Cisco Blog > Mobility

802.11i, Authentication and You

January 4, 2012 at 5:00 am PST

Not too long ago I was assigned to a troubleshooting and remediation project for a hospital here in the SF Bay Area. The problem, after much troubleshooting and lab recreations, was determined to be due to a unique issue with client roaming and authentication. During the course of troubleshooting, my coworker and I often found ourselves explaining 802.1X and 802.11i to others working on the troubleshooting effort or requesting technical updates. So based on that experience, I started thinking this might be a good topic to cover here.

Let’s review some of the typical components of the enterprise wireless security model.

What is 802.1X?
802.1X is not a protocol, but rather a framework for a “port-based” access control method. 802.1X was initially created for use in switches, hence the port-based terminology, which really doesn’t fit too well in wireless since users don’t connect to a port. In the end it’s meant to be a logical concept in the 802.11 world. 802.1X was adopted for wireless networks with the creation of 802.11i to provide authenticated access to wireless networks. At a high level, the framework allows for a client that has connected to the WLAN to remain in a blocked port status until it has been authenticated by a AAA server. Essentially the only traffic allowed through this virtual blocked port is EAP traffic; things like HTTP would be dropped.

What is EAP?

EAP (Extensible Authentication Protocol) is the authentication method used by 802.1X. It can take on various forms, such as PEAP, EAP-TLS and EAP-FAST, to name a few. The one thing to remember when determining what EAP type to use in your network is that it depends on what your client and AAA server support. That is it: your AP or AP/controller hardware or code version will play no part in which version is supported, unless your AP/controller is acting as the AAA server, but I’ll stay away from that in this post. I think this can be a point of confusion for people who haven’t read much or anything about EAP methods. So, if someone asks what version of EAP the AP will support, all you need to do is ask them what their client and AAA server support.

What is 802.11i?

Simply put, 802.11i is an amendment to the original 802.11 standard to address the well-documented security shortcomings of WEP. It incorporates WPA as a part of the 802.11i amendment and adds the fully approved WPA2 with the AES encryption method. 802.11i introduces the concept of a Robust Security Network (RSN) with the Four-Way Handshake and the Group Key Handshake.


5 Retail Trends Driving Wi-Fi: Final Chapter

December 20, 2011 at 5:00 am PST

Missed the first two parts of our guest series with Andrew vonNagy, Technical Architect of a Fortune 50 Retail organization and CCIE Wireless #28298? Read Part 1 and Part 2 to get the full picture.

Trend 4: Expanding Branch Office Services
In order to remain competitive, retail organizations must deliver better customer service in their physical stores. This is accomplished by migrating away from traditional lean-branch operational models focused on cost reduction to a more sophisticated service-rich operational model within the store. Deploying integrated and context-aware services into the store for both sales associate and customer use will translate into a better shopping experience, return visits, and brand loyalty.

New services such as robust wireless telephony solutions can enable better availability and improve responsiveness of sales associates for customer assistance by tying service desks to every associate in real-time, as well as provide push-to-talk integration for integrated in-store communications. Digital video services over wireless enable increased security by providing real-time video feeds to in-store security personnel, and can enable videoconferencing for merchandise planning and collaboration with headquarters staff. Location based services allow retailers to provide relevant services to customers, such as targeted promotions that appeal to today’s cost-conscious consumer or in-store navigation (wayfinding) to improve the customer shopping experience. Location services will also require the Wi-Fi network to be deeply integrated with back-end marketing systems, making it more integral to core retail business operation.


5 Retail Trends Driving Wi-Fi: Part 2

December 15, 2011 at 5:00 am PST

Earlier this week, we kicked off a special customer guest blog series with Andrew vonNagy, author of the blog Revolution Wi-Fi, and active on Twitter @revolutionwifi. Join us today as Andrew explores the next two major retail trends changing the Wi-Fi industry, and catch up with the first part if you missed it.

Trend 2: Empowering Sales Associates
Given the increasingly connected and smart shopper, consumers now have more product information than in-store sales associates in many cases. Yet sales staff are key to providing a great consumer experience in-store. Retailers need to empower sales associates with the depth of product information that consumers have, and to provide additional tools that facilitate existing and new services offered by the retailer.

Historically, only a fraction of retail sales associates have been provided with mobile devices, and those devices have enabled only a limited set of capabilities such as stocking, inventory management and product availability. One reason for this is the high cost of ruggedized mobile devices for use in retail. A typical high-speed scanner PDA can cost well over $1,200 each. In order to provide every sales associate with more information to help consumers, retailers are adopting lower-cost, feature-rich, smart mobile devices that provide more robust capabilities than specialized scanners. Mobile platforms built by Apple, Android, and third-party manufacturers are enabling this shift, along with a retail IT focus on enabling business processes in a more flexible, consistent, and re-usable fashion.


Customer Perspective: 5 Retail Trends Driving Wi-Fi

December 13, 2011 at 5:00 am PST

This is the type of post that gets me excited. Today, I’m happy to feature a special customer guest author: Andrew vonNagy, CCIE #28298 (Wireless), and currently Technical Architect for a Fortune 50 retail company. Many of you may know Andrew from his active blog, Revolution Wi-Fi,  or his Twitter feed: @revolutionwifi. Stay with us over the next two weeks as Andrew offers his take on the intersection of Retail and the Wireless LAN industry.

Retail Wi-Fi networks have long been dominated by inventory management applications and services that enabled a more productive workforce and leaner operations. However, brick-and-mortar retail is being disrupted due to the explosive growth from pure e-commerce competitors offering [often] lower prices and a more personalized shopping experience. In addition, the e-commerce sales channel offers deeper product information, community reviews, and greater levels of localization and customization that resonate with consumers.

Brick and mortar retail must adapt to compete in this new environment. A key component of this adaptation is delivering new IT solutions while leveraging the physical assets of the storefront, mixing the benefits of in-store product “touch-and-feel” with the personalization of e-commerce shopping. Merging these two worlds together will create an enhanced shopping experience through the use of mobile Internet devices, often connected through Wi-Fi networks.

This week, we will cover the first of 5 trends driving Wi-Fi growth and new capabilities in retail organizations:

Trend 1: Consumer Interaction and Business Analytics

Physical retailers have the most influence over consumer purchase decisions in the store, when they are standing in front of the product they are weighing whether or not to buy. Historically, this has been through in-aisle marketing and signage. However, customers are increasingly equipped with mobile Internet access and turning to external sources of information in real-time while within a retail store. This has been coined the emergence of the “smart shopper”. These external sources of information are much more comprehensive than what the retailer can provide through traditional in-aisle marketing and signage, and this leaves the physical retailer at a big disadvantage.


Thankful for…the privacy of my patient data

If you happened to have your Thanksgiving meal last week with a person of Greek heritage, you may have heard them toast “Yia mas”, that literally means “to our health”. And that is exactly what I am thankful for each day, my family’s health.

I am also thankful for the health of our wireless business, which is going great thanks to professionals such as doctors and nurses who want to use their personal devices (smartphones and tablets) at work.

At Cisco we have long been talking about how we enable this proliferation of devices in the workplace and how we make it easier for IT to onboard and troubleshoot these “un-managed” devices. We also provide a robust wireless infrastructure that enables these professionals by providing the best possible mobile experience. But the trend of personal devices in the workplace does pose a valid concern: “As more and more doctors start using their personal iPads at work, will my patient data be secure?”

Curiosity got the better of me, and I decided to look at some data over the long weekend to better understand how healthcare data breaches occur. This is by no means a scientific analysis, I just crunched some data I downloaded from the U.S. Department of Health and Human Services website (hss.gov), so the findings are not conclusive, but rather indicative of what is happening. The data represents HIPAA breaches of 500 or more records per incident over the past 2-year period.

Here is what the data says:


Mobile Device Flexibility More Important Than Salary [INFOGRAPHIC]

At Interop New York last month, Cisco’s Sujai Hajela, VP/GM of Wireless Networking Business Unit, said “people are falling in love with their mobile devices,” during his keynote. He was right. People are so in love with their mobile devices that they’ll choose mobile device flexibility over salary.

Consider this. According to the second chapter of the 2011 Cisco Connected World Technology Report, one in three college students and young employees under the age of 30 would prioritize device flexibility and social media freedom over salary in accepting a job offer. In fact, 40 percent of college students and 45 percent of young employees said they would accept a lower-paying job that had more device flexibility and social media access, than a higher-paying job with less flexibility. Wow!

People are so in love and attached to their mobile devices that half of college students and young employees said they would rather lose their wallet or purse than their mobile device, according to the study. And their mobile devices are multiplying – 77 percent of employees have multiple devices and one in three employees globally uses at least three devices for work.

Their attachment to their mobile devices goes a step further. More than half of college students and young employees want to use their own devices to access corporate networks, and two in five consider it a critical function of their job to be able to connect to the network from any location at any time.

So, what does this mean for businesses? People will want to continue their love affair with their mobile devices at work, so it’s better to be prepared to support employee-owned devices as the “bring your own device” trend is only becoming more prevalent.


Securing the Mobile Experience Made Simpler

October 25, 2011 at 5:00 am PST

It is no longer a question of “if” your organization will face the new reality of mobile device proliferation, just an ever closer “how soon.” Users expect the network to enable trends like Bring Your Own Device (BYOD), and they aren’t just using smartphones and tablets to be more productive, they are falling in love with them. For businesses, simply allowing access isn’t the answer. It’s a question of relevant, secure access across the entire network, while protecting corporate assets and delivering an optimal user experience. Cisco focuses on exactly that -- how to enable a simple and secure mobility experience, with a consistent end-to-end architecture across wired, wireless and VPN access.

As a cornerstone of this wired-wireless access architecture, the Cisco Identity Services Engine (ISE) has already been helping customers like Whittier Union High School, San Antonio Water System and BlueWater Communications Group apply consistent security across the entire network through a centralized, single policy source.

Whittier Union High School District, a California high school district serving more than 13,600 students, was facing the challenge of mobile devices. Both faculty and students were bringing their personal devices on campus, many for educational apps and tools.

“It’s becoming increasingly critical to provide employees, students, and visitors access to our network and extensive educational resources given the growing expectations of our tech-savvy population,” stated Karen Yeh, Director of Information Technology, Whittier Union High School District.

Whittier needed a way to apply differentiated policy across their student and staff populations, somehow managing access for both personal and corporate devices, all without increasing IT resources. Karen called Cisco, and two weeks later her team was deploying the Cisco ISE, implementing a single point of security policy for their networks across wired, wireless and VPN. Considering that Richard Nixon, the 37th president of the US, went to Whittier High School, the flexible network access enabled by Cisco ISE may be empowering the next generation of leaders, scientists or artists. But mobile devices aren’t confined to education. San Antonio Water System, a public utility owned by the city of San Antonio, is seeing surprisingly similar issues.


Check your Spectrum!

October 3, 2011 at 10:28 am PST

Lately I had been spending a lot of time in the office rather than on the road, which isn’t all bad, as it gives me some semblance of a routine rather than living out of a suitcase. It has also given me some spare time to come up with another blog topic, which actually stems from some of the work I have been doing for customers lately.

Typically when a site survey is being done, we will do spectrum analysis work as well. Part of my job entails creating and reviewing documents from this work prior to delivering them to customers, which means I have been watching a lot of spectrum analysis lately. Most of the customers I have worked with recently have been with CleanAir APs, so they will be able to monitor their environment in real time once the WLAN is up and running. However, it’s always a good idea to perform some spectral analysis while you are walking around doing a site survey. And really, why not? If you are there and you have a few minutes, fire up the old spectrum card and get a capture of what’s going on with your RF. This helps make sure there aren’t any major layer 1 surprises when you go to install the new WLAN. It doesn’t mean things won’t change, and they often will, due to the dynamic nature of RF. It’s an ever-changing environment, so what wasn’t there on Monday might show up on Tuesday and be gone again by Wednesday.

Before jumping into particular types of interferers, let’s talk about some of the data that Cisco Spectrum Expert can show you. Two of the things I like to look at when looking at the RF in Cisco Spectrum Expert are the Real Time FFT and Duty Cycle plots, as pictured below.

What the Real Time FFT is showing you is the RF energy in real time measured in dBm, so how loud or quiet the device is. The next is the FFT Duty Cycle, which, simply put, is how utilized the RF is. Let’s say you have a device that is being captured as having a 1% duty cycle. This means it’s using a very small amount of the available ‘air time’ to transmit its data. Conversely, if there is a device that is showing a 100% duty cycle, it is using up all the ‘air time’ and not allowing other devices to use the RF medium to transmit.

Two other views I find helpful are the Spectrogram views. These display the same info as the plots above, but are plotted out over time. I use them in a few of the examples below.


Developers, Developers Developers! Cius Developer Program and Droidcon London 2011

In a classic performance, captured here on YouTube, Steve Ballmer does a pretty good job of illustrating his feelings on the importance of developers. We share his enthusiasm.

You have probably already heard that we have an enterprise tablet, the Cius, with corporate telepresence, baked-in security/encryption, VXI, docking stations, display out and a bunch of other features that make it the ideal corporate citizen. One of those features of particular note to developers is the enterprise app store, AppHQ. The AppHQ makes it easier for Cius owners to find apps, while providing an easy route to market for developers. Of course, things like the AppHQ are far more interesting when well stocked with interesting apps, which brings us to the next point…

Cius Developer Program

Speaking of developers, Cisco has a substantial developer network, not surprisingly called the Cisco Developer Network. Better yet, part of that larger effort is the Cius Developer program. We make it easy. Cius uses the popular Android OS, the apps you write will appear in the Cisco AppHQ (if you charge for your apps, you get 70%) and we will help you along the way, with forums, extensive documentation including a solid API reference, and sample code and apps. By the way, did you know that 85% of the Fortune 500 use Cisco Unified Communications?

Droidcon

To help get the word out on the Cius Developer program, Cisco will be at Droidcon London. Participate in our “Crack the Code” breakout session with Marcus O’ Sullivan, Business Development at Cisco, on the first day at 2:40 PM in room two. Then, have a drink on us; we’ll be sponsoring drinks later in the exhibit hall. On the second day, Tim Stone, Cisco Business Development Director, will give a keynote on the insights on enterprise mobility strategies first day at 9:35 AM in the auditorium.

If you miss some of these events, that’s okay, you can always drop by our booth, [booth number] any time—you wouldn’t be able to miss it. Bring some ideas, we’ll be glad to chat with you about the possibilities that are out there for you.

We are also giving away two Cius tablets at Droidcon—just drop your business card off at one of the events or at our booth and we will pick two winners!

So, if you can, please join us at Droidcon – we look forward to hearing from you. If you can’t make it to Droidcon, we certainly encourage you to join the Cius Developer Program.

Remember, there are lots of ecosystems out there but the good ones all have one thing in common…

Developers, developers, developers!


A Customer Story: Hospital uses Cisco CleanAir technology to rapidly isolate radio interference in “noisy” environment

We all see a growing trend of using wireless technologies in hospitals due to its benefits in cutting healthcare costs and increasing accessibility for patients and healthcare providers. Wireless applications have the potential to improve care by providing real-time access to a patient’s medical history including treatments, medications, laboratory tests, insurance information and more.

Our customer, Children’s Mercy Hospitals and Clinics – one of the leading children’s hospitals in the U.S.—works tirelessly to help ensure healthcare providers, administrators, and patients have access to leading technologies. So when it came to managing the hospitals’ wireless network, IT managers knew they needed a best-in-class solution.  Deploying the right wireless technologies is not only a matter of adopting reliable solutions – it’s also about putting the systems in place to identify and mitigate wireless interference, which can be a major challenge at a busy hospital.

To combat this, the hospital deployed the Cisco Aironet 3500 Series access points throughout the campus to enable high-performance 802.11n wireless services and Cisco CleanAir technology to both troubleshoot problem areas and optimize the wireless environment. The IT team quickly identified and addressed many areas of interference, including pinpointing that some interference was coming from public buses changing traffic lights at a nearby bus stop.  With the powerful Cisco environment, Children’s Mercy Hospitals is moving to a “self-healing” wireless network that will automatically fix itself when interference is encountered.

Listen to what the customer has to say about their deployment and Cisco CleanAir: Watch now. You can also read and download the PDF version.


Announcing a New Flavor of Cisco Identity Services Engine for Wireless Networks – Cisco’s “Smart Bouncer” for Your Network

During last month’s Cisco Live event in Las Vegas, we invited a few guests to take a tour of the data center of one of our customers, Switch Communications Group. Switch hosts data and servers for several casinos and government agencies, among other high-profile customers, and they take security VERY seriously.  

As Don Clark of the Wall Street Journal described, once the guests passed through security – which included a holding room and confiscated IDs – armed guards monitored every step the guests took while inside the data center, and strictly enforced all policies that disallowed any photography and basically touching anything. 

You could think of this experience as a metaphor for the capabilities of Cisco’s Identity Services Engine (ISE) – just without the armed guards.


Tips to make your next site survey 100% more fun!

August 12, 2011 at 10:21 am PST

My first project at Cisco was a wireless site survey at a large hospital complex. The hospital wanted a new 802.11n network with CleanAir APs and the ability to track hospital equipment, make Vo-Fi calls and provide guest access for devices like the iPad.  The scope was to survey an estimated 3 million square feet of the facility, which wasn’t even all of the buildings! My retail background consisted of either stores or distribution centers, mostly with fairly large square footage, so my first thought was this shouldn’t take long. What is 3 million square feet, when an average distribution center was 1.5 million square feet?

What didn’t occur to me initially, but did very shortly after looking at a floor plan, is the huge difference in the purpose of the buildings. For starters there are a lot of rooms in a hospital, whereas in retail there are primarily just large open spaces. Having to walk in and out of room after room really adds a lot of time to a survey. Additionally many of the rooms have been re-purposed over time to meet the changing needs of the hospital. For example, rooms now used as administrative or doctor offices were at one time used as isolation rooms for patients, or various other uses that make RF propagation less than ideal. Another challenge was restricted pharmaceutical areas where badge and key access is tightly controlled. This doesn’t necessarily pose a challenge in terms of providing coverage, but it does when you are walking your survey and you suddenly find yourself locked out of a room!

After many trips to the hospital and countless number of hours roaming hallways and going in and out of rooms, I have found that a few things have become almost second nature when I am getting things prepped or planning for a return trip. Below I have a few things that might help WLAN Engineers when planning for their next survey project. While none of these are directly related to the finer technical points of a survey, like configuring your survey AP’s power level or importing floor plans into tools like Air Magnet, they will make life much less frustrating!


Tablets Welcomed: Will you create the “killer” enterprise app?

Last week’s blog highlighted ways you can improve the user experience by preparing your network to meet the challenges associated with the sea of devices entering the corporate networks. Ultimately however, productivity is not only going to be dependent on the freedom to choose a device, or the ease of access to information, or the quality of the connection when consuming bandwidth-intensive content. It will largely be dependent on the tools available on those devices – in other words “the apps”.

Most desk-bound knowledge workers will be quite content using existing productivity tools such as word processing, spreadsheet, or presentation software already available in the various app stores. There will however be many other types of workers that can tremendously benefit from having applications that are turbo-charged with network intelligence.

What do I mean by that? Well, you will just have to watch the video where Jagdish Girimaji, product manager for the Mobility Services Engine (MSE), outlines what network information can be exposed to make tablet applications more intelligent.


Tablets Welcomed. Can Your Wireless Network Support the User Experience Expected of These Sleek Devices?

Ok, so maybe you are starting to give in to the idea that employees bringing personally owned tablets to work is indeed not a fad and you have to deal with it. You have decided on a BYOD strategy that protects company and network resources, while (mostly?) satisfying user appetite for connectivity anywhere from any device.

Great! Now. Is your 802.11n wireless network capable of delivering the user experience that is associated with these new sleek gadgets?

If you thought your network is “good enough”, then think again. This client wave is about to disrupt everything in multiple ways.

  • First, more devices on the network translate to significantly higher demands for bandwidth. In many cases bandwidth requirements can grow exponentially because the ratio of user to devices is no longer 1:1 but 1:2 and often 1:3. We therefore expect to see network utilization significantly rise over time.
  • Second, tablet form factor now allows users to truly be mobile. Unlike laptops, users can now walk/move and be productive at the same time. This new type of behavior will increase the number of clients roaming between access points.
  • Finally, it has been observed that tablets are primarily used for content consumption (as opposed to creation), and video is one of the predominant types of content being consumed, which further complicates bandwidth issues, but also creates new challenges.


My new life @ Cisco

July 28, 2011 at 4:17 pm PST

Hello and thanks for reading! My name is Travis Schlafke, and I am a new member of Cisco’s Advanced Services Wireless Team. I’ve been at Cisco a little over 2 months now and I can say it has been a crazy fun ride thus far. My first day I went into the office, picked up my laptop and set up my email, and day 2 I was out on a flight to work on a survey of a hospital in Houston, Texas. My primary job task involves working with customers on a wide variety of projects providing wireless network solutions. As a side project I get to share my experiences through this blog. Through my work, during my (hopefully!) long career at Cisco, I hope that I can find some fun and unique things to share with everyone and give back to the Wi-Fi community.

To give you an idea of my background, I grew up in Central Wisconsin and pursued a degree in Information Technology Management at the University of Wisconsin – Stout. I lived in Minneapolis the past few years working as a Wireless Engineer for a large retailer. Less than a week ago I packed up and moved to San Jose, California to be part of the AS Wireless team located there. I’m looking forward to the change of weather and the change of scenery (tech companies on every block, etc). I learned a lot in my previous job, but found the opportunity to come work at Cisco and expand my knowledge and career experience too exciting to pass up. Although it’s hard to pack up and be so far away from friends, family and my Green Bay Packers, I’m really excited for the opportunity to work with some of the brightest Wi-Fi guys in the industry.

That is a little bit about my background and how I joined the Cisco Team. But what I want to share in one of my first blog posts is why I am excited to have the opportunity to use social media here. I grew up at the right time for social media to play a huge role in how I interact with people in all the facets of my life. Being a millennial, some of my first memories of computers were playing Oregon Trail on the Apple IIGS’s in my elementary school classrooms. I still remember when my parents bought a computer that had a modem and I didn’t have to go to the library anymore to use the internet. Some of the early forms of social networking I recall using, although that term didn’t exist yet, were yahoo chat rooms and instant messaging programs like ICQ and MSN. It was pretty cool to talk to my friends all the time on the internet and not have to call their landline at their parent’s house.
