CWSP RELEASE DATE 2/08/2010

CWSP Certified Wireless Security Professional Official Study Guide: Exam PW0-204
by David D. Coleman, David A. Westcott, Bryan E. Harkins, Shawn M. Jackman

Shawn Jackman (Jack) CWNE#54 is a personal friend and has been a mentor to me for many years. I've had the pleasure and opportunity to work with Jack for 4 years. Jack is a great teacher who takes complex 802.11 standards and breaks them down so almost anyone can understand the concept at hand. I'm excited for you brother. Great job and job well done! Put another notch in the belt!

Interference Types

BLUETOOTH
 

Microwave Oven
 

Cordless Phone

JAMMER!
 

  

Thursday, August 23, 2012

Converting a LDPE controller image to non LDPE

From Cisco's Kangupta

Many times we see instances where the RMA controller is shipped with an LDPE image.

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.116.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS + LDPE

 

An upgrade to non-LDPE code fails with this error:

"ERROR: Incompatible SW image.
 ERROR: Please install the Data Payload Encryption licensed image"

The LDPE image is used for Customers who are not legally allowed to use DTLS Data encryption within their regulatory domain (Russia-specific).

 

Conversion from LDPE to a non-LDPE image

1)      Upgrade the WLC to the 7.0.230.0 LDPE image, e.g. AIR-CT5500-LDPE-K9-7-0-230-0.aes for a 5508.

2)      Download and install a free DTLS license from Cisco.com (if one is not already installed):

 

To Obtain a Data DTLS License:

 

Step 1 Browse to http://cisco.com/go/license

Step 2 Under Get New, choose IPS, Crypto, Other Licenses

Step 3 Choose the controller platform, enter the product ID and serial number.

Step 4 Complete the remaining steps to generate the license file.  The license will be provided online or via email.

Step 5 Copy the license file to your TFTP server.

Step 6 Install the license by browsing to the WLC Web Administration Page:

Management --> Software Activation --> Commands -->Action: Install License

 

3)      Once the DTLS license is installed, you will be able to upgrade/downgrade to any WLC code (including Non-LDPE).

(Cisco Controller) >show license summary

License Store: Primary License Storage
StoreIndex:  0  Feature: base                              Version: 1.0
        License Type: Permanent
        License State: Active, Not in Use
        License Count: Non-Counted
        License Priority: Medium
License Store: Primary License Storage
StoreIndex:  1  Feature: base-ap-count                     Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: 500 /1 (Active/In-use)
        License Priority: Medium
License Store: Primary License Storage
StoreIndex:  2  Feature: data_encryption                   Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium

 

If the controller is on 7.0.116.0 LDPE code, you install the DTLS license and then try to migrate to the non-LDPE version of 7.0.116.0, it fails with the following error:

 

*Transfer: Mar 28 11:32:56.609: RESULT_STRING: Transfer failure :

Upgrade from LDPE to non LDPE software is not allowed.

 

So, you will need to get onto the 7.0.230.0 LDPE image (e.g. AIR-CT5500-LDPE-K9-7-0-230-0.aes for a 5508) first before you can move to non-LDPE code.

 

This capability was introduced via CSCtw78061, meaning that after installing the DTLS license you can download a normal image from LDPE code just fine.

Symptom: No upgrade/downgrade is allowed from an LDPE image to a non-LDPE image.

Conditions: transfer download of a non-LDPE image from an LDPE image.

Workaround: if there is a DTLS license installed and active, then upgrade/downgrade to a non-LDPE image from an LDPE image is allowed.

 

This is addressed in 7.0.230.0 and 7.2.104.24.
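The three conditions above (LDPE build, active data_encryption license, a release carrying CSCtw78061) make a handy preflight check before you kick off a transfer download. The script below is an added example, not part of Kangupta's write-up and not a Cisco tool: it parses show sysinfo and show license summary text as pasted from the CLI and says whether a non-LDPE image will be accepted, or which step is still missing. The sample strings are constructed from the output quoted above; the only releases it treats as fixed are the two named in the write-up, and any other train is reported as unknown rather than guessed.

```python
import re

# Constructed sample CLI output for this example. The show sysinfo text mirrors
# the 7.0.116.0 output quoted above; the license summary is trimmed to the
# fields the check needs.
SYSINFO_7_0_116_LDPE = """\
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.116.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS + LDPE
"""

LICENSES_WITH_DTLS = """\
StoreIndex:  0  Feature: base                              Version: 1.0
        License Type: Permanent
        License State: Active, Not in Use
StoreIndex:  1  Feature: base-ap-count                     Version: 1.0
        License Type: Permanent
        License State: Active, In Use
StoreIndex:  2  Feature: data_encryption                   Version: 1.0
        License Type: Permanent
        License State: Active, In Use
"""

# Releases the write-up names as carrying the CSCtw78061 fix, keyed by train.
FIXED_IN = {(7, 0): (7, 0, 230, 0), (7, 2): (7, 2, 104, 24)}


def parse_version(text):
    """'7.0.116.0' -> (7, 0, 116, 0) so releases compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_sysinfo(text):
    """Turn 'Key........ value' lines from show sysinfo into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\.{3,}\s*(.*)$", line)
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
    return info


def parse_license_summary(text):
    """Map each licensed feature in show license summary to its License State."""
    pattern = re.compile(r"Feature:\s*(\S+).*?License State:\s*([^\n]+)", re.S)
    return {feat: state.strip() for feat, state in pattern.findall(text)}


def has_ldpe_fix(version):
    """True/False when the train is one the write-up names; None for any other train."""
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


def non_ldpe_upgrade_allowed(sysinfo_text, license_text):
    """Return (allowed, reason) for a transfer download of a non-LDPE image."""
    info = parse_sysinfo(sysinfo_text)
    if "LDPE" not in info.get("Build Type", ""):
        return True, "running image is not LDPE; no restriction applies"
    state = parse_license_summary(license_text).get("data_encryption", "")
    if not state.startswith("Active"):
        return False, "install and activate the Data DTLS (data_encryption) license first"
    verdict = has_ldpe_fix(parse_version(info["Product Version"]))
    if verdict is True:
        return True, "LDPE build with an active DTLS license on a release carrying CSCtw78061"
    if verdict is False:
        return False, "upgrade to the 7.0.230.0 LDPE image first; this release rejects the transfer even with the license"
    return False, "train not covered by the write-up; confirm the CSCtw78061 fix before trying"
```

Paste the two outputs into the strings and call non_ldpe_upgrade_allowed(). For the 7.0.116.0 LDPE controller above it returns False with the instruction to get onto 7.0.230.0 LDPE first, even with data_encryption active, which is exactly the "Upgrade from LDPE to non LDPE software is not allowed" case.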

Thursday, August 16, 2012

Cisco Wireless Phone Deployment Guide Update 1.4(2) - 8/14/2012

UPDATED Cisco Wireless Handset Deployment Guide

 

7921G Deployment Guide – 1.4(2) Update

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/deployment/guide/7921dply.pdf


7925G, 7925G-EX, and 7926G Deployment Guide – 1.4(2) Update


http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf


Monday, July 23, 2012

Web auth (redirect) doesn't work when client uses a https url: CSCar04580 Bug

Issues with your Cisco Wireless Guest Network not doing a web redirect ?

This is very good to know, in case you get calls that your wireless guest network is broken. The WLC will not redirect HTTPS URLs.

Assume for a moment your guest has a browser home page that is https:// (port 443), or he/she attempts to open an https:// page prior to the AUP. The user is expecting to get redirected, but nothing happens.

The guest will sit and spin, giving the impression the guest network is not working properly, but in fact the WLC is not redirecting HTTPS traffic to the AUP, only HTTP traffic.

 

CSCar04580 Bug Details

web auth (redirect) doesn't work when client uses an https url
Symptom:

A client whose home page is an HTTPS (HTTP over SSL, port 443) one will never
be redirected by Web Auth to the web authentication dialog. Therefore, such
a client will not know to authenticate, and will fail to connect to the
network.

Workaround:

The client should attempt to open any HTTP (port 80) web page.




Status: Terminated
Severity: 2 - severe
Last Modified: In Last Year
Product: Cisco 5500 Series Wireless Controllers
1st Found-In: 3.2(78.0), 6.0(182.0), 7.0(98.0)

Related Bug Information: Webauth redirection doesn't happen with HTTPS URL
Symptom: Redirect of HTTPS traffic on webauth does not work in any version of code. The 'network web-auth-port #' command does nothing.
Workaround: The business unit considers this an enhancement.
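A quick way to show the help desk what "try an HTTP page" means: probe with plain HTTP and look for the redirect. The script below is an added example, not from the post or from Cisco; the probe URL and the body marker are placeholders you would point at a site you control. It sends one GET without following redirects and classifies the answer, and it refuses an https:// URL on purpose, because that is exactly the case the controller cannot redirect.

```python
import http.client
from urllib.parse import urlsplit

# Constructed probe target for this example (not from the post). Any plain-HTTP
# URL works; the point is that it is http://, so the WLC can intercept it.
PROBE_URL = "http://example.com/"
# Marker expected in the real site's body; anything else means something in
# the path (such as the WLC webauth redirect) answered instead of the site.
EXPECTED_MARKER = b"Example Domain"

REDIRECT_CODES = {301, 302, 303, 307, 308}


def classify_probe(status, headers, body=b""):
    """Classify a plain-HTTP probe response.

    Returns one of:
      ("captive", location)  - intercepted and redirected, e.g. to the WLC webauth page
      ("open", None)         - the real site answered
      ("unexpected", None)   - some other answer (error page, intermediary, ...)
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    location = lowered.get("location")
    if status in REDIRECT_CODES and location:
        return "captive", location
    if status == 200 and EXPECTED_MARKER in body:
        return "open", None
    return "unexpected", None


def probe(url=PROBE_URL, timeout=5.0):
    """Issue one GET without following redirects and classify the answer.

    Refuses https:// URLs: the controller only redirects port 80, so an HTTPS
    probe never sees the webauth redirect and tells you nothing.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("probe over plain HTTP only; the WLC does not redirect HTTPS")
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Host": parts.netloc})
        resp = conn.getresponse()
        return classify_probe(resp.status, dict(resp.getheaders()), resp.read())
    finally:
        conn.close()
```

Run probe() from the guest SSID before accepting the AUP: "captive" with the webauth location means the redirect is working and the caller simply needs an HTTP page; "open" means they are already authenticated.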
Tuesday, July 17, 2012

ACS 5 gives alert after 20,000 radius probes: Bug CSCtj69797

I've been meaning to blog about this bug on the ACS 5.x platform, but forgot until this week when the alert surfaced again.

This bug is cosmetic only and doesn't impact performance. ACS sends a nice orange alert when 250,000 cached sessions have accumulated and should delete 20,000 sessions. I was worried at first; when I think "sessions" I think EAP.


I opened up a TAC case and got a rockstar ACS TAC engineer. Sorry, but I can't share his name; some things need to be kept confidential, especially a great resource! In short, a "probe" counts as a session.

Say, for example, a device wants to authenticate: it will send a probe, and sometimes it will send multiple probes. Not to be confused with 802.11 probe request/response frames. Rather, it's a RADIUS probe.


A wireless example would be a client that doesn't support PMK caching / OKC. Every time this client roams, it probes the RADIUS server again to re-authenticate. So you can see, you could rack up sessions pretty quickly in a large environment.


What happens is that every time a user tries to authenticate using RADIUS, the device will send a probe in order to see if the ACS is up and running. We can also have this configured to happen even if there is no authentication going on, by doing the radius-server retransmit command. So if, for example, 20 users try to authenticate using RADIUS, then 20 RADIUS probes are sent to the ACS. It is not dependent on the number of devices; it is more about the number of users and the number of authentication requests they generate.
 
Remember that the reason you are receiving the alarm is that the ACS doesn't delete the 20,000 sessions, which it should do automatically; therefore the bug was opened.

                                                                                                                          -TAC



CSCtj69797 Bug Details

ACS 5 gives alert after 20000 radius probes

Symptom:

ACS View gives an alert when 20,000 sessions are reached.
The problem is that it seems to be triggered also with "radius probes", i.e. authentication packets with no accounting done.
So for example with several ACE appliances doing RADIUS probes, this alert is reached very quickly.

Conditions:

RADIUS authentication packets with no accounting, happening frequently.

Workaround:

Only an alert.

**** There is another workaround whereby you make a filter so that you no longer get the alerts. Consult TAC *** - George

Status: Terminated
Severity: 3 - moderate
Last Modified: In Last Month
Product: Cisco Secure Access Control Server Solution Engine
1st Found-In: 5.1(0.44)
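For anyone who hears "session" and thinks EAP, it helps to see what ACS is actually counting: an Access-Request with no Accounting-Request behind it. The code below is an added example (not from the post, from TAC, or from any Cisco software) that builds one such Access-Request the way RFC 2865 and RFC 2869 specify it, with the MD5-hidden User-Password and a Message-Authenticator, parses it back, and checks the Response Authenticator on the reply. The shared secret and NAS address are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

# Constructed values for this example only.
SECRET = b"constructed-shared-secret"
NAS_IP = "192.0.2.10"


def _attr(code, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return bytes([code, len(value) + 2]) + value


def _md5_xor_chain(data, secret, seed, chain_on_output):
    """RFC 2865 5.2 User-Password hiding. Block i is XORed with MD5(secret + prev), where
    prev is the previous ciphertext block: the output when hiding, the input when revealing."""
    out, prev = b"", seed
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if chain_on_output else block
    return out


def hide_password(password, secret, request_authenticator):
    padded = password + b"\x00" * (-len(password) % 16)
    return _md5_xor_chain(padded, secret, request_authenticator, chain_on_output=True)


def reveal_password(hidden, secret, request_authenticator):
    return _md5_xor_chain(hidden, secret, request_authenticator, chain_on_output=False).rstrip(b"\x00")


def build_access_request(identifier, username, password, secret=SECRET, nas_ip=NAS_IP, request_authenticator=None):
    """An Access-Request; with no Accounting-Request after it, this is what the post calls a probe."""
    ra = request_authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + _attr(NAS_IP_ADDRESS, IPv4Address(nas_ip).packed)
             + _attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs
    # RFC 2869 5.14: HMAC-MD5 over the whole packet with Message-Authenticator zeroed.
    # The attribute is the last one, so its value is the final 16 bytes.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, offset, value), ...])."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pos, data[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, data[4:20], attrs


def verify_message_authenticator(data, secret):
    """Recompute the HMAC-MD5 with the attribute zeroed and compare in constant time."""
    _, _, _, attrs = parse_packet(data)
    for atype, pos, value in attrs:
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = data[:pos + 2] + bytes(16) + data[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False


def build_response(code, identifier, request_authenticator, secret=SECRET, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs


def verify_response(data, request_authenticator, secret=SECRET):
    """Check a reply's Response Authenticator against the request it answers."""
    head, resp_auth, attrs = data[:4], data[4:20], data[20:]
    expected = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

Note that nothing in this exchange tells the server whether a real user is behind the request; that is why a periodic keepalive from a NAS and a roaming client that does not do PMK caching look identical in the session count.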


Tuesday, July 10, 2012

VOCERA B2000 MANUFACTURER DISCONTINUATION ANNOUNCEMENT

Received this in the mail box today!

Correction Notice:

In a previous email, the Vocera B2000 Discontinuation Notice below contained a typo which incorrectly stated the last date of purchase for the B2000 1-year warranty extension. The date is June 30th, 2013 and the information has been corrected below. We apologize for any inconvenience.

VOCERA B2000 MANUFACTURER DISCONTINUATION ANNOUNCEMENT


With the introduction of the B3000 Communication Badge in October 2011, we feel it is appropriate to ensure our customers understand the plan for the discontinuation of the B2000 Communication Badge and support. Our goal is to provide you with the information necessary to ensure you continue to enjoy the value of the Vocera solution and allow you ample opportunity to plan for the transition to our latest technology.

Note: This discontinuation notice does not apply to the FIPS 140-2 certified Vocera badge designed specifically for Federal or DoD customers.

The following are the key milestone dates:

 

B2000 orders/shipments

  • June 30, 2013; Final date to order a B2000
  • September 30, 2013; Customers must take shipment no later than September 30, 2013.

Extended warranty

  • December 31, 2012; Final date to purchase a 2 year extended warranty with a B2000
    purchase
  • June 30, 2013; Final date to purchase a 1 year extended warranty with a B2000 purchase

Batteries, chargers, lanyards & universal clips

December 31, 2015; last date to order B2000 accessories, batteries, chargers, lanyards and universal clips

Firmware support

June 30, 2016; last date for firmware support, this will only include bug fixes related to overall Badge stability or network interoperability. Beyond June 30, 2016, Vocera will make a best effort to address firmware issues but may be limited by the engineering support we receive from component manufacturers.

Hopefully you have had a chance to discuss the B3000 with your local sales or support representatives. The B3000 introduces significant enhancements to the B2000 based on direct feedback from customers such as you. These include a highly ruggedized design, acoustic noise reduction technology, smart battery to just name a few. Additionally, we have introduced a number of programs to help you more easily transition to the B3000 Communication Badge. We would encourage you to contact your local Vocera sales representatives or call 1-877-790-4190 to discuss which options would best support your goals to continue to provide the best possible experience for your patients and staff.

Sincerely,

Debashis Pramanik
Director, Hardware Product Management

Friday, June 29, 2012

Cisco Guest Anchoring and Office Extends (PORTS) 

Quick visual ~ Cisco Guest Anchoring and Office Extends Ports

 

Let me know if I missed any!

ENJOY!

Sunday, June 17, 2012

Passing the CWSP (Certified Wireless Security Professional) - My 2 cents

Last week I sat the CWSP exam and passed on my first attempt. My overall score was 91%. I want to share my insight into the exam and what I used to prepare.

 

CWSP VALUE

The CWSP study material sets the foundation of 802.11 security. It's the building blocks to understanding how 802.11 security works: encryption, EAP, dynamic key generation, security policy, roaming and the 802.11 standard. For anyone who troubleshoots, designs, deploys or debugs 802.11, the CWSP complements your abilities.

There is a tremendous amount of value contained in the CWSP study guide, even if you choose not to go for the certification itself. I cannot tell you how many times, over and over again, I referenced material in the CWSP for colleagues and customers. There is instant credibility when you can speak confidently and in great detail about the inner workings of 802.11.

FOUNDATION LEARNING

If I can offer one valuable piece of advice: never skimp on foundation learning. Understanding, in detail, how the different 802.11 security components and mechanics work is critical. Because, as you will learn, many of the new and future standards are almost always applied to the existing mechanics. A solid foundation lends to better comprehension of future advancements in 802.11.

CWSP EXAM OBJECTIVES

Taking any exam, it's important to read the exam objectives. Objectives are the clear definition of what you will be tested on. There should be no surprises if your study efforts are in line with the objectives. Also, don't start carving up the objectives and think that a section is only worth 5% and not give it your all when it comes to studying. All objectives should be studied.

It is also important to take these objectives, break them out and reference other authored material for a different perspective on the subject. I used the following:

802.11-2007 Standard

Cisco Wireless LAN Security ISBN: 1-58705-154-0

CWNP White Papers

- 802.11i Authentication and Key Management (AKM) White Paper
http://www.my80211.com/storage/online-pdf-downloads/Chicken_Egg.pdf

Robust Security Network (RSN) Fast BSS Transition (FT) White Paper
http://www.my80211.com/storage/online-pdf-downloads/802.11_RSN_FT.pdf

CWNP Website - CWSP
http://www.cwnp.com/certifications/cwsp

CWNP Forums - CWSP
http://www.cwnp.com/bbpress/forum.php?id=10

CWNP Self Study Material - CWSP
http://www.cwnp.com/training/selfstudy

TAP RESOURCES

If you’re studying a topic and something just doesn't make sense, tap a knowledgeable source. I always enjoy talking geek details with my friends to get a different spin on things.

TAKE NOTES

It's simple: passing the CWSP requires a great deal of attention to detail. Take notes often and frequently on all subjects. I used Mental Case and flashcardexchange.com to store and reference my notes.

You can find a few of my notes here for reference:
http://www.my80211.com/8021x/
http://www.my80211.com/security-labs/
http://www.my80211.com/cwsp-george-stefanick/


READ READ READ

You probably will not believe me when I tell you I read the CWSP study guide over 20 times, cover to cover, but I did. Reading a book over and over is much like watching a movie a number of times. You catch little things you missed the first, second or third time around. I got into a habit of reading a chapter a night.

PRACTICE EXAMS

CWNP.COM has a number of CWSP practice exams. The CWSP study guide includes a CD with exam questions as well. Do them often and pay very close attention to the questions being asked. Don't study the questions, rather study the content of the question being asked.

MULTIPLE CHOICE

The CWSP exam is multiple choice. In almost all cases, if you are confident in your studies, you can quickly exclude one or more possible answers from your choices.

 

REAL WORLD EXPERIENCE

If you have experience with RADIUS server configuration, 802.11 captures, and exposure to wireless equipment, you will certainly improve your odds of passing. It would be a stretch to say you NEED this hands-on experience in order to pass, but it certainly helps!

 

Exam Score Card - Break Down

Note passing is 70% Overall

  • Wireless Network Attacks and Threat Assessment 85%
  • Monitoring & Management 85%
  • Security Design and Architecture 93%
  • Security Policy 100%
  • Fast Secure Roaming 100%

 

Thank you CWNP

I want to thank all the good folks at CWNP for putting together a great exam and study guide. Also the fine authors - Coleman, Westcott, Harkins and Jackman for a job well done on great material.

CWSP is by far the best 802.11 security book I have ever read. I've read it 20+ times. Great read...

I also want to mention: thanks to Marcus for answering my "HUH" questions and letting me bounce random and sometimes confusing thoughts off of him. I really appreciate it.

I also want to thank Kevin for keeping CWNP relevant and restructuring the certification path and keeping the exam material relevant and up to date. I appreciate your dedication to the WiFi community.



Wednesday, April 25, 2012

Wireless Notification to Alaris Server and Cisco Systems Customers

This notice is from May 11, 2010. 

A little aged, yes. But if you're upgrading your wireless network and you have older Carefusion (Alaris) pumps take note of this notification, as it could impact you. Ask your Biomed group what code rev your pumps are on. Code revs prior to 9.5 may not be supported. You should contact your Carefusion rep for a firmware upgrade.

Saturday, April 21, 2012

Features Not Supported on Cisco Flex 7500 Controller

These features are not supported on Cisco Flex 7500 Series Controllers running code 7.0.116.0; this could change in future versions:

•Local mode AP (However AP joins 7500 initially as local mode and should be converted to Flex Connect mode)

•Mesh

•LAG

•Client and RFID tag location

•CCX CAC

•STP

•7500 as guest anchor

•L3 Roaming (Centrally switched wlan -> same and inter-controller)

•Multicast (Multicast - Multicast and Multicast - Unicast). (ignore - 7500 gui interface may still show multicast-multicast config.)

•VideoStream

•TrustSec SXP

•IPv6/Dual Stack client Support

•WGB

•OEAP

•HotSpot2.0 (802.11u)

•Client rate limiting for centrally switched clients

The Cisco Flex 7500 Series Controller does not support the 802.1X security variants on a centrally switched WLAN. For example, the following configurations are not allowed (and TAC does not support them) on a centrally switched WLAN:

•WPA1/WPA2 with 802.1x AKM

•WPA1/WPA2 with CCKM

•Dynamic-WEP

•Conditional webauth

•Splash WEB page redirect

If you want to configure your WLAN in any of the above combinations, the WLAN must be configured to use local switching.

Note:

•Flex7500 supports 1Gbps central switched data throughput for guest access

•Only Flex connect mode AP is supported for data traffic

•Static AP-manager interface

(Note: For Cisco 7500 Series controllers, it is not necessary to configure an AP-manager interface. The management interface acts like an AP-manager interface by default, and the access points can join on this interface.)

•AP joined on local mode should be converted to Flex/Monitor, TAC does not support local mode AP services.

7.2.103.0 supports 802.1X on a centrally switched WLAN, unlike 7.0.116.0.

 

From: Saravanan Lakshmanan - Cisco CSC

https://supportforums.cisco.com/docs/DOC-23474

Saturday, April 21, 2012

End-of-Sale and End-of-Life Announcement for the Cisco Unified Wireless IP Phone 7921G Power Supplies

Description: Cisco announces the end-of-sale and end-of-life dates for the Cisco Unified Wireless IP Phone 7921G Power Supplies. The last day to order the affected product(s) is October 19, 2012. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.

Date: 2012-04-20 15:41:00.0


Url: http://www.cisco.com/en/US/prod/collateral/voicesw/ps6788/phones/ps379/ps7071/end_of_life_notice_c51-706105.html

Wednesday, April 11, 2012

Cisco WISM 2 Part Numbers: Quick Reference

I wanted to reference these part numbers as a quick reference for anyone that is looking for this information.

WISM 2 HARDWARE w/ SMARTNET

The WISM 2 hardware can be purchased in the available license sizes. They start at 100 access points and max out at 1000. You receive the physical blade and license with the purchase of the part numbers below.

WS-SVC-WISM2-1-K9     100 access points    CON-SNT-WSM2100   8x5xNBD
WS-SVC-WISM2-3-K9     300 access points    CON-SNT-WSM2300   8x5xNBD
WS-SVC-WISM2-5-K9     500 access points    CON-SNT-WSM2500   8x5xNBD
WS-SVC-WISM2-K-K9    1000 access points    CON-SNT-WSM21K    8x5xNBD
 

WISM 2 ADDER LICENSES w/ SMARTNET

You can purchase additional licenses as you grow in 100 and 200 increments.

L-LIC-WISM2-100A      100 access points    CON-SNT-LWSM21A   8x5xNBD
L-LIC-WISM2-200A      200 access points    CON-SNT-LWSM22A   8x5xNBD

CISCO WISM 1 BUY BACK

Cisco has a great incentive program to purchase back your old WISMs. I would ask your Cisco sales representative for details.

Tuesday, April 10, 2012

Cisco 1130/1131 AP Crashes: Bug CSCtw56233 (7.0.220.0)

We recently upgraded from 7.0.116.0 to 7.0.220.0 to resolve a bug we were experiencing with connectivity. After upgrading, we hit a new bug in 7.0.220.0. This new bug only became apparent because we have WCS email alerts configured.

After we upgraded to 7.0.220.0 we almost immediately started to receive the following WCS email alerts. We had random access points going offline. On closer inspection, the access points showed "AP Crashed Due To Software Failure".

Message: Access Point 'AA-1131' associated to controller 'xx.xx.xx.xx' on port number '0'. Reason for association 'AP Crashed Due To Software Failure '.
Message: Access Point 'AB-1131' associated to controller 'XX.XX.XX.XX' on port number '0'. Reason for association 'AP Crashed Due To Software Failure '.
Message: Access Point 'AC-1131' associated to controller 'XX.XX.XX.XX' on port number '0'. Reason for association 'AP Crashed Due To Software Failure '.
Message: Access Point 'AD-1131' associated to controller 'XX.XX.XX.XX' on port number '0'. Reason for association 'AP Crashed Due To Software Failure '.

We opened a ticket only to learn 7.0.220.0 has a bug specific to Cisco 1130/1131 access points. TAC mentioned this bug is resolved in 7.0.230.0.
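To turn a mailbox full of those alerts into something you can count, here is an added example (not from the post, from WCS, or from Cisco) that parses the alert text above and reports which APs rejoined after a software crash, how many per controller, and whether the count looks like a storm rather than a one-off. The first four sample lines are the ones quoted above; the fifth is constructed, with a made-up reason, so the filter has something to leave out.

```python
import re
from collections import Counter, defaultdict

ALERT_RE = re.compile(
    r"Access Point '(?P<ap>[^']+)' associated to controller '(?P<wlc>[^']+)' "
    r"on port number '(?P<port>\d+)'\. Reason for association '(?P<reason>[^']*)'"
)
CRASH_REASON = "AP Crashed Due To Software Failure"

# The first four lines are the alerts quoted in the post. The fifth is a
# constructed rejoin with a made-up reason so the filter has something to exclude.
SAMPLE_ALERTS = [
    "Message: Access Point 'AA-1131' associated to controller 'xx.xx.xx.xx' on port number '0'. Reason for association 'AP Crashed Due To Software Failure '.",
    "Message: Access Point 'AB-1131' associated to controller 'XX.XX.XX.XX' on port number '0'. Reason for association 'AP Crashed Due To Software Failure '.",
    "Message: Access Point 'AC-1131' associated to controller 'XX.XX.XX.XX' on port number '0'. Reason for association 'AP Crashed Due To Software Failure '.",
    "Message: Access Point 'AD-1131' associated to controller 'XX.XX.XX.XX' on port number '0'. Reason for association 'AP Crashed Due To Software Failure '.",
    "Message: Access Point 'AE-3502' associated to controller 'XX.XX.XX.XX' on port number '0'. Reason for association 'Constructed Other Reason '.",
]


def parse_alert(line):
    """Pull AP name, controller, port and trimmed reason out of one WCS alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["reason"] = rec["reason"].strip()   # WCS leaves a trailing space before the quote
    rec["wlc"] = rec["wlc"].lower()
    return rec


def crash_report(lines, reason=CRASH_REASON):
    """Return (sorted APs that rejoined with `reason`, rejoins per controller, rejoins per reason)."""
    aps_by_reason = defaultdict(set)
    per_wlc = Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            continue
        aps_by_reason[rec["reason"]].add(rec["ap"])
        if rec["reason"] == reason:
            per_wlc[rec["wlc"]] += 1
    return sorted(aps_by_reason[reason]), dict(per_wlc), {r: len(a) for r, a in aps_by_reason.items()}


def crash_storm(lines, threshold=3, reason=CRASH_REASON):
    """True when at least `threshold` distinct APs reported a software crash: the
    'random APs going offline' pattern that pointed at the 7.0.220.0 bug."""
    crashed, _, _ = crash_report(lines, reason)
    return len(crashed) >= threshold
```

Feed it the bodies of the alert emails after an upgrade; a rising distinct-AP count under one reason, all on the same model, is the signal worth a TAC case before the next maintenance window.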

 

 

Thursday, March 15, 2012

Fast Lane CUWN Release 7.2 Delta Webinar

 

Description:
Please join us for this 1/2 day virtual webinar covering the latest Cisco Unified Wireless LAN Release 7.2 code. This webinar will provide participants an overview of the key new features and enhancements, implementation considerations, and high-level configuration information.

You will learn:
An overview of the key new features and enhancements, implementation considerations, and high-level configuration information, including RRM enhancements, Alloy QoS, FlexConnect enhancements, Wi-Fi Direct, WebAuth scalability enhancements, MSE Virtual Appliance and High Availability, and 802.11u Hotspot and MSAP.

The primary intended audience is customers considering upgrading their network to WLC 7.2/NCS 1.1, and the technical staff responsible for implementing this latest WLAN code.

 

 

Thursday, March 15, 2012

End-of-Sale and End-of-Life Announcement for the Cisco 2100 Series Wireless LAN Controllers

Url: http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps7206/ps7221/end_of_life_notice_c51-691053.html
Description: Cisco announces the end-of-sale and end-of-life dates for the Cisco 2100 Series Wireless LAN Controllers. The last day to order the affected product(s) is May 2, 2012. Customers with active service contracts will continue to receive support from the Cisco Technical Assistance Center (TAC) as shown in Table 1 of the EoL bulletin. Table 1 describes the end-of-life milestones, definitions, and dates for the affected product(s). Table 2 lists the product part numbers affected by this announcement. For customers with active and paid service and support contracts, support will be available until the termination date of the contract, even if this date exceeds the Last Date of Support shown in Table 1.
Date: 2012-03-14 11:40:00.0

Saturday, March 3, 2012

Cisco AP VCI 60 – “ServiceProvider”

I was helping another engineer troubleshoot a Cisco access point join problem. To my surprise I discovered the VCI was “Cisco AP c3500-ServiceProvider”

I can appreciate when I end a day with a quick reflection. Did I learn anything new today?

Yesterday was one of those days! I was assisting an engineer with an access point join problem. Of course, I took this opportunity to explain the access point join process and what to look for and how to troubleshoot.

We use DHCP option 43 as our means of joining Cisco access points to our network. After peeking at the DHCP configuration, more specifically the option 43 and VCI string, everything looked good. Other 3500s were joining fine; just this handful of access points were not joining.

I do the typical console into the AP. I see nothing of interest. The access point is not getting the controller IP from DHCP. So we SPAN the switch port of the access point to sniff the access point traffic. I am curious as to what the access point is sending in the DHCP request packet.

To my surprise, the option 60 VCI is showing “Cisco AP c3500-ServiceProvider”. Oh, there is my problem! Mistakenly, a number of “ServiceProvider” access points were mixed into our access point shipment.

If you have access points not joining, just something to add to your troubleshooting check list!
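The mechanics behind that checklist item, as an added example that is not from the post or from any DHCP server: it builds the Cisco-style option 43 (sub-option 0xf1 followed by the controller IPs), encodes and decodes a DHCP options field, and shows why an AP announcing “Cisco AP c3500-ServiceProvider” gets nothing back when the server's vendor class is the exact string “Cisco AP c3500”. The controller addresses and the vendor-class table are constructed; exact string matching on option 60 is assumed, which is the behaviour the sniffer trace above reflects.

```python
from ipaddress import IPv4Address

OPT_PAD, OPT_OPTION43, OPT_MESSAGE_TYPE, OPT_VCI, OPT_END = 0, 43, 53, 60, 255
CISCO_WLC_SUBOPTION = 0xF1   # sub-option that carries WLC management IPs
DHCPDISCOVER = 1

# Constructed for this example: the controller addresses and the vendor class
# the DHCP server is configured to answer. Only the exact string "Cisco AP c3500"
# has an option 43 mapping here, which is the situation the post describes.
VENDOR_CLASSES = {
    "Cisco AP c3500": ["192.0.2.5", "192.0.2.6"],
}


def build_cisco_option43(controller_ips):
    """Cisco AP option 43: sub-option 0xf1, length 4*n, then n WLC IPv4 addresses."""
    packed = b"".join(IPv4Address(ip).packed for ip in controller_ips)
    return bytes([CISCO_WLC_SUBOPTION, len(packed)]) + packed


def parse_cisco_option43(data):
    """Inverse of build_cisco_option43; rejects payloads that are not the 0xf1 form."""
    if len(data) < 6 or data[0] != CISCO_WLC_SUBOPTION or data[1] != len(data) - 2 or data[1] % 4:
        raise ValueError("not a Cisco AP option 43 payload")
    return [str(IPv4Address(data[i:i + 4])) for i in range(2, len(data), 4)]


def encode_options(options):
    """{code: bytes} -> DHCP options field (the part after the magic cookie)."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in options.items())
    return body + bytes([OPT_END])


def decode_options(blob):
    """Parse the options field; pads are skipped, END stops the walk."""
    options, pos = {}, 0
    while pos < len(blob):
        code = blob[pos]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            pos += 1
            continue
        length = blob[pos + 1]
        options[code] = blob[pos + 2:pos + 2 + length]
        pos += 2 + length
    return options


def option43_for_discover(blob, vendor_classes=VENDOR_CLASSES):
    """What the server hands back for a DISCOVER: (vci string, option 43 bytes or None).

    Matching is an exact comparison of the option 60 string, which is how a
    vendor-class rule behaves and why "...-ServiceProvider" falls through.
    """
    options = decode_options(blob)
    if options.get(OPT_MESSAGE_TYPE) != bytes([DHCPDISCOVER]):
        return None, None
    vci = options.get(OPT_VCI, b"").decode("ascii", "replace")
    ips = vendor_classes.get(vci)
    return vci, build_cisco_option43(ips) if ips else None


def discover_with_vci(vci):
    """Constructed DISCOVER options from an AP announcing the given vendor class."""
    return encode_options({OPT_MESSAGE_TYPE: bytes([DHCPDISCOVER]), OPT_VCI: vci.encode("ascii")})
```

The fix in the post was swapping the hardware, but the same function shows the other way out: add the exact VCI string the sniffer showed as a second vendor class pointing at the same controllers.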

Thursday, March 1, 2012

Multiple Vulnerabilities in Cisco Wireless LAN Controllers - 2/29/2012

Cisco announced multiple WLC vulnerabilities this week.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc

Cisco Wireless LAN Controllers HTTP Denial of Service Vulnerability

The Cisco Wireless LAN Controller (WLC) product family is affected by a denial of service (DoS) vulnerability that could allow an unauthenticated, remote attacker to cause the device to crash by submitting a malformed URL to the administrative management interface.

This vulnerability is documented in Cisco bug ID CSCts81997 (registered customers only) and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0368.

Cisco Wireless LAN Controllers IPv6 Denial of Service Vulnerability

The Cisco Wireless LAN Controller (WLC) product family is affected by a denial of service (DoS) vulnerability where an unauthenticated attacker could cause a device reload by sending a series of IPv6 packets.

This vulnerability is documented in Cisco bug ID CSCtt07949 (registered customers only) and has been assigned CVE ID CVE-2012-0369.

Cisco Wireless LAN Controllers WebAuth Denial of Service Vulnerability

The Cisco Wireless LAN Controller (WLC) product family is affected by a denial of service (DoS) vulnerability where an unauthenticated attacker could cause a device reload by sending a series of HTTP or HTTPS packets to an affected controller configured for WebAuth.

This vulnerability can be exploited from both wired and wireless segments. A TCP three-way handshake is needed in order to exploit this vulnerability.

This vulnerability is documented in Cisco bug ID CSCtt47435 (registered customers only)and has been assigned CVE ID CVE-2012-0370.

Cisco Wireless LAN Controllers Unauthorized Access Vulnerability

The Cisco Wireless LAN Controller (WLC) product family is affected by an unauthorized access vulnerability where an unauthenticated attacker could view and modify the configuration of an affected Cisco WLC.

This vulnerability exists if CPU based access control lists (ACLs) are configured in the wireless controller. An attacker can exploit this vulnerability by connecting to the controller over TCP port 1023. Only the Cisco 4400 Series WLCs, WiSM version 1, and Cisco Catalyst 3750G Integrated WLCs are affected by this vulnerability.

This vulnerability is documented in Cisco bug ID CSCtu56709 (registered customers only) and has been assigned CVE ID CVE-2012-0371.

Tuesday, February 21, 2012

Webauth stops redirecting after some time: CSCtx00942

We hit this bug a few weeks ago. I love the workaround: reboot your controller for another week or so. I understand Cisco is working on this bug.

As a side note: software will have bugs, and I appreciate the fact that Cisco publishes these in a timely fashion and doesn't hide its issues like some "other" vendors I know.

 

Webauth stops redirecting after some time

Symptom:
It is seen on a 4404 WLC running 7.0.220 that users in the webauth SSID are no longer redirected to the login page after a week or so.

This message appears:
sshglue.c:7009 WebAuth HTTP Redirect rule creation failed for peer 192.168.1.8

Conditions:
webauth, 4404 running 7.0.116/220

Workaround:
A reboot solves the problem for another week or so.

Status: Open
Severity: 2 - severe
Last Modified: In Last 3 Days
Product: Cisco 5500 Series Wireless Controllers
1st Found-In: 7.0(116.0), 7.0(220.0)
Sunday, February 5, 2012

CCNP Wireless Exams & Recommended Training v2

Cisco CCNP Wireless Exam Path. Last day to test on v1 is May 11, 2012.

Monday, January 23, 2012

    WLC: AP Managers Are Pingable - 7.x onwards

    Since the very beginning, the AP-manager interface on a Cisco WLC would never respond to pings. Well, that has all changed if you use LAG and an AP manager with 7.x code!

    I like how Cisco hides little nuggets in their documentation. It states that, in LAG mode, the management and AP-manager interfaces use the same base LAG MAC address.


    Note With the 7.0 release onwards, the MAC address of the management interface and the AP-manager interface is the same as the base LAG MAC address.

    LAB

    In a show arp on the distribution switch you can see that the MAC address is identical for both the management and AP-manager interfaces.

    NOTE --

    This was tested on 4402,4404 and 5508 model controllers.

    AP manager(s) aren't needed with a 5508.

    This only applies to a WLC in LAG mode with an AP manager.

    Additional Reading Material:

    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html#wp1117168
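The check above (two IPs, one MAC, in the switch's ARP table) is easy to automate, and the same script is useful beyond this one case: a MAC that answers for several IPs on one VLAN is normal for a WLC in LAG mode, HSRP/VRRP or NAT, but it is also exactly what an ARP-spoofing host looks like, so anything not on an allow-list deserves a look. This is an added example, not Cisco's code: the `show ip arp` row layout is Cisco IOS's, while the sample output, addresses and MACs are constructed, with 10.10.10.5 and 10.10.10.6 standing in for the WLC's management and AP-manager interfaces.

```python
import re
from collections import defaultdict

# One "Internet" row of Cisco IOS "show ip arp" output, e.g.
#   Internet  10.10.10.5   3   0011.2233.aabb  ARPA   Vlan10
ARP_ROW_RE = re.compile(
    r"^\s*Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\d+|-)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(?P<intf>\S+)"
)

# Constructed sample, not a capture from a real switch. .5 and .6 play the WLC's
# management and AP-manager interfaces sharing the base LAG MAC; .1 is the switch SVI.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1              -   0011.2233.4401  ARPA   Vlan10
Internet  10.10.10.5              3   0011.2233.aabb  ARPA   Vlan10
Internet  10.10.10.6              3   0011.2233.aabb  ARPA   Vlan10
Internet  10.10.10.50            12   0011.2233.ccdd  ARPA   Vlan10
"""


def parse_show_ip_arp(text):
    """Return a list of {'ip', 'mac', 'intf'} dicts; header lines are skipped and
    MACs are lower-cased so later comparisons are case-insensitive."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW_RE.match(line)
        if m:
            rows.append({"ip": m["ip"], "mac": m["mac"].lower(), "intf": m["intf"]})
    return rows


def ips_by_mac(rows):
    """Group rows by (interface, MAC) -> sorted list of IPs that MAC answers for."""
    groups = defaultdict(set)
    for r in rows:
        groups[(r["intf"], r["mac"])].add(r["ip"])
    return {key: sorted(ips) for key, ips in groups.items()}


def shared_mac_report(text, expected=()):
    """Split MACs answering for more than one IP on the same interface into `known`
    (the IP set matches an entry of `expected`, e.g. the WLC management/AP-manager
    pair) and `unexplained` (everything else, which needs a look: HSRP/VRRP and NAT
    are benign explanations, an ARP-spoofing host is not)."""
    expected_sets = {frozenset(pair) for pair in expected}
    known, unexplained = {}, {}
    for (intf, mac), ips in ips_by_mac(parse_show_ip_arp(text)).items():
        if len(ips) < 2:
            continue
        target = known if frozenset(ips) in expected_sets else unexplained
        target[mac] = ips
    return known, unexplained
```

Pipe the real `show ip arp` output into `shared_mac_report` with the controller's management and AP-manager addresses in `expected`; on a 5508, which needs no AP manager, the WLC should not appear in either result at all.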

    Friday
    Jan132012

    Cisco Field Notice: Wi-Fi Protected Setup PIN Brute Force Vulnerability

    Note that this WPS vulnerability affects home and SOHO devices, not Cisco enterprise gear. See the models listed below:

    Cisco Response

    On December 27th, 2011 US-CERT released VU#723755 available here: http://www.kb.cert.org/vuls/id/723755

    The US-CERT Vulnerability Note describes a vulnerability that exists in the Wi-Fi Alliance Wi-Fi Protected Setup (WPS) protocol, also known as Wi-Fi Simple Config, when devices are operating in PIN External Registrar (PIN-ER) mode.  Devices operating in PIN-ER mode allow a WPS capable client to supply only the correct WPS PIN to configure their client on a properly secured network.  A weakness in the protocol affects all devices that operate in the PIN-ER mode, and may allow an unauthenticated, remote attacker to brute force the WPS configuration PIN in a short amount of time.

    The vulnerability is due to a flaw that allows an attacker to determine when the first 4 digits of the eight-digit PIN are known.  This effectively reduces the PIN space from 10^7 or 10,000,000 possible values to 10^4 + 10^3, which is 11,000 possible values. The eighth digit of the PIN is utilized as a checksum of the first 7 digits and does not contribute to the available PIN space. Because the PIN space has been significantly reduced, an attacker could brute force the WPS PIN in as little as a few hours.

    While the affected devices listed below implement the WPS 1.0 standard which requires that a 60-second lockout be implemented after three unsuccessful attempts to authenticate to the device, this does not substantially mitigate this issue as it only increases the time to exploit the protocol weakness from a few hours to at most several days.  It is our recommendation to disable the WPS feature to prevent exploitation of this vulnerability.

    Vulnerable Products:

    Product Name                            WPS enabled by default?   WPS can be permanently disabled?
    Access Points
      Cisco WAP4410N                        Yes                       Yes
    Unified Communications
      Cisco UC320W                          Yes                       No
    Wireless Routers/VPN/Firewall Devices
      Cisco RV110W                          Yes                       Yes
      Cisco RV120W                          No                        Yes
      Cisco SRP521W                         Yes                       Yes
      Cisco SRP526W                         Yes                       Yes
      Cisco SRP527W                         Yes                       Yes
      Cisco SRP541W                         Yes                       Yes
      Cisco SRP546W                         Yes                       Yes
      Cisco SRP547W                         Yes                       Yes
      Cisco WRP400                          Yes                       Yes


    Note: The Cisco Valet product line is maintained by the Cisco Linksys Business Unit. Information concerning the Cisco Valet line as well as information on Linksys by Cisco products will be forthcoming.

    Products Confirmed Not Vulnerable:

    Product Name                            Not Affected Reason
    Access Points/Wireless Bridges
      Cisco AP541N                          Does not support WPS
      Cisco WAP200                          Does not support WPS
      Cisco WAP200E                         Does not support WPS
      Cisco WAP2000                         Does not support WPS
      Cisco WET200                          Does not support WPS
    Unified Communications
      Cisco UC500 Series                    Does not support WPS
    Wireless Cameras
      Cisco WVC210                          Does not support WPS
      Cisco WVC2300                         Does not support WPS
    Wireless Routers/VPN/Firewall Devices
      Cisco SA520W                          WPS not enabled by default; does not support PIN-ER configuration mode
      Cisco RV220W                          Does not support WPS
      Cisco WRV210                          Does not support WPS
      Cisco WRVS4400N                       Does not support WPS

    Additional Information

    Workarounds:

     

    Disable the Wi-Fi Protected Setup feature on devices that allow the feature to be disabled, as listed in the Vulnerable Products table.  Cisco Systems has verified that the products that support disabling the WPS feature do indeed disable it and are not vulnerable once the feature has been disabled from the management interface.

    Fixed Software:

    Product Name                            Fixed Software
    Cisco WAP4410                           To Be Released
    Cisco RV110W                            To Be Released
    Cisco RV120W                            To Be Released
    Cisco UC320W                            To Be Released
    Cisco SRP521W                           To Be Released
    Cisco SRP526W                           To Be Released
    Cisco SRP527W                           To Be Released
    Cisco SRP541W                           To Be Released
    Cisco SRP546W                           To Be Released
    Cisco SRP547W                           To Be Released
    Cisco WRP400                            To Be Released


    Note: The Cisco Valet product line is maintained by the Cisco Linksys Business Unit. Information concerning the Cisco Valet line as well as information on Linksys by Cisco products will be forthcoming.

    Exploitation and Public Announcements:

    Exploit code and functional attack tools that exploit the weakness within the WPS protocol have been released.

    This vulnerability was discovered by Stefan Viehböck and Craig Heffner.

    Status of this Notice: Final

    THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

    A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

     

    Revision History

     Revision  Date  Notes
    1.0 01-11-2012 Initial Public Release
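The PIN-space arithmetic from the notice above, carried out in code so the 10^7 to 11,000 reduction and the "few hours to several days" estimate can be checked rather than taken on faith. This is an added example and is not Cisco's code or the researchers' tooling: the checksum routine is the one WPS 1.0 specifies (it is the same calculation as hostapd's wps_pin_checksum), the access point is simulated in-process so nothing here touches a radio or a real device, and 12345670 is simply a well-formed PIN used as test input. In PIN-ER mode the AP is the WPS enrollee and the party supplying the PIN is the registrar; the AP's NACK after message M4 or M6 is what tells the registrar which half of the PIN was wrong, and that is the leak the simulation reproduces.

```python
"""WPS PIN checksum and why a PIN-ER access point falls in at most 11,000 guesses."""


def wps_pin_checksum(first7: int) -> int:
    """Checksum digit over the 7-digit PIN body, as defined by WPS 1.0
    (the same routine hostapd implements as wps_pin_checksum)."""
    accum = 0
    pin = first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True for an 8-digit PIN whose last digit is the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_pin_checksum(int(pin[:7]))


class SimulatedWpsAccessPoint:
    """Stand-in for an AP in PIN-ER mode, constructed for this example (no radio, no
    network). Like the real exchange it verifies the PIN in two 4-digit halves and,
    through the NACK after M4 or M6, reveals which half failed."""

    def __init__(self, pin: str):
        if not is_valid_wps_pin(pin):
            raise ValueError("not a well-formed WPS PIN")
        self._first, self._second = pin[:4], pin[4:]
        self.attempts = 0  # each half-check costs one protocol round trip

    def check_first_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self._first

    def check_second_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self._second


def split_brute_force(ap: SimulatedWpsAccessPoint) -> str:
    """Recover the PIN half by half: at most 10**4 tries for the first four digits,
    then at most 10**3 for the last four, because the eighth digit is fixed by the
    checksum of the other seven and need not be guessed."""
    first = next(f"{i:04d}" for i in range(10_000) if ap.check_first_half(f"{i:04d}"))
    for j in range(1_000):
        body = f"{first}{j:03d}"
        pin = body + str(wps_pin_checksum(int(body)))
        if ap.check_second_half(pin[4:]):
            return pin
    raise RuntimeError("unreachable for a well-formed PIN")


def worst_case_attempts() -> int:
    """11,000 half-checks, versus 10**7 if the AP only ever said pass or fail."""
    return 10**4 + 10**3


def lockout_floor_seconds(attempts: int, fails_per_lockout: int = 3, lockout_s: int = 60) -> int:
    """Wall-clock time imposed purely by the WPS 1.0 lockout the notice cites
    (60 s after three failures). Per-exchange radio time is ignored, so this is
    the floor the lockout alone guarantees, not a full attack-time estimate."""
    return (attempts // fails_per_lockout) * lockout_s
```

With the lockout applied to the full 11,000 guesses the floor is about 61 hours, which is the "at most several days" figure in the notice and the reason disabling WPS, not relying on the lockout, is the recommendation. An AP that gave a single pass/fail answer for the whole PIN would face 10^7 guesses instead.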