tools that exploit the weakness within the WPS protocol have been released.

This vulnerability was discovered by Stefan Viehböck and Craig Heffner.

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

http://www.cisco.com/en/US/products/csr/cisco-sr-20120111-wps.html

Revision History

In episode 02 of the show, Andrew vonNagy hosts and welcomes guests Matthew Gast from Aerohive and Dan Cybulskie from Simply Wi-Fi to the show to talk about the recently announced Wi-Fi Protected Setup vulnerability. Matthew brings Wi-Fi expertise to the show from through his work at Aerohive, participation in the IEEE 802.11 standard, and as acting task chair for Wi-Fi Alliance security task groups. Dan brings extensive Wi-Fi security knowledge and has performed quite a bit of research into the WPS vulnerability since the announcement.

First, we discuss the background of Wi-Fi Protected Setup (WPS) – yet another acronym to remember and/or confuse with so many others – and it’s creation to “ease” security setup for non-technical users, typically in the consumer market. We make the distinction that WPS is not the same as WPA/WPA2 and that Wi-Fi security through use of those protocols is definitely not compromised by this vulnerability. Furthermore, WPS supports various methods of setup, including PIN and Push-Button Configuration, with the PIN mode the only one being affected by the vulnerability.

Matthew brings up a great point, that although this is a protocol design flaw, proper vendor implementations can make the attack much harder to execute. This is because it is a brute-force attack and implementation of user lockout / timeout feature after consecutive failed PIN attempts will slow-down the attack.

Next, we dig into the WPS vulnerability details:

• Independently discovered by two parties: Stefan Viehbock and Tactical Network Solutions
• Does NOT affect WPA/WPA2 enterprise (802.1X) or personal (PSK)
• Only the WPS PIN mode is affected
• Root cause is due to poor protocol design, which is something the Wi-Fi industry is familiar with because of WEP’s well-documented issues
• This is an “active” attack, meaning the attacker must send and receive frames to the target. It cannot be exploited passively.
• All WPS capable routers are affected
• Some vendor implementations reduce attack effectiveness due to the use of a lockout feature after failed attempts
• Static PINs (printed on the equipment) are generally more susceptible because WPS is typically “always-on”. Equipment with user-configurable PINs typically require WPS setup to be activated every time it needs to be used, and are less susceptible.

Then we discuss the impact to consumers, SMBs, and enterprises:

• Consumer and some SMB equipment is vulnerable. No enterprise equipment has been found that supports WPS.
• Enterprises should still be mildly concerned due to rogue APs and home VPNs connecting back into the corporate network.
• Apple’s product focus on good user experience actually serves as a security benefit in this case, because they didn’t need to implement WPS.
• Client devices are technically vulnerable too, but none of the show participants think it’s much of an attack vector and are not too concerned.
• Vulnerability was discovered over 1 year ago by Tactical Network Solutions, which is why their Reaver attack tool was promptly available after the U.S. CERT announcement.
• An exploit is in the wild… home users need to take action NOW by researching their router to see if it’s vulnerable.

Mitigation Steps:

1. Turn off WPS, if possible. Some equipment does not allow it to be disabled.
2. Watch for firmware updates from the vendor. However, given consumer manufacturers historical lack of support and upgrades for existing products, it’s probably best to buy a new router that does not support WPS or allows WPS to be disabled.
3. Switch to open-source firmware, such as DD-WRT. However, this requires more technical knowledge than many home users have.
4. SMBs should consider implementing 802.1X security with WPA2-Enterprise, and buying enterprise-class equipment.

Ultimately, responsibility to fix the vulnerability lies with both the Wi-Fi Alliance and vendors. The WFA needs to fix the protocol and vendors need to implement strong brute-force attack protection mechanisms.

Links to show resources:

• Wi-Fi Alliance page on Wi-Fi Protected Setup
• Wi-Fi Alliance database on WPS certified equipment (use this to research your router)
• U.S. CERT Vulnerability Note on WPS
• Stefen Viehbock’s blog post on the WPS vulnerability
• Tactical Network Solution’s post on the WPS vulnerability and the Reaver tool
• Ars Technica article on the WPS vulnerability
• Dan Kaminsky’s blog post on observed WPS support through wardriving
• Dan Cybulskie’s blog posts on this issue:
• WPS Brute Force Thoughts and Video
• Is My Wireless Router Running WPS
• Reaver, What Does It Look Like In the Air
• Matthew Gast’s blog on what you need to know about the WPS attack
• SmallNetBuilder article with vendor responses

We would love to hear your feedback on today’s show, please leave comments in the show notes and follow us on Twitter at @NSAShow.

The tremendous growth of Wi-Fi that is occurring right now means that many new engineers are getting into Wi-Fi. Our skills are in high demand, and new Wi-Fi engineers need the knowledge to design, build, and deploy successful wireless networks. I’m a firm advocate that it starts with fundamentals. Wi-Fi is a complex technology, and much of the “black-magic” that outsiders attribute to Wi-Fi network operation can be explained with a thorough understanding of underlying physical (PHY) properties.

Let’s start the new year by getting back to fundamentals, and boiling down Wi-Fi to some of its core nuts and bolts. This will provide the basic framework to understand how Wi-Fi works at the physical layer, hopefully in an easy to comprehend fashion. It will also enable newly minted Wi-Fi engineers to have a more complete understanding of Wi-Fi operation at higher layers in the stack, explain many of the “rules-of-thumb” in the industry, and provide background so engineers can properly address unique design requirements. If there is one thing every seasoned Wi-Fi engineer will tell you, it’s that there are no guaranteed methods that work in all situations. Every environment is different, solutions that work in some don’t work in others, and best practices don’t always work. Critical reasoning and problem-solving are a large part of the job, so let’s get you prepared!

First up – Direct Sequence Spread Spectrum as implemented in 802.11 prime and 802.11b

Data Rates Supported

DSSS Spectral Mask Used By 802.11 prime and 802.11b

802.11 prime supports 1 and 2 Mbps, and is often referred to as DSSS.

802.11b supports 5.5 and 11 Mbps, and is often referred to as High-Rate DSSS (HR-DSSS).

Yeah, that was the easy part

Spectral Mask

802.11 prime and 802.11b use Direct Sequence Spread Spectrum (DSSS), which is graphically represented by the typical bell-shaped curve on a frequency vs. amplitude graph you may have seen in other Wi-Fi literature (technically called a Spectral Mask).

Direct Sequence Spread Spectrum (DSSS) is a method of spreading out a serial data stream across a range of frequencies which make up a single “channel”. The channels are referenced by their primary carrier frequency at the center of the channel and each channel is separated by 5MHz. DSSS is designed to be used at low power but spanning a much larger frequency range (bandwidth) than is required to encode the data versus a narrowband transmitter (such as a radio or television transmitter). By spreading the data out over a larger range of frequencies, spread spectrum technologies such as DSSS are less susceptible to narrowband interference. Additionally, due to the low power, DSSS is also less likely to cause interference to other RF systems. This is part of the reason why unlicensed frequency use is permitted by the FCC.

The DSSS spectral mask consists of a primary signal (main lobe) as well as secondary signals (sideband lobes). The main lobe consists of the carrier signal frequency and 11MHz above and below. The first sideband lobe consists of 11-22Mhz above and below the carrier signal and must have power output reduced by 30dB relative to the power output of the primary signal. The sideband lobe power reduction is required to reduce interference with systems on adjacent channels. Additional sideband lobes beyond 22MHz above or below the carrier frequency must have power reduce by 50dB.

DSSS Channels

Due to channels being defined at 5MHz increments and the DSSS main lobe being effectively 22MHz wide, confusion arises between non-overlapping, overlapping and adjacent Wi-Fi channels. For two channels to be non-overlapping they must be separated by 25MHz (5 channels), which is slightly larger than the 22MHz used by the main lobes of two adjacent channels, 11MHz above one channel and 11MHz below the other. Adjacent channels are defined similar to non-overlapping channels for DSSS, which are channels that are separated by at least 25MHz. (The adjacent channel definition is different with OFDM and 802.11a/g, whereby adjacent channels must be exactly 25MHz apart, not less and not greater). Therefore, any channels that are not separated by at least 25MHz are considered overlapping.

This leads to the common practice of only using Wi-Fi channels 1, 6, and 11 during multi-access point deployments because these channels provide the most capacity using only non-overlapping channels.

Let’s take a few examples:

• Channel 1 would be overlapping with channels 2-5 since they are less than 25MHz apart, and non-overlapping / adjacent with channels 6-14 since they are separated by at least 25MHz or more.
• Channel 9 would be overlapping with channels 5-13 since they are less than 25MHz apart, and non-overlapping / adjacent with channels 1-4 and 14 since they are separated by at least 25MHz or more.

Modulation and Coding

Direct Current (DC) Digital Data Modulation Methods onto an Analog Waveform

Digital-to-Analog modulation refers to the process of changing one or more of the characteristics of an analog signal based on information in a digital signal (1′s and 0′s). Typically an analog carrier signal is modified in order to transmit  information. The transmitter performs modulation to achieve digital-to-analog conversion for transmission over the air (an analog medium) and the receiver performs de-modulation to achieve analog-to-digital conversion and recover the transmitted data.

Radio frequency waveforms (sine waves) have three basic properties that can be modified in order to transmit digital data over a analog carrier signal: amplitude, frequency, and phase.

Amplitude Modulation (AM) – amplitude represents the strength of the signal. Amplitude modulation varies the strength of the transmitted analog waveform in order to encode the data being sent. Digital data is encoded by slightly “shifting” the carrier signal strength among pre-determined amplitude levels which each represent different digital data values. When used to encode digital data, amplitude modulation is also referred to as Amplitude Shift Keying (ASK). Amplitude modulation is especially susceptible to outside noise which can corrupt the encoded data transmission.

Frequency Modulation (FM) – frequency represents the periodic nature of an oscillating waveform to complete one cycle. Frequency modulation varies the frequency / wavelength of the transmitted analog waveform in order to encode the data being sent. Digital data is encoded by slightly “shifting” the carrier frequency among a list pre-determined settings which each represent different digital data values. When used to encode digital data, frequency modulation is also referred to as Frequency Shift Keying (FSK).

Phase Shift Keying (PSK) – phase represents the current position (often referenced in degrees) of an oscillating waveform. PSK varies the phase of the current oscillating waveform with reference to an arbitrary position on a reference waveform. Digital data is encoded by shifting the waveform among a list of pre-determined degree offsets from the expected position (for example o°, 90°, 180°, or 270° shifts).

Differential PSK (DPSK) is when the receiver determines the degree of phase shift change using the carrier waveform itself rather than using a reference waveform. DPSK depends on the difference between two successive phases of the same carrier signal, which determines the degree of phase shift. DPSK is commonly used because it is simpler to implement than PSK using a reference waveform.

A fourth method, Quadrature Amplitude Modulation (QAM), combines amplitude shift keying and phase shift keying, and provides a more efficient and resilient modulation technique. However, QAM is only used in subsequent Wi-Fi physical layer specifications such as 802.11a/g/n, and is not used in 802.11 prime or 802.11b.

Differential Binary PSK (DBPSK) is a DPSK modulation technique that is capable of encoding a single bit of digital data per-symbol, by using two distinct phases (typically 180° apart from one another).

Differential Quadrature PSK (DQPSK) is a DPSK modulation technique that is capable of encoding two bits of digital data per-symbol, by using four distinct phases (typically 90° apart from one another).

Modulation rate is roughly analogous to the baud rate, which it the rate at which a signal is modified in order to encode the data bits. It it’s simplest form (such as with DBPSK), one baud encodes one bit. However, in more sophisticated modulation techniques, each baud may encode multiple bits. The fewer baud required to encode the bit stream, the more efficient the transmission and conversely the more susceptible to data corruption by noise and interference. More complex modulation methods require a better signal to interference and noise ratio (SINR). Due to processing gain (explained below), each signal modulation for DSSS and HR-DSSS actually encodes “chips” instead of  ”bits” from the input data stream.

Symbol rate is also usually analogous to baud or modulation rate, in that it a single symbol represents a single waveform change or signalling event. In subsequent Wi-Fi specifications with 802.11a/g/n it is equivalent to one Fast Fourier Transform (FFT). However, with 802.11 prime and 802.11b the concept of a symbol is slightly different than normal, again due to the processing gain where a single waveform change encodes “chips” instead of “bits”. Due to this, one symbol in 802.11b represents the collective waveform changes required to transmit a single set of “chips” which represent one or more “bits” from the input data stream.

As higher order modulation techniques increase data throughput by encoding more bits per-baud, it also reduces resistance to noise. That is why Wi-Fi clients will data-rate shift to lower data rates in the presence of interference, noise, or data corruption, possibly despite a strong link signal.

DSSS Encoding with Pseudonoise (PN) codes and “chips” – in order to provide more reliable transmission and forward error correction (FEC), 802.11 prime and 802.11b use pseudonoise codes which add processing gain to the incoming bit stream from the MAC layer. 802.11 prime at 1 and 2 Mbps uses the 11-bit Barker Code which is XOR’d with each incoming bit. This expands the amount of modulated information sent out over the air. For each incoming data bit from the MAC layer, 11 “chips” as they are called are transmitted. Therefore, the receiving station can still determine the original bit that was transmitted even in the presence of noise or interference that corrupts up to 9 of the 11 chips sent over the air.

HR-DSSS Encoding with Complementary Code Keying (CCK) – in order to provide higher data rates than 2Mbps, 802.11b employs CCK which replaces the 11-bit Barker Code with an 8-bit code. Also, rather than using a single 11-bit chipping sequence, CCK uses a table of various 8-bit sequences that each map to either 4 or 8 data bit sequences. Essentially, CCK uses a chipping sequence lookup table, and the chip sequences have been carefully selected to provide optimal transmission characteristics (such as not having long strings of a single value repeating, and overall direct current symmetry). The shorter chipping sequence reduces data spreading and processing gain to achieve greater data throughput. However, CCK is also more susceptible to narrowband interference than DSSS/Barker Code. CCK is a bit of an esoteric subject; don’t worry about knowing the mathematics behind it.

Frame Format(s)

802.11 prime defined a physical layer frame format consisting of 3 main sections:

1. PLCP Preamble – the physical layer convergence protocol (PLCP) preamble is used to allow the receiving station to recognize and “lock-on” to an incoming Wi-Fi modulated signal and synchronize its clock to accurately determine bit boundaries.
2. PLCP Header – used to inform the receiving station of important physical layer information used to interpret and decode the incoming frame. For example, the SIGNAL field indicates the modulation and data rate at which the MPDU is encoded, and the LENGTH field indicates the number of microseconds required to transmit & receive the MPDU (octets can be derived from this using the modulation type and symbol rate; in subsequent PHY standards such as 802.11a/g/n the length field directly contains the number of octets transmitted).
3. PSDU / MPDU – the physical-layer service data unit (PSDU) is the portion of the frame which contains the 802.11 MAC header, 802.2 LLC header, and higher layer payload (typically TCP/IP). This can also be referred to as the MAC protocol data unit (MPDU) from a layer 2 terminology perspective (they mean the same thing however).

The PLCP Preamble and Header are always encoded at statically defined data rates so the receiver can decode and interpret the incoming data. The PSDU/MPDU is transmitted at a variable data rate, which can be much higher speed.

The original frame format specified a 144-bit preamble. The 802.11b amendment provided optional support for a 72-bit short preamble in order to improve network performance by reducing overhead. It also included restrictions on data rate support for the PLCP header and PSDU.

Long Preamble:

• 144-bit PLCP Preamble – modulated at 1Mbps
• PLCP Header – modulated at 1 Mbps
• PSDU/MPDU – modulated at 1, 2, 5.5, or 11 Mbps as specified within the PLCP Header “Signal” field

802.11 DSSS – Long Preamble Frame Format

Short Preamble:

• 72-bit PLCP Preamble – modulated at 1Mbps
• PLCP Header – modulated at 2 Mbps
• PSDU/MPDU – modulated at 2, 5.5, or 11 Mbps as specified within the PLCP Header “Signal” field

802.11 DSSS – Short Preamble Frame Format

Useful Formulas

You may be interested in performing various calculations, such as how the modulation type and rate equates to the raw data rate, how long a frame of arbitrary size takes to transmit over the air, and how much throughput can be achieved given frames of a specific size.

Data Rate Calculation:

Select a data rate from the table above, then:

Transmission Time of a Frame:

Select a data rate from the table above, then:

*Note – Portions of each frame are transmitted at different data rates. Calculate the PLCP Preamble, PLCP Header, and PSDU/MSDU independently, then sum the results together. Hint – once you calculate the PLCP Preamble and Header for both long and short preambles, those values can be re-used since they are constant.

Maximum Network Throughput:

The easiest method is to calculate maximum network throughput (under ideal circumstances) by using a single frame size. Select a frame size that is representative of the average real-world or observed network traffic in your environment, then calculate the transmission time for that frame using the formula above.

For raw layer 2 throughput, you will then need to add in network overhead due to initial medium contention (DIFS, AIFS), one SIFS inter-frame spacing, and receiver acknowledgement frame (typically 76 bytes of payload at a variable data rate).

For layer 4 TCP/IP throughput, you will also need to add in expected TCP conversation traffic in the reverse direction. At minimum, for a mostly one-way data transfer, this would be TCP acknowledgements. For bi-directional traffic, you will need to understand the application behavior and traffic flow patterns.

Additionally, sophisticated statistical models are usually required to account for the probability of collisions and re-transmissions, but you could get close by analyzing actual re-transmission rates in your environment as a basis for adjusting the throughput calculation downward by a certain percentage.

Throughput calculations are not easy, but just performing the exercise is a great learning tool! For actual throughput analysis it can be easier to simply run some tests on a live network using tools such as iperf, Nuts about Nets NetStress, Ixia QCheck/Chariot, VeriWave WaveDeploy, Ruckus Zap, or TamoSoft Througput Test, or WLANBook’s suite of mobile iperf and zap tools.

Recap

I know this may have been a lot to take in. Don’t sweat it, you don’t need to memorize the specifics. Understand the concepts and refer back as needed. I hope this provides a useful, easy-to-understand overview of the 802.11 prime and 802.11b PHY without going into too much complexity. Understanding these foundational topics will serve you well as you work on designing and troubleshooting real-world networks. Just think, now you know why channels 1, 6, and 11 are a rule of thumb, how enabling or disabling data rates affects the link resiliency and performance, and why some legacy devices may not be compatible with 802.11b short preamble due to a different PLCP header data rate.

Stay tuned for follow-up articles on OFDM with 802.11a/g and High Throughput OFDM with 802.11n.

Cheers,

Andrew vonNagy

Further Reading:

• Wi-Fi physical layer specifications: Certified Wireless Analysis Professional study guide.
• Modulation and encoding background: Data Communications and Networking.
• A deeper explanation of CCK: Complementary Code Keying Made Simple (PDF).

Welcome to episode 1 of the NSA Show Podcast! In this episode we take a look at some of the software tools used by some of the top Wireless engineers on a day to day basis. We start off by looking at Ekahau Site Survey and AirMagnet Survey Pro. Each of these applications have their pros and cons as we explain their differences and how they work. Next we roll into RF analysis tools such as Cisco Spectrum Expert, Metageek Chanalyzer, and finally AirMagnet SpectrumXT. Listen as the discussion goes from what’s the best software tool to use to a hot topic out there today: where is Cisco’s USB adapter to keep up with the ever changing form factors of laptops? Finally we end the show with a brief discussion regarding packet capture tools like Wireshark, WildPackets, and AirMagnet WiFi Analyzer.

We hope you enjoy this first episode, we had a lot of fun recording it and are looking forward to your feedback for future episodes!

The basics of site surveys:
Recently I’ve discovered I’ve been using the wrong nomenclature to describe an ‘active’ site survey. I’ve always described an ‘active’ site survey as one where I’m bringing all of the survey hardware to the customer site to do an ap-on-a-stick site survey for proper access point placement. It seems that my description of an ‘active’ survey is incorrect. An ‘active’ site survey is one where the wireless device used to test the wireless infrastructure makes an active association to an infrastructure SSID. Actively joining the infrastructure BSSID as a wireless client allows the site survey application to test data rates, throughput, packet retries and packet loss as well as the signal-to-noise ratio (SNR) and received signal strength (RSSI). A passive site survey can only monitor a current installation for SNR, RSSI, and only a predictive PHY download rate based on the combination of SNR and RSSI values.
It is of paramount importance for the person performing the site survey to have physical access into all areas of the facility in order to obtain the most accurate snapshot of the current wireless infrastructure. The survey data will be incomplete and of questionable value to the documentation recipient if the information gathered is missing information on key areas where the wireless infrastructure is expected to be utilized.
In order to make the most use of the time available on-site, the surveyor should have at minimum – an extended life battery for their laptop. Ideally, the person surveying should have two batteries and a method for charging the spare laptop battery while it is not in use. The software applications that are used to conduct wireless site surveys and spectrum analysis are very taxing to even the most powerful laptop batteries. Battery life is also important when performing an AP-on-a-stick site survey. Your survey time will be limited to how long the battery pack for the access point lasts. It may be necessary to carry a spare battery for the access point as well, especially if the surveyor is planning on working longer than eight hours a day. Working longer than eight hours a day can sometimes be necessary if the surveyor’s time at the customer site is limited due to travel restrictions, or project deadlines.
Predictive site surveys can be a way to overcome the problem of ‘the building isn’t built yet, but we need to know where to put the cable drops for the wireless network’. Keep in mind, even the most thorough predictive site survey will only be about 80% accurate.  It will get you in the ball park for budgetary purposes, and after the cables are run and the access points are installed a post deployment site survey should be done to validate coverage is as it was originally designed. It may be necessary to make adjustments in the access point installation locations after all the furniture and people are occupying the facility.
Occasionally a small spot-check site survey could be done at a minimal cost, but this type of troubleshooting effort will be focused on solving a singular problem rather than making an overall assessment of the wireless network. It is true that site surveys are labor intensive and a single snapshot in time, but they are very necessary to verify, validate, plan and test wireless networks. No matter how much automation is built into the software running the wireless network, there is no real substitution for an on-site wireless engineer who has mastered their wireless toolset.

Welcome to episode 0 of the NSA Show Podcast! This is a placeholder episode to get the iTunes and other directory links setup.

Did you know ? If you purchased a Cisco 5508 WLC with a 12 access point license you just limited yourself to 487 access points?

The Cisco 5508 is licensed based which means you can add access point licenses as your wireless grows. The Cisco 5508 allows a maximum of 500 access points. This is a new model for Cisco Wireless Lan Controllers.The now legacy 2000,2100,4400 and WISM1 were licensed by the hardware itself.

You can purchase Cisco 5508 WLC with a 12,25,50,100,250 or 500 access point capacity. Or you can purchase what Cisco calls adder licenses in the quantities of 25,50,100, and 250 access points after the fact.

The license limitation becomes an issue with your initial purchase of a 5508 with a 12 access point license.

Since Cisco only resells 25,50,100 and 250 access point licenses the MAX you will ever get on your WLC is 487 access points.

Note: A 5500 Series WLC with a base license of 12 can only support up to 487 total APs because only 25, 50, 100, and 250 adder licenses are supported.

Read:

Understanding Cisco 5508 Wireless LAN Controller Licensing

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78104.shtml

p.s. Thanks Patton for the link!

Welcome to the new No Strings Attached Show blog and podcast! So what exactly is this place and why should I follow this blog and listen to the podcasts? Well the No Strings Attached Show, NSA Show for short, is brought to you by some of the brightest and best Wireless engineers from various walks of life. We have two wireless CCIE’s, a couple of CWNE’s, and a handful of other certifications. Here’s a look at who is involved in bringing the NSA Show to life:

Each of us brings a different view on the products that we use on a daily basis to provided Wireless networking to the masses, this will hopefully lead to some interesting discussions on the podcasts! We’ve got some great shows in the work such as talking with Aerohive about their controller-less architecture, Cisco’s new products, a podcast / blog series about the various certifications out there to validate your knowledge, and some deep dive technical sessions on various Wireless concepts. This isn’t a marketing show, this is a technical show!

We hope that you will join us on a regular basis as we publish podcasts on a bi-weekly basis on Wednesday’s of course for #WirelessWednesday on twitter.

I’d also like to let everyone know how we are going to be handling sponsors for the show/blog. We will be allowing vendors to purchase ad space (located in the top banner) as well as a short segment on the podcast episodes, there is also a Google AdWords box in the sidebar. These won’t be obtrusive (no big flashy lights on the site, tastefully done, etc) and will help us cover the costs of hosting the site and blog media. Sponsors will also be helping with equipment purchases. A sponsor may also provide us with demo equipment, but this does not by any means constitute an endorsement by the NSA Show. We will put each product through the paces and provide an unbiased review on a show. If you would like to individually contribute to the show please use the donation link on the sidebar.