The most useful Prime Infrastructure report

July 21, 2015 4 Comments

Cisco’s Prime Infrastructure has come a long way over the past couple of years. From it’s beginnings as WCS, then to NCS, then through the sordid Prime Infrastructure 1.x versions, we’ve finally arrived at a place where it’s reasonable to dig back into the product. To say that Prime Infrastructure (PI for short) is an overwhelming product is an understatement. I decided to write about an obscure but extremely useful report (yes, a boring report) that I think you should use.

As we all know, in the RF world, performance revolves around Channel Utilization – of which there are several definitions. For simplicities sake, I’m referring to Channel Utilization as reported by the venerable Cognio card (AKA: CleanAir) – the baseline reference that most Wireless LAN Professionals use to call ‘Channel Utilization’. This is the amount of energy detected on a channel during a specific dwell time. This metric is roughly the wired equivalent of ‘link utilization’. Wouldn’t it be nice to see a historic report of the ‘link utilization’ of all of the APs radios in our environment over a period of time? Wouldn’t it be nice to see if a change we made recently (disabling lower data rates for example) made a historic significance to our Channel Utilization? Yes, of course it would! Without further ado, I bring you, the Channel Utilization report that you always wished you had, but never knew was always at a your fingertips:

Reports Launch Pad -> Wireless Utilization -> RadioReport Launch Pad

(that last bit is important!)

Report Details

This gives you a historical report of every radio in your infrastructure (all 2.4 and 5GHz) and a trending of not only their Channel Utilization, but their TX and RX utilization for further correlation/troubleshooting:

Prime Infrastructure CU

What do you think? Do you find this report useful? If so, drop me a comment and let me know how you use it. What other reports do you find yourself favoring in Prime Infrastructure?

Filed under Cisco, Prime, Spectrum

The evolution that will start the revolution

March 3, 2015 10 Comments

You’ve heard it all before, evolutionary technology versus revolutionary technology. Everyone wants their newest technology to be revolutionary – expecting it to be life changing and a wide-sweeping, compelling reason to spend tons of money. This is rarely the case and more often than not marketing fluff to try and get you onto the next big thing. Occasionally we get such an unassuming technology announcement that fits squarely in the ‘no big deal’ from a speeds and feeds perspective that it’s easy to overlook. This is clearly the case with the recent multigigabit announcements from Cisco during Cisco Live, Milan. Multigigabit is a technology that allows your existing cabling to support speeds in excess of 1G, without having to make the jump all the way to significantly more costly 10G. Since we already have technology that address speeds and feeds above what we’re talking about here (how many 10G uplinks have you deployed recently?), it’s easy to overlook the impact this will bring to our daily lives. The ability to move to 2.5G and 5G link speeds without having to make the jump all the way to 10G will allow us to get improved link speeds without having to pay a premium for them. The expected cost increase is estimated to be anywhere from 0% to 15% according to the rumor mill which makes the 250% to 500% speed bump quite attractive!

802.11ac wave 2
The reason I’m taking about it is the fact that this brings with it the promise of addressing the 1G bottleneck that people have been gnashing their teeth over in the wireless space for the past couple of years. While we’ve been able to reasonably deflect the speeds and feeds conversation with 802.11ac wave 1 (speeds approaching 1G wired requirements), there has been no good way to move past that without having a two-cable conversation. The assumption up till now has been that 2x 1G links will be the way forward and many people have been running two copper runs out to their Access Points for the past several years in anticipation of this approach. 802.11ac wave 2 will undoubtedly break the 1G barrier in fairly short order with speeds being promised of (best case) 6,930Mbps PHY rate (about 4,900Mbps on the wire). Multigigabit solutions will allow us to address these concerns without having to invest in 10G links. Better yet, it will allow us to address these concerns without having to consume two 1G ports on our switches. Regardless of the solution you choose (1x 10G or 2x 1G), the cost for deploying a single Multigigabit link supporting up to 5G will be less at scale.

Power
The other unassuming byproduct of this conversation is that Access Points require power to bring up all of those components. It will be nearly impossible to power up a 10G ethernet interface in an AP in the power budgets that we have today. By reducing the link speed requirements to 5G, we can save power at the edge device and still fit in modern negotiation. Multigigabit solutions today will provide PoE, PoE+, and UPoE to ensure that the wave 2 APs that we’re going to be hanging will have ample power for whatever they’re going to bring.

The Revolution
I predict that the incremental cost and intermediary speeds will allow us to start having conversations about the jump to 10G. Multigigabit solutions on Access Points, switch uplinks, and desktop and server nics will be the next big thing. Stackable solutions today promise backwards compatibility so you don’t have to rip and replace – just add a stack member and you’re good to go in that closet/IDF! Regardless of your future proofing plans, enabling faster wireless, or just ensuring that you’re not spending money after (can you believe it?) now legacy 1G infrastructure, make sure you’re having a conversation today about ethernet to bridge the gap to 10G.

For more information about the NBASE-T alliance, go here.
For the Cisco Live, Milan – Tech Field Day Extra event with Peter Jones, go here.

Filed under 802.11ac, Access Points, Cisco, Wireless, Wireless Tech Field Day

You can have my Cognio card when you pry it from my cold dead hands

January 19, 2015 7 Comments

There is a group of WiFi Professionals (me included) that just can’t let go of their Cognio based products. With the Cisco purchase in 2007 (which ultimately manifested itself in the CleanAir product) we have seen a slow but steady decline of high-fidelity PC based spectrum analyzers. We’ve seen people try to compete in a variety of ways; with lower fidelity devices (Metageek) or with the high cost BandSpeed based product (AirMagnet Spectrum XT) but it’s not rare to find a wireless professional still lugging around an old laptop to use their Cognio based (AirMagnet Spectrum Analyzer, Cisco Spectrum Expert, or Cognio Spectrum Analyzer) CardBus Card. It seems unlikely that we’ll see a USB based Cognio product anytime soon (if ever) so I thought it was high time to figure something else out.

Option 1) For years many of the lager laptops from Lenovo (and even Apple!) have sported ExpressCard slots. By using an Addonics ExpressCard34 to CardBus converter, you can load the Cisco Spectrum Expert software on in Windows and your card works just fine!

Pros)

  • It works!

Cons)

  • It requires an ExpressCard34 slot on your PC.
  • There are several converters on the market. Some work, some do not. Make sure you get one that maps the PCIe bus, not the USB bus.
  • It’s bulky the whole card fits outside of the machine and it’s not very pretty.

Cognio adapter in an Addonics converter

Option 2) The Sonnet Echo ThunderBolt to ExpressCard34 adapter will allow you to take the above Cognio/Express card solution and map it to ThunderBolt compatible interface on your laptop. This means that any MacBook past the Early 2011 MacBook Pro (which I’m using) or any PC with a ThunderBolt compatible interface (many modern Lenovo machines) now have a cable-attached (important for flexibility) way to use their Cognio, PC-based Spectrum analyzer on new hardware!

Pros)

  • It works without having a built in ExpressCard slot!
  • It’s cabled so you can move/relocate the whole bulky assembly to the back of your laptop lid easily.

Cons)

  • It requires a ThunderBolt port on your laptop.

Big, but relocatable thanks to the cable!

It should be noted that both of these solutions will not work through a hypervisor (VMWare Fusion or Parallels, for example) and require direct access to the PCIe bus – this means running Windows natively on your hardware. You Mac users, this means BootCamp. It should also be noted that many people call ThunderBolt many things and there are several varieties of the bus. Make sure it’s not a DisplayPort only interface!

In short, if you’re still lugging around an old laptop just for this (or any other wireless CardBus based adapter), you now have a solution that’s cheaper than an new AirMagnet card and far less bulky than carrying around that crusty old XP machine. It’s time to upgrade!

Make sure it's ThunderBolt!

Filed under AirMagnet, Cisco, FCC, MetaGeek, Spectrum

My wireless literally burns me.

January 7, 2015 53 Comments

WARNING: this post includes uncensored pictures of a potentially provocative area of my body. While not Rated R (or even PG-13) you are hereby warned to avert your eyes if you believe that you may be even mildly offended or worse, intrigued.

When I was younger I had a lighter leak in my pocket. Unbeknownst to me, lighter fluid leaked all over my upper thigh and by the time I realized it, I had a hand-sized chemical burn where my pocket normally rests on my thigh. After some time (and discarding an otherwise perfect pair of pants!) the irritation went away.

Fast forward to several years ago and I noticed a similar ‘irritation’ forming on both of my upper thighs underneath my pockets. Since I’m a fairly light skinned guy – not albino, but still pretty light and pretty susceptible to sunburns in general, I wrote it off as pocket irritation. I couldn’t find any reasonable rhyme or reason to the general pocket-sized redness and irritation that I was experiencing but didn’t pay it much attention. Being, what I consider a professional in my industry, I recently decided to ‘up my wardrobe’. As a reasonably tall fellow I opted for custom pants among other things and the particular pants that I received included a right-hand pocket-in-the-pocket that was a perfect fit for my wallet! (Follow me here) When I started wearing said new pants, I consistently kept my wallet in the small right pocket which had the side effect of keeping my left pocket as a perfect place for my phone! I started getting into the habit of keeping my phone in my left pocket even when I wasn’t dressed for work. Then one day I noticed, the light, even, and spread out irritation that I used to carry on on both of my upper thighs started getting really bad on my left side – immediately under where my phone fit and has completely disappeared on the right!

Now, I’ve been around the wireless industry for a while now and I’ve heard it all the way up to wireless gives me headaches, so I’m not one for conspiracy theories, but the skin irritation that has followed my phone (and cleared up where my phone no longer is!) has given me a good reason to re-consider the potential risks that may be involved in wireless networking. My phone has not gotten hot, so I’m left with assuming that the skin irritation I’m experiencing is being caused by nothing short of energy radiation burns (not radioactive, silly!). Maybe it’s WiFi, maybe it’s cellular, maybe it’s bluetooth? Does it matter?

Now, I’ve not been to a doctor to have my burns officially evaluated (trying to not get a ‘don’t stick your finger in your eye if it hurts opinion) but there is a clear correlation between the location of my phone and the burns and irritations I’m personally experiencing.

IMG_6008 FullSizeRender

Having said all of that, I’m curious what you, the reader thinks. What do you think about my burns that have clearly followed my phone? Are short-range, long term exposure issues real? I for one will be distancing myself from my device until my burns go away, and likely for some time to follow.

Filed under FCC, Wireless

Outdoor 802.11ac – doing it right.

October 11, 2014 2 Comments

When you talk about seeing the proliferation of 802.11ac devices, most often it’s with regard to indoor devices or at least ‘under roof’ devices. Until recently, there have been very few options for putting 802.11ac outdoors. One of the very good reasons for this wasn’t because of environmentals (you can put an indoor 802.11ac Access Point in a protective enclosure), it was about getting enough signal to and from your clients to be able to see any actual performance benefits. Cisco just launched their 1572 outdoor 802.11ac Access Point and as you’d expect, it sports many features that make it ‘a cut above the rest’.

I’ve been fortunate enough to play with a unit for the past several weeks and there are two of these features that I’d like to highlight:

Feature 1) Radio performance: These things are loud. I think the phrase ‘hella loud’ is more akin to what is reality. At 30dBm transmit power in UNII-3 (here in the states, FCC), it’s significantly more than what you’d be able to get out of a typical indoor Access Point (usually caps at about 20dBm). This means that more power out gets a cleaner RF signal to your client which means better modulation, which means faster speeds. That’s only half of the story though. What stands out is that Cisco went the extra mile and dramatically improved the receive sensitivity of these radios. This means that the AP can hear the signal coming from the client more cleanly which improves the clients ability to talk faster and get off of the air sooner. In mobile clients, this is the end-game for improving battery life. When you couple both of these things with high-gain antennas, you get significantly larger cell sizes outdoors with the awesome byproduct of actually being able to *use* the AP from a distance.

Screen Shot 2014-10-11 at 6.25.15 PMFor comparison, you can see a sampling of the receive sensitivity values from a competitors outdoor AP. All values represented in dBm. Don’t forget that 3dBm is twice the power so each 3dBm is the equivalent of doubling your receive sensitivity!

Feature 2) PoE out. This is one of the most commonly asked feature that I find lacking in other solutions and it’s a simple one. The ability to hang a PoE powered surveillance camera off of an outdoor AP or even a PoE powered switch gives you the flexibility to take greater advantage of the investment you’re expending on the installation anyway. In short, if you’re going to run power, make it more useful to your infrastructure and business needs than ‘just to support an AP’.

If you couple these features with the other general awesomeness of the AP including ruggidization, real spectrum intelligence, 4×4 transmitters and receivers for 3 spatial streams, Fiber and cable uplink options, and field upgradability makes this the outdoor 802.11ac Access Point that you wish you had.

Filed under Uncategorized

Avaya Wireless is all about SDN

August 13, 2014 2 Comments

After hearing about Avaya’s wireless portfolio recently, I kept coming back around to a common thread that seemed so entrenched in the core of their solution – SDN. Admittedly I’m not a Data Center or Applications kind of guy, but Avaya has an interesting take on positioning their wireless portfolio. Instead of focusing heavily on a unique set of hardware specific features in their Access Points, they focus on a ‘module enabled’ Software Defined Network strategy. Paul Unbehagen, Chief Architect at Avaya accurately describes SDN as meaning something different to everyone.

At its core, regardless of vendor or implementation, SDN is meant to ease network administration and orchestration by way of software (the S in SDN). Avaya enables this by way of software running on their hardware to create Fabric Attach (FA) Elements. These elements use FA Signaling as a way of communicating amongst each other. These modules running throughout your network (on Avaya hardware) automatically discover and become a part of your FA Core through the orchestration suite.

Avaya does this across their entire infrastructure portfolio which includes their core products, edge switching, and Wireless Access Points. These components all orchestrate together to automatically configure and allocate resources in your infrastructure as needed. In one example, they showed an Access Point coming online and auto-registering using Fabric Attach and magically the requisite VLANs for the wireless infrastructure were automatically provisioned on the uplink switch. It’s clear that Avaya has invested significant resources in enabling this FA functionality including going as far as proposing Fabric Attach as a standard to the IEEE but their messaging is clear – when you run an FA enabled network end to end, it ‘just works’.

It was interesting in hearing the Avaya story in their own words including their addressing some of the more interesting corner cases:

  • Running an FA network without FA enabled devices being attached – this is supported using standards based LLDP TLVs but will likely require more effort than having the FA ‘agent’ running natively on your device.
  • Running Avaya wireless on a non-FA infrastructure – this is supported, but Avaya doesn’t bring anything special to that story that someone else doesn’t already do. This is an interesting scenario that could be positioned for transition needs.

In short, Avaya has taken a link-layer protocol, customized it heavily and allowed it to ask for network resources in an orchestrated fashion. It remains to be seen if this meets everyones definition of SDN and is somewhat predicated on the ‘controller bottleneck myth’ that seems so pervasive in the wireless industry. I, for one, am very interested in seeing where this takes us over the next several years. Addressing distributed challenges at scale (such as provisioning resources) is a problem that has been solved in the wireless space for a long time – do it centralized and scale from the inside out. I look forward to seeing how (and if) Avaya can leverage this FA architecture across multiple platforms and vendors to create the foundational panacea that SDN promises.

Filed under Avaya, Wireless, Wireless Tech Field Day

Drag racing the bus

July 8, 2014 2 Comments

Picture it. You’re a school district transportation engineer. You’re in charge of purchasing a fleet of new school busses for your district. The big ones. The expensive ones. The ones that will last you for the foreseeable future. So, you call up Bus Vendor A, B, and C and inform them that you’re in the process of selecting a fleet of new school busses. The following week each vendor dutifully delivers their ‘bus of choice’ to be evaluated. You then grab your intern, put him at the midway point of the bus from ‘Vendor A’ and take it for a spin! You see how fast it goes from 0 to 60. You see how it corners. People hear tires screeching from all over the city as you and your one other occupant sling this bad boy around town ‘evaluating’ the bus. You then repeat the same process for ‘Vendor B’ and ‘Vendor C’. You aggregate your data. You correlated your data. You make pie charts about your data. You do ROI calculations on your data. You do comfort analysis on your data. You do handling analysis on your data. You made your ‘educated’ recommendation and purchased a fleet.

Day 1 of school rolls around and the first thing your brand spanking new fleet of school busses does is immediately do the one thing you neglected to test: they loaded up with kids and trudged along at 20 MPH safely around town. You start getting complaints. They don’t stop well. They don’t handle well. They don’t get good gas mileage. They bounce all over the place and your district has to send 2,000 kids to chiropractic care because you didn’t evaluate the bus under the conditions it’s going to be used in. Instead, you took it for a joy ride. You drag raced it. The one bus that went the fastest with a single guy in it, you bought. When you deployed it, it broke because you didn’t test it using real world scenarios.

Please, don’t drag race your evaluation Access Points. Test them like you’re going to operate them. That way you get a realistic view of how they’re going to behave in the real world. Do your self a favor. Stop joy riding your vendors gear and put it in the real world to test it.

This blog inspiration courtesy of @florwj . Go follow him. He’s awesome.

-Sam

Filed under 802.11ac, Access Points, Aruba, Cisco, Wireless

The FCC.

June 8, 2014 1 Comment

Here in the states, we have a regulatory body called the Federal Communications Commission (FCC). As it pertains to the Wi-Fi world, they tell us what channels we can use how obnoxious we can be (strength) in those channels. We have what you would consider to be a ‘blanket rule’ that basically states ‘within a given number of frequencies, you can do anything you want as long as you limit yourself to a maximum power’. A very intentional byproduct of these rules is the relatively low cost of WiFi components. Since we don’t have to submit everything we operate to the FCC for validation, we have no ‘validation costs’ to pass onto our end users. In short, the FCC, as a regulatory body imposes rules and restrictions on our use of wireless frequencies in the name of the greater good. This generally works very well, creating the ecosystem of ‘small cell’ give and take that we live in today. You are given the choice to make your own determination if analog video cameras, microwave ovens, X-Box controllers, etc should take priority or if your Wi-Fi should. Political challenges aside, we’re masters of our own domain.

So what happens when someone does something outside the norm? What happens when someone violates the FCC specifications? What happens when someone fires up 10 watt outdoor analog video feed in 2.4GHz and points it at the broad side of a hospital?

As it turns out, someone recently did just that. I was asked to assist with locating what was being detected as a whole bunch of analog video cameras that hogging up all of Channel 1 in 2.4GHz along the broad side of a hospital. As you could imagine, with a good 100 or so Access Points all excluding channel 1 (due to interference) from their channel plan, this meant that a two channel plan was all that was left (6 and 11). After much sleuthing, we determined that the signal was traveling well in excess of 10 city blocks! In my book, that certainly fit the bill for ‘obnoxious’. With more than a little hesitancy, I went to the FCC web page for complaints and filed one.

We're concerned with Wi-Fi Jammers.

We’re concerned with Wi-Fi Jammers.

Once my complaint went off into oblivion, I’ll be honest with you, I didn’t expect to hear anything from them at all. Instead, a few weeks later, I got a letter in the mail with the usual FCC ‘devices must accept interference’ text that you’d expect from a Federal entity. I was heartened by the fact that I got a response however, and there was a ‘for more information call this number’. They offered, I did. The nice Federal employee took my call, listened to my acknowledgement of the letter, listened to my insistence the letter was insufficient, and listened to my complaint that there was something going on that the FCC clearly needed to get involved in. She thanked me for my time and stated that she would escalate my case. This was the last I personally heard from them.

I was fortunate enough to have some contacts near the building that we suspected was generating the noise. Sure enough, a couple of weeks later, they informed me that a FCC field agent showed up asking questions. Shortly thereafter, the video camera signatures stopped being detected, the channel cleared up, and things got back to normal at my customer.

The point of all of this is that you do have a friend in the FCC. They’re not the most communicative, timely, or ‘feel good’ organization I’ve ever worked with, but if you have no other choice, and you can prove reasonably that there is a strong need for them to get involved with a neighbor that being obnoxious, they will. Start to finish, once I engaged the FCC, it took roughly 2 months to get back to normal. Don’t expect them to be quick. Don’t expect them to believe you. Don’t expect them to understand what you’re saying. Do be patient. Do be persistent. Do be kind. You don’t want to make a Fed angry.

Here are some good times to engage the FCC:

  • You can prove beyond the shadow of a doubt that something beyond your sphere of influence is causing harmful interference to your Wi-Fi network.

Here are some good times to not engage the FCC:

  • Your ER department won’t buy new Microwave ovens
  • Your security team is installing analog video cameras
  • Your customers are bringing gaming consoles onto your property and using them
  • Your co-worker put a 20dBi antenna on a 200mW radio outside (although, this is a good way to get them called on you!)
  • You believe you have external interference, but don’t have a Spectrum Analyzer to prove it

If you need a Spectrum Analyzer, head on over to the MetaGeek folks and check out their Wi-Spy Mini or their Wi-Spy DBx for a good cost effective way to tackle interference issues. If they get too big, rest assured that Big Brother is out there – just a complaint form and a couple phone calls away…

Filed under FCC, MetaGeek, Spectrum, Wireless

Cisco releases new WLC UI, Changes default values (finally)

May 4, 2014 1 Comment

Cisco released WLC code version 7.6.120.0 which brings with it (among other things) a new User Interface for the 2504 WLC. When you use the new simplified setup, it also changes many of the default values that haven’t yet been enabled by default in the base code. The new default values are:

Aironet IE: Disabled
DHCP Address Assignment (Guest SSID): Enabled
Client Band Select: Enabled
Local HTTP and DHCP Profiling: Enabled
Guest ACL: Applied
CleanAir: Enabled
Event Driven RRM: Enabled
Event Driven RRM Sensitivity, 2.4GHz: Low
Event Driven RRM Sensitivity, 5GHz: Medium
Channel Bonding, 5GHz: Enabled
DCA Channel Width: 40MHz
mDNS Global Snooping: Enabled
Default mDNS profile: Add better printer support, Add HTTP
AVC (no Control, only Visibility): Enabled*
Management via Wireless Clients: Enabled
HTTP/HTTPS Access: Enabled
WebAuth Secure Web: Enabled
Virtual IP Address: 192.0.2.1
Multicast Address: Not configured
Mobility Domain Name: Name of employee SSID
RF Group Name: Default

*AVC stands for Application Visibility and Control. Control means remarking or blocking – for the purposes of the default setup, you’re inspecting only, Control is disabled and must be enabled manually. This also requires a current boot loader which should only be important if you’re setting up an older unit that’s been cleared.

You should note that to get these default values auto-set, you must use the new setup wizard – if you do the regular CLI setup of your controller, or if you just upgrade an existing controller without clearing it’s config, these are not set. You should also note that, for now at least, this only applies to the 2504 controller, not the 5508, WiSM2, 7510, 8510, or Virtual WLC platforms.

Filed under Cisco, WLC

WPA/TKIP only going away in Cisco WLC release 8.0

April 29, 2014 6 Comments

Cisco is readying the next major release of their WLC code, version 8.0. At the advocation of the WFA, this will bring with it a very significant change in security capabilities that you may find impacting if you’re caught unaware. In an attempt to raise awareness, Cisco has approved an discussion of this change first mentioned here. Cisco, in accordance with the new WFA guidelines, will no longer be allowing an SSID configuration with WPA/TKIP only security. If you are currently using an SSID that has WPA/TKIP only security, your configuration will automatically be updated to enable WPA2/AES connectivity as well as WPA/TKIP. You may want to start validation testing now if you are currently supporting legacy devices on a WPA/TKIP only SSID today. The easiest way to ensure you’re not caught by this change is to enable WPA2/AES along with WPA/TKIP and check to make sure your devices still behave as expected. I have confirmed in the lab that this change will be automatic:

WPA-TKIP only configuration pre-8.0

WPA-TKIP only SSID configuration, Pre-8.0

WPA2-AES added post-update

Same SSID with WPA2/AES enabled post-update.

 

To summarize of the variety of allowed and disallowed potential configuration options you have available and if they’ll be supported in WLC 8.0:

WPA1-TKIP (Disallowed due to eliminating TKIP)
WPA1-AES (Allowed by Extension Policy)
WPA1-TKIP/AES (Disallowed since not used in conjunction with WPA2-AES)
WPA2-TKIP (Disallowed due to eliminating TKIP)
WPA2-AES (Certified and allowed)
WPA2-TKIP/AES (Disallowed due to WPA2-TKIP)
WPA1-TKIP + WPA2-TKIP (Disallowed – no AES support)
WPA1-TKIP + WPA2-AES (Certified and allowed)
WPA1-TKIP + WPA2-TKIP/AES (Disallowed due to WPA2-TKIP)
WPA1-AES + WPA2-TKIP (Disallowed due to WPA2-TKIP)
WPA1-AES + WPA2-AES (Allowed by Extension Policy)
WPA1-AES + WPA2-TKIP/AES (Disallowed due to WPA2-TKIP)
WPA1-TKIP/AES + WPA2-TKIP (Disallowed due to WPA2-TKIP)
WPA1-TKIP/AES + WPA2-AES (Allowed by Extension Policy)
WPA1-TKIP/AES + WPA2-TKIP/AES (Disallowed due to WPA2-TKIP)

Other SSIDs and security configurations are not impacted, including Open SSIDs, any SSID that currently has AES enabled, and WEP SSIDs.

 

UPDATE: Due to user feedback, Cisco and the WFA finally settled on making the above restrictions in the GUI only. If you still have a business need for a WPA/TKIP SSID, you can configure it from the CLI. If you were building an SSID on a Cisco WLC with an ID of 6, you would use the following commands for example:

config wlan create 6 TKIP-ONLY
config wlan security wpa wpa2 disable 6
config wlan security wpa wpa1 enable 6
config wlan security wpa wpa1 ciphers tkip enable 6

Using the show commands you can validate that this configuration took at the CLI:

show wlan 6

Wi-Fi Protected Access (WPA/WPA2)…………. Enabled
WPA (SSN IE)…………………………. Enabled
TKIP Cipher……………………….. Enabled
AES Cipher………………………… Disabled
WPA2 (RSN IE)………………………… Disabled

Filed under Cisco, Security, Wireless, WLC

Older posts

Newer posts