  • CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
    by David D. Coleman, David A. Westcott, Bryan E. Harkins, Shawn M. Jackman

    Shawn Jackman (Jack) CWNE#54 is a personal friend and has been a mentor to me for many years.  I've had the pleasure and opportunity to work with Jack for 4 years. Jack is a great teacher who takes complex 802.11 standards and breaks them down so almost anyone can understand the concept at hand. I'm excited for you brother. Great job and job well done! Put another notch in the belt!

WiFi Security Paint !?!? Are you kidding me ! LOL

Have you heard about the "WiFi Security Paint Protocol"? No, no, it's not a new EAP type or a new type of encryption.  You won’t find this security posture in any of the IOS or LWAPP commands. Researchers at the University of Tokyo have blended paint with aluminum iron oxide. This paint mix has been found to resonate at the same frequencies used by Wi-Fi, thus canceling out any electromagnetic waves in that frequency.  I don’t know how practical this is for the masses, because you won’t be painting your windows and floors (not likely anyway). But it would be interesting to lab it to see the actual attenuation. I suppose 5 coats are in order for my home office! If anyone knows where I can purchase it, I will test it!



Oct 12, 2009 - on iTunes Podcast

I received a number of requests about adding the tutorials to iTunes Podcast. So here it is ... Enjoy!  I will be ramping up on the tutorials in coming weeks. We will be deep diving on 802.11 fundamentals.... If you are on iTunes search "my80211".



Field Notice: FN - 63258 - WLC 44xx Potential Power Failure

Description: Cisco has observed that certain identified serial numbers of WLC 4400 series controllers may fail to boot on a subsequent power cycle. Few 4400 series controllers that are built between November 2008 and March 2009 have experienced lower test during power cycles due to a bad part.
Date: 2009-10-06 10:00:00.0



My article about hacking a Cisco WLC / Rogue WCS Attack “All your base are belong to us” published by Author Brandon Carroll on Cisco Unwired - 

My article about hacking a Cisco WLAN with a Rogue WCS/RRM packet exploit was published by and on Author and CCIE Brandon Carroll’s blog @


Read about it here:


Cisco WLC / Rogue WCS Attack “All your base are belong to us”

Geo - “I blogged on my site about the unencrypted RRM packet just a few weeks ago. The RRM packet got little attention, but I saw this as a much bigger issue. I saw this as more than just an IP address in the clear but rather a gold mine of information, but just how could it be exploited?”


In this tutorial I will share with you an attack using the recently identified and less talked about security vulnerability with the Cisco RRM packet in conjunction with SNMP. I would like to emphasize: this video is to educate network engineers, system administrators and security professionals about the potential risk of an enterprise-wide attack on your Cisco Unified Wireless Network if Cisco best practices are not followed.

The foundation of this attack is the less talked about RRM vulnerability and the widely known SNMP vulnerabilities. There isn’t anything new here that isn’t already known about these vulnerabilities, but what I will share is the concept of an attack and the real-world potential it may have in your enterprise, especially if you use default strings or, more importantly, if an attacker knows your strings on the WLC. The concept of the attack is simple: sniff the RRM packet, discover the WLC, and then join the WLC to the rogue WCS server. At that point your wireless network is at the complete mercy of the hacker. The hacker could create a “rogue” SSID for a later outside attack over wireless, launch a complete DoS attack on your wireless network enterprise-wide, or delete admin accounts on the controllers to prevent you from logging in to the controllers while an attack is underway.
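A defensive check for the weakness this attack depends on, as an added example that is not part of the original article: it audits a controller's SNMP community table for the default strings (`public`/`private`) and for communities that are not restricted to a single management host. The sample table is constructed, and its column layout is an assumption modelled on the WLC CLI's `show snmpcommunity` output.

```python
import ipaddress
import re

# Constructed sample; the column layout is an assumption modelled on the WLC
# CLI's "show snmpcommunity" table. Adjust ROW if your output differs.
SAMPLE = """\
SNMP Community Name  Client IP Address  Client IP Mask   Access Mode  Status
-------------------  -----------------  ---------------  -----------  -------
public               0.0.0.0            0.0.0.0          Read Only    Enable
private              0.0.0.0            0.0.0.0          Read/Write   Enable
nms-rw               10.20.0.0          255.255.0.0      Read/Write   Enable
wcs-rw-7Hq2          10.20.30.40        255.255.255.255  Read/Write   Enable
old-monitor          0.0.0.0            0.0.0.0          Read Only    Disable
"""

DEFAULT_NAMES = {"public", "private"}  # factory-default community strings

ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\d+(?:\.\d+){3})\s+(?P<mask>\d+(?:\.\d+){3})\s+"
    r"(?P<mode>Read Only|Read/Write)\s+(?P<status>Enable|Disable)\s*$"
)


def parse_communities(text):
    """Return one dict per community row; header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        # An all-zero mask parses as /0 (any source), all-ones as /32 (one host).
        net = ipaddress.ip_network(f"{m['ip']}/{m['mask']}", strict=False)
        rows.append({
            "name": m["name"],
            "prefixlen": net.prefixlen,
            "read_write": m["mode"] == "Read/Write",
            "enabled": m["status"] == "Enable",
        })
    return rows


def audit(rows):
    """Return (name, severity, issues) for every enabled community with a finding."""
    findings = []
    for r in rows:
        if not r["enabled"]:
            continue
        issues = []
        if r["name"].lower() in DEFAULT_NAMES:
            issues.append("default-name")
        if r["prefixlen"] == 0:
            issues.append("any-source")
        elif r["read_write"] and r["prefixlen"] < 32:
            issues.append("rw-not-host-pinned")
        if issues:
            severity = "high" if r["read_write"] else "medium"
            findings.append((r["name"], severity, issues))
    return findings


if __name__ == "__main__":
    for name, severity, issues in audit(parse_communities(SAMPLE)):
        print(f"{severity:6} {name:12} {', '.join(issues)}")
```

A read/write community pinned to one management host, like the constructed `wcs-rw-7Hq2` row, produces no finding; disabled rows are skipped.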


Sep 27, 2009 - OTAP Article picked up at

picked up my article "There is more to the recent Cisco Wireless OTAP issue that isn’t being widely reported." about the controller information being sent in the clear when OTAP is disabled.

Read more about it here:



SouthWest goes WiFi!

Geo "I was on the road for the last 6 years and recently settled into a cube position and NOW SouthWest goes WiFi! I love their comment about price points. Makes me wonder if they will charge by data use or speed. For all you hackers out there.... Rogue AP works great in airports and even better on planes. On a flight not long ago I exchanged files in Adhoc @ 30,000 feet"

From South West:

As you know, we’ve been testing Wi-Fi on four aircraft since March.  I’m happy to announce we have concluded our testing for inflight Wi-Fi and we are very happy with both the technical performance of the system and the response of Customers who have used it. We are pleased to be continuing with our plans to offer satellite-enabled broadband access through California-based Row 44.

This fall we will be moving to the next step of certifying Southwest’s full fleet with plans to begin fleetwide rollout of the Row 44 satellite service in the first quarter of 2010.  Southwest is ready to have this service up and running as soon as possible and we are excited about these next steps.
Over the testing phase Customers have been utilizing the service for anything from e-mail to streaming video.  Those interested in using the service during the test period have had the opportunity to log on to the service via their own personal Wi-Fi enabled device (laptops, iPhones, Wi-Fi enabled smart phones, etc).  Additionally, Southwest has been testing a variety of price points for the service and will continue testing price points through the end of 2009.

The technology works, the product is great, and we look forward to offering more Customers Wi-Fi service in 2010.

Leeched from


Disable your Wireless NIC when plugged into a wired connection!?!?

I am often asked, "Is there a way to disable a wireless NIC when I connect my laptop to a wired connection?" The answer is, YES!  In fact it is advisable to only have one NIC on at a time. When both NICs ("Wired and Wireless") are enabled, PCs can become confused. In fact there is a "costing" that is supposed to happen when you have both NICs enabled, but this doesn’t always work well and most of the time doesn’t work at all!

There are security concerns as well. Suppose you are wired into a corporate network and you have your wireless NIC on. Now suppose someone has a rogue access point and your PC connects to it. Once you are connected to the rogue access point, the rogue AP can pass you a DHCP address and you will then have a layer 3 adjacency with the attacker. It is possible one could then exploit your laptop and breach over into the corporate network. I have never tested this, but perhaps in the near future I may give it a spin.

There are a number of options you have to accomplish this ... I will share with you 4 of them:

1) BIOS change

2) Intel Supplicant

3) Juniper Odyssey Supplicant

4) Cisco Cssc Supplicant

1) BIOS - Newer PCs come with BIOS options that allow you to modify how your wireless and wired NICs operate when both connections are present. For example, if you own an HP laptop and you drop into the BIOS you will see LAN/WLAN switching. When enabled, your wireless NIC will disable itself when plugged into a wired connection.

The downside to the BIOS option: suppose you have to roll out hundreds of PCs. Making BIOS changes isn’t as easy as just making a change to an image.

2) Intel Supplicant - Intel is everywhere and it's likely you have Intel wireless NICs in most of your PCs. Intel calls this functionality ADAPTER SWITCHING.

Click on your Intel wireless icon in your system tray--> Tools --> Admin Tools --> Application Settings --> Adapter Switching

3) Juniper Odyssey Supplicant - This supplicant is one that you have to pay for, but I am a big fan of the Juniper client. I've used it for years and it allows for easier administration of devices. Juniper calls this functionality WIRELESS SUPPRESSION.

Click on your Juniper wireless icon in your system tray--> Tools --> Options --> Wireless Suppression 

4) Cisco CSSC - If you use CSSC you will find the NIC option under Advance Settings.

From client mode--> Advance settings --> Simultaneous Connection portion of the Security Settings pane --> Only allow one connection at a time to restrict the Client to creating only a single connection (prevent multihomed configurations). Note: the preference of the media type is fixed for wired/Ethernet, when both types are available within a network.



Cisco: Wireless data use will double every year


George - I came across this from another blog and found it interesting... I agree, wireless data is expanding by leaps and bounds.

The worldwide demand for wireless data capacity is enormous and growing at an incredible rate. Between 2008 and 2013, Cisco says wireless data traffic will double every year, reaching more than 2 exabytes per month by 2013.

Mobile data traffic will grow from its current 1 petabyte per month to 1 exabyte per month in half the time it took fixed data traffic to do so, Cisco reported. The internet grew from 1 petabyte per month to 1 exabyte per month in 14 years.

Keeping up with this data traffic is enormously expensive for the network carriers like AT&T, Verizon Wireless and Sprint, which have invested billions of dollars upgrading their systems to 3G standards. The next leap to 4G will be even more expensive.

The reason for this huge surge in demand for data is super fast connections on smartphones like BlackBerry and iPhone, which have turned the consumer cell phone market into a competition for which carrier and device can offer more features.

A BlackBerry generates more data traffic per user than 30 feature cell phones, Cisco said. Imagine if 4 billion mobile phone users all had data demand as high as that and you can see why telecom expense management is a challenging proposition.


802.3at-2009 Power over Ethernet (PoE) Plus Standard Ratified


Geo – “Another ratified standard indirectly related to wireless this week. Those of us who have used the Cisco 1252 “brick” access points know these puppies require the additional power, also known as 802.3at, when running both radios.”

The IEEE recently ratified 802.3at, a new Power over Ethernet Plus standard. The IEEE 802.3at-2009 Power over Ethernet (PoE) Plus standard defines the technology for powering a wide range of powered devices at up to 25W over existing CAT5e and above cables.

Mike McCormack, Chair of the IEEE P802.3at Task Force said, "IEEE 802.3at uses the Link Layer Discovery Protocol (LLDP) from IEEE Std 802.1AB, which allows dynamic power allocation and negotiation down to 1/10th of a Watt, and associated technology including Type, Length, Values (TLVs) from IEEE 802.3bc, which was also recently approved. This will allow equipment manufacturers to manage their power supply costs and efficiencies at levels not possible with previous standards, and to cut their costs in the process."



International Hacker Pleads Guilty for Massive "Wireless" Hack of U.S. Retail Networks

Geo - "This hack rippled through the security community and the general public by and large. Reportedly over 40 million credit cards were exposed during this hack. This single event is the cause for the new PCI regulations and policies being implemented today. Those of us in wireless knew it was only a matter of time before a hack of this magnitude would occur. Just last week I noticed a very large retail chain still using WEP. Apparently they didn’t get the memo!" LOL

According to the indictments to which Gonzalez pleaded guilty, he and his co-conspirators broke into retail credit card payment systems through a series of sophisticated techniques, including "wardriving" and installation of sniffer programs to capture credit and debit card numbers used at these retail stores.  Wardriving involves driving around in a car with a laptop computer looking for accessible wireless computer networks of retailers. Using these techniques, Gonzalez and his co-conspirators were able to steal more than 40 million credit and debit card numbers from retailers.  Also according to the indictments, Gonzalez and his co-conspirators sold the numbers to others for their fraudulent use and engaged in ATM fraud by encoding the data on the magnetic stripes of blank cards and withdrawing tens of thousands of dollars at a time from ATMs.  According to the indictments, Gonzalez and his co-conspirators concealed and laundered their fraud proceeds by using anonymous Internet-based currencies both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe.

Based on the terms of the Boston plea agreement, Gonzalez faces a minimum of 15 years and a maximum of 25 years in prison.  Based on the New York plea agreement, Gonzalez faces up to 20 years in prison, which the parties have agreed should run concurrently.  He also faces a fine of up to twice the pecuniary gain, twice the victims' pecuniary loss or $250,000, whichever is greatest, per count for the Boston case and a maximum fine of $250,000 for the New York case.  Gonzalez also agreed to an order of restitution for the loss suffered by his victims, and forfeiture of more than $2.7 million as well as multiple items of real estate and personal property, including a condo in Miami, a 2006 BMW 330i, a Tiffany diamond ring and Rolex watches.  Included in the forfeited currency is more than $1 million in cash, which Gonzalez had buried in a container in his backyard.  Sentencing is scheduled for Dec. 8, 2009.

Thanks to Reuters


OTAP UPDATE 9.12.09: OTAP to be removed from future code releases and RRM packet encrypted!

OTAP UPDATE 9.12.09: This week Cisco released a plan to follow up with a patch update to 6.x, which REMOVES OTAP discovery method and encrypts the information element in the RRM discovery packet.

I like this move, and it is something I stated from the early release of this vulnerability. The RRM packet sending controller IP information in the clear to share RRM neighbor information is not necessary for access points that have already joined a controller. This information should be encrypted. This is comforting news for ANY enterprise or healthcare security team.

I am disappointed the release will be 6.x. Many users are on harbor code 4.2.x who won’t be able to take advantage of this patch. I suspect Cisco will release a 4.2 fix as well, we shall see!


802.11n WiFi Standard Finally Approved!

Has it been really 7 years!? There were early leaks posted on various sites that the IEEE was close to an approval. Sites are reporting a formal announcement from the IEEE next week. 802.11n will bring 160+ Mbps actual throughput to wireless users. This is 7x faster than the current 802.11a/g technology. I expect to see more enterprise customers taking full advantage of 802.11n in future deployments with this final approval.

Specific to Cisco 802.11n – Things to note:

1252 – Requires 802.3at power for dual radio operation and can operate in LWAPP and Autonomous modes.

1242 – Requires 802.3af power to operate and currently in LWAPP mode only. There is a prerequisite of 5.2 firmware or greater on the controller code. Cisco offers 802.11a/g/n and 802.11g/n radio options.

 802.11n - Did you know?

  • It has real world throughput that clocks in at 160 Mbps or faster—seven times faster than older 802.11g networks.

  • At 300 feet, 802.11g performance plummets to 1 Mbps. 802.11n networks operate at up to 70 Mbps—70 times faster than 802.11g.

  • The key to this speed is MIMO (multiple input/multiple output) which uses multiple antennas to send and receive digital data in multiple simultaneous radio streams, thus multiplying total performance.

  • The approved standard isn’t expected to cause any hardware changes for the larger manufacturers.

  • 802.11n is backward compatible with legacy 802.11a/b/g devices
  • 802.11n can live in the 5GHz and 2.4 GHz spectrums; ideally 5 GHz to allow for channel bonding

  • 802.11n can be deployed with 20 or 40 MHz OFDM channels

  • To take full advantage of  802.11n wireless speeds, you need to have gig to the access point!


There is more to the recent Cisco Wireless OTAP issue that isn’t being widely reported.

In the last week you heard about the OTAP issue. OTAP stands for Over The Air Provisioning. It is a means whereby a Cisco access point can find a Cisco controller to initiate a join process.

OTAP, when enabled, by design sends the controller MAC and IP information in the clear every 60 seconds in the multicast RRM packet. This helps access points join the network.

Cisco recommends you disable OTAP during normal production. OTAP should only be deployed during the deployment phase of a wireless network.

What isn’t being reported: when OTAP is disabled, the RRM packets still include the controller MAC and IP address!

 Enjoy the video



WLC Safe Harbor Code, what is it?? What does it mean to you ?

In your travels you may hear the term safe harbor code, or Cisco’s validated code. So you probably wonder what it is and what does it mean to you.

Cisco has identified 3 WLAN controller code releases and has elevated their status designated by Cisco. The code versions are 4.2.176, 4.2.205 and 4.2.207. Cisco has defined three programs; AssureWave, Cisco Validated Design and Safe Harbor. These three programs are a collaborative effort of sorts.



8/5/2009 11:30 am (PST) - Free Guide to CCNA Wireless Certification w/ Brandon Carroll

If you are studying for your Cisco Wireless Certification, specifically the CCNA Wireless, you don't want to miss this 30 minute web-x by Brandon Carroll, author of Cisco Press CCNA Wireless Certification Guide!

Topic:   Guide to CCNA Wireless Certification
Session dates:   Wednesday, August 5, 2009
Starting time:   11:30 am, Pacific Daylight Time (San Francisco, GMT-07:00)
Duration:   30 minutes
Presenters:   Ascolta 2

This webinar provides information on other resources recommended for CCNA Wireless study as well as a look at what one can expect if taking a self-study path, a self-study path with some practice using production equipment, or an instructor-led course with dedicated lab equipment.

Who Should Attend: Those beginning the CCNA Wireless or considering the CCNA Wireless Certification track would benefit from attending as well as those that want a look at the technical content in the IUWNE v1.0 course.



Use your IPOD Touch or IPhone as a flashcard deck! (Study, Study, Study)

I can’t tell you how much time I devote to study. The hours are countless and the nights are long. If you are in the technology field you know my pain. I needed to find a way to maximize my study efforts, take advantage of downtime and more importantly repetition of the details so that I would have them ingrained into my brain.

I was recently introduced to Mental Case. No, no, it’s not your girlfriend's ex-husband or some stalker girl you dated, it’s a software program that runs on your IPOD Touch or IPhone.

Mental Case allows you to download customizable flash decks from Flash Card Exchange. There are thousands of slide decks currently being shared on Flash Card Exchange. What is really cool, for a small fee you can create your own Flash Decks which you can download to your POD. You can also share your deck with the world if you like.

Currently, there is a pretty wide selection of Cisco and some CWNP decks available. But again, create your own decks and study exactly what you need to! I would also warn you, if you choose to use someone else’s flash deck make sure their answers are correct! LOL




7/27/09 - Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers


Multiple vulnerabilities exist in the Cisco Wireless LAN Controller (WLC) platforms. This security advisory outlines the details of the following vulnerabilities:

  • Malformed HTTP or HTTPS authentication response denial of service vulnerability
  • SSH connections denial of service vulnerability
  • Crafted HTTP or HTTPS request denial of service vulnerability
  • Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability




Do you have smartnet on your Cisco LWAPP/CAPWAP access points? Save yourself the dough. You can save THOUSANDS. You do the math!



You have wireless client issues? What is your Wireless NIC system event log telling you?

 I have an interesting nugget this week on the NIC system events. I was surprised to find this a few years ago and I’ve used it as another tool to troubleshoot wireless client problems.

Did you know when you associate to an access point your wireless NIC reports to the OS a 4201 code? Or, when your wireless NIC loses connectivity it reports a 4202 code?
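One way to put these two codes to work when troubleshooting, as an added example that is not from the original post: it pairs 4201/4202 events into connection sessions and flags bursts of disconnects. The CSV export layout, the sample rows and the 5-minute / 3-drop threshold are assumptions.

```python
from datetime import datetime, timedelta

CONNECT, DISCONNECT = 4201, 4202  # event codes named in the post

# Constructed sample: "timestamp,event id" rows for one wireless adapter.
# The CSV layout is an assumption about how the events were exported.
SAMPLE = """\
2009-07-20 08:01:10,4201
2009-07-20 08:45:02,4202
2009-07-20 08:45:09,4201
2009-07-20 08:46:30,4202
2009-07-20 08:46:41,4201
2009-07-20 08:47:55,4202
2009-07-20 08:48:03,4201
2009-07-20 12:30:00,4202
2009-07-20 13:05:44,4201
"""


def parse_events(text):
    """Return time-ordered (datetime, code) pairs, ignoring other event ids."""
    events = []
    for line in text.splitlines():
        stamp, _, code = line.strip().partition(",")
        if code.strip().isdigit() and int(code) in (CONNECT, DISCONNECT):
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            events.append((when, int(code)))
    return sorted(events)


def sessions(events):
    """Pair each 4201 with the next 4202; end is None if no 4202 was logged."""
    out, start = [], None
    for when, code in events:
        if code == CONNECT:
            if start is not None:      # previous session has no 4202 in the log
                out.append((start, None))
            start = when
        elif start is not None:
            out.append((start, when))
            start = None
    if start is not None:              # still connected at end of the export
        out.append((start, None))
    return out


def flap_windows(events, window=timedelta(minutes=5), threshold=3):
    """Return (first_drop, count) for each burst of >= threshold drops in window."""
    drops = [when for when, code in events if code == DISCONNECT]
    bursts, i = [], 0
    while i < len(drops):
        j = i
        while j < len(drops) and drops[j] - drops[i] < window:
            j += 1
        if j - i >= threshold:
            bursts.append((drops[i], j - i))
            i = j                      # continue after this burst
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    ev = parse_events(SAMPLE)
    print(len(sessions(ev)), "sessions;", flap_windows(ev))
```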