  • CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
    by David D. Coleman, David A. Westcott, Bryan E. Harkins, Shawn M. Jackman

    Shawn Jackman (Jack) CWNE#54 is a personal friend and has been a mentor to me for many years.  I've had the pleasure and opportunity to work with Jack for 4 years. Jack is a great teacher who takes complex 802.11 standards and breaks them down so almost anyone can understand the concept at hand. I'm excited for you brother. Great job and job well done! Put another notch in the belt!

Client Debug Macro Change - Cisco code: -

A quick blog post on an observation I made while debugging in the lab. The command debug client enables a variable set of commands which enable multiple debugs. You can see what these commands are with the “show debug” command.

Notice the change in the commands enabled between 7.6 and 8.0. 



Revolution WiFi Capacity Planner 

Did you miss Andrew von Nagy's Capacity Planner webinar? No worries, because the links are below. It's one of those sessions you will want to watch a few times and let it soak in. This session will be a guaranteed "classic". A staple of sorts for WiFi engineers to use in the future.

What makes this even more special: Andy didn't get paid to create this calculator. It's his way of giving back to the community. Andy is a true master at his craft. Really honored to call him a friend. Someone who always answers your emails, takes your calls and is willing to explain a subject 10 different ways till you understand it.

Whether you're new to WiFi or a veteran, this session is packed with nuggets!

Revolution WiFi Capacity Planner 


Revolution WiFi Recorded Webinar Capacity Planner 




Top 10 Sessions From Interop Las Vegas 2015

Interop Las Vegas 2015 was a blast! Few conferences bring together a rich mix of vendors, products, solutions and attendees all in one place. I was particularly interested in Cisco's Hyperlocation, which just so happened to win the Best of Interop Award - 2015 Mobility. Interop was a gathering of old friends and meeting new ones. I thought the mobility track was exceptional this year.

Cisco Hyperlocation:

I was also a panel guest at Cisco's Mobility lunch, where WiFi Mobility, 802.11ac and our AWO (All Wireless Office) were the topics of discussion. It was 60 minutes of great discussion and guest interaction. I would like to thank Cisco's Bill Rubino for the invite.

I spoke at my own session, "Designing Today's WiFi Network for Tomorrow's Applications". I always enjoy sharing my real world hands-on experience with others. WiFi is still black magic to many IT folks in the industry. The goal in my session: take 2 things away that you didn't know before. I think the attendees agreed. My session made Interop's Top 10 Sessions and ranked #6 in the standings as voted by attendees. I would like to thank Andrew Murray for the invite and having me back at Interop.

Interop Top 10


In closing three articles were published from my Interop session. 

Remember The Restroom When Deploying Wireless


What happens if you remove an acceptable use policy from guest Wi-Fi?


Diversity of connected devices in hospitals poses unique challenge for going fully wireless




TAC Recommended AireOS 7.6 and 8.0 - 2Q CY15

TAC code recommendations for AireOS 7.6 and 8.0 customers. 

For folks on 7.6 and 8.0, or who might be thinking about going to these versions, Cisco is recommending the following releases:

7.6 -

8.0 - 


NOTE: Above links to release notes for and


Field Notice: FN - 63916 AireOS or Cisco IOS-XE 3.6.0E - AP Unable to Join WLC or AP Stuck in Downloading State - Software Update Required



Revision History

Initial Public Release

Products Affected

Cisco Aironet 1530 Series
Cisco Aironet 1550 Series
Cisco Aironet 1600 Series
Cisco Aironet 1700 Series
Cisco Aironet 2600 Series
Cisco Aironet 2700 Series
Cisco Aironet 3500 Series
Cisco Aironet 3600 Series
Cisco Aironet 3700 Series

Problem Description

Some Wireless Access Points (APs) manufactured between August 2014 and October 2014 might have an incorrectly programmed SHA-2 certificate.

The affected product families are:

  • Cisco Aironet 1530 Series
  • Cisco Aironet 1550 Series
  • Cisco Aironet 1600 Series
  • Cisco Aironet 1700 Series
  • Cisco Aironet 2600 Series
  • Cisco Aironet 2700 Series
  • Cisco Aironet 3500 Series
  • Cisco Aironet 3600 Series
  • Cisco Aironet 3700 Series

Issue 1

After you upgrade a Wireless LAN Controller (WLC) to software version or 3.6.0E, and after the Wireless APs download the new software version, any Wireless AP with an incorrectly programmed SHA-2 certificate disconnects from the WLC and is not able to rejoin the WLC if the WLC has a SHA-2 certificate.

Issue 2

Any new Wireless AP with software version and with an incorrectly programmed SHA-2 certificate fails to validate the image downloaded from the WLC. The result is that the AP is unable to establish a connection to a WLC with version software.

If the AP has an incorrectly programmed SHA-2 certificate and the WLC has version or 3.6.0E, the likelihood of this issue being observed is 100%.


Between August and October 2014, a manufacturing change was added to support SHA-2 certificates. In the certificate chain transition, some APs were manufactured with incorrect certificate information. Prior to this change, the APs only had a SHA-1 device ID certificate. After the change the APs had both SHA-1 and SHA-2, but the SHA-2 was incorrectly programmed on the affected units.

The available fixed code ensures that the APs continue to function as APs that were manufactured prior to August 2014.

The affected APs are fully functional and equivalent to APs manufactured prior to August 2014.

In the future, Cisco will provide support for SHA-2 authentication between APs and more recently manufactured WLCs.

Problem Symptoms

New Aironet APs with factory installed recovery Cisco IOS® are able to join the controller that runs software version or 3.6.0E and download version 15.3(3)JA or 15.3(3)JN IOS. However after the AP reload, the APs are unable to join the controller. On the AP, logs similar to these are seen:

*Oct 16 12:39:06.231: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Oct 16 13:14:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: ***.***.***.*** peer_port: 5246
Peer certificate verification failed FFFFFFFF

*Oct 16 13:14:56.127: DTLS_CLIENT_ERROR: ../capwap/base_capwap/capwap/base_capwap_wtp_dtls.c:496 Certificate verified failed!
*Oct 16 13:14:56.127: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to ***.***.***.***:5246
*Oct 16 13:14:56.127: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to ***.***.***.***:5246

Another symptom of this issue is that the AP might be able to join the software version controller, download a new Cisco IOS code, and boot up and join the controller correctly; however when it goes to upgrade to the newer 8.x code it gets stuck in a loop and fails the download.

*Nov 11 10:13:53.003: Currently running a Release Image
*Nov 11 10:13:53.027: Using SHA-2 signed certificate for image signing validation.
*Nov 11 10:13:53.091: Image signing certificate validation failed (FFFFFFFF).
*Nov 11 10:13:53.091: Failed to validate signature
*Nov 11 10:13:53.091: Digital Signature Failed Validation (flash:/update/ap3g2-k9w8-mx.v153_80mr.201410311616/final_hash)
*Nov 11 10:13:53.091: AP image integrity check FAILED Aborting Image Download
Download image failed, notify controller!!! From: to, FailureCode:3 archive download: takes 339 seconds
*Nov 11 10:14:02.399: capwap_image_proc: problem extracting tar file
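The two symptoms above can be separated automatically when AP logs are collected centrally. The following is an added example, not part of the field notice or the original post: it matches the message fragments quoted above and flags an AP only when the SHA-2 certificate selection line precedes the failure. The "ap-name + original line" collection format, the AP names and the 192.0.2.10 controller address are constructed assumptions.

```python
import re
from collections import defaultdict

# Message fragments copied from the AP log excerpts quoted in the field notice.
SHA2_DTLS_MARKER = "Using SHA2 MIC certificate for DTLS"
DTLS_FAILURES = (
    "Peer certificate verification failed",
    "Certificate verified failed!",
    "Send FATAL : Bad certificate Alert",
)
SHA2_IMAGE_MARKER = "Using SHA-2 signed certificate for image signing validation"
IMAGE_ABORT = "AP image integrity check FAILED"
IMAGE_FAILURES = (
    "Image signing certificate validation failed",
    "Digital Signature Failed Validation",
    IMAGE_ABORT,
)

# Finding labels (names chosen for this example).
JOIN_SHA2 = "join-failure-after-sha2-cert"     # first symptom in the notice
IMAGE_SHA2 = "image-validation-after-sha2"     # second symptom in the notice
DTLS_OTHER = "dtls-cert-failure-other-cause"   # no SHA-2 marker seen first
IMAGE_OTHER = "image-failure-other-cause"

# Assumed collection format: "<ap-name> <original AP log line>".
LINE_RE = re.compile(r"^(?P<ap>\S+)\s+(?P<msg>.+)$")


def triage(lines):
    """Classify certificate-related failures per AP, in log order."""
    state = defaultdict(lambda: {"sha2_dtls": False, "sha2_image": False,
                                 "findings": set(), "image_aborts": 0})
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        s = state[m.group("ap")]
        msg = m.group("msg")
        if SHA2_DTLS_MARKER in msg:
            s["sha2_dtls"] = True
        elif SHA2_IMAGE_MARKER in msg:
            s["sha2_image"] = True
        elif any(f in msg for f in DTLS_FAILURES):
            # Only attribute the failure to this notice if the AP first
            # reported that it selected its SHA-2 certificate for DTLS.
            s["findings"].add(JOIN_SHA2 if s["sha2_dtls"] else DTLS_OTHER)
        elif any(f in msg for f in IMAGE_FAILURES):
            s["findings"].add(IMAGE_SHA2 if s["sha2_image"] else IMAGE_OTHER)
            if IMAGE_ABORT in msg:
                s["image_aborts"] += 1  # repeated aborts indicate the loop
    return {ap: {"findings": sorted(s["findings"]),
                 "image_aborts": s["image_aborts"]}
            for ap, s in state.items() if s["findings"]}


def serial_check_list(result):
    """APs whose serial numbers should be checked against the notice."""
    wanted = {JOIN_SHA2, IMAGE_SHA2}
    return sorted(ap for ap, r in result.items() if wanted & set(r["findings"]))


# Constructed sample input modelled on the log lines quoted in the notice.
SAMPLE_LOG = """\
ap-lab-01 *Oct 16 12:39:06.231: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.
ap-lab-01 *Oct 16 13:14:56.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.0.2.10 peer_port: 5246
ap-lab-01 Peer certificate verification failed FFFFFFFF
ap-lab-01 *Oct 16 13:14:56.127: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.0.2.10:5246
ap-lab-02 *Nov 11 10:13:53.027: Using SHA-2 signed certificate for image signing validation.
ap-lab-02 *Nov 11 10:13:53.091: Image signing certificate validation failed (FFFFFFFF).
ap-lab-02 *Nov 11 10:13:53.091: AP image integrity check FAILED Aborting Image Download
ap-lab-02 *Nov 11 10:19:40.027: Using SHA-2 signed certificate for image signing validation.
ap-lab-02 *Nov 11 10:19:40.091: AP image integrity check FAILED Aborting Image Download
ap-lab-03 *Nov 12 08:01:10.500: %DTLS-5-SEND_ALERT: Send FATAL : Bad certificate Alert to 192.0.2.10:5246
ap-lab-04 *Nov 12 08:02:00.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.0.2.10 peer_port: 5246
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for ap, r in sorted(report.items()):
        print(ap, r["findings"], "image aborts:", r["image_aborts"])
    print("check serial numbers for:", serial_check_list(report))
```

An AP that shows a DTLS certificate failure without the SHA-2 selection line (ap-lab-03 in the sample) is reported separately, since that pattern is not the one this notice describes.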



In order to avoid this issue, if the WLC runs software version 7.6 or earlier and you have APs affected by this issue, do not upgrade to version 8.0.100.x train. Wait for the next Cisco Connection Online (CCO) release.

Workaround for AireOS

If the WLC has been upgraded to version 8.0.100.x and the APs are supported in AireOS 7.6, downgrade to this version.

Solution for AireOS

If the WLC has software version 7.6 or earlier, upgrade the WLC to version

If the WLC has software version 8.0.100.x, follow these steps:

  1. Upgrade the WLC to software version
  2. Allow all APs to join the WLC and upgrade to software version
  3. Upgrade the WLC to software version
    Note: Step 2 is required to push the special software version onto the APs in order to allow all future upgrades.

Cisco IOS-XE

In order to avoid this issue, if the WLC has software version 3.3.x or earlier and you have APs affected by this issue, do not upgrade to version 3.6.0E.

Workaround for Cisco IOS-XE

If the WLC has been upgraded to version 3.6.0E and APs are supported in Cisco IOS-XE Version 3.3.x, downgrade to this version.

Solution for Cisco IOS-XE

If the WLC has software version 3.6.0E, follow these steps:

  1. Upgrade to version 3.6.1 or 3.7.0 or later.
  2. Enter the wireless security certificate force-sha1-cert command from the prompt.


To follow the bug ID link below and see detailed bug information, you must be a registered customer and you must be logged in.

CSCur43050 (registered customers only)
APs mfg in Aug./Sept./Oct. 2014 unable to join an AireOS controller
CSCur50946 (registered customers only)
APs mfg in Aug./Sept./Oct. 2014 unable to join an IOS-XE controller

How To Identify Hardware Levels

From the AP CLI, enter the show version command and look for the "Top Assembly Serial Number". An example of a Top Assembly Serial Number is FTX1613GJGA.

If the AP is joined to an AireOS controller:

  • From the CLI, enter the show ap inventory APNAME command.
  • From the GUI, select Wireless > All APs > APNAME > Inventory in order to view the serial number.

If the AP is joined to a Cisco IOS-XE controller:

  • From the controller CLI, enter the show ap name APNAME inventory command and look for the "Cisco AP" serial number.
  • From the GUI, select Configuration > Wireless > Access Points > All APs > APNAME > Inventory in order to view the serial number.

Alternately, the serial number can be found on the back/bottom of the AP:


Confirm that your serial number is affected with the Serial Number Validation Tool.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: 


Cisco Access Point Models Not Supported On 8.1 Code

If you're like me you may have hundreds or even thousands of Cisco 1131, 1242 and 1250 access points deployed in your wireless network today. 

Pay special attention to the information below. A number of legacy access point models will no longer be supported past 8.0 code.

This is reminiscent of 1000 series access points. I can recall the horror stories, people upgrading to 5.0 only to realize that the 1000 series would not join the WLC. #DontBeThatGuy!

Ask your Cisco rep about buy back programs and bundle purchases; buy X and get 5-10 free access points!


Are you the next WiFi Rockstar ??

The No Strings Attached Show is sponsoring a tremendous giveaway to one lucky winner! If you’re new to WiFi and just starting out, this giveaway is your ticket to WiFi stardom.

This prize pack includes hardware, software, study material and MORE! 


You need site survey software —- CHECK
You need enterprise class hardware to lab —- CHECK
You need spectrum analysis equipment — CHECK
You need CWNP study material —- CHECK
and more ……

The deadline for this contest is December 12th, 2014. 

For the rules visit http://thenextwifirockstar.com/    


*Certain Rules and Restrictions Apply  


Clear your schedule and mark your calendars WFD#7 is this week! 

WFD#7 is a sponsored event that brings WiFi vendors (also called sponsors) and WiFi subject matter experts (also called delegates) together to discuss technology. The WFD#7 sponsor list has returning vendors like Fluke AirMagnet, Wildpackets, AirTight, Aruba, Extreme Networks and Cisco. Avaya is a first-time sponsor to WFD. Welcome!

I understand a few of the sponsors will be unveiling some exciting news. Only one way to learn about these unveilings first: tune into the live stream!

I’m interested in WFD newcomer Avaya. Avaya has been around since the early days when WiFi was just 802.11, no fancy task groups after the 11. They seem to have fallen by the wayside in the early 2000s. To date I can’t say I’ve seen their new WiFi solution in the wild. I’ve seen many customers using their communication suite of products. They have a nice suite that pulls together end-to-end communication and collaboration. Looking forward to learning more about their solutions.

Over the years and after many of the WFD events you build relationships with vendors. You collaborate together. You troubleshoot together. You test new widgets together. You share in successes together. Can’t wait to see my old friends at Wildpackets, Airmagnet, Cisco and Aruba.

Presentation Calendar

Most presentations are streamed live on this page, at TechFieldDay.com, and at some delegate and presenter web sites. After the event, the following pages contain video recordings of these presentations.

Wednesday, Aug 6 10:00-12:00
Fluke Networks Presents at Wireless Field Day 7

Wednesday, Aug 6 13:30-15:30
AirTight Networks Presents at Wireless Field Day 7

Wednesday, Aug 6 16:00-18:00
Extreme Networks Presents at Wireless Field Day 7

Thursday, Aug 7 8:00-10:00
Avaya Presents at Wireless Field Day 7

Thursday, Aug 7 10:30-12:30
Aruba Networks Presents at Wireless Field Day 7

Thursday, Aug 7 14:30-16:30
WildPackets Presents at Wireless Field Day 7

Friday, Aug 8  9:30-11:30
Cisco Presents at Wireless Field Day 7

WFD#7 delegates 


Blake Krone @BlakeKrone

Blake Krone is Cisco CCIE Wireless and CWNA certified Wireless Network Architect with experience designing and deploying enterprise class networks supporting hundreds of APs and multiple controllers for Voice, Data, and RTLS.

Craig Schnarrs @The_WiFi_Guy

Craig Schnarrs is a senior wireless network operations engineer and WiFi blogger.

George Stefanick @WirelesssGuru

George Stefanick is a Wireless Architect employed by a large healthcare system in the Texas Medical Center.

Glenn Cate @GRCate

Glenn Cate is a senior IT analyst who is passionate about all things Wi-Fi!

Jake Snyder @JSnyder81

Jake is a Systems Engineer focused on designing and deploying wireless networks in the Pacific Northwest.

Jennifer Huber @JenniferLucille

Jennifer has over 10 years of experience in the networking and wireless engineering industry.

Keith R. Parsons @KeithRParsons

Keith is Managing Director of Wireless LAN Professionals, and focuses his energy on providing great WLAN education, design and consulting to global customers.

Lee Badman @WiredNot

Lee Badman currently writes for Network Computing Magazine as Wireless and Mobility blogger, and has over twelve years of professional industry analysis under his belt.

Peter Paul Engelen @PPJM_Engelen

Peter-Paul Engelen is a technical consultant with advanced (pre) sales experience and business development skills in multi-vendor Cloud-based (W)LAN and Wholesale ISP/Carriers.

Richard McIntosh @CiscoTophat

Network engineer at a higher education institute with a focus in wireless networking.

Sam Clements @Samuel_Clements

Sam Clements is an avid wireless technologist with a passion for all things mobility.

Stewart Goumans @WirelessStew

Stewart is a Mobility Consultant helping customers and fellow WiFi'ers with wireless design in Vancouver British Columbia, Canada

Buckle in and get your WiFi on!


Aruba AirWave - Wireless Field Day 4 #WFD4

The WFD#4 delegates were excited to have Aruba participate in WFD4. If you missed the presentation, no worries: the entire presentation was recorded and can be viewed at the below link.


I was one of the delegates. I walked away with a better appreciation of Aruba's management platform called AirWave. AirWave was an acquisition by Aruba back in 2008. You can read more about the purchase by viewing the below link. The value proposition for non Aruba infrastructure folks is AirWave’s vendor neutrality. Aruba calls it the multivendor management approach. Allowing real time visibility into wired and wireless infrastructures regardless of vendor gear.


The location tracking caught my attention. It's a very inexpensive solution which allows mobile client tracking without the use of expensive boxes or licenses *cough* Cisco MSE *cough*. Another takeaway is the open XML API, which allows integration with other applications so you can port the location data.

AirWave allows for wired switch monitoring. As a WiFi engineer who focuses primarily on WiFi, we all know that 802.11 frames will eventually hit the wired switch fabric. Having one software solution to monitor both my wireless and my wired switches is very appealing. It allows the WiFi engineer the ability to interact with just one console, instead of pulling in data from different sources, which is always a pain. 

AirWave also supports rogue AP detection, proactive alerts, historical reporting, client troubleshooting, floor plan maps and much much more.

You can learn more about Aruba AirWave here:




Peek inside Cisco's 802.11ac 3702i Access Point 

Cisco's latest 802.11ac offering, the 3702i (AIR-CAP3702i-A-K9) model access point


CSCui69732: Platinum 802.1p tagging defaulted to 5 after upgrade to



Platinum 802.1p tagging changed to 5


Platinum 802.1p tagged at 6 and upgrading to


Disable networks and change tagging back to 6


Cisco Appliance Light Path Diagnostics #ISE #NCS #PRIME 

My Cisco appliance was showing the amber color exclamation point. While I did the typical show and tech commands I could not find anything wrong with the box. I checked the Light Path Diagnostics on the appliance, it quickly pointed out a power supply problem. 



Figure 1-3 Light Path Diagnostics Panel



Figure 1-4 shows the LEDs and controls on the light path diagnostics panel.

Figure 1-4 Light Path Diagnostics Panel Components




Light Path Diagnostics Panel Components

Remind button: This button places the system-error LED on the front panel into Remind mode. In Remind mode, the system-error LED flashes once every 2 seconds until the problem is corrected, the NCS appliance is restarted, or a new problem occurs.

By placing the system-error LED indicator in Remind mode, you acknowledge that you are aware of the last failure but will not take immediate action to correct the problem.

NMI button: This button is used to force a nonmaskable interrupt to the microprocessor. This button is not currently used by the Cisco Prime Network Control System appliance. Press this button only when directed by the Cisco TAC personnel.

Checkpoint code display: This display provides a checkpoint code that indicates the point at which the system stopped during the boot block and POST. A checkpoint code is either a byte or a word value that is produced by UEFI. The display does not provide error codes or suggest components to be replaced.

Reset button: Press this button to reset the NCS appliance and run the power-on self-test (POST). You might have to use a pen or the end of a straightened paper clip to press the button. The Reset button is in the lower-right corner of the light path diagnostics panel.


Table 1-3 Light path diagnostics panel LEDs 

Follow the suggested actions in the order in which they are listed in the Action column until the problem is solved.

None, but the system error LED is lit.

An error occurred and cannot be isolated. The error is not represented by a path.

Contact Cisco TAC for assistance.


The power supplies are using more power than their maximum rating.

Contact Cisco TAC for assistance.


An error occurred.

Contact Cisco TAC for assistance.





Power supply 1 or 2 has failed.

1. Check the power supply that has a lit amber LED (see Power-supply LEDs).

2. Make sure that the power supplies are seated correctly.

3. Remove one of the power supplies to isolate the failed power supply.

4. Replace the failed power supply.


An error has occurred on a PCI bus or on the system board. An additional LED is lit next to a failing PCI slot.

Contact Cisco TAC for assistance.


A service processor error has been detected.

1. Shut down the system and remove the power cords from the NCS appliance; then, reconnect the NCS appliance to power and restart it.

2. If the problem does not go away, contact Cisco TAC for assistance.


A fan has failed, is operating too slowly, or has been removed. The TEMP LED might also be lit.

Contact Cisco TAC to replace your Cisco Prime Network Control System appliance and for further assistance.


The system temperature has exceeded a threshold level. A failing fan can cause the TEMP LED to be lit.

Contact Cisco TAC for assistance.


When only the MEM LED is lit, a memory error has occurred. When both the MEM and CNFG LEDs are lit, the memory configuration is invalid or the PCI Option ROM is out of resource.

Contact Cisco TAC for assistance.


A nonmaskable interrupt has occurred, or the NMI button was pressed.

Check the system-error log for information about the error.

Contact Cisco TAC if further assistance is needed.


A hardware configuration error has occurred.

Contact Cisco TAC for assistance.


An invalid microprocessor configuration or a microprocessor has failed (both the CPU LED and the CNFG LED might be lit).

Contact Cisco TAC for assistance.





A hard disk drive has failed or is missing.

1. Check the LEDs on the hard disk drives for the drive with a lit status LED and reseat the hard disk drive.

2. If reseating the drive does not resolve the issue, then the failed hard disk drive must be replaced. Contact Cisco TAC for assistance.





An error has occurred on the system board.

Contact Cisco TAC for assistance.


AirMagnet 802.11ac Beta - #WFD5

Time is running out. If you're an existing AirMagnet Survey PRO customer who is under Gold support and maintenance at this time, the beta will be available in the next 2-3 weeks. AirMagnet will contact you directly with more details.

Link to sign up 





Mark Your Calendars - Wireless Field Day 5 (Aug 7th-9th, 2013) #WFD5

I’m headed to WFD5 being held in San Jose, August 7th-9th. The sponsor lineup is one to get excited about! A total of 9 sponsors in all are presenting during this event. Of these, four sponsors are new to Wireless Field Day - AirTight, 7signal, Xirrus and Meru. We also have the return of past sponsors Fluke, Aerohive, Wildpackets, MetaGeek and Motorola.



As always the delegate gene pool is a who's who in wireless social blogging and subject matter experts in their own right. Each delegate brings their own level of experience to each event. This always makes for great conversation and sponsor interaction.




MetaGeek - 

I’m particularly interested in hearing about MetaGeek's integration with Cisco. MetaGeek demoed their WiSpy integration with Cisco Clean Air access points at Cisco Live. Interested in learning about the backend mechanics and added flexibility this new offering will bring. Hanging with the MetaGeek guys is always a blast. Good group of folks. My kind of people.

7Signal - 

Interested in hearing about their Sapphire solution and business model. They seem like an interesting company for network optimization. No prior experience with these folks so my ears are wide open! I want to hear about their healthcare optimization experience. Might be something I can leverage. 

AirTight -

I’ve had the opportunity to work with AirTight's offerings in the past. I found them to be highly competent. Most WiFi vendors today offer similar security solutions already built into their products. I want to hear how AirTight is positioning their value add to customers and their new cloud-based offering. I’m not a big overlay guy myself. Keeping my ears open.

Xirrus - 

I have no experience with Xirrus. Looking forward to meeting the Xirrus team and learning about their offerings. I’ve heard good things about their product line. Looking forward to some good take aways from the meeting.

Meru - 

Meru is the awkward kid on the bus. They do things differently and their solution is based around single channel architecture. I’m keeping an open mind and looking forward to meeting team Meru. 

Wildpackets -

Boy do I love me some Wildpackets. I can wrap up Jay and his team in one word, OUTSTANDING. When you meet a vendor that has equal or more passion about WiFi than you do, that is a vendor I want to do business with. Looking forward to the 11ac update and any new announcements that may be coming our way during the meeting.

Aerohive -

Nothing but love for my friends at Aerohive. They’re knocking down doors and making their presence known. Rightfully so, they have solid offerings and, as Devin always likes to mention, they're “controller LESS”. They have a WiFi team that is a who’s who. Collectively, outside of Aerohive, their team is responsible for the majority of 802.11 published material feeding the minds of WiFi engineers around the world. Looking forward to their presentation. When I return from WFD I have a scheduled POC using Aerohive's Branch Office product. Looking forward to it!

Fluke -

Not sure what Fluke will be presenting. Interested in learning about the AirMagnet 11ac road map. BTW did anyone get the AirCheck from the Aussie?

Motorola - 

The Motorola team had a solid presentation last WFD. Looking forward to the same this go around. 



Wednesday, Aug 7


Fluke Networks Presents at Wireless Field Day 5 

Wednesday, Aug 7


Aerohive Networks Presents at Wireless Field Day 5 

Wednesday, Aug 7


WildPackets Presents at Wireless Field Day 5

Thursday, Aug 8


AirTight Networks Presents at Wireless Field Day 5

Thursday, Aug 8


MetaGeek Presents at Wireless Field Day 5

Thursday, Aug 8


Motorola Solutions Presents at Wireless Field Day 5

Friday, Aug 9


7signal Presents at Wireless Field Day 5

Friday, Aug 9


Xirrus Presents at Wireless Field Day 5

Friday, Aug 9


Meru Networks Presents at Wireless Field Day 5


Want to follow along on Twitter ? 

Simply follow Twitter hash tag #WFD5 or follow the delegates. 


Do you have a question for a sponsor ? 

Post your question via Twitter with hash tag #WFD5 and one of the delegates will ask for you! 

What if I miss the event ? 

Gestalt IT has you covered. Each live event is recorded and posted shortly after the event for your later consumption. 


Your feedback was heard loud and clear ..  

PrimeImage Media who does an unbelievable job capturing the live dynamics of each Field Day event will be using a new Delegate Microphone System (DMS).  Now you'll be able to hear each delegate better than ever before. 



End-of-Sale and End-of-Life Announcement for the Cisco Identity Services Engine


Cisco announces the end-of-sale and end-of life dates for the Cisco Identity Services Engine. The last day to order the affected product(s) is December 24, 2013. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available under the terms and conditions of customers' service contract.


Table 1. End-of-Life Milestones and Dates for the Cisco Identity Services Engine





End-of-Life Announcement Date

The date the document that announces the end of sale and end of life of a product is distributed to the general public.

June 25, 2013

End-of-Sale Date

The last date to order the product through Cisco point-of-sale mechanisms. The product is no longer for sale after this date.

December 24, 2013

Last Ship Date:

The last-possible ship date that can be requested of Cisco and/or its contract manufacturers. Actual ship date is dependent on lead time.

March 24, 2014

End of Routine Failure Analysis Date:

The last-possible date a routine failure analysis may be performed to determine the cause of hardware product failure or defect.

December 24, 2014

End of New Service Attachment Date:

For equipment and software that is not covered by a service-and-support contract, this is the last date to order a new service-and-support contract or add the equipment and/or software to an existing service-and-support contract.

December 24, 2014

End of Service Contract Renewal Date:

The last date to extend or renew a service contract for the product.

March 21, 2018

Last Date of Support:

The last date to receive applicable service and support for the product as entitled by active service contracts or by warranty terms and conditions. After this date, all support services for the product are unavailable, and the product becomes obsolete.

December 31, 2018



HW = Hardware OS SW = Operating System Software App. SW = Application Software

Table 2. Product Part Numbers Affected by This Announcement

End-of-Sale Product Part Number

Product Description

Replacement Product Part Number

Replacement Product Description

Additional Information


Cisco Identity Services Engine 3315 Hardware Appliance


Small Secure Network Server for ISE, NAC, & ACS Applications



Cisco Identity Services Engine 3315 Appliance Migration SKU


SNS 3415 Migration Server: Loaded with ISE Software



Cisco Identity Services Engine 3355 Hardware Appliance


Large Secure Server for ISE and NAC Applications



Cisco Identity Services Engine 3355 Appliance Migration SKU


SNS 3495 Migration Server: Loaded with ISE Software



Cisco Identity Services Engine 3395 Hardware Appliance


Large Secure Server for ISE and NAC Applications



Cisco Identity Services Engine 3395 Appliance Migration SKU


SNS 3495 Migration Server: Loaded with ISE Software




Cisco 802.11ac Certified by the Wi-Fi Alliance 

Cisco's 3602 and the RM3000 AC Module certified by the Wi-Fi Alliance! 

Read about it here ... 



Aruba 802.11ac Announcement 


Since the very beginning WiFi clients have been a challenge and they still are today. There is no standard for WiFi client vendors to follow. Vendors implement their own roaming algorithm (triggers), interpret their own signal, SNR and noise levels. Vendors almost never publish these triggers. In the industry we call this “vendor client secret sauce”. I blogged about this very subject on Aruba AirHeads forum. 


Aruba introduced ClientMatch, an innovative way of managing clients. Aruba believes their approach to client management is unique. So unique that Aruba has filed a patent, US20130036188. Aruba takes an active approach steering clients to access points.

Chris Lyttle @ WiFi Kiwi did an exceptional job outlining Aruba’s ClientMatch. Pay close attention to the blog responses.


You can see more from Aruba about ClientMatch here



My take on ClientMatch: client steering isn’t at all new. Typically vendors will direct clients with reason code 17, or manage clients by ignoring probe requests on a specific radio to trick the client into going where the WiFi network thinks is best. These are more active approaches, meaning a client must interact: do THIS and the WiFi network will do THAT. Aruba’s system appears to be more proactive in nature.

Aruba Access Point Model - AP-220

I couldn’t believe my eyes and ears when I saw and heard that the new Aruba 802.11ac access point is VENT FREE. Finally, Aruba got the memo, and environmental departments in healthcare systems around the world are rejoicing! You have no idea how many times the subject of Aruba access points and open vents has come up in discussion in healthcare opportunities. Cleaning a vented access point presents challenges, of course.

The AP-220 packs a punch of sheer speed and throughput. It’s also the best looking access point in the Aruba access point stable. 

Another interesting approach is the dual GIG NIC. Not sure how this will be accepted when it's deployed. It’s not typical to pull 2 cables per access point. There will be obvious needs for extra wired-side bandwidth options. Makes me wonder why they can't tap a 10 GIG port on the back of the AP?

802.11ac Pros / Cons (Voodoo)

The next generation wireless is not without its challenges. These challenges are industry wide and every vendor will have the burden of educating customers on proper design and deployment. Expect to see design and deployment documents released or updated specific for 802.11ac best practices.  

Customers looking at 802.11ac need to have a firm understanding of the technology and how to properly deploy it. For customers who don't, 802.11ac could hinder their wireless network.

80/160 MHz channels

The 802.11n standard introduced channel bonding for the first time. It lets us take two neighboring 20 MHz channels and bond them together into a single 40 MHz channel, allowing higher speed and throughput from improvements in the PHY and MAC and the extra RF real estate. 802.11n also introduced a new level of troubleshooting. The frame structure is different and requires knowledge to interpret the traffic. Analysis tools and hardware require updating to read 802.11n traffic.

802.11ac will be no different. You will need to update your tool box, brush up on 802.11ac frame structure. Test, lab and practice.

The issue is 80/160 MHz bonding. Aruba hasn't addressed how to deploy this monster. For that matter, Cisco hasn't either. The 5 GHz medium is known for its 24 non-overlapping channels. Some customers only deploy UNII1 and UNII3 to avoid DFS (802.11h). This could present challenges for these folks.

Your deployment strategy of 802.11ac needs to be defined and deployed in areas to meet specific bandwidth, throughput, density, application or business needs. Proceed with caution and consult an expert before deploying 802.11ac. 
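The effect of skipping the DFS bands on wide channels, worked through as an added example (not from the original post or from either vendor). It assumes the US 24-channel plan without channel 144 and the fixed 802.11ac bonded-block boundaries; the names `BANDS`, `BLOCK_STARTS` and `usable_blocks` are this example's own.

```python
# 20 MHz channels per band: the 24-channel plan mentioned above
# (assumption: US allocation, channel 144 not available).
BANDS = {
    "UNII-1": [36, 40, 44, 48],
    "UNII-2": [52, 56, 60, 64],
    "UNII-2e": [100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140],
    "UNII-3": [149, 153, 157, 161, 165],
}
DFS_BANDS = {"UNII-2", "UNII-2e"}  # bands that require DFS (802.11h)

# Bonded channels sit on fixed boundaries; each entry is the lowest
# 20 MHz channel of a block of that width.
BLOCK_STARTS = {
    40: [36, 44, 52, 60, 100, 108, 116, 124, 132, 140, 149, 157],
    80: [36, 52, 100, 116, 132, 149],
    160: [36, 100],
}


def usable_blocks(width_mhz, allow_dfs=True):
    """Return the blocks of width_mhz whose 20 MHz members are all allowed."""
    allowed = {
        ch
        for band, chans in BANDS.items()
        if allow_dfs or band not in DFS_BANDS
        for ch in chans
    }
    if width_mhz == 20:
        return [[ch] for ch in sorted(allowed)]
    blocks = []
    for start in BLOCK_STARTS[width_mhz]:
        members = [start + 4 * i for i in range(width_mhz // 20)]
        # A block is usable only if every 20 MHz member is in the plan.
        if all(ch in allowed for ch in members):
            blocks.append(members)
    return blocks


if __name__ == "__main__":
    for width in (20, 40, 80, 160):
        print(width, "MHz:", len(usable_blocks(width)), "with DFS,",
              len(usable_blocks(width, allow_dfs=False)), "UNII-1/UNII-3 only")
```

Under these assumptions a UNII-1/UNII-3-only design is left with two 80 MHz channels and no 160 MHz channel at all.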

Wave 1 / Wave 2

Wave 1 will support SU-MIMO. (SU) stands for SINGLE USER. This simply means that wave 1 technology will support sending multiple streams of data from an access point with multiple antennas downstream to a client at a high rate of speed.

Wave 2 will support MU-MIMO. (MU) stands for MULTI USER. This simply means that wave 2 technology will support sending multiple streams of data from an access point with multiple antennas downstream to multiple clients at a high rate of speed to give a “full duplex” like experience.

Wave 1 hardware is not upgradeable to Wave 2. 

Client Support 

Like all previous 802.11 advancements, client support seems to be spotty the first year or so, till vendors iron out the bugs and settle in.

Legacy Devices

Once 802.11ac is deployed, how will legacy devices react to the 802.11ac IE? There could be a percentage of clients in your enterprise who may have issues. Know your network and benchmark your clients. Keep a close eye on your legacy clients.

802.11ac Frame Analysis

Get up to speed on capturing 802.11ac frames


Did you miss the announcement?

No worries. Tech Field Day covered the event live. Check out the link below


Tech Field Day Delegates Blog Post 

Daniel Raaaaaaar! Cybulskie

Jennifer Huber

Chris Lyttle





Cisco client debug - 802.11 Association Status Code 

When you enable client debug you can be hit with a ton of information. One of the things I look at is the 802.11 association status code. The status code is very telling. It can provide information about your client and if there is a connection issue. Another tool to add to your bag of tricks. 

Let's take a peek at a debug log:

*apfMsConnTask_0: May 11 23:31:21.186: b4:f0:ab:e3:19:6a 8021X_REQD (3) DHCP Not required on AP 08:1f:f3:e1:8f:c0 vapId 4 apVapId 4for this client

*apfMsConnTask_0: May 11 23:31:21.186: b4:f0:ab:e3:19:6a Not Using WMM Compliance code qosCap 00

*apfMsConnTask_0: May 11 23:31:21.186: b4:f0:ab:e3:19:6a 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 08:1f:f3:e1:8f:c0 vapId 4 apVapId 4

*apfMsConnTask_0: May 11 23:31:21.186: b4:f0:ab:e3:19:6a apfMsAssoStateInc

*apfMsConnTask_0: May 11 23:31:21.186: b4:f0:ab:e3:19:6a apfPemAddUser2 (apf_policy.c:223) Changing state for mobile b4:f0:ab:e3:19:6a on AP 08:1f:f3:e1:8f:c0 from Idle to Associated

*apfMsConnTask_0: May 11 23:31:21.186: b4:f0:ab:e3:19:6a Stopping deletion of Mobile Station: (callerId: 48)

*apfMsConnTask_0: May 11 23:31:21.186: b4:f0:ab:e3:19:6a Sending Assoc Response to station on BSSID 08:1f:f3:e1:8f:c0 (status 0) ApVapId 4 Slot 0

*apfMsConnTask_0: May 11 23:31:21.186: b4:f0:ab:e3:19:6a apfProcessAssocReq (apf_80211.c:5272) Changing state for mobile b4:f0:ab:e3:19:6a on AP 08:1f:f3:e1:8f:c0 from Associated to Associated


Our debug shows a status code of 0. Referencing our chart below we will find our association was a success. 

802.11 Association Status Codes



| Code | 802.11 definition | Explanation |
|---|---|---|
| 0 | Successful |  |
| 1 | Unspecified failure | For example: when there is no SSID specified in an association request |
| 10 | Cannot support all requested capabilities in the Capability Information field | Example Test: Reject when privacy bit is set for WLAN not requiring security |
| 11 | Reassociation denied due to inability to confirm that association exists | NOT SUPPORTED |
| 12 | Association denied due to reason outside the scope of this standard | Example: When controller receives assoc from an unknown or disabled SSID |
| 13 | Responding station does not support the specified authentication algorithm | For example, MFP is disabled but was requested by the client. |
| 14 | Received an Authentication frame with authentication transaction sequence number out of expected sequence | If the authentication sequence number is not correct. |
|  | Authentication rejected because of challenge failure |  |
| 16 | Authentication rejected due to timeout waiting for next frame in sequence |  |
| 17 | Association denied because AP is unable to handle additional associated stations | Will happen if you run out of AIDs on the AP; so try associating a large number of stations. |
| 18 | Association denied due to requesting station not supporting all of the data rates in the BSSBasicRateSet parameter | Will happen if the rates in the assoc request are not in the BasicRateSet in the beacon. |
| 19 | Association denied due to requesting station not supporting the short preamble |  |
| 20 | Association denied due to requesting station not supporting the PBCC modulation |  |
| 21 | Association denied due to requesting station not supporting the Channel Agility |  |
| 22 | Association request rejected because Spectrum Management capability is required | NOT SUPPORTED |
| 23 | Association request rejected because the information in the Power Capability element is unacceptable |  |
| 24 | Association request rejected because the information in the Supported Channels element is unacceptable |  |
| 25 | Association denied due to requesting station not supporting the Short Slot Time |  |
| 26 | Association denied due to requesting station not supporting the DSSS-OFDM option | NOT SUPPORTED |
| 27-31 | Reserved | NOT SUPPORTED |
| 32 | Unspecified, QoS-related failure | NOT SUPPORTED |
| 33 | Association denied because QAP has insufficient bandwidth to handle another |  |
| 34 | Association denied due to excessive frame loss rates and/or poor conditions on current operating channel |  |
| 35 | Association (with QBSS) denied because the requesting STA does not support the QoS facility | If the WMM is required by the WLAN and the client is not capable of it, the association will get rejected. |
| 36 | Reserved in 802.11 | This is used in our code! There is no blackbox test for this status code. |
| 37 | The request has been declined | This is not used in assoc response; ignore |
| 38 | The request has not been successful as one or more parameters have invalid values | NOT SUPPORTED |
| 39 | The TS has not been created because the request cannot be honored; however, a suggested TSPEC is provided so that the initiating QSTA may attempt to set another TS with the suggested changes to the TSPEC |  |
| 40 | Invalid information element, i.e., an information element defined in this standard for which the content does not meet the specifications in Clause 7 | Sent when Aironet IE is not present for a CKIP WLAN |
| 41 | Invalid group cipher | Used when received unsupported Multicast 802.11i OUI Code |
| 42 | Invalid pairwise cipher |  |
| 43 | Invalid AKMP |  |
| 44 | Unsupported RSN information element version | If you put anything but version value of 1, you will see this code. |
| 45 | Invalid RSN information element capabilities | If WPA/RSN IE is malformed, such as incorrect length etc, you will see this code. |
| 46 | Cipher suite rejected because of security policy | NOT SUPPORTED |
| 47 | The TS has not been created; however, the HC may be capable of creating a TS, in response to a request, after the time indicated in the TS Delay element |  |
| 48 | Direct link is not allowed in the BSS by policy | NOT SUPPORTED |
| 49 | Destination STA is not present within this QBSS | NOT SUPPORTED |
| 50 | The Destination STA is not a QSTA | NOT SUPPORTED |
| 51 | Association denied because the ListenInterval is too large | NOT SUPPORTED |
|  | Unspecified, QoS-related failure. Not defined in IEEE, defined in CCXv4 | Unspecified QoS Failure. This will happen if the Assoc request contains more than one TSPEC for the same AC. |
|  | TSPEC request refused due to AP’s policy configuration (e.g., AP is configured to deny all TSPEC requests on this SSID). A TSPEC will not be suggested by the AP for this reason code. Not defined in IEEE, defined in CCXv4 | This will happen if a TSPEC comes to a WLAN which has lower priority than the WLAN priority settings. For example a Voice TSPEC coming to a Silver WLAN. Only applies to CCXv4 clients. |
|  | Association Denied due to AP having insufficient bandwidth to handle a new TS. This cause code will be useful while roaming only. Not defined in IEEE, defined in CCXv4 |  |
|  | Invalid Parameters. The request has not been successful as one or more TSPEC parameters in the request have invalid values. A TSPEC SHALL be present in the response as a suggestion. Not defined in IEEE, defined in CCXv4 | This happens in cases such as PHY rate mismatch. If the TSRS IE contains a phy rate not supported by the controller, for example. Other examples include sending a TSPEC with bad parameters, such as sending a data rate of 85K for a narrowband TSPEC. |
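One way to pull the association status code out of a saved client debug and look it up against the chart, as an added example (not part of the original post and not Cisco code). `STATUS_CODES` is a subset of the chart, the function names are this example's own, and the rejected-association lines are constructed on the assumption that they are logged in the same format as the status 0 line above.

```python
import re
from collections import Counter

# Subset of the status-code chart from this post (code -> 802.11 definition).
STATUS_CODES = {
    0: "Successful",
    1: "Unspecified failure",
    12: "Association denied due to reason outside the scope of this standard",
    17: "Association denied because AP is unable to handle additional associated stations",
    35: "Association (with QBSS) denied because the requesting STA does not support the QoS facility",
    41: "Invalid group cipher",
    42: "Invalid pairwise cipher",
    43: "Invalid AKMP",
}

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ASSOC_RE = re.compile(
    rf"^\*\S+: (?P<ts>\w{{3}} +\d+ [\d:.]+): (?P<client>{MAC}) "
    rf"Sending Assoc Response to station on BSSID (?P<bssid>{MAC}) "
    r"\(status (?P<status>\d+)\)",
    re.IGNORECASE,
)

def parse_assoc_responses(lines):
    """Yield one dict per 'Sending Assoc Response' line; skip other debug output."""
    for line in lines:
        m = ASSOC_RE.match(line.strip())
        if m:
            code = int(m["status"])
            yield {"ts": m["ts"], "client": m["client"].lower(),
                   "bssid": m["bssid"].lower(), "status": code,
                   "meaning": STATUS_CODES.get(code, "not in STATUS_CODES subset")}

def failures_by_client(lines):
    """Count rejected associations (non-zero status) per (client, status)."""
    return Counter((r["client"], r["status"])
                   for r in parse_assoc_responses(lines) if r["status"] != 0)

# First two lines are from the debug above; the last three are constructed.
SAMPLE = [
    "*apfMsConnTask_0: May 11 23:31:21.186: b4:f0:ab:e3:19:6a apfMsAssoStateInc",
    "*apfMsConnTask_0: May 11 23:31:21.186: b4:f0:ab:e3:19:6a Sending Assoc Response to station on BSSID 08:1f:f3:e1:8f:c0 (status 0) ApVapId 4 Slot 0",
    "*apfMsConnTask_0: May 11 23:32:02.410: aa:bb:cc:00:00:01 Sending Assoc Response to station on BSSID 08:1f:f3:e1:8f:c0 (status 17) ApVapId 4 Slot 0",
    "*apfMsConnTask_0: May 11 23:32:05.977: aa:bb:cc:00:00:01 Sending Assoc Response to station on BSSID 08:1f:f3:e1:8f:c0 (status 17) ApVapId 4 Slot 0",
    "*apfMsConnTask_0: May 11 23:33:40.020: AA:BB:CC:00:00:02 Sending Assoc Response to station on BSSID 08:1f:f3:e1:8f:c0 (status 35) ApVapId 4 Slot 0",
]

if __name__ == "__main__":
    for (client, code), n in failures_by_client(SAMPLE).items():
        print(f"{client} status {code} x{n}: {STATUS_CODES.get(code, 'unknown')}")
```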

Aruba 802.11ac coverage tomorrow @ 10:00 PDT! Follow on Twitter #11ac

Aruba Networks will be announcing their 802.11ac (wave 1) offering next week 5.21.2013 @ 10:00 PDT.

This is an exciting time for Aruba Networks. Aruba's been pretty tight-lipped about their 802.11ac access point up to this point. At the last Tech Field Day the delegates, myself included, received a sneak peek of Aruba's new flagship offering. I am looking forward to this live event to hear exactly what Aruba's deployment strategy and marketing approach are and, more importantly, how Aruba's 802.11ac will operate in the enterprise.



Join us for an in-depth 802.11ac discussion live on Twitter hash tag #11ac

Questions that will be covered #11ac 

1. Higher data rates, better access point reliability: How important are these and other 802.11ac features to your organization?

2. What are the use cases for 802.11ac in your organization - e.g. video over Wi-Fi?

3. In your organization, what issues will be solved or addressed by the 802.11ac standard?

4. When are you planning to invest in the 802.11ac technology?

5. What's your WLAN deployment strategy with 802.11ac - e.g. only deploy in high density areas?

Tech Field Day event schedule


10:00 am PDT Aruba 802.11ac Announcement with Keerti Melkote, Aruba CTO and Founder

10:45 am Microsoft Lync over 802.11ac Wi-Fi with Pascal Menezes, Sr. Program Manager at Microsoft

11:45 am Tech Field Day 802.11ac Roundtable

2:00 pm Designing Wi-Fi for Voice & Video with Mike Kail, Netflix VP of IT

3:00 pm Next-gen Access Network Design with Arun Kanchi, Exafort CEO



WLC: AP Managers Are Pingable - 7.x onwards

Since the very beginning, the AP manager on a Cisco WLC would never respond to pings. Well, that has all changed if you use LAG and an AP manager with 7.x code!

I like how Cisco hides little nuggets in their documentation. It states that, in LAG mode, the management and AP manager interfaces use the same base LAG MAC address.


Note With the 7.0 release onwards, the MAC address of the management interface and the AP-manager interface is the same as the base LAG MAC address.


With a show ARP on the distribution switch, you can see the MAC is identical for both the management interface and the AP manager.


This was tested on 4402, 4404 and 5508 model controllers.

AP manager(s) aren't needed with a 5508.

This only applies to a WLC in LAG mode w/ AP Manager

Additional Reading Material: