  • CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
    by David D. Coleman, David A. Westcott, Bryan E. Harkins, Shawn M. Jackman

    Shawn Jackman (Jack) CWNE#54 is a personal friend and has been a mentor to me for many years.  I've had the pleasure and opportunity to work with Jack for 4 years. Jack is a great teacher who takes complex 802.11 standards and breaks them down so almost anyone can understand the concept at hand. I'm excited for you brother. Great job and job well done! Put another notch in the belt!

End-of-Sale and End-of-Life Announcement for the Cisco Wireless Services Module 2 (WiSM2)

Cisco announces the end-of-sale and end-of-life dates for the Cisco Wireless Services Module 2 (WiSM2). The last day to order the affected product(s) is April 10, 2017. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available under the terms and conditions of customers' service contract.



End-of-Sale and End-of-Life Announcement for the Cisco Flex 7510 Wireless Controller

Cisco announces the end-of-sale and end-of-life dates for the Cisco Flex 7510 Wireless Controller. The last day to order the affected product(s) is April 10, 2017. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available under the terms and conditions of customers' service contract.




NETSCOUT AirCheck G2 v1.1 Introduces #13 New Features 

NETSCOUT’s AirCheck G2 is far and beyond the best tool I have in my wireless tool bag, and it just got a whole lot better with this latest release. As an early beta tester I was excited to get my hands on this device. A fan of the original AirCheck, the AirCheck G2 raised the bar with added features and touch screen.

Since getting my hands on the AirCheck G2 I’ve had it in some of the most challenging environments you will find on earth to do WiFi.

As I mentioned, the G2 just got a whole lot better this week with release v1.1. NETSCOUT introduced 13 new features. Sit back because there is a lot more goodness to come!

My top 3 favorite new features:

#1 Emulate user device received signal levels with custom signal level adjustments.

#3 Focus your testing by selecting which channels to scan.

#9 A Show vs. Exclude option is added for SSID Filtering, so you can view all SSIDs except the ones you specify, or view only the ones you specify.

New Features   

#1 Emulate user device received signal levels with custom signal level adjustments.

  • Settings >> 802.11 Settings >> Custom Signal Adjustments
  • Adjustments will apply to signal levels but not to noise and SNR levels.
  • Adjustments are applied everywhere except the Locate Access Point / Locate Client screens.
  • Adjusted signal levels are shown with an * indicator: 


#2 Aruba access point names advertised in the beacons are now shown.

#3 Focus your testing by selecting which channels to scan.

  • Settings >> 802.11 Settings >> Channels and Bands
  • AutoTest will still scan all channels in 2.4GHz so that the Adjacent Channel Interference Test will be accurate. However, only channels selected for scanning will be listed in CCI and ACI results.
  • If you view channel details for a channel that is not selected for scan, AirCheck G2 will still dwell on that channel while on the channel details screen.


#4 Access Point basic and extended supported rates are shown to identify mis-configurations that result in slow performance (Max 11n/ac rates are still shown under 802.11n/ac Capabilities as in v1.0). 

#5 AutoTest Co-Channel Interference and Adjacent Channel Interference tests: view the actual APs that were counted on each channel by touching that result. 


#6 Retry rate, a critical key performance indicator, is added to the Network and Access Point connection tests.

#7 Support for a USB headset for use in the Locate Access Point or Client audio function. These models have been tested:

  • Logitech ClearChat Comfort/USB Headset H390
  • Koss Communications USB Headset CS95-USB
  • iMicro IM320 USB Headset
  • Microsoft LifeChat LX-4000 for Business
  • Plantronics Blackwire C320-M


#8 Session and screen capture files can now be saved directly to a USB drive.

  • Settings >> Manage Files. “Save to USB” button is at the bottom.
  • FAT32 file format is supported. exFAT or NTFS file formats are not supported. 


#9 A Show vs. Exclude option is added for SSID Filtering, so you can view all SSIDs except the ones you specify, or view only the ones you specify.


  • Settings >> 802.11 Settings >> SSID Filter

#10 Touch the Profile name in the display’s status bar to go right to the Profile settings. 

#11 A web proxy to facilitate Link-Live uploads of test results is added.

  •  Settings >> Device Settings >> Link-Live 

#12 AirCheck G2 Manager Reports are now localized in 9 different languages.

#13 When in AirCheck G2 Manager with an AirCheck G2 connected, if you drag one or more profiles from Local Profiles to AirCheck G2 Profiles, the profile that will come up in the AirCheck G2 when it reboots is indicated with a green star. 


End-of-Sale and End-of-Life Announcement for the Cisco Unified Wireless IP Phones 7925G, 7925G-EX, and 7926G

Cisco announces the EOS and EOL for the Cisco Wireless handsets 7925G, 7925G-EX, and 7926G. The replacement handset is the Cisco 8821. For customers looking for a 7926G scanner replacement, Cisco recommends the Spectralink PIVOT:SC 8744.


Cisco Wireless IP Phone 8821 Data Sheet





Cisco Wireless IP Phone 8821-EX Data Sheet





Spectralink PIVOT:SC 8744



Cisco announces the end-of-sale and end-of-life dates for the Cisco Unified Wireless IP Phones 7925G, 7925G-EX, and 7926G. The last day to order the affected product(s) is October 15, 2016. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available under the terms and conditions of customers' service contract.


Read the official EOS and EOL:





Apple iOS 10 Beta Sysdiagnose Logging

If you blinked you might have missed Apple’s mention of the new Sysdiagnose logging. While little is known to the general public, there is hope it might include Wi-Fi logs for network troubleshooting and diagnostics. 

WWDC session: Unified Logging and Activity Tracking, Friday 7:00-7:40 pm - 41:00 minute mark.





Microsoft changes go into effect which affect the ability to run older versions of AnyConnect on Windows platforms

Important reminder – Deadline January 1 2017
Microsoft changes go into effect which affect the ability to run older versions of AnyConnect on Windows platforms (pre 3.1MR13 or 4.2MR1)

As an important reminder, due to Microsoft code signing changes, old versions of AnyConnect (pre 3.1MR13 or 4.2MR1) will no longer run on Windows platforms as of 1/1/2017. While Cisco always recommends running current versions of AnyConnect for the most recent bug fixes, it is critical that customers upgrade any Windows users prior to this date in order for AnyConnect to still be able to run on those systems.

We always recommend the latest version of AnyConnect (4.x) at the time of updating, which today would be 4.3 or the latest 4.2 MR.

3.1MR14 is currently available for customers and is unaffected by this deadline, but the 3.x release train is no longer eligible for bug fixes.

Customers must have a Plus, Apex or VPN Only license with an active support contract in order to access 4.x software releases.


Release Notes: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect43/release/notes/b_Release_Notes_AnyConnect_4_3.html#reference_AA75AD8674C4409DBA57F2EBD9CAE3BB

Code Signing Certificates: "Windows will no longer trust files with the Mark of the Web attribute that are signed with a SHA-1 code signing certificate and are timestamped after 1/1/2016." Refer to the Microsoft documentation for more details.


Cisco WLC Release 8.2.111.x Beta

8.2MR2 (Future is now available for beta testing. 

The planned CCO release is July

If you are interested in participating in the beta program, please send an email to wnbu-mrbeta@external.cisco.com with your CCO username and expected tests/network size. Thanks!


Resolved Caveats -

  • PMIPv6: MAG delivering multiple DNS servers to clients
  • Controller GUI shows AP's NAT IP instead of private
  • Ct5508 crashed while disabling Mobility oracle.
  • 8510 WLC crash while accessing the controller crash file info thro GUI
  • Reaper Reset: Task "SNMPTask" missed software watchdog
  • Debugging logging quickly falls behind real-time
  • Threshold MIBs incorrectly set for WSSI modules.
  • AP1530 WGB Drops Tx used w/ other 1530 WGB in same MAC address range
  • Mesh instability with fast-convergence when RF link is unstable
  • 8510 WLC crash in radiusTransportThread system task
  • WLC per-WLAN client traffic stats accuracy enhancements
  • Issue with SNMP GetBulk request - cLAPGroupsHyperlocationEnable
  • Token Bucket leak with QoS Roles and with WebAuth on
  • CoA with wlc shows error message on ISE server
  • WLC and AP out of SYNC for Client Exclusion List
  • AP3500 crashed due to "LWAPP CLIENT" process.
  • CSCux47470 controller crash at openssl_cert_hash_algo_check_callback
  • Memory leak observerd in EOGRE SNMP task
  • With New Mobility - Mobility Members Don't survive reload
  • Radius interface overwrite does not work when chosing "ap group" intf
  • ATF : Globally configured mode not applied to newly joined APs
  • No.of Interim Update Sent field is not flushing
  • Wism2 Silent crash PMALLOC_DOUBLE_FREE on MR3
  • MAG w/PMIPv6 does not assign secondary DNS to clients via DHCP
  • Mismatch AP count and unable to add more APs to WLC
  • WLC crashes in Process Bonjour_Process_Task
  • Memory Allocation problem with SAP1602
  • BGL-Alpha: "lbs-ssc" &" sha256-lbs-ssc" missing in WLC web UI
  • FATAL: Couldnt Send message out prints on 5500/7500 standby console
  • Rogue containment not starting if no client info on best RSSI AP
  • AIR-CAP2702 with WLC 8.2 doesnt allow HTTPS client access
  • Anomalous Fan Speed/Temp reading for 8540
  • ATF : User allowed to configure ATF on 1600 unsupported platform
  • AIR-CAP2602I crash on dot11_pmkid_timeout
  • HA Config Sync failed
  • Halo module doesn't work with RxSOP after image upgrade/dowgrade
  • Client detail table view miss alignment for a single client in bar graph
  • upport of 3G/4G module on 3600E/3700E APs
  • intf nasid given priority over wlan nasid in default Ap group
  • AP send disassociation frames twice and Optimized roaming go wrong
  • WLC crash running at task apfRogueTask_1
  • 5520 / 8540 Crash in Reaper Reset: Task "apfReceiveTask"
  • Containment to choose AP based on rogue client detected as well as RSSI
  • DFS scan causes beacon transmission to be stuck on AP
  • Client leak at anchor controller
  • Telnet/ssh config for AP is not retaining after upload/download config
  • Data Plane crash - cvmcs_StaToDS
  • Acct commands send inconsistently to TACACS server for rapid commands
  • Time sync failure for mmMsg_HandoffComplete on MC not printed on debugs
  • CWA broken in beta image
  • 3700/2700 on DFS dont see 3700/2700 as neighbor when Rxsop High/Med/Low
  • 802.1x frames are not marked with DSCP CS4
  • Traceback apf_site_override.c:2888 Invalid value 0 for WLAN
  • Webauth acl is not pushed from flexgroup when a new wlan is added to AP
  • Flex Data DTLS enabled AP gets stranded with WAN link flap
  • mobility express CORSICA: client not authenticated from 802.1x,wep)
  • BCAST Queue full causing Clients to stay Multicast-direct Pending status
  • Local Profiling Not Sorting Correctly, not corrected on 8.0.132
  • Mem corruption on GUI crash related to hreap avc group page
  • Anchor WLC does not free Client Sessions - client entries stale
  • ATF config not applied when no AP joined on controller
  • SHA256 self-signed cert for WLC web admin
  • WLAN-VLAN Mapping incorrect when AP moves across AP-Groups of diff WLANs
  • Evaluation of wlc for OpenSSL May 2016
  • Client reassoc not happening when central dhcp enabled
  • Enabling radio after disable/enable admin status,ifno channels available
  • SNMP AP3800:Clean air on xor radio is not functioning properly
  • AP3800 SNMP: Need errors for Channel Settings
  • AP3800 FRA configurations not retained in HA setup
  • WLC is dropping data packets in Hybrid VoWiFi setup
  • mDNS snooping drops IPv6 mDNS traffic
  • WLC crash due to software watchdog for apfMsConnTask_0
  • NOS: bsnAPIfTable has NULL entries
  • Flex local auth: 11n clients showing as 11ac
  • AP3800: XOR Microcell stuck on max power
  • AP3800: WLC crash while executing XOR radio commands
  • 8500 wlc crash when starting 11v dms on sim clients
  • AP3800: FRA COF Metrics shows stale value for disabled Radios
  • 1852 AP EAP-TLS client authentication fails
  • Spartan:2.4G data not shown for AP-Ch.Util,AP-Dist by SS,AP-Model Distr
  • AP3800: client network preference default is not default
  • WLC login banner does not show up on GUI. When using CLI it works fine.
  • AP3800: Issue setting channel for XOR radio in sniffer mode
  • SNMP:Radio Mode Trap generated when admin status changed for xor
  • WiSM2 crash in ewaFormServe_multicast_detail
  • 8510 silent crash
  • AP3800: Beacons stuck seen in radio 0 & 1
  • 1msec delay in processing IGMP packets causing Bcast queue to remain ful
  • RRM doesn't change channel for mesh APs in 8.1 and 8.2
  • 5508 HA SSO crash on SNMPTask
  • WLC crashes with task:emweb on changing wlan config
  • BVI interface is down with latest recovery image
  • 1852 Reject clients association due to "suppRates statusCode is 18"
  • Ap-list new mobility packets flooding between AirOS WLC
  • AP3800 CCO image "show inventory" displays incorrect SN & VID format
  • Client capabilities shown as 160 MHZ even client is not 160MHZ
  • 3802 : DSCP marked as 0 in capwap header with CAC config
  • Unable to view the client details by clicking on connection rate
  • AP3800: 160 Mhz throws SNMP error
  • No netflow records exported for anchored client in Auto Anchor Scenario
  • SNMP get on device for table cld11nMcsTable returns only 24 indices
  • DHCP_OPTION_43 functionality broken in AP3800 AP
  • Unable to handle kernel NULL ptr dereference at virtual addr 00000004
  • 1800 AP crashed - apsw_watchdog about to reboot with reason: capwapd
  • 2800/3800/1800 'show ap summary' displays wrong ip for static ip config
  • 5520 or 8540 may have no Manufacturing Installed Certificates
  • 2800/3800 Cmd timeout, RX Hang seen
  • 2800/3800 DP ERR>22>mv_dp_msg_check_rx:1747>FW Failure Status for opcode:7...
  • AP 3600+11ac module crash on memory corruption for 8.2
  • 2800/3800/1800 DHCP_OPTION_43 messages not seen on AP console
  • 3802 AP fails to join the WLC after capwap restart
  • 2800/3800/1800 ERROR:receiveWlanMsg(): mgmt subtype:0xf len:1423 - dropped event
  • 5520 Mem Leak %APF-3-LIST_ERR: avc_api.c No entry available in table
  • WLC ssh host-key generate command not having an effect
  • 2800/3800- Macbook is sometimes using 2SS rate on uplink
  • 3802 AP - cmd_to off channel stuck Tx FSM is not Idle & TCQ Verify zero
  • 2800/3800 -Clients are deauthenticating with EAPOL bcast interval expiry
  • 1800 capwap local bcast discovery stops working on upgrade to
  • 2800/3800 Sniffer Mode set on XOR Band fails
  • 2800/3800/1800 Rx hang detection resulting in multiple radio resets & reboot


Prime AP Migration Tool - Part 3

In the third part of our series of articles on how to seamlessly upgrade your Cisco WLC infrastructure, we'll examine the important things to think about: the caveats, hints and tips for a smooth upgrade.

If you've not seen the other two articles in this series, you can catch up with the two links below:


Caveats, Hints and Tips 

A code upgrade is a MAJOR change in any wireless network. The following notes have been collated on the back of real world experience upgrading large sites with thousands of APs. You must work VERY cautiously on a large or critical site upgrade.


1. Firstly, and most importantly – save and BACK UP the config on your WLC prior to starting any major work.

2. Take care if you have a Primary and Secondary WLC already allocated for your APs – the IPTel script will overwrite this. Run some tests prior to undertaking any changes to confirm if the script works as you expect. The tool is offered without warranty - TEST IT IN THE LAB FIRST!

3. As well as the possibility of a failure during the upgrade requiring a rollback, you might hit new bugs. Make sure you have a well thought out change control process and ideally test a subset area on the new code before rolling out across the site.

4. Lab test your upgrade and new code. If you have any sort of unusual end devices, they may not operate or roam correctly on the new code. Do some lab testing.

5. Read the release notes. Yes, it is boring, but you'll at least know if any of the bugs might be an issue for you.

6. Make sure your Smartnet support contract is up to date. Just done an upgrade and it's failed? No Smartnet and you're on your own - make sure it's up to date first!

7. We have come across many new Cisco bugs on the larger sites we work on – treat a code upgrade with great care and be sure to thoroughly test all services on the new code once the upgrade is complete.

8. Only do a batch of APs at a time – or you will take all APs offline at once, which defeats the purpose.

9. Run the script only on one AP first as a test – confirm it moves the AP between the desired WLCs correctly.

10. Test all your services on the AP once it's on your spare WLC – the spare WLC probably doesn’t get used much, so confirm it's working as expected before moving a lot of APs across!

11. There’s a major caveat to note with the use of the spare controller – the last digit of the MAC address of each SSID (i.e. the BSSID) is determined based on the order it was added to the AP group on the WLC (the order the SSIDs were created in the case of the default AP group). If you don’t correctly configure all the WLCs' AP groups with the SSIDs in the same order as each other, you will find the last digit on the SSIDs will change when you move APs to the spare WLC. This is not a problem with most applications – but will affect RTLS applications such as Ekahau that rely on the MAC address of the AP.


Liability Disclaimer 

We supply the tools on this website free of charge for the wireless community use. Note with all our tools the liability disclaimer – we do our best to make these tools as useful as we can, but accept no liability for their use or misuse:



Prime AP Migration Tool - Part 2

In this second article on how to seamlessly upgrade your Cisco WLC, we explore the migration process and how to use the free tool IPTel have built for the purpose.

If you've not seen the other two articles in this series, you can catch up with the two links below - check the caveats, hints and tips before you start any upgrades:


AP Migration Process

There are caveats later in this blog – familiarise yourself with these – if you are unsure of what you are doing do not run this script on a live network. Practice in your lab environment until you are happy with the process.

Access the tool from the IPTel website – here’s the link: https://www.iptel.com.au/ap-migration-tool.html

You will need to make a choice when moving APs – do you upgrade the spare WLC to the new code and upgrade APs on their way over, or just do a straight move, then upgrade the primary WLC and upgrade them on the way back? There are pros and cons to each method.

At some point you need to upload the new WLC code to your controller – this can be done at any stage prior to, or after offloading all the APs.

A screen shot of the tool is shown below:

Prime AP Migration Tool – Entry Screen

The process is as follows:

  • Select the ‘Move AP Script’ radio button
  • Enter the ‘From’ details in the Controllers section (hostname and IP address of your current Primary WLC)
  • Enter the ‘To’ details for the spare / holding platform WLC to move the APs to
  • In the Access Points box, paste in a list of all your APs
  • Click the generate button


This will generate a list of commands to be pasted to the WLC GUI. When pasted into the GUI, APs will have the order of their Primary controller changed – the commands will then reload the AP and it will move to the secondary platform.

Once all APs are moved, you can upgrade the primary WLC (or HA if it's in HA mode) without affecting any of the APs.

When you’re ready to move the APs back to the original WLC, select the ‘Reset AP Script’ button and click the Generate button – this will generate the reverse script to return the APs back to the Primary WLC.



To reduce the impact of the upgrade (speed up the process), pre-download the new AP image to the APs before moving them to a WLC that uses a different code version. Note that without a pre-download, APs will have to download the correct image then reload to boot that image when you move them between WLCs with different code versions! To do a pre-download, you need to download the new code onto the WLC but don't reboot onto it. You will then be able to pre-download that code to all APs (or a single AP at a time if you want to test) either via the GUI or the CLI.





Prime AP Migration Tool - Part 1

Mark at IPTel is sharing some of his scripts to help with controller upgrades! Check it out and let us know what you think!  

This article is the first in a series dedicated to how to upgrade your Cisco WLCs with the minimum of client impact. This article provides the background and pre-requisites, with further articles detailing the process. In addition, IPTel have provided the AP migration tool to make it easy to transfer APs from one WLC to the next.

If you've not seen the other two articles in this series, you can catch up with the two links below - check the caveats, hints and tips before you start any upgrades:

The tool can be found on this link: https://www.iptel.com.au/ap-migration-tool.html


If you don't like having all your eggs in one basket, you'll have deployed your Cisco WLAN controllers in SSO mode and now discovered when you do an upgrade that they both reload, one after another. In this article we explore what you need to do to perform a seamless upgrade, with virtually no client impact on a Cisco WLAN Controller.

Firstly, you need to take into account a couple of pre-requisite factors:
  • Ensure you have a spare controller
  • Use the Prime AP Migration Tool to move APs around

The bad news is that you need some spare hardware - if you have only a single controller or only a HA pair (in SSO mode) then you can’t do a seamless upgrade. 

When you upgrade the HA pair it copies the new code between the WLCs and reloads each in turn – you’re in for a 15 – 20 minute outage.

The process is even worse if you've not done a pre-upload of code to your APs prior to the WLC code upgrade – once the WLCs are operational on the new code, the APs will join, download, reload onto the new code and join again. The network is going to be unstable while this process occurs.

High Availability (HA)

Firstly, let's have a quick segue onto the issue of High Availability. If you've got one WLC and it goes offline, you're, well, offline. If you happen to have a spare WLC handy AND a copy of your config, all good. You can restore the failed controller and maybe have 3 - 4 hours of downtime.

Don't have a spare onsite, and oops, don't have the recent config? You're in real trouble - it could be days or weeks until you return to service.

The HA part codes from Cisco are much cheaper than the fully licenced controllers and inherit the licence once connected - you now have completely seamless fail over (depending on the code version you're running).

That's the good news. The bad news is that you essentially have one single unit, just operating across two pieces of hardware. Make a config error on one and you've just made it on both. There's an outside chance of a bug taking both out at once, but in any case, when you do a code upgrade they will both reload.

The answer to this is a spare controller.

Spare Controller

To overcome this for sites which cannot have any interruption in service, we have developed designs and techniques. The first stage is ensuring you have a spare controller in the network. Fortunately due to Cisco licencing, you can buy the minimum priced HA unit and use this as an HA secondary; once in HA secondary mode (with SSO disabled) it will licence itself for the full number of APs – but only for 90 days (after which there’s a ‘nag’ message).

In addition to providing a holding platform during code upgrades, adding a Spare controller also adds to the overall resilience of the network. We normally configure this as the secondary controller on each AP; it can act as a secondary to multiple primary HA pairs of controllers (you need to configure this for each AP though).

Holding Platform

Once the Spare WLC is in place as the holding platform, you’re all set to be able to do seamless upgrades. The basic premise is to gradually move all APs from the current WLC (or HA pair) to the spare platform. Gradually moving the APs means any clients will just roam when the AP disappears during the move. To reduce the impact even further, randomise the order in which APs are moved, so you only move one AP at a time in a particular area.

The Prime AP Migration tool is designed to perform just this task – work out a randomised list of APs to change their primary controller to be the spare – they are then rebooted and the AP reconnects on the spare WLC.
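
The batching described under Holding Platform (and in caveat 8 of Part 3), as an added example that is not the IPTel tool or its output. AP names, areas, the controller name and the address are constructed; the two `config ap` lines are the AireOS CLI forms for setting an AP's primary controller and resetting it, assumed here to be what gets pasted.

```python
import ipaddress
import random
import re
from collections import defaultdict

# Assumption: site naming uses no spaces or shell/CLI metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,32}")


def plan_batches(ap_areas, batch_size, seed=None):
    """Return batches of AP names in which no two APs share an area.

    ap_areas maps AP name -> area label (floor, ward, warehouse aisle ...).
    """
    if batch_size < 1:
        raise ValueError("batch_size must be at least 1")
    rng = random.Random(seed)
    pending = defaultdict(list)
    for ap, area in ap_areas.items():
        if not SAFE_NAME.fullmatch(ap):
            raise ValueError(f"AP name not safe to paste into a CLI: {ap!r}")
        pending[area].append(ap)
    for aps in pending.values():
        rng.shuffle(aps)                      # randomise order inside each area

    batches = []
    while pending:
        areas = list(pending)
        rng.shuffle(areas)                    # random tie-break between areas
        areas.sort(key=lambda a: -len(pending[a]))  # drain the fullest areas first
        batch = []
        for area in areas[:batch_size]:
            batch.append(pending[area].pop())
            if not pending[area]:
                del pending[area]
        batches.append(batch)
    return batches


def move_commands(batch, wlc_name, wlc_ip):
    """CLI lines that point each AP in the batch at wlc_name, then reset it."""
    ipaddress.ip_address(wlc_ip)              # ValueError on a malformed address
    if not SAFE_NAME.fullmatch(wlc_name):
        raise ValueError(f"controller name not safe to paste: {wlc_name!r}")
    lines = [f"config ap primary-base {wlc_name} {ap} {wlc_ip}" for ap in batch]
    # The CLI may ask for confirmation on reset; try a single AP first (caveat 9).
    lines += [f"config ap reset {ap}" for ap in batch]
    return lines


# Constructed inventory: six APs in three areas.
SAMPLE_APS = {
    "AP-WH-01": "warehouse", "AP-WH-02": "warehouse", "AP-WH-03": "warehouse",
    "AP-OF-01": "office", "AP-OF-02": "office",
    "AP-DK-01": "dock",
}

if __name__ == "__main__":
    for n, batch in enumerate(plan_batches(SAMPLE_APS, batch_size=2, seed=1), 1):
        print(f"--- batch {n}: wait for these APs to rejoin before the next ---")
        print("\n".join(move_commands(batch, "WLC-SPARE", "192.0.2.10")))
```

Running the same plan with the original controller's name and address gives the reverse move once the primary has been upgraded.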





802.11 Packet Capture Skillz To Pay The Bills

Digging deep into the Stefanick archives of real world 802.11 issues. I challenge YOU with 4 real world examples. Keep in mind sometimes the obvious is not so obvious. While frames don’t lie, understanding 802.11 is important to see the truth.

These are real customer issues on real networks with real problems.


Customer complained of slow WiFi performance in a specific part of the warehouse. "It's always been slow," said one worker. It's never really performed right since it was installed.

During my packet capture I observed a lot of frames with a similar “bit" being marked. What “bit" could be a clue that might contribute to a slow network?



If you answered retry bit you would be right. The retry counter was above 30% for channel 6. While the noise reference on channel was within reason, the packet capture was a "bit" misleading, displaying a -92. No pun intended. I turned on WiSpy, lo and behold, layer 1 interference. There were old security cameras operating on 2.4 no longer in use but still powered. The cameras were causing interference across channels 1 - 6, causing high retry rates.





After a recent firmware update a number of Cisco 7925 phones exhibited an odd behavior. They would connect to the wifi network and then disconnect and display Locating Network Services. This happened repeatedly.

I open my sniffer and see frames much like this one.


If you answered duration timer you would be correct. The duration value caught my attention during troubleshooting. In the end it was a firmware bug on the handset due to an interoperability with a specific configuration and 802.11n access points. Note when a client sends a duration value, clients who can demodulate this frame will use this value and reset their clocks to busy. This was impacting the entire cell and not just the phones. 
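
The two fields behind these cases, the Retry bit and the Duration/ID value, decoded from raw 802.11 MAC headers in an added example that is not from the original post. The frames and addresses are constructed, the input is assumed to have radiotap and FCS already removed, the 30% figure is the retry level from the warehouse case, and the Duration limit passed in is an assumption to tune per site.

```python
import struct

RETRY_BIT = 0x0800   # Frame Control bit 11; the field is little-endian on the air
NAV_MAX_US = 0x7FFF  # Duration/ID sets the NAV only while bit 15 is clear


def parse_header(frame: bytes) -> dict:
    """Decode Frame Control, Duration/ID and the first two addresses."""
    if len(frame) < 10:
        raise ValueError("truncated 802.11 header")
    fc, dur = struct.unpack_from("<HH", frame)
    return {
        "type": (fc >> 2) & 0x3,        # 0 management, 1 control, 2 data
        "subtype": (fc >> 4) & 0xF,
        "retry": bool(fc & RETRY_BIT),
        # With bit 15 set the field carries an AID (PS-Poll) or a reserved value.
        "duration_us": dur if dur <= NAV_MAX_US else None,
        "receiver": frame[4:10].hex(":"),
        # ACK and CTS carry a receiver address only.
        "transmitter": frame[10:16].hex(":") if len(frame) >= 16 else None,
    }


def retry_rate(frames) -> float:
    """Share of management and data frames that have the Retry bit set."""
    hdrs = [h for h in map(parse_header, frames) if h["type"] in (0, 2)]
    return sum(h["retry"] for h in hdrs) / len(hdrs) if hdrs else 0.0


def long_nav_senders(frames, limit_us: int) -> dict:
    """Map transmitter -> largest Duration it advertised above limit_us.

    Every station that can demodulate the frame defers for that long, so one
    misbehaving transmitter shows up here before the whole cell feels it.
    """
    worst = {}
    for h in map(parse_header, frames):
        d, ta = h["duration_us"], h["transmitter"]
        if d is not None and ta and d > limit_us:
            worst[ta] = max(d, worst.get(ta, 0))
    return worst


def build_frame(ftype, subtype, retry, duration, ra, ta=None) -> bytes:
    """Build a constructed header for the sample capture below."""
    fc = (ftype << 2) | (subtype << 4) | (RETRY_BIT if retry else 0)
    head = struct.pack("<HH", fc, duration) + bytes.fromhex(ra)
    if ta is None:
        return head
    return head + bytes.fromhex(ta) + bytes(8)   # addr3 + sequence control, zeroed


# Constructed, locally administered addresses.
AP, STA, PHONE = "02aabbcc0001", "02aabbcc0010", "02aabbcc0020"

# Constructed capture: 4 of 11 data frames are retries, one phone frame
# advertises the maximum Duration, and one ACK closes the exchange.
SAMPLE = (
    [build_frame(2, 0, False, 44, AP, STA)] * 6
    + [build_frame(2, 0, True, 44, AP, STA)] * 4
    + [build_frame(2, 0, False, 32767, AP, PHONE)]
    + [build_frame(1, 13, False, 0, STA)]
)

if __name__ == "__main__":
    rate = retry_rate(SAMPLE)
    print(f"retry rate {rate:.0%}", "(above 30%)" if rate > 0.30 else "")
    for ta, dur in long_nav_senders(SAMPLE, limit_us=10000).items():
        print(f"{ta} advertised Duration {dur} us")
```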




30 Random Technical Thoughts by a WiFi Engineer

1) CRC is cyclic redundancy check. This means a radio received a frame and failed the checksum. A normal communication the intended receiver will not ACK and the sender will retransmit the frame. What’s important to understand when sniffing just because you have a high CRC rate in your sniffer window doesn't mean the actual client communication is experiencing the same. In fact while sniffing, if you experience a high CRC rate moving closer to the transmitting radios often solves the problem. It simply means your radio can't interpret the frame. If you want to see the actual client CRC rate, you would need to visit the actual radios.

2) When a client on channel transmits a frame ALL radios on the channel must synchronize to the preamble and demodulate the pending frame. The receiving radios peek at the mac address to see who the intended frame is for. If it doesn't match their mac address they look at the NAV timer to set their clocks and discards the frame. Idle clients are very busy processing frames! 

3) Noise calculations done by an 802.11 radio knows nothing about layer 1 spectrum. They determine the noise floor by various methods. Including retry rate, channel assessment, and energy detect.

4) Placing access points in a hallway, also called a hallway design is so 2007. Hallway designs contribute to excessive CCI (co channel interference). As client density increases and sensitive applications are added these designs fail miserably. Consider room placement during your survey. 

5) One-way speech can be caused by a poor link budget. Imagine you're on a call and you can hear them but they can't hear you. If your access point transmit power is at 100mW and your client is at 20mW, this imbalance can cause data retries. Your frames don't have the punch to travel back to the access point. Always consider the lowest client in your wifi design and match their power on the access points.

6) Walls are your friends. Design using walls as attenuation points. Letting RF run amok and leak into areas causes unnecessary CCI.

7) If you’re a player in WiFi, you better bring the tools and know how to use them. The three S’s. Spectrum, Sniffer and Survey tools. Know them. Know them very well.

8) Channel 165 / UNII2 - 2E support. While most infrastructure devices support channel 165, most clients do not. Allowing 165 in your design can cause outages. The same is true for UNII 2 and UNII2E.

9) UNII2 - 2E DFS is real folks. It can disrupt communications. I’ve been the victim of weather radar and my connection dropped.  Pick your channels wisely my friend! 

10) The WiFi client is the biggest cowboy of them all! There is one thing which is consistent: your wifi network. Your access points should be configured the same. They should be on the same code. You should expect a certain level of performance from your infrastructure. Your clients, on the other hand? What a hand bag of dysfunctional little peeps. Having an understanding of your clients is important. Know that clients aren't created equal. Like humans, they all hear, talk and behave differently.




802.11 - Reason Codes and Status Codes


The 802.11 standard section 8.4 comments on reason codes and status codes. I've used these myself when troubleshooting frame captures. These codes provide insight into Wi-Fi related problems like stations connecting and disconnecting. Let's dive in and see what the standard says about the reason and status code fields. Then let's look at real-world frame captures and see these codes at work.

802.11 Standard Overview

Reason Code field

This Reason Code field is used to indicate the reason that an unsolicited notification management frame of type Disassociation, Deauthentication, DELTS, DELBA, DLS Teardown, or Mesh Peering Close was generated. It is contained in the Mesh Channel Switch Parameters element to indicate the reason for the channel switch. It is contained in the PERR element to indicate the reason for the path error. The length of the Reason Code field is 2 octets. The Reason Code field is illustrated in Figure 8-41.

Status Code field

The Status Code field is used in a response management frame to indicate the success or failure of a requested operation. The length of the Status Code field is 2 octets. The Status Code field is illustrated in Figure 8-43.

Reason Code Field 

When conducting frame captures you can find the reason code in some of the management frames like the response and disassociation frames. I like how the 802.11 standard comments:  “unsolicited notification”. 

It’s unsolicited information whereby radios can provide connection information. 

Example: Disassociation frame with reason code 1. This radio is informing the other radio it’s disassociating for unspecified reasons.
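To see where the 2-octet Reason Code sits in a capture, here is an added Python example (not from the original post) that decodes a Disassociation or Deauthentication frame. The sample frame and its MAC addresses are constructed, the reason table is only the first entries of the standard's table, and the input is assumed to start at the Frame Control field with no radiotap header or FCS.

```python
import struct

# Management subtypes whose body starts with the 2-octet Reason Code.
SUBTYPES = {10: "Disassociation", 12: "Deauthentication"}

# First entries of the standard's Reason Code table (not the full table).
REASONS = {
    1: "Unspecified reason",
    2: "Previous authentication no longer valid",
    3: "Deauthenticated because sending STA is leaving (or has left) IBSS or ESS",
    4: "Disassociated due to inactivity",
    5: "Disassociated because AP is unable to handle all currently associated STAs",
    6: "Class 2 frame received from nonauthenticated STA",
    7: "Class 3 frame received from nonassociated STA",
    8: "Disassociated because sending STA is leaving (or has left) BSS",
}

FC_ORDER = 0x8000      # a 4-octet HT Control field follows the 24-octet header
FC_PROTECTED = 0x4000  # body is encrypted (protected management frame)


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_reason_frame(frame: bytes) -> dict:
    """Decode a Disassociation or Deauthentication frame."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 management header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if fc & 0x3 != 0 or ftype != 0 or subtype not in SUBTYPES:
        raise ValueError("not a Disassociation/Deauthentication frame")
    info = {
        "subtype": SUBTYPES[subtype],
        "receiver": fmt_mac(frame[4:10]),
        "transmitter": fmt_mac(frame[10:16]),
        "bssid": fmt_mac(frame[16:22]),
        "protected": bool(fc & FC_PROTECTED),
        "reason_code": None,
        "reason": None,
    }
    if info["protected"]:
        return info  # the Reason Code is inside the encrypted body
    offset = 24 + (4 if fc & FC_ORDER else 0)
    if len(frame) < offset + 2:
        raise ValueError("frame body too short for a Reason Code")
    (code,) = struct.unpack_from("<H", frame, offset)  # little-endian
    info["reason_code"] = code
    info["reason"] = REASONS.get(code, "not in this example's table")
    return info


# Constructed sample: Disassociation with reason code 1 (addresses made up).
SAMPLE = bytes.fromhex(
    "a000" "3a01"                  # frame control, duration
    "02aabbccdd01" "02aabbccdd02"  # receiver, transmitter
    "02aabbccdd02" "1000"          # BSSID, sequence control
    "0100"                         # reason code 1
)

if __name__ == "__main__":
    print(parse_reason_frame(SAMPLE))
```
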





"Wi-Fi doesn't stand for anything. It is not an acronym. There is no meaning.”

Let's start 2016 with a blog post that will surely get some of you thinking. As a professional who focuses on Wi-Fi communication I’m asked from time to time what does Wi-Fi mean?

The conversation usually goes something like this: "What does Wi-Fi stand for? Is Wi-Fi an acronym for something? Who came up with the term Wi-Fi? Who owns the name Wi-Fi? Is it WiFi or Wi-Fi?"

When I respond that Wi-Fi is a made up word I get the stare, usually followed by, "really?"


I think the biggest misunderstanding or assumption is many folks think Wi-Fi means “Wireless Fidelity”. This is almost always the response I get when I ask, "what do you think it means?"

Another point of interest is the proper term is Wi-Fi with the hyphen. While many of us, myself included, use the term WiFi that would not be the correct registered trademark. Wi-Fi is a registered trademark of the Wi-Fi Alliance. Here is a link to their brands.






802.11 - TIM and DTIM Information Elements  

In this blog post I investigate 802.11 TIM and DTIM.



Traffic Indication Map (TIM) - 

After reviewing what the 802.11 standard says about TIM, let's discuss in real-world terms what a TIM is and how it works.

You will specifically find TIM in a management frame called a beacon. A beacon is triggered by default on an access point every 102us. Think of a beacon as a network advertisement. The beacon advertises specific <BSSID> wireless network information such as supported PHY rates, security protocols, supported QoS/WMM, vendor specific information and much much more. Included in the beacon is a TIM information element. 


Delivery Traffic Indication Map (DTIM) - 

After reviewing what the 802.11 standard says about DTIM, let's discuss in real-world terms what a DTIM is and how it works.

You will specifically find DTIM in a management frame called a beacon under the TIM information element. DTIM is to broadcast / multicast traffic as TIM is to unicast traffic.

Under the TIM you will see DTIM count and DTIM period. 
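The TIM element layout described above, as an added Python example (not from the original post): it walks the tagged elements of a beacon body, finds the TIM (element ID 5), and reports the DTIM count, DTIM period, the broadcast/multicast indicator and the association IDs with buffered unicast traffic. The sample beacon body is constructed, and the input is assumed to start right after the 24-octet management header.

```python
TIM_ELEMENT_ID = 5
FIXED_FIELDS_LEN = 12  # timestamp (8) + beacon interval (2) + capability (2)


def decode_tim(value: bytes) -> dict:
    """Decode the TIM element payload.

    Layout: DTIM Count, DTIM Period, Bitmap Control, then the
    Partial Virtual Bitmap (at least one octet).
    """
    if len(value) < 4:
        raise ValueError("TIM element shorter than 4 octets")
    dtim_count, dtim_period, bitmap_control = value[0], value[1], value[2]
    if dtim_period == 0 or dtim_count >= dtim_period:
        raise ValueError("invalid DTIM count/period")
    # Bits 1-7 of Bitmap Control hold the bitmap offset; the first octet
    # carried in the element is octet (offset * 2) of the full bitmap.
    first_octet = (bitmap_control >> 1) * 2
    aids = []
    for i, octet in enumerate(value[3:]):
        for bit in range(8):
            aid = (first_octet + i) * 8 + bit
            # AID 0 (group traffic) is signalled by Bitmap Control bit 0.
            if octet & (1 << bit) and aid != 0:
                aids.append(aid)
    return {
        "dtim_count": dtim_count,
        "dtim_period": dtim_period,
        "is_dtim_beacon": dtim_count == 0,
        "group_traffic_buffered": bool(bitmap_control & 0x01),
        "unicast_buffered_aids": aids,
    }


def parse_tim(beacon_body: bytes) -> dict:
    """Find and decode the TIM element in a beacon frame body."""
    pos = FIXED_FIELDS_LEN
    while pos + 2 <= len(beacon_body):
        elem_id, length = beacon_body[pos], beacon_body[pos + 1]
        value = beacon_body[pos + 2 : pos + 2 + length]
        if len(value) < length:
            raise ValueError(f"element {elem_id} runs past the end of the frame")
        if elem_id == TIM_ELEMENT_ID:
            return decode_tim(value)
        pos += 2 + length
    raise ValueError("no TIM element in beacon body")


# Constructed beacon body: fixed fields, SSID "demo", then a TIM element.
SAMPLE_BEACON_BODY = bytes.fromhex(
    "0000000000000000" "6400" "1104"  # fixed fields
    "0004" "64656d6f"                 # SSID element: "demo"
    "0505" "00" "03" "03" "0280"      # TIM: count 0, period 3, control, bitmap
)

if __name__ == "__main__":
    print(parse_tim(SAMPLE_BEACON_BODY))
```
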






Cisco 8.0 MR3 Beta Open to Public 

Cisco announced public participation in 8.0 MR3 beta testing. If you're interested, visit the Cisco Support Community.



8.0.122.x Available - 8.0MR3 Beta


We are pleased to announce the availability of 80MR3 beta (Upcoming for general testing

If you are interested in participating on the beta program, please send email to wnbu-mrbeta@cisco.com with your CCO username, network size and planned usage scenario


Resolved List -


"capwap ap hostname" CLI returns "ERROR!!! Command is disabled."


wips alarm detection time stamp is ahead of AP clock


fast Switching SSDi and IPAD Issue


WIPS-Rogue APs are mistaken as infrastructure devices


duplicate mac address issue of Ap Rcv image


"show dtls connection" shows blank in AP Name column for Capwap_Data


HA:-Unable to pair up the active/Standby wlc due to config sync failure.


Flex AP in Standalone mode not triggering ap-primed-join-timeout timer


Stale old DTLS data_encryption session histories are left on WLC


Local eap, local user, created for specific WLAN works for diferent wlan


WLC device sends invalid format "#" in front of syslog message


Stats are carried over when session timeout occurs


5500 on 7.6 does not deauth client when Flex ACL is not present on AP


Default interface takes precedence over foreign VLAN mapping with CWA


Low iMac Tput -supported rate IE in association response has ZERO length


SHA1 key cipher not working between WLC 80 and MSE 80 CCO versions.


5500 anchor running crashed on osapiBsnTimer


WLC adds incorrect class attribute in accounting stop


Rogue APs wrong classification from malicious to unclassified


DHCP Option 82 and Sub Option 5 issue in WLC 8.0


Controller crash on mping command over telnet/ssh


NewMobility Web-Auth on MacFilter Failure always send client to web-auth


WSSI module stops working after Upgrade from to 7.6 MR3


8.1 emWeb crash when adding devices to mDNS policy


Problem in Client Stats Reports and Optimized Roaming


WiSM2 system crash radiusTransportThread aaaRadiusAuth


Client misses to override vlan after shifting wlan.


New mobility web auth on mac filter failure Export Anchor request fails


Name/OID: cLMobilityExtMgrAddress.0; Returning in IP in Reverse Order

CSCur80935 overridden acl is not applied on Guest access controller


AP name unknown in dissoc messages (Intermittent)


T8.0 WLC keeps ghost client entry


MDNS discovery issue with WLC 8.0.100


Controller crashes when issuing command show ap config general


Dataplane crash on 8500 WLC with 7.6


Adding mac filter check when client is changing SSID for webauth


Radius NAC Client auth issues for


OEAP600 not giving ip on remote LAN port in 8.0


Local Policies not working after OUI Update


WLC - Radius multiple UDP source port support for radius protocol


Add 802.11a Philipines country support for 1532I Aps joined to 5760.


DNS ACL on wlc is not working - AP not Send DTLS to WLC


Standby keeps auto rebooting and stays in "STANDBY COLD" state


Multicast configuration issue on 8510 WLC OS


New mobility:Client not deleted on 5508 when it roams at webauth state


controller crashed with task radiusTransportThread


CT5508 crashes at sisfSwitcherTask


WLC: Crash ewaFormSubmit_cell_edit


CAP1530 not forward, send packets to wired side after bootup


AP sends few frames with previous security association's packet number


Need to add AP802 to list of APs that support Flex+Bridge mode


WLC - Memory leak - k_mib_cisco_lwapp_dot11_client.c


default NAS-ID value at the AP-Groups should be empty or "none"


Unused Data DTLS session is remained on WLC running


session ID changes for an intercontroller client roam using EAPFAST


Mobility tunnel down after switchover on 7.6


CSCuwAP: %DTLS-5-SEND_ALERT: Send FATAL; join failure loop


Client unable to get IP when switching wlan on New mobility.


local profile showing wrong stats under Manufacturer Stats


WLC 8510 Failure to collect feature MobilityExtGroupMember on PI 2.2


WLC crash on SNMPtask after doing config audit from PI


PMIPv6 Client Traffic is Sent to the Wrong LMA


Broadcast Key Rotation won't occur after MAC Filtering enabled


Jian WLC crashed with task name 'HAConfigSyncTask'


MAG on AP:AP does not clear bindings after session/user timeout & deauth


WLC sends 1499 bytes MTU switchover


WLC generates SNMP traps to PI 2.2 for AIR-3702 PoE+ getting low power


MSE - NMSP inactive with WLC


AP not send RM IE for 11k in association response; no 11k for iOS > 8.1


WLC crash on spamApTask2


2702 AP requesting as a Type 1 power device instead of Type 2


Packet drops on 2702 AP in flex local auth/local switch mode


EAP Packet does not get encrypted in Re-auth request from client


SXP Crash when running Trust Sec clients on Talwar


Token Bucket leak when QoS Roles setup and when working with WebAuth


WLC8510 crashing while NMSP polling in progress.


dot11 arp-cache does not works well


Cisco Application Visibility and Control UDP Vulnerability


7925 decrypt errors with AP1131 running 8.0 code


Switching between SSIDs fails with FAST SSID enabled on PMIPv6 WLANs


False positive AP sourced AP impersonation on corrupted beacon


Lock crash on radiusTransportThread during CMCC external auth


duplicate radius-acct update message sent while roaming


Silent Crash mmListen process


Clients deauthenticated from OEAP 600 LAN ports


Evaluation of wlc for OpenSSL June 2015


WLC sends bsnRogueAPRemoved Trap when notify configured none


8510: Error enabling global multicast with capwap mode unicast


Netflow record sent without client IP address


EAP-TLS loosing device certificate in standalone mode after reboot


AP 1570, antenna enable config is lost on reboot


WLC crash - DHCP packet content while on new mobility


PMIPv6 Client MAC Address shows up on the mac address table of Switch


Optimized Roaming per WLAN feature


Sanity: AP1700 crashed during multicast client traffic(cont.CSCuu89311)


Anchor crash on New Mobility apf_msDeleteTblEntry


3702 AP sends burst traffic - AMPU/MSDU/Off-channel/RRM disabled


Link local multicast control traffic sent by APs, IGMP Snooping Enabled


Wired clients in 702w AP leaking traffic across ports/vlans


3702 - Voice Queue stuck, with no new clients able to associate.


WLC 5500 Crashes continously in HA Setup@task: apfRogueTask_2 and 3


Wireless Client not able to get IP address on 3650 MA from 5508 anchor


EOGRE and PMIPv6 client fails to move to Run state


8.0 WLC messages flooding cli after debug client


Apple devices failing 802.11r FT roam


Active WLC should send GARPs when HA Re-Paring after Active-Active state


SSID still broadcasted by the AP after the wlan is deleted from wlc


Window DHCP BAD_ADDRESS for Access Points


Need to re-evaludate Algeria if in -E or -I


OEAP600 wired 802.1x remote LAN forward traffic in 802.1x Required State


vWLC: Decrypt errors occurred for client using WPA2 key on 802.11a intf


Mobility Member entries going stale


WLC clears AP MAC before deleting client, sends netflow with Zero AP MAC


8.0/8.1 WLC's fail to send FRAMED-IP attribute to AAA server


Wired clients in 702w AP getting put in mgmt vlan


Pineridge - afpmsConntask flood when running client console debug


readonly user able to change "Telnet Capability" setting


WiSM2 crash AP_DB_CREATE_ERR Message queue MFP-Q is nearing full


WLC crash: "Software Failed while accessing the data"


Silent crash 8.0.120 due to memory leak in CDP Main


unauthorized configuration change for web management


Non authenticated HTTP page allows to logout any connected client


Rate-limiting is causing 500ms gap of traffic when roaming


702w missing interface information on controller after HA failover


Mobility Task Hogs CPU - Reaper Reset in SpamApTask


Increased Ping latency & Reduced traffic on 8510 with QOS rate limiting


Crash due to invalid form field validation on switch_cfg_rw.html


Cisco Wireless LAN Controller Radius Packet of Disconnect Vulnerability


APs show 0 neighbors on 5GHz band and client 802.11 packets are ignored


IP address lost on AAA override+muiltiple subnetworks per vlan+DHCP req


DHCP registration failing when mask from WLC intf does not match client received mask


802.11r client fails auth if self reset before user idle timeout expires


Crash on high CPU for bonjour


C3600 AP crash on am_xml_GetChildCount


Rogue containment not working on for AP3700 with WSM module


WLC System Crash on apfReceiveTask


Rogue rules not applied correctly after upgrade to


Feature "AES Key Wrap" does not work


8510 crashed on Task Name:portalMsgTask.


PI 3.0 - Sync Issue on Flexconnect Native VLAN Configuration


Evaluation of wlc for OpenSSL December 2015 vulnerabilities

CSCux47470 controller crash at openssl_cert_hash_algo_check_callback


HA+802.11r:Post SSO FT PSK/EAP Apple clients fails to connect.


8510 WLC crash in radiusTransportThread system task


1700 AP not encrypting icmp and arp sent from the client over the air


GET on Ap groups Table after set - response missing

CSCus39396 QoS Bronze Profile not marking traffic to AF11 on Flex


WLC crash due to task name RRM-CLNT-5_0


LSC AP provisioning happening after MAP is disconnected for long time


Spectrum Management Bit Should be set to 1 all the time


802.11 - Action Frames

The 802.11 standard section 8.5 comments on action frames. Action frames are interesting. They can be triggered by access points or client stations. The action frame provides information and direction as to what to do. The 802.11 standard comments about action frames in 17 different sections of subsection 8.5. While many of these aren't used by vendors today, some important ones are. Let's review some comments about action frames and then head to the frame captures.


Example: DFS event is under way. The access point is sending an action frame to the cell to announce a channel change.

Category - 0 Spectrum Management
Action - 4 Channel Switch Announcement
Element - New Channel 64
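The DFS example above, as an added Python example (not from the original post): it decodes an Action frame's Category and Action octets and, for Spectrum Management / Channel Switch Announcement, the announcement element that follows. The sample frame and its addresses are constructed, and the frame is assumed to be unprotected, without an HT Control field, and to start at the Frame Control field.

```python
import struct

CATEGORIES = {0: "Spectrum Management"}
SPECTRUM_ACTIONS = {
    0: "Measurement Request",
    1: "Measurement Report",
    2: "TPC Request",
    3: "TPC Report",
    4: "Channel Switch Announcement",
}
CSA_ELEMENT_ID = 37  # Channel Switch Announcement element, 3-octet payload


def decode_csa(elements: bytes) -> dict:
    """Decode the CSA element, the first element after the Action octet."""
    if len(elements) < 5 or elements[0] != CSA_ELEMENT_ID or elements[1] != 3:
        raise ValueError("missing or malformed Channel Switch Announcement")
    mode, new_channel, count = elements[2:5]
    return {
        # Mode 1 tells stations to stop transmitting until the switch.
        "stations_must_stop_tx": mode == 1,
        "new_channel": new_channel,
        "switch_count": count,  # beacon intervals left before the switch
    }


def parse_action_frame(frame: bytes) -> dict:
    """Decode Category/Action and, for a channel switch, its details."""
    if len(frame) < 26:
        raise ValueError("too short for a header plus Category and Action")
    (fc,) = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 13:
        raise ValueError("not an Action frame (management subtype 13)")
    category, action = frame[24], frame[25]
    out = {
        "category": category,
        "category_name": CATEGORIES.get(category, "not in this example"),
        "action": action,
        "action_name": None,
        "channel_switch": None,
    }
    if category == 0:
        out["action_name"] = SPECTRUM_ACTIONS.get(action, "reserved")
        if action == 4:
            out["channel_switch"] = decode_csa(frame[26:])
    return out


# Constructed sample: broadcast Action frame announcing a move to channel 64.
SAMPLE_ACTION = bytes.fromhex(
    "d000" "0000"                  # frame control (Action), duration
    "ffffffffffff" "02aabbccdd02"  # receiver (broadcast), transmitter
    "02aabbccdd02" "2000"          # BSSID, sequence control
    "00" "04"                      # Category 0, Action 4
    "2503" "01" "40" "05"          # CSA element: mode 1, channel 64, count 5
)

if __name__ == "__main__":
    print(parse_action_frame(SAMPLE_ACTION))
```
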


Example: A TSPEC exchange, where a client is requesting a TS <traffic stream>.

Category - 17 WNM
Action - 0 ADDTS Request
Status Code: 0 Admission Accepted

 * Note I believe Omnipeek is decoding this wrong. I believe the category code should read WNM.



Field Notice: FN - 64003 - AIR-ANT2568VG-N - Potential Moisture Intrusion to Radome - Replace Antenna


More Power More Problems! When Excessive RF Power Degrades your WiFi Performance!

In the wireless world we often think more power is good. The louder the signal, surely the higher the performance gain. I'm sorry to say that's not true in most cases. RF power is like a delicate flower and should be treated with respect. Simply choosing a higher power output and not properly tuning your radios could cause you more pain than you really know. In this quick blog post, I share a pair of static bridges being bench tested 70 feet apart. The only difference in configuration is the RF power. I only share the capacity values; the throughput values have been excluded to keep the focus on power.

Example #1 - (HOTTEST)

In this example we pump up the power @ 30 dBm.

(1) Link @ -17 dBm
(2) Modulation at 16 / 64 QAM
(3) TX Power 30 dBm
(4) Capacity Link TX 205, RX 200


Example #2 - (HOT)

In this example we power down to 24 dBm.

(1) Link @ -22 dBm
(2) Modulation at 256 / 256 QAM
(3) TX Power 24 dBm
(4) Capacity Link TX 396, RX 391


Example #3 - (PEACHY)

In this example we power down to 18 dBm.

(1) Link @ -27 dBm
(2) Modulation at 1024 / 1024 QAM
(3) TX Power 18 dBm
(4) Capacity Link TX 482, RX 469


Modulate Gain: 16 vs 1024 and 64 vs 1024
Capacity Link Gain: TX 205 vs 481, RX 200 vs 469

Excessive power gain is bad because it increases noise and distortion at the receiver's radio. In Example #1, both radios can hear each other at -17 dBm! Think of it this way: imagine having someone in your ear with a megaphone yelling today's lunch specials at you. You can't hear so well, can you? Take away the megaphone and step back a few feet and all is peachy.

My quick less-techy blog post for today! 





Which antenna gets deactivated when you provide less than full power to a Cisco 3700 ?

A question was asked on Cisco Support Community (CSC) enquiring about what antenna is deactivated when a Cisco 3700 access point doesn't receive a full 16.1 Watts. 

We have purchased 3702e and some of these access points can only get PoE (802.3af). Which antenna will be activated in this case?

802.3at                 4x4:3 on 2.4/5 GHz                         16,1W
802.3af                 3x3:3 on 2.4/5 GHz                         15,4W

That's a good question and it had me thinking. So I tapped my Cisco CSE, Carlos. BTW Carlos is one of the best CSEs you'll find. I'm very fortunate to have him as our CSE. The guy has memory recall with such precision it's scary. Not to mention he is a CCIE R/S and W.

When an access point isn't provided full power it can deactivate some combination of radio chains and spatial streams. Manufacturers can dial back the access point's performance while still providing reliable WiFi communications. This allows flexibility with power at the switch power level (PoE).

We’ll focus on the Cisco 3700. The data sheet shows 802.3at and 802.3af power combinations. Less power, less chains and streams. More power, more chains and streams.



From a Cisco 3700 access point do:  show controllers dot11Radio X.



In this example you will see the access point is fully powered. We can tell this because of the number of antennas used for RX and TX: A, B, C and D.

Antenna:                        Rx[a b c d ]
                                    Tx[a b c d  ofdm all]



In this example you will see the access point is not fully powered. The access point was provided .af power. We can tell this because of the number of antennas used for RX and TX (A, B, and C) and the message “Radio on Low Power Mode due to PoE, restricted to 3 antennas”.

Antenna:                        Rx[a b c ]
                                     Tx[a b c  ofdm all]



A,B,C, and D

You might be wondering which antenna port is D. On a Cisco 3700E, look closely at the antenna bulkhead. Each port is identified with A, B, C, or D. The D antenna is located in the lower left of the 3700 access point.