Have you seen this video?
For those of you who are not familiar with the technology, Bonjour is a multicast DNS(mDNS) based protocol used to advertise and connect to network services such as printers, file servers, TV’s. With the BYOD explosion and increased use of mobile devices for work in the office and classroom, Bonjour is applicable not only at home, but also in enterprise. Last Christmas with the 7.4 release, Cisco introduced the Bonjour Services Directory optimized for enabling enterprise campus environments to share Bonjour services across Layer 3 networks. In this blog, I will share some details about how a K-12 school successfully deployed Cisco wireless solution to provide Bonjour Services. As a special treat, I will also discuss some details on Bonjour enhancements included with the upcoming 7.5 release.
St. Margaret’s Episcopal School (SMES) is a K-12 school based in Orange County California serving about 1200 students. The wireless deployment consisted of 30 Cisco 1140 Series Access Points , a Cisco 1260 Series Access Points and some Cisco 1130 Series Access Points managed by a Cisco 5508 Series Wireless LAN Controller. The wired access deployment included various Catalyst 3750, 2960 and 2950 Series Access Switches. Cisco Networking Assistant(CNA) allows them to keep a bird’s eye view on all the equipment.
Read More »
Tags: application, Bonjour, cna, controller, mac based filtering, network, services directory, SMEs, wi-fi, wifi, wireless, wireless controller
Last fall, I blogged about No SSID Outage or Access Point Stateful Switchover introduced with the AireOS 7.3 release whereby if your wireless LAN Controller fails due to some hardware failure, thousands of Access Points fail over sub-second to the standby controller! This is possible due to continuous synchronization of CAPWAP states, Configuration Changes, Radio Channel and Power, Roaming Keys and Access Point licenses between the two Controllers. This means even if the administrator changes the configuration, channel plans or the clients roam and the primary controller fails; the Access Points will simply fail over in a stateful fashion to the secondary. In this blog, I will share details on the upcoming enhancements to High Availabilty with the 7.5 release.
In the upcoming AireOS 7.5 release, we take High Availability to the next level with two critical enhancements.
1. Today, after Access Points fail over from the primary to the standby controller, each client tries to re-authenticate and the standby controller then checks against its CCKM database whether the client has already authenticated. At the rate of several tens of authentications per second, it can take anywhere from zero to a few hundred seconds for the tens of thousands of clients that are connected to a controller to re-authenticate. The client stateful essentially eliminates this downtime with sub-second failover. Thus the total downtime that any user running a voice-call or Citrix session experiences is 2-3 seconds that the application requires to reconnect.
Read More »
Tags: 7.3, aireOS, Cisco, client, client reauthentication, controller, l2, redundancy, release, SSID, wi-fi, wifi, wireless, wireless controller, wlan, WLC
Not too long ago I was assigned to a troubleshooting and remediation project for a hospital here in the SF bay area. The problem, after much troubleshooting and lab recreations, was determined to be due to an unique issue with client roaming and authentication. During the course of troubleshooting my coworker and myself often found ourselves explaining 802.1X and 802.11i to others working on the troubleshooting effort, or requesting technical updates. So based on that experience, I started thinking this might a be a good topic to cover here.
Let’s review the some of typical components of the enterprise wireless security model.
What is 802.1X?
802.1X is not a protocol, but rather a framework for a “port-based” access control method. 802.1X was initially created for use in switches, hence the port-based terminology, which really doesn’t fit too well in wireless since users don’t connect to a port. In the end it’s meant to be a logical concept in the 802.11 world. 802.1X was adopted for wireless networks with the creation of 802.11i to provide authenticated access to wireless networks. At a high level. the framework allows for a client that has connected to the WLAN to remain in a blocked port status until it has been authenticated by a AAA server. Essentially the only traffic allow through this virtual blocked port is EAP traffic, things like HTTP would be dropped.
What is EAP?
EAP (Extensible Authentication Protocol) is the authentication method used by 802.1X. It can take on various forms, such as PEAP, EAP-TLS, EAP-FAST, to name a few. There is one thing to remember when determining what EAP type to use in your network, is that it is dependent upon what your client and AAA server supports. This is it, your AP or AP/Controller hardware or code version will play no part in version is supported. Unless your AP/controller is acting as the AAA server, but I’ll stay away from that in this post. I think this can be a point of confusion for people who haven’t read much or anything about EAP methods. So, if some one asks what version of EAP the AP will support, all you need to do is ask them, what does their Client and AAA server support.
What is 802.11i?
Simply put, 802.11i is an amendment to the original 802.11 standard to address the well documented security short comings of WEP. It incorporates WPA as a part of the 802.11i amendment and adds the fully approved WPA2 with AES encryption method. 802.11i introduces the concept of a Robust Security Network (RSN) with the Four-way handshake and the Group key Handshake.
Read More »
Tags: 802.11, 802.11i, 802.1x, AAA server, access point, access points, EAP, EAP-FAST, EAP-TLS, engineer, engineers, PEAP, wi-fi, wifi, wireless, wireless controller, wireless LAN, wlan, WLC
As organizations look to improve operations through centralized control, they often need to take into account what would happen if an area of the network fails. In many cases, having a centralized controller-based wireless architecture in organizations with multiple branch offices has prompted the question, “What happens if the WAN is slow, or even worse, goes down?”
Many organizations have been reluctant to implement a centralized wireless controller located in the data center or private cloud due to this concern. Without centralized control, these organizations have two deployment strategies available to them:
- Implement wireless controllers at each branch site. This approach is perfectly fine for an organization with many Access Points per branch, or those that require high throughput for applications such as Video. However, many branches only require a few Access Points per location or require simple applications such as bar-code scanning and printing. For these organizations, local controllers become less cost effective, with the capital expense becoming prohibitive.
- Implement access points running in autonomous mode. This approach eliminates the benefits of having any kind of centralized control such as the ability to centrally configure wireless policy and security setting on access points, WIPS capabilities and advanced mobility services like CleanAir, leaving the branch vulnerable and opening the corporate network to attacks.
Read More »
Tags: access point, AP, WAN, wi-fi, wifi, wireless, wireless controller, wlan
When Cisco conducted an industry survey a few months back, the research revealed that 61% of employees believe they don’t need to be in an office to be productive – and two-thirds of employees place a higher value on workplace flexibility than salary. Attitudes toward working remotely have certainly shifted over recent years, as working from home is no longer seen as a privilege – it’s expected.
But for just about any employee who has ever needed to work from home, getting a home office wireless network up and running can be time consuming, even if you already have an existing home network. By the time you change network profiles, start VPN clients, and deal with security concerns, not to mention time spent on the phone with the corporate IT helpdesk, you can easily spend a good chunk of your day setting up and configuring your wireless network.
But once again, Cisco can help.
Cisco announced today new OfficeExtend wireless solutions designed toward making the whole teleworking process painless for both the remote worker and the IT manager back at the corporate office. With the new OfficeExtend wireless solutions from Cisco, not only can you have home network profiles for personal use, but as an additional feature, the very same corporate WLAN profiles and security that you using at the office can now be replicated at home. And better yet, the new wireless solutions require no intervention from end users by allowing IT departments to remotely manage home access points alongside the rest of their corporate infrastructure. Read More »
Tags: 802.11n, access point, Aironet, AP, Cisco, Cisco 2500 Series, Cisco Aironet 600, Cisco Catalyst 6500, Cisco ClientLink, Cisco Connected World Report, Cisco ISR G2 Services-Ready Engine, Cisco VideoStream, Cisco Wireless Business Unit, Cisco Wireless Services Module, cleanair, controller, dual radio, Hotspot, mobility, OfficeExtend, service providers, videoscape, wi-fi, wireless, wireless controller, WiSM2, WNBU