Not too long ago I was assigned to a troubleshooting and remediation project for a hospital here in the SF bay area. The problem, after much troubleshooting and lab recreations, was determined to be due to a unique issue with client roaming and authentication. During the course of troubleshooting my coworker and myself often found ourselves explaining 802.1X and 802.11i to others working on the troubleshooting effort, or requesting technical updates. So based on that experience, I started thinking this might be a good topic to cover here.
Let’s review some of the typical components of the enterprise wireless security model.
What is 802.1X?
802.1X is not a protocol but a framework for “port-based” access control. It was initially created for use in switches, hence the port-based terminology, which doesn’t fit wireless too well since users don’t connect to a physical port; in the 802.11 world the port is a logical concept. 802.1X was adopted for wireless networks with the creation of 802.11i to provide authenticated access to wireless networks. At a high level, the framework keeps a client that has associated to the WLAN in a blocked-port state until it has been authenticated by an AAA server. Essentially the only traffic allowed through this virtual blocked port is EAP traffic; anything else, such as HTTP, is dropped.
What is EAP?
EAP (Extensible Authentication Protocol) is the authentication method used by 802.1X. It can take various forms, such as PEAP, EAP-TLS and EAP-FAST, to name a few. The one thing to remember when determining which EAP type to use in your network is that the choice depends on what your client and AAA server support. That is it: your AP or AP/controller hardware or code version plays no part in which EAP method is supported (unless your AP/controller is acting as the AAA server, but I’ll stay away from that in this post). I think this can be a point of confusion for people who haven’t read much, or anything, about EAP methods. So, if someone asks what version of EAP the AP will support, all you need to do is ask them what their client and AAA server support.
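The two points above (the controlled port stays blocked for everything but EAP until the AAA server says yes, and the EAP method is negotiated between client and AAA server with the AP merely relaying) can be modelled in a few dozen lines. The following is an added example written for this post, not code from any vendor or from the original article; the MAC addresses, usernames and credentials are constructed placeholders, and the "server proposes, client accepts" negotiation is a simplification of the real EAP NAK exchange.

```python
from dataclasses import dataclass
from enum import Enum


class PortState(Enum):
    # 802.1X controlled-port states: blocked until the AAA server authorizes the client
    UNAUTHORIZED = "unauthorized"
    AUTHORIZED = "authorized"


@dataclass(frozen=True)
class Frame:
    src_mac: str   # client MAC (constructed sample values in demo())
    proto: str     # "EAPOL" or a data protocol such as "HTTP", "DNS"


@dataclass
class Supplicant:
    mac: str
    user: str
    credential: str
    eap_methods: tuple   # EAP types this client can do, e.g. ("PEAP", "EAP-TLS")


class AAAServer:
    """RADIUS-style server: owns the credential store and the EAP methods it offers."""

    def __init__(self, eap_methods, users):
        self.eap_methods = tuple(eap_methods)
        self.users = dict(users)

    def negotiate_method(self, client_methods):
        # Server proposes its methods in preference order; the first one the client
        # also supports wins. The authenticator (AP) takes no part in this choice.
        for method in self.eap_methods:
            if method in client_methods:
                return method
        return None

    def authenticate(self, user, credential, method):
        # Simplified: a real method would run its own exchange (TLS tunnel, certs, ...)
        return method is not None and self.users.get(user) == credential


class Authenticator:
    """The AP/controller: relays EAP to AAA and opens the controlled port on success."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.ports = {}   # client MAC -> PortState

    def state(self, mac):
        return self.ports.get(mac, PortState.UNAUTHORIZED)

    def receive(self, frame):
        """Decide what happens to a frame arriving from a client."""
        if self.state(frame.src_mac) is PortState.AUTHORIZED:
            return "forwarded"
        if frame.proto == "EAPOL":
            return "relayed-to-aaa"   # uncontrolled port: only EAPOL gets through
        return "dropped"             # controlled port is still blocked

    def run_8021x(self, supplicant):
        """Drive one EAP exchange; returns (success, method used)."""
        method = self.aaa.negotiate_method(supplicant.eap_methods)
        ok = self.aaa.authenticate(supplicant.user, supplicant.credential, method)
        if ok:
            self.ports[supplicant.mac] = PortState.AUTHORIZED
        return ok, method


def demo():
    # Constructed sample values: MACs, usernames and passwords are placeholders.
    aaa = AAAServer(eap_methods=("EAP-TLS", "PEAP"), users={"alice": "correct-horse"})
    ap = Authenticator(aaa)
    alice = Supplicant("02:00:00:00:00:01", "alice", "correct-horse", ("PEAP",))
    bob = Supplicant("02:00:00:00:00:02", "bob", "whatever", ("EAP-FAST",))

    results = {}
    results["http_before"] = ap.receive(Frame(alice.mac, "HTTP"))
    results["eapol_before"] = ap.receive(Frame(alice.mac, "EAPOL"))
    results["alice"] = ap.run_8021x(alice)
    results["http_after"] = ap.receive(Frame(alice.mac, "HTTP"))
    # bob's client only speaks EAP-FAST, which this AAA server does not offer: no
    # method can be negotiated, so the port stays blocked whatever code the AP runs.
    results["bob"] = ap.run_8021x(bob)
    results["bob_http"] = ap.receive(Frame(bob.mac, "HTTP"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that `Authenticator` has no list of EAP methods at all: that is the point of the passage. Swapping the AP for another model changes nothing about which method succeeds; changing the client's or the server's method list does.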
What is 802.11i?
Simply put, 802.11i is an amendment to the original 802.11 standard that addresses the well-documented security shortcomings of WEP. It incorporates WPA as a part of the 802.11i amendment and adds the fully ratified WPA2 with the AES encryption method. 802.11i introduces the concept of a Robust Security Network (RSN) with the Four-Way Handshake and the Group Key Handshake.
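To make the Four-Way Handshake and Group Key Handshake concrete, here is an added example (written for this post, not code from the article or from any vendor) that derives the PTK the way 802.11i specifies for the SHA1-based AKM and walks the four EAPOL-Key messages with their MICs. The PRF and the PTK input ordering follow the amendment; the message bodies (`b"M2"` and so on), the PMK and the nonces are constructed placeholders, and the AES key wrap that protects the GTK in message 3 is left out of the model.

```python
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1 iterated over a one-byte counter, truncated to n bits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)   # 384 bits for CCMP


def split_ptk(ptk: bytes):
    """CCMP PTK layout: KCK (16 bytes) | KEK (16 bytes) | TK (16 bytes)."""
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, body: bytes) -> bytes:
    """Key MIC for the SHA1 AKM: HMAC-SHA1 over the frame (MIC field zeroed), cut to 128 bits."""
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk, aa, spa, anonce, snonce, gtk, sta_pmk=None):
    """Model of the four messages. sta_pmk lets the STA hold a different PMK than
    the AP, which is what a wrong passphrase or a stale PMK cache looks like."""
    sta_pmk = pmk if sta_pmk is None else sta_pmk

    # Message 1 (AP -> STA): ANonce in the clear, no MIC. The STA can now derive its PTK.
    sta_kck, sta_kek, sta_tk = split_ptk(derive_ptk(sta_pmk, aa, spa, anonce, snonce))

    # Message 2 (STA -> AP): SNonce plus a MIC computed with the STA's KCK.
    msg2 = b"M2" + snonce
    msg2_mic = eapol_mic(sta_kck, msg2)

    # The AP now has both nonces, derives its own PTK and checks the MIC. A mismatch
    # means the two sides do not share the PMK; the AP deauthenticates.
    ap_kck, ap_kek, ap_tk = split_ptk(derive_ptk(pmk, aa, spa, anonce, snonce))
    if not hmac.compare_digest(eapol_mic(ap_kck, msg2), msg2_mic):
        return {"ok": False, "failed_at": 2}

    # Message 3 (AP -> STA): ANonce again, the GTK (AES-key-wrapped under KEK in the
    # real frame; wrapping omitted here) and a MIC; tells the STA to install keys.
    msg3 = b"M3" + anonce + gtk
    msg3_mic = eapol_mic(ap_kck, msg3)
    if not hmac.compare_digest(eapol_mic(sta_kck, msg3), msg3_mic):
        return {"ok": False, "failed_at": 3}
    sta_gtk = msg3[len(b"M3") + len(anonce):]

    # Message 4 (STA -> AP): confirmation with MIC; the AP installs keys after checking it.
    msg4 = b"M4"
    if not hmac.compare_digest(eapol_mic(ap_kck, msg4), eapol_mic(sta_kck, msg4)):
        return {"ok": False, "failed_at": 4}

    return {"ok": True, "sta_tk": sta_tk, "ap_tk": ap_tk,
            "sta_gtk": sta_gtk, "ap_gtk": gtk}


def group_key_handshake(ap_kck, sta_kck, new_gtk):
    """Two-message GTK rotation protected by the KCK from the pairwise handshake.
    Returns the GTK the STA installs, or None if the MIC does not verify."""
    msg1 = b"G1" + new_gtk                     # AP -> STA: new GTK (wrapped in reality) + MIC
    if not hmac.compare_digest(eapol_mic(sta_kck, msg1), eapol_mic(ap_kck, msg1)):
        return None
    return new_gtk                             # STA -> AP: message 2 acknowledges


if __name__ == "__main__":
    # Constructed sample inputs; real nonces come from a CSPRNG on each side.
    pmk = hashlib.sha256(b"constructed sample PMK").digest()
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce, gtk = bytes(range(32)), bytes(range(32, 64)), bytes(16)
    print(four_way_handshake(pmk, aa, spa, anonce, snonce, gtk)["ok"])
```

The thing to take away for troubleshooting: message 2 is the first point at which a PMK mismatch shows up, so a client that repeatedly fails there after a roam is pointing at key material (PMK caching, 802.1X re-authentication) rather than at the radio.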
Video compression formats typically use a technique known as ‘difference coding’: instead of sending every frame in full, the encoder transmits only the difference between the current video frame and the preceding one. This ensures that information which does not change (e.g. a static background) is not repeatedly transmitted. To reduce network bandwidth, video is highly compressed, but losses affect quality. Watch this short video and see the impact of packet loss, jitter and delay on video.
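A toy difference coder shows both halves of that paragraph: why the static background costs almost nothing, and why a single lost packet corrupts every following frame until the next full frame arrives. This is an added example written for this post, not the codec from the video; the frames are constructed one-row "images" with a single bright pixel moving across a static background, and the keyframe interval and the freeze-last-frame loss concealment are assumptions of the model.

```python
def make_sample(n_frames=8, width=8):
    """Constructed sample: one bright pixel (9) moving right over a static background (0)."""
    frames = []
    for t in range(n_frames):
        frame = [0] * width
        frame[t % width] = 9
        frames.append(frame)
    return frames


def encode_frames(frames, keyframe_interval=4):
    """Return packets. A keyframe ("K") carries the whole frame; a delta ("D") carries
    only (index, value) pairs for pixels that changed since the previous frame."""
    packets = []
    prev = None
    for n, frame in enumerate(frames):
        if prev is None or n % keyframe_interval == 0:
            packets.append(("K", n, list(frame)))
        else:
            changes = [(i, v) for i, (v, p) in enumerate(zip(frame, prev)) if v != p]
            packets.append(("D", n, changes))
        prev = frame
    return packets


def decode_packets(packets, width):
    """Rebuild frames. A missing sequence number is treated as a lost packet: the
    decoder freezes the last frame, and every later delta in that group of pictures
    is applied to the wrong base until a keyframe resynchronises it."""
    frames = []
    current = [0] * width
    expected = 0
    for kind, n, body in packets:
        while expected < n:                  # gap in sequence numbers: packet lost
            frames.append(list(current))     # concealment: repeat the last frame
            expected += 1
        if kind == "K":
            current = list(body)
        else:
            current = list(current)
            for i, v in body:
                current[i] = v
        frames.append(list(current))
        expected = n + 1
    return frames


def payload_size(packets):
    """Number of values carried, as a rough stand-in for bytes on the wire."""
    return sum(len(body) if kind == "K" else 2 * len(body) for kind, _, body in packets)


if __name__ == "__main__":
    src = make_sample()
    packets = encode_frames(src)
    print("lossless roundtrip:", decode_packets(packets, 8) == src)
    print("values sent with difference coding:", payload_size(packets),
          "vs", sum(len(f) for f in src), "sending every frame in full")
    lossy = [p for p in packets if p[1] != 2]          # drop the delta for frame 2
    out = decode_packets(lossy, 8)
    print("frames wrong after one lost delta:", [n for n in range(8) if out[n] != src[n]])
```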
In my last blog, I wrote about HP’s disturbing pattern of suing non-California employees under ‘non-compete’ clauses, often imposed years after employment began. Apparently it’s relatively recently that HP decided to abandon its Silicon Valley roots and tie up its non-California employees in legal knots. HP is in fact the only large Silicon Valley-based company to have two classes of employees and try to impose mobility restrictions on those who live outside California. HP’s efforts have gone so far as to sue an employee who took a buyout after having his salary cut, and one who didn’t even work in an area related to HP’s products that compete with Cisco’s.
Two recent actions since that blog posting are stunning. First, HP renewed legal action in Texas, where one of the employees used to live, trying to get a judge there to schedule a court date on a day’s notice and to apply Texas law even though the California judge in the case is going to hold a hearing, as is certainly appropriate, to verify that the employee has in fact moved to California. (Yes, he came to work for Cisco after he arrived in California, rented an apartment, got a driver’s license, etc.) Once again the Texas court refused to intervene, and in fact effectively “stayed” HP’s legal actions indefinitely. HP also tried in Texas to raise another bar to employee freedom, claiming that the employee would ‘inevitably’ use HP’s trade secrets to do his job at Cisco, and therefore should be barred from continuing his new job. Just as California law bars enforcement of non-compete clauses, California courts won’t recognize this doctrine either, seeing it for what it is — an effort to impose de facto non-competition clauses.
We had so much fun last year…and so far, they are letting us come back. We had fun doing a little promo for the trip…an excuse really…to let Jimmy Ray play dress up, let me work on my Alfred Molina impression and most of all…let Producer Steve Ewertz loose so he can shoot/edit/compose the way he likes!
Forbes Magazine is famous for its lists — think “The World’s Most Powerful Celebrities” or “America’s Best Small Companies.”
Recently, the magazine issued a new list that is particularly relevant to Cisco’s Corporate Social Responsibility (CSR) efforts: “The Impact 30,” a list of the world’s top social entrepreneurs.
Forbes defines a social entrepreneur as “a person who uses business to solve social issues.” Here in Cisco CSR, we encounter social entrepreneurs every day. In fact, a few people on the Impact 30 list work for educational organizations we’ve partnered with over the years.