MY80211.com

This notice is from May 11, 2010. 

A little aged, yes. But if you're upgrading your wireless network and you have older Carefusion (Alaris) pumps take note of this notification, as it could impact you. Ask your Biomed group what code rev your pumps are on. Code revs prior to 9.5 may not be supported. You should contact your Carefusion rep for a firmware upgrade.

These features are not supported on Cisco Flex 7500 Series Controllers code 7.0.116.0, it could change in future versions:

•Local mode AP (However AP joins 7500 initially as local mode and should be converted to Flex Connect mode)

•Mesh

•LAG

•Client and RFID tag location

•CCX CAC

•STP

•7500 as guest anchor

•L3 Roaming (Centrally switched wlan -> same and inter-controller)

•Multicast (Multicast - Multicast and Multicast - Unicast). (ignore - 7500 gui interface may still show multicast-multicast config.)

•VideoStream

•TrustSec SXP

•IPv6/Dual Stack client Support

•WGB

•OEAP

•HotSpot2.0 (802.11u)

•Client rate limiting for centrally switched clients

Cisco Flex 7500 Series Controller does not support the 802.1x security variants on a centrally switched WLAN. For example, the following configurations are not allowed(and TAC does not support) on a centrally switched WLAN

•WPA1/WPA2 with 802.1x AKM

•WPA1/WPA2 with CCKM

•Dynamic-WEP

•Conditional webauth

•Splash WEB page redirect

If you want to configure your WLAN in any of the above combinations, the WLAN must be configured to use local switching.

Note:

•Flex7500 supports 1Gbps central switched data throughput for guest access

•Only Flex connect mode AP is supported for data traffic

•Static AP-manager interface

(Note: For Cisco 7500 Series controllers, it is not necessary to  configure an AP-manager interface. The management interface acts like an  AP-manager interface by default, and the access points can join on this  interface.)

•AP joined on local mode should be converted to Flex/Monitor, TAC does not support local mode AP services.

7.2.103.0 supports 802.1X on Centrally switched wlan unlike 7.0.116.0.

From: Saravanan Lakshmanan - Cisco CSC

https://supportforums.cisco.com/docs/DOC-23474

End-of-Sale and End-of-Life Announcement for the Cisco Unified Wireless IP Phone 7921G Power Supplies

Description: Cisco announces the end-of-sale and end-of-life dates for the Cisco Unified Wireless IP Phone 7921G Power Supplies. The last day to order the affected product(s) is October 19, 2012. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.

Date: 2012-04-20 15:41:00.0

Url: http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps379/ps7071/end_of_life_notice_c51-706105.html

I wanted to reference these part numbers as a quick reference for anyone that is looking for this information.

WISM 2 HARDWARE w/ SMARTNET

The WISM 2 hardware can be purchased in the available license sizes. They start at 100 and can be maxed out at 1000.  You receive the physical blade and license with the purchase of the below part numbers.

WS-SVC-WISM2-1-K9          100 access point       - CON-SNT-WSM2100 8x5xNBD
WS-SVC-WISM2-3-K9          300 access point       - CON-SNT-WSM2300 8x5xNBD
WS-SVC-WISM2-5-K9          500 access point       - CON-SNT-WSM2500 8x5xNBD
WS-SVC-WISM2-K-K9          1000 access point     - CON-SNT-WSM21K   8x5xNBD
 

WISM 2 ADDER LICENSES w/ SMARTNET

You can purchase additional licenses as you grow in 100 and 200 increments.

L-LIC-WISM2-100A              100 access point       - CON-SNT-LWSM21A 8x5xNBD
L-LIC-WISM2-200A              200 access point       - CON-SNT-LWSM22A 8x5xNBD

CICSO WISM 1 BUY BACK

Cisco has a great incentive program to purchase back your old WISMs. I would ask your Cisco sales representative for details.

We recently upgraded from 7.0.116.0 to 7.0.220.0 to resolve a bug we were experiencing with connectivity. After upgrading, we hit a new bug in 7.0.220.0. This new bug only became apparent, because we have WCS Email alerts configured.

After we upgraded to 7.0.220.0 we almost immediately started to receive the following WCS Email alerts. We had random access points going offline. After closer inspection, the access points showed the "AP Crashed Due To Software Failure"

Message: Access Point 'AA-1131' associated to controller 'xx.xx.xx.xx' on port number '0'. Reason for association 'AP Crashed Due To Software Failure '.
Message: Access Point 'AB-1131' associated to controller 'XX.XX.XX.XX' on port number '0'. Reason for association 'AP Crashed Due To Software Failure '.
Message: Access Point 'AC-1131' associated to controller 'XX.XX.XX.XX' on port number '0'. Reason for association 'AP Crashed Due To Software Failure '.
Message: Access Point 'AD-1131' associated to controller 'XX.XX.XX.XX' on port number '0'. Reason for association 'AP Crashed Due To Software Failure '.

We opened a ticket only to learn 7.0.220.0 has a bug specific to Cisco 1130/1131 access points. TAC mentioned this bug is resolved in 7.0.230.0.

Webinar Dates & Times - Click the date and time you prefer to register:

• Tuesday, Mar 27, 2012 from 4:00pm - 7:00pm, Eastern
• Wednesday, Mar 28, 2012 from 7:00am - 10:00am, Eastern
• Wednesday, Mar 28, 2012 from 4:00pm - 7:00pm, Eastern
• Thursday, Mar 29, 2012 from 7:00am - 10:00am, Eastern
• Thursday, Mar 29, 2012 from 4:00pm - 7:00pm, Eastern

Description:
Please join us for this 1/2 day virtual webinar covering the latest Cisco Unified Wireless LAN Release 7.2 code. This webinar will provide participants an overview of the key new features and enhancements, implementation considerations, and high-level configuration information.

You will learn:
An overview of the key new features and enhancements, implementation considerations, and high-level configuration information, including RRM enhancements, Alloy QoS, FlexConnect enhancements, Wi-Fi Direct, WebAuth scalability enhancements, MSE Virtual Appliance and High Availability, and 802.11u Hotspot and MSAP.

The primary intended audience is customers considering upgrading their network to WLC 7.2/NCS 1.1, and the technical staff responsible for implementing this latest WLAN code.

Title: End-of-Sale and End-of-Life Announcement for the Cisco 2100 Series Wireless LAN Controllers
Url: http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps7206/ps7221/end_of_life_notice_c51-691053.html
Description: Cisco announces the end-of-sale and end-of-life dates for the Cisco 2100 Series Wireless LAN Controllers. The last day to order the affected product(s) is May 2, 2012. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.
Date: 2012-03-14 11:40:00.0

I was helping another engineer troubleshoot a Cisco access point join problem. To my surprise I discovered the VCI was “Cisco AP c3500-ServiceProvider”

I can appreciate when I end a day with a quick reflection, did I learn anything new today?

Yesterday was one of those days! I was assisting an engineer with an access point join problem. Of course, I took this opportunity to explain the access point join process and what to look for and how to troubleshoot.

We use DHCP option 43 as our means of joining Cisco access points to our network. After peeking at the DHCP configuration, more specifically the option 43 and VCI string, everything looked good. Other 3500s were joining fine, just these handful of access points were not joining.

I do the typical console into the AP. I see nothing of interest. The access point is not getting the controller IP from DHCP. So we span the switch port of the access point to sniff the access point traffic. I am curious as to what the access point is sending in the DHCP request packet.

To my surprise, the VCI 60 is showing “Cisco AP c3500-ServiceProvider”. Oh, there is my problem! Mistakenly a number of “ServiceProvider” access points were mixed in our access point shipment.

If you have access points not joining, just something to add to your troubleshooting check list!

Cisco announced multiple WLC vulnerabilities this week.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc

Cisco Wireless LAN Controllers HTTP Denial of Service Vulnerability

The Cisco Wireless LAN Controller (WLC) product family is affected by a denial of service (DoS) vulnerability that could allow an unauthenticated, remote attacker to cause the device to crash by submitting a malformed URL to the administrative management interface.

This vulnerability is documented in Cisco bug ID CSCts81997 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0368.

Cisco Wireless LAN Controllers IPv6 Denial of Service Vulnerability

The Cisco Wireless LAN Controller (WLC) product family is affected by a denial of service (DoS) vulnerability where an unauthenticated attacker could cause a device reload by sending a series of IPv6 packets.

This vulnerability is documented in Cisco bug ID CSCtt07949 (registered customers only) and has been assigned CVE ID CVE-2012-0369.

Cisco Wireless LAN Controllers WebAuth Denial of Service Vulnerability

The Cisco Wireless LAN Controller (WLC) product family is affected by a denial of service (DoS) vulnerability where an unauthenticated attacker could cause a device reload by sending a series of HTTP or HTTPS packets to an affected controller configured for WebAuth.

This vulnerability can be exploited from both wired and wireless segments. A TCP three-way handshake is needed in order to exploit this vulnerability.

This vulnerability is documented in Cisco bug ID CSCtt47435 (registered customers only)and has been assigned CVE ID CVE-2012-0370.

Cisco Wireless LAN Controllers Unauthorized Access Vulnerability

The Cisco Wireless LAN Controller (WLC) product family is affected by an unauthorized access vulnerability where an unauthenticated attacker could view and modify the configuration of an affected Cisco WLC.

This vulnerability exists if CPU based access control lists (ACLs) are configured in the wireless controller. An attacker can exploit this vulnerability by connecting to the controller over TCP port 1023. Only the Cisco 4400 Series WLCs, WiSM version 1, and Cisco Catalyst 3750G Integrated WLCs are affected by this vulnerability.

This vulnerability is documented in Cisco bug ID CSCtu56709 (registered customers only) and has been assigned CVE ID CVE-2012-0371.

Cisco CCNP Wireless Exam Path. Last day to test on v1 is May 11, 2012.

Since the very beginning the AP manager on a Cisco WLC would never respond to pings. Well that has all changed if you use LAG and a AP manager with 7.x code!

I like how Cisco hides little nuggets in their documentation. It states, in LAG mode, the management and AP manager uses the same base LAG MAC address.

Note With the 7.0 release onwards, the MAC address of the management interface and the AP-manager interface is the same as the base LAG MAC address.

LAB

A show ARP on the distribution switch you can see the MAC is identical for both the manager and AP manager.

NOTE --

This was tested on 4402,4404 and 5508 model controllers.

AP manager(s) aren't needed with a 5508.

This only applies to a WLC in LAG mode w/ AP Manager

Additional Reading Material:

http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html#wp1117168

Note the WPS vulnerability is with home and soho devices and not with Cisco enterprise gear. Note the models below:

Cisco Response

On December 27th, 2011 US-CERT released VU#723755 available here: http://www.kb.cert.org/vuls/id/723755

The US-CERT Vulnerability Note describes a vulnerability that exists in the Wi-Fi Alliance Wi-Fi Protected Setup (WPS) protocol, also known as Wi-Fi Simple Config, when devices are operating in PIN External Registrar (PIN-ER) mode.  Devices operating in PIN-ER mode allow a WPS capable client to supply only the correct WPS PIN to configure their client on a properly secured network.  A weakness in the protocol affects all devices that operate in the PIN-ER mode, and may allow an unauthenticated, remote attacker to brute force the WPS configuration PIN in a short amount of time.

The vulnerability is due to a flaw that allows an attacker to determine when the first 4-digits of the eight-digit PIN are known.  This effectively reduces the PIN space from 10⁷ or 10,000,000 possible values to 10⁴ + 10³ which is 11,000 possible values. The eighth digit of the PIN is utilized as a checksum of the first 7 digits and does not contribute to the available PIN space. Because the PIN space has been significantly reduced, an attacker could brute force the WPS pin in as little as a few hours.

While the affected devices listed below implement the WPS 1.0 standard which requires that a 60-second lockout be implemented after three unsuccessful attempts to authenticate to the device, this does not substantially mitigate this issue as it only increases the time to exploit the protocol weakness from a few hours to at most several days.  It is our recommendation to disable the WPS feature to prevent exploitation of this vulnerability.

Vulnerable Products:

Note: The Cisco Valet product line is maintained by the Cisco Linksys Business Unit. Information concerning the Cisco Valet line as well as information on Linksys by Cisco products will be forthcoming.

Products Confirmed Not Vulnerable:

Additional Information

Workarounds:

Disable the Wi-Fi Protected Setup feature on devices that allow the feature to be disabled, as listed in the Vulnerable Products table.  Cisco Systems has verified that the products that support disabling the WPS feature do indeed disable it and are not vulnerable once the feature has been disabled from the management interface.

Fixed Software:

Note: The Cisco Valet product line is maintained by the Cisco Linksys Business Unit. Information concerning the Cisco Valet line as well as information on Linksys by Cisco products will be forthcoming.

Exploitation and Public Announcements:

Exploit code and functional attack tools that exploit the weakness within the WPS protocol have been released.

This vulnerability was discovered by Stefan Viehböck and Craig Heffner.

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Revision History

Did you know ? If you purchased a Cisco 5508 WLC with a 12 access point license you just limited yourself to 487 access points?

The Cisco 5508 is licensed based which means you can add access point licenses as your wireless grows. The Cisco 5508 allows a maximum of 500 access points. This is a new model for Cisco Wireless Lan Controllers. The now legacy 2000,2100,4400 and WISM1 were licensed by the hardware itself.

You can purchase Cisco 5508 WLC with a 12,25,50,100,250 or 500 access point capacity. Or you can purchase what Cisco calls adder licenses in the quantities of 25,50,100, and 250 access points after the fact.

The license limitation becomes an issue with your initial purchase of a 5508 with a 12 access point license.

Since Cisco only resells 25,50,100 and 250 access point licenses the MAX you will ever get on your WLC is 487 access points.

Note: A 5500 Series WLC with a base license of 12 can only support up to 487 total APs because only 25, 50, 100, and 250 adder licenses are supported.

 Read:

Understanding Cisco 5508 Wireless LAN Controller Licensing

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b78104.shtml

p.s. Thanks Patton for the link!

Special Guest Post By: Steven Rodriguez
Since Cisco is locking down software downloads, you may have a need to pull code off your existing access points. Here is a quick recap showing how to process the code with the archive command!

Ever lost the code you were running on an AP?  Then need to load that code to another?  What if that codes not available for download from CCO anymore?  Well, there's a pretty easy process to get through to get the image from an AP, and onto your TFTP server.

In this example, I am using a 1131, running 12.4(21a)JY

The first thing you need, is a TFTP server.  There are plenty of free ones out there.  I tested this with TFTPd32 on a PC, and with TFTPServer on a Mac(10.6).

So on the PC, it's pretty easy.  Configure your TFTP Server

Once you've stopped then started the server, you simply need to issue the command

archive upload-sw tftp://192.168.15.11/c1130-k9w7-mx.124-21a.JY.tar

As this command is running, it extracts the current running IOS, including the HTML files, and tar them as it's sending to the TFTP server.  <Term mon if you want to watch the process run.>


On the Mac, I found it to be a little bit different.  With my Mac, even though I did a chmod 777 on my tftp directory, I had to do the following before I attempted to upload the software.

Once the file is 'created' in my target directory it becomes the same as the PC version.

archive upload-sw tftp://192.168.15.6/c1130-k9w7-mx.124-21a.JY.tar


Now, if you have multiple versions of code that have been extracted to your AP, there is a switch that can be used, /version

archive upload-sw /version c1130-k9w7-mx.124-21a.JY tftp://192.168.15.6/c1130-k9w7-mx.124-21a.JY.tar
                                                 ^this would be the version you wanted to upload.

A more recent bug found on 1.4(1) 792x handset code. Something to take note if you're on this code and using voice on 802.11a

CSCtk58591 Bug Details

792x phone may not reconnect when invalid 5 GHz beacon received
Symptom: 792x phone may not reconnect when invalid 5 GHz beacon received. Conditions: 792x phone going out of range then comes back in range when set to scan 5 GHz. Workaround: Power cycle the phone. Use 802.11b/g only mode.	Status Open Severity 3 - moderate Last Modified In Last 3 Days Product Cisco Unified IP Phone 7900 Series Technology Wireless, Mobile 1st Found-In 1.4(1)
Interpreting This Bug Bug Toolkit provides access to the latest raw bug data so you have the earliest possible knowledge of bugs that may affect your network, avoiding un-necessary downtime or inconvenience. Because you are viewing a live database, sometimes the information provided is not yet complete or adequately documented. To help you interpret this bug data, we suggest the following: This bug has a Moderate severity 3 designation. Things fail under unusual circumstances, or minor features do not work at all, or things fail but there is a low-impact workaround. This is the highest level for documentation bugs. (Bug Toolkit may not provide access to all documentation bugs.) Severity levels are designated by the engineering teams working on the bug. Severity is not an indication of customer priority which is another value used by engineering teams to determine overall customer impact. Bug documentation often assumes intermediate to advanced troubleshooting and diagnosis knowledge. Novice users are encouraged to seek fully documented support documents and/or utilize other support options available.

Salil Prabhu from Cisco TAC did a great post on how to recover WEP, ADMIN and Guest account passwords. Note this will not yield the PSK key. As you can not pull the PSK from a WLC.

Procedure to Recover WEP,Admin,Guest account Password from WLC

Step 1 :

1. (Cisco Controller) >show switchconfig

802.3x Flow Control Mode......................... Disable
FIPS prerequisite features....................... Disabled
secret obfuscation............................... Enabled

(Cisco Controller) >config switchconfig secret-obfuscation disabled

Secret (de-)obfuscation may take a few minutes.

Please wait...  Done!

(Cisco Controller) >config passwd-cleartext enable

The way you see your passwds will be changed

You are being warned.

Enter admin password: ***********

Enabling cleartext viewing of passwords

Step 2:

2. Download config from the WLC. Commands --> Upload configuration from
WLC to tftp server.

Step 3:
3. Open the file in notepad :

WEP :

config wlan security static-wep-key encryption 4 40 hex encrypt 0 0 0 128 313233343500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  1

40 = 40 bit key

ADMIN :

config mgmtuser add encrypt admin1 0 0 0 8 436973636f31323300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 read-write

Guest-Account :

config netuser add encrypt username guest-1 password 0 0 0 7 67756573742d310000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  wlan 0 usertype guest lifetime 86400

Step 4:

4. Use this tool to convert to Ascii : ( Use red colour digits ..)

http://www.dolcevie.com/js/converter.html

WEP : Key size = 40bit.
HEX :3132333435 
Ascii : 12345 ( using the tool ) 


ADMIN : Username : admin1 
HEX : 436973636f313233 
Ascii : Cisco123 

Guest-Account: Username: guest-1 
HEX: 67756573742d31  
Ascii : guest-1 

From Aaron Leonard - Cisco

All Cisco Aironet wireless access points and bridges currently being shipped run IOS.  The only exception is the OEAP602.  (Some older Cisco access points did not run IOS, such as the Aironet 340 which ran only VxWorks, and the 1000 series lightweight APs.)

Access Point IOS is distributed as a tar file.  These tar files can be downloaded from cisco.com SDS; lightweight IOS images (k9w8) are also bundled in the WLC software images (.aes.)

The IOS image names include the following components:

platform-featureset-tar.version.tar

• platform- the access point hardware model or family supported by the image       
  • examples: c1250; ap3g1 - 3500/1260; ap801- AP embedded in 881W; c1520 - 1520/1550
• featureset- the set of software features supported by the image - one of:      
  • k9w7 - autonomous IOS
  • k9w8 - full lightweight IOS (this is what is bundled in the WLC .aes image, and is factory installed on "mesh" APs)
  • rcvk9w8 - lightweight recovery image - this is factory installed on lightweight APs, unless a "mesh" image is specified; it lacks radio firmware
• version- the IOS version       
  • There is a 1:1 mapping between the lightweight IOS software version (such as 12.4(23c)JA) and the CUWN version (such as 7.0.98.0)  
    • see the Wireless Solutions Software Compatibility Matrix on CCO

Example: c1240-k9w7-tar.124-25d.JA1.tar

• Platform: c1240: 1240 series AP
• Featureset: k9w7: autonomous IOS
• Version: 124-25d.JA1: 12.4(25d)JA1
  

As AP IOS is always distributed as a tar file, the AP cannot directly execute such a file (thus, if you were to copy c1240-k9w7-tar.124-25d.JA1.tar directly onto AP flash, and then try to boot it, this could not work.)  The tar file contains, in addition to the IOS image proper, the radio firmware files, the HTML GUI files (if present), and various other files.  The AP IOS tar file must be unbundled into AP flash using the archive exec command (this is done in an automated fashion when a lightweight AP is upgraded after joining a WLC.)  After unbundling, the IOS image itself be in a file called flash:/platform-featureset-mx.version/platform-featureset-mx.version - for example, flash:/c1240-k9w7-mx.124-25d.JA1/c1240-k9w7-mx.124-25d.JA1.  The AP is configured to boot this image if the bootloader BOOT environmental variable is set accordingly.

From Tac:

Cisco TAC does not support running autonomous IOS (aIOS) on the 3500 or 3600 Series Access Points.  These access points are  supported only when running in lightweight mode (Cisco Unified Wireless Network.)

The 12.4(25d)JA1 aIOS image for the 1260 series access point (ap3g1-k9w7) will load on a 3500 series AP, and may be used on an "as-is" basis.  Cisco will provide no support for this use case, and will not warrant that future 1260 aIOS images will continue to load on 3500 series APs.

The 1260 series AP aIOS images will not load on a 3600 series AP, which requires an ap3g2 image.  There are no aIOS images available for the 3600 series.