CCNA Wireless

Passed CCNA Wireless Exam ~~~> Moving on to CCNP Wireless


Just a short update.

Took my exam at the end of July and passed, then went on a three-week vacation. I am now back and ready to go on with my daily hustle. I have one more exam to complete my CCDP, but I will start preparing for it towards the end of the year. To be honest, the ARCH book is rather boring for me as it has too much theory. I am in the middle of that book and have not managed to get to the end yet :). I hope to sit for that exam by the end of this year; that way, I will feel that I have accomplished something in my certification journey this year. I cannot really hope to complete the CCNP Wireless certification this year as it comprises 4 exams + the NA exam. So that will be my 2015 year-end goal. For now, I will take a break from DP preparation and read for the more interesting (642-732 CUWSS) exam.

Thank you for continually sharing in my certification journey with me 🙂 



CCNA Wireless Summary Notes: Understanding 802.11 Frame Types


Switches do not actively participate in the exchange of frames. The APs, however, are active participants. A client must join or associate with a specific wireless network by first getting permission from the AP. Then the client must send and receive every frame through the AP, or coordinate with the AP for direct client-to-client communication using 802.11z Direct Link Setup (DLS). The 802.11 frame has a maximum length of 2346 bytes.

CCNA Wireless Summary Notes: Planning Coverage with Wireless APs


AP cell size is known as the Basic Service Area. Cell size can be controlled by changing the following parameters:

  • AP transmit power (increases the signal strength of the AP). Most APs are set to transmit within government regulations, which limit the effective isotropic radiated power (EIRP) to a maximum transmit power level of 20 dBm (100 mW). The client should also be able to transmit at the set power level; otherwise its signals will not reach the AP and we will have the asymmetric
    power problem, where the two communicating devices have differing transmit power levels that might not reach each other.
  • Using specific data rates. The higher data rates, or more complex modulation and coding schemes (MCS), offer the greatest throughput but require the best signal conditions (closer to the AP). You can disable the lower data rates like 1-, 2-, and 5.5-Mbps, forcing clients to use higher data rates. This effectively reduces the usable size of the AP’s cell, even though the radio frequency (RF) footprint remains the same.

Adding APs to an ESS. Clients will remain connected to an AP as long as the following conditions are met:

  • The client is able to receive the AP’s signal at an acceptable level.
  • The AP is able to receive the client’s signal.
  • One of the acceptable modulations can be successfully used between the client and the AP.

Roaming is the process of moving an association from one AP to the next, so that the wireless connection is maintained as the client moves. Adjacent APs should be configured to use different, non-overlapping channels. Cisco recommends 15 percent to 20 percent cell overlap for most applications. The roaming process is driven entirely by the wireless client driver, not by the AP. Wireless clients decide that it is time to roam based on a variety of conditions, e.g.:

  • received signal strength indicator (RSSI),
  • signal-to-noise ratio (SNR),
  • a count of missed AP beacons,
  • errors due to collisions or interference,

WLAN Channel Layout

To minimize channel overlap and interference, AP cells should be designed so that adjacent APs use different channels. Cells should be made to overlap in a honeycomb fashion, even when planning a deployment that involves several floors. Alternating channels to avoid overlap is commonly called channel reuse.

CCNA Wireless Summary Notes: Understanding Autonomous APs


APs bridge wireless data from the air to the normal wired network. Autonomous APs have both wired and wireless hardware so that wireless client associations can be locally terminated onto a wired connection. The AP is in charge of mapping a service set identifier (SSID) to a VLAN, or in 802.11 terms, mapping a basic service set (BSS) to a distribution system (DS). Multiple SSIDs can be mapped to multiple VLANs using a trunk port.

By default, the AP will request an IP via DHCP. Otherwise, it will use the IP

By default, any autonomous AP running IOS Release 12.3(4)JA or later has its radios disabled and does not have any SSIDs configured.

GUI initial credentials:

  • username – blank
  • password – Cisco

Radio Modes:

  • Access Point Mode – AP maintains active BSS
  • Repeater – AP associates with nearby AP to extend coverage. Ethernet port is disabled
  • Root bridge – AP uses its Ethernet port to connect to bridge the wired network
    to a remote wireless bridge over a point-to-point or point-to-multipoint link. No
    wireless clients will be allowed to associate.
  • Non-Root Bridge – The AP will act as a remote wireless bridge and will connect to a
    root bridge AP over a wireless link.
  • Workgroup Bridge – The AP will use one radio to associate with a nearby Cisco
    access point, as if it is a wireless client. The other radio interface is disabled. The AP bridges between its radio and its Ethernet port. You can use an AP in workgroup
    bridge (WGB) mode to provide wireless client capability to wired-only devices.
  • Universal Workgroup Bridge —The AP will act as a workgroup bridge to associate
    with Cisco and non-Cisco access points.
  • Scanner —The AP will use its radio to scan channels and collect data

Aironet Extensions are Cisco proprietary information elements that Cisco APs can use to
interact with Cisco-compatible wireless clients, e.g. providing information about the AP's current client load so that potential clients can choose the least busy AP. Aironet extensions are enabled by default.

Convert Autonomous AP to LAP

  • Using Cisco PI
  • Use the Autonomous to Lightweight Mode Upgrade tool
    • Only works for Cisco Aironet 1100, 1130, 1200, 1240, and 1310. Others need manual upgrade
    • Download the Lightweight AP IOS Software. It is a recovery image file (a small bootstrap version of the lightweight code) that allows the AP to boot up and find a wireless controller.
    • Open the Upgrade tool as Administrator
    • In the IP File field, add the file that contains the list of AP IPs that need to be upgraded. This file can be edited in Notepad.
    • Fill in Upgrade Options – are they using DHCP, WAN for upgrade etc
    • LWAPP Recovery Image section – show path to TFTP or use internal.
    • Add optional Controller Details
    • Fill in Time Details
    • If DNS is to be used enter DNS address and domain name
    • Click start
  • Use AP’s CLI

archive download-sw /overwrite /force-reload {tftp:|ftp:}//location/image-name

If a filename contains k9w8, as in Example 8-4, it is a lightweight image. If it contains k9w7, it is an autonomous image.



CCNA Wireless Summary Notes: Understanding the CUWN Architecture


AP traffic is divided into the following:

  • Data Plane traffic – end user traffic
  • Control Plane traffic – control, configure, manage, and monitor the AP

Recall that autonomous APs bridge traffic between a wireless BSS and a wired VLAN. An autonomous AP performs the following combined functions:

  • Lightweight AP functions (Real Time functions)
    • RF Transmit/Receive
    • MAC Management
    • Encryption
  • WLC Functions (Management functions)
    • RF Management
    • Association & Roaming Management
    • Client Authentication
    • Security Management
    • QoS

The Cisco Unified Wireless Network (CUWN) is a centralized, unified approach. In the CUWN, a lightweight access point (LAP) performs only the real-time 802.11
operation. Management is performed on the WLC. The LAP-WLC division of labor is known as a split-MAC architecture. The Control and Provisioning of Wireless Access Points (CAPWAP, RFCs 5415, 5416, 5417, and 5418) tunneling protocol enables the AP and the WLC to communicate regardless of their location. It encapsulates the data between the APs and the WLC. UDP port 5246 transports CAPWAP control traffic to the WLC. CAPWAP data uses UDP port 5247 and is not encrypted by default. When encryption is enabled, the packets are protected by Datagram Transport Layer Security (DTLS).

Every LAP and WLC must also authenticate each other with X.509 digital certificates.

Activities performed by the WLC:

  • Dynamic channel assignment
  • Automatically sets the power for each LAP according to the coverage area needed
  • Self-healing wireless coverage: in case a LAP dies, the WLC increases the power of the remaining LAPs. It is also able to pinpoint and recover from external problems dynamically.
  • L2 and L3 client roaming
  • Dynamic client load balancing
  • RF Monitoring
  • Security management
  • Wireless intrusion protection system

With autonomous APs, traffic from client to client passes through the AP and then to the next client. With LAPs, the client traffic usually travels through the CAPWAP tunnel and passes through the WLC before making a return trip back through the tunnel to the other client. Clients may use DLS to communicate directly, without passing through the AP and controller; LAPs can also be configured in FlexConnect mode, so that traffic can be forwarded locally at the AP if needed.

FlexConnect: remote-site LAPs are able to locally switch traffic without traversing the CAPWAP tunnel. FlexConnect allows the LAP to keep switching traffic locally, so that wireless connectivity remains available inside the remote site even if the CAPWAP tunnel to the WLC is lost.

Cisco WLCs


The vWLC cannot support any APs in local mode; all APs must be configured for FlexConnect instead.

Cisco APs. 


CleanAir – allows an AP to perform spectrum analysis on the wireless channels to detect non-802.11 interference.

As the number of radios and spatial streams increases, the AP is able to provide a greater throughput for its clients.

AP Operation Modes:

  • Local (default). During the times that it is not transmitting, the LAP scans the other channels to measure the noise floor, measure interference, discover rogue
    devices, and match against intrusion detection system (IDS) events.
  • Monitor mode. No transmission of traffic, but the receiver is enabled to act as a dedicated sensor. The LAP checks for IDS events, detects rogue access points,
    and determines the position of stations through location-based services (LBS).
  • FlexConnect (H-REAP). The LAP can locally switch traffic between an SSID and a VLAN if its CAPWAP tunnel to the WLC is down, or if it is configured to do so.
  • Sniffer mode. Acts as a packet sniffer and passes traffic to software analyzers like Wireshark.
  • Rogue detector.
  • OfficeExtend AP (OEAP). The LAP connects to the local broadband service and builds a CAPWAP tunnel to the central WLC. User data can be encrypted over the
    CAPWAP data tunnel using DTLS.
  • SE-Connect, for spectrum analysis.

CUWN Management

  • Wireless Control System (WCS)
    • Dedicated appliance
    • WLAN management or configuration tasks
    • RF planning
    • wireless user tracking, troubleshooting, and monitoring
    • display predictive “heatmap” representations of coverage
    • locate a wireless client  to within a few meters by triangulating the client’s signal as received by multiple LAPs.
    • with Cisco Wireless Location Appliance it could track client location
    • The WCS Navigator product provided a single portal to manage up to 20 instances  of WCS and up to 30,000 APs
  • Cisco Prime Network Control System (NCS)
    • Either a dedicated appliance or a VMware virtual machine
    • wireless device management
    • switch management
    • dynamic RF coverage heatmaps
    • with MSE it could provide client location tracking
  • Cisco Prime Infrastructure (PI)
    • offers converged management  of both wireless and wired network devices
    • integration with wireless intrusion  prevention services,
    • spectrum analysis,
    • tracking of users, interferers, and rogue devices.

CCNA Wireless Summary Notes: Initial Controller Configuration


For a WLC, ports and interfaces refer to different concepts. Controller ports are physical connections made to an external switched network, whereas interfaces are logical connections made internally within the controller.

Port types:

  • Service port – OOBM, system recovery, initial boot. Connects using an access port only.
  • Distribution system port – For AP and management traffic and client data. Usually an 802.1Q trunk port. For resiliency, configure as a LAG port (EtherChannel).
  • Console port – OOBM, system recovery, initial boot
  • Redundancy port — connect to peer controller for redundancy.

Controller interfaces:

  • Management interface – For management traffic
  • AP-manager interface (optional) – Used to terminate CAPWAP tunnels between the controller and its APs. Should be on the same VLAN as the management interface, but it can be created separately if we want to separate the management and CAPWAP traffic.
  • Virtual interface – Used to relay client DHCP requests, client web authentication,
    and to support client mobility (all WLCs in same mobility group should have the same IP)
  • Service port interface – Connects to the SP port for OOBM
  • Dynamic interface – connects WLAN to VLAN

Initial setup via WEB and CLI

  • Configure system access.
  • Configure SNMP access. v3 is recommended
  • Configure the service port.
  • Enable or disable LAG
  • Configure the management interface.
  • Configure the RF mobility domain and country code. Default is US.
  • Configure the virtual interface. Should add this to the DNS because it is used for client web authentication
  • Configure a WLAN. The WLAN ID is an internal index used when configuration templates are applied to a controller from a Cisco Prime Network Control System (NCS) or Cisco Prime Infrastructure (PI) management station.
  • Configure a RADIUS server for client authentication
  • Configure 802.11 support.
  • Configure the system clock.
  • Save and Reboot.



CCNA Wireless Summary Notes: Understanding Controller Discovery


Process of discovering a controller

AP state machine (the sequence of states that the AP goes through following bootup):

  • The AP boots on a small IOS, gets an IP address via DHCP and communicates through the network.
  • The AP tries to discover the WLC. Discovery methods, in the order followed:
    • Local subnet broadcast. The AP sends a CAPWAP Discovery Request (unicast or broadcast) on the local subnet; a controller returns a CAPWAP Discovery Response.
    • Prior knowledge of the WLC (a primary, a secondary, and a tertiary). These are primed addresses. They are stored in NVRAM so that the AP remembers them after a reboot. If the AP was previously joined to a controller, it should also have up to 8 addresses out of a list of 32 that it received from that controller. It will try to communicate with as many as possible to build a list of candidates.
    • DHCP. The DHCP server can send option 43, which suggests a list of WLCs.
    • DNS. The AP tries to resolve the name CISCO-CAPWAP-CONTROLLER.localdomain.
    • Reset and try again.
  • How the AP selects a WLC:
    • Try the primed addresses.
    • Try the master controller.
    • Try the least loaded controller. During the discovery process, each WLC also sends its load (the ratio of the number of APs joined to the total capacity). If a WLC is oversubscribed, it cannot add any more APs. APs can be assigned a priority value, which is low by default; it can be low, medium, high or critical. If a WLC is full, it will reject APs with low priority to make room for higher-priority ones.
  • The AP builds a CAPWAP tunnel to the WLC. They authenticate each other by exchanging their digital certificates. The tunnel is a secure Datagram Transport Layer Security (DTLS) channel for AP-WLC control messages.
  • The AP sends a CAPWAP Join Request; the WLC sends a CAPWAP Join Response.
  • The WLC tells the AP the image that it is supposed to use. If the AP image differs, the AP downloads the image from the WLC; otherwise there is no need. Downloading can take some time. If the AP gets rehomed, it will get the image version that is on the new WLC, so it is best to have them all running the same version. The AP image version depends on the WLC that it joins and cannot be specified.
  • The AP downloads its config from the WLC and updates existing values.
  • The WLC places the AP in the RUN state. The AP provides the BSS and begins accepting clients.
  • Reset. If reset, the AP tears down the tunnel and existing client associations, reboots and starts again from the first step.
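To make the selection order concrete, the following Python models it: primed addresses first, then the master controller, then the least loaded controller, with the AP priority deciding whether a full controller can still make room. This is an added illustration, not code from the notes or from Cisco; the controller names, capacities and loads are constructed.

```python
"""Model of how a lightweight AP chooses a WLC from its discovered candidates.
Added example, not Cisco code: the selection order (primed -> master -> least
loaded) and the priority rule follow the notes above; names and loads are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# AP join priority, lowest to highest (default is low).
PRIORITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class WLC:
    name: str
    capacity: int                                                 # licensed AP count
    joined: List[Tuple[str, str]] = field(default_factory=list)   # (ap name, priority)
    is_master: bool = False

    def load(self) -> float:
        """Load ratio the WLC advertises in its discovery response."""
        return len(self.joined) / self.capacity

    def can_accept(self, ap_priority: str) -> bool:
        """A WLC with free capacity accepts any AP; a full WLC only accepts an AP
        whose priority beats that of at least one joined AP (that lower-priority
        AP would be rejected to make room)."""
        if len(self.joined) < self.capacity:
            return True
        return any(PRIORITY[p] < PRIORITY[ap_priority] for _, p in self.joined)


def discover_candidates(broadcast: List[str], primed: List[Optional[str]],
                        dhcp_option43: List[str], dns: List[str]) -> List[str]:
    """Merge the discovery sources in the order the AP tries them,
    keeping the first occurrence of each controller name."""
    seen: List[str] = []
    for source in (broadcast, [p for p in primed if p], dhcp_option43, dns):
        for name in source:
            if name not in seen:
                seen.append(name)
    return seen


def select_wlc(candidates: Dict[str, WLC], primed: List[Optional[str]],
               ap_priority: str = "low") -> Tuple[Optional[str], str]:
    """Return (chosen WLC name, reason), or (None, reason) if no WLC can take the AP."""
    # 1. Primed primary / secondary / tertiary addresses, in order.
    for name in primed:
        if name and name in candidates and candidates[name].can_accept(ap_priority):
            return name, "primed"
    # 2. A controller flagged as master.
    for name, wlc in candidates.items():
        if wlc.is_master and wlc.can_accept(ap_priority):
            return name, "master"
    # 3. Least loaded controller among those that can still accept this AP.
    eligible = [w for w in candidates.values() if w.can_accept(ap_priority)]
    if not eligible:
        return None, "every discovered controller is full and holds no lower-priority AP"
    best = min(eligible, key=lambda w: w.load())
    return best.name, "least-loaded"


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Constructed scenario: the primed primary is full of low-priority APs."""
    wlcs = {
        "wlc-a": WLC("wlc-a", capacity=2, joined=[("ap1", "low"), ("ap2", "low")], is_master=True),
        "wlc-b": WLC("wlc-b", capacity=10, joined=[("ap3", "low"), ("ap4", "low"), ("ap5", "low")]),
        "wlc-c": WLC("wlc-c", capacity=10, joined=[("ap6", "low")]),
    }
    primed = ["wlc-a", None, None]
    low_choice, _ = select_wlc(wlcs, primed, "low")     # wlc-a is full -> least loaded wlc-c
    high_choice, _ = select_wlc(wlcs, primed, "high")   # a high-priority AP displaces a low one on wlc-a
    return low_choice, high_choice


if __name__ == "__main__":
    print(demo())   # ('wlc-c', 'wlc-a')
```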

Designing High Availability

If a WLC fails, the AP tries to join the least loaded WLC in its list. The best way is to use the primed option (primary, secondary, tertiary). The AP builds a CAPWAP tunnel to more than one WLC but will only join one. In case of failure, no time is wasted.

How an AP detects a controller failure:

  • By default, keepalives (heartbeats) are sent every 30 sec. If one is missed, more are sent at short intervals (depending on the version: for v7, 5 at 1-sec intervals; for 7.2, 4 at 3-sec intervals). If there is no answer, the AP moves to the next WLC. The keepalive interval can be adjusted between 1 and 30 sec. The AP will remain joined to a WLC until that WLC fails. The AP fallback feature enables the AP to fall back to its preferred WLC after it has come back online.

Redundant WLCs should be configured similarly.

N+1 Redundancy (N:1)

  • N controllers are backed up by 1 WLC.
  • Can withstand failure of only 1 WLC.
  • Configure primary and secondary WLC only
  • backup controller must sit idle and empty of APs until another controller fails.
  • Backup must have same capacity as the active WLC it  supports.
  • the backup controller must be configured identically to every other active controller it has to support.

N+N Redundancy (N:N or 1+1)

  • Controllers are grouped in pairs.
  • you can divide the active role across two separate devices.
  • APs and clients loads will be distributed across separate hardware
  • N+N redundancy can support failures of more than one controller, but
    only if the active controllers are configured in pairs.
  • APs  are configured with primary and secondary WLC

N+N+1 Redundancy

  • Has advantages of both N+N and N+1 redundancy
  • APs  are configured with primary, secondary and tertiary WLC
  • if the other active controller happens to fail, the backup controller is available to carry the load.
  • The tertiary should be left with 0% AP load so that it can carry the load for the rest.

AP SSO (AP Stateful Switchover) Redundancy

  • Keeps failover transparent from APs
  • Groups controllers into HA pairs: active and hot standby. The active unit has the licences necessary for the AP count; the hot standby has an HA licence. A standby can be paired with an active unit of any size.
  • APs are configured with only a primary. The rest do not need to be configured unless additional redundancy is wanted.
  • APs create a CAPWAP tunnel to the active unit.
  • The active unit keeps CAPWAP tunnels, AP states, configurations, and image files all in sync with the hot standby unit.
  • In case of failure, APs do not have to rebuild the CAPWAP tunnel. The controllers simply swap roles, so the APs stay joined to the active controller in the HA pair.
  • The active and standby controllers must always run an identical software image.
  • The two controllers share a “mobility” MAC address that initially comes
    from the first active unit’s MAC address. From then on, that address is maintained by whichever unit has the active role at any given time.
  • The controllers also share a virtual IP address.
  • When one controller is upgraded, its standby peer is also upgraded; the same applies to rebooting.
  • The hot standby controller monitors the active unit through keepalives that are sent every 100 ms. If they go unanswered, the standby begins sending ICMP echo requests to determine what is wrong; if the active unit has failed, the standby takes over. The failover may take up to 500 ms in the case of a crash or power failure, or up to 4 seconds if a network failure has occurred.
  • AP SSO does not maintain the state of any clients. If a primary
    controller fails, any associated clients will be dropped and will have to reassociate with their APs (and the secondary controller). From v7.5, a primary controller synchronizes the state of each associated client that
    is in the RUN state with a secondary controller. If the primary fails, the secondary will already have the current state information for each client, making the failover process transparent.


CCNA Wireless Summary Notes: Understanding Roaming


Roaming with Autonomous APs

  • Moving from one autonomous AP to another autonomous AP.

Intracontroller Roaming:

  • Moving from one lightweight AP that is connected to a WLC to another AP that is connected to the same WLC.
  • Controller updates its client association table
  • Takes less than 10 ms
  • Client has no knowledge of what is happening.
  • Processes that occur:
    • Client reassociation
    • The client may get a new DHCP lease or renew its existing one
    • Client authentication (this may slow the process down)
  • Fast roaming techniques
    • Cisco Centralized Key Management (CCKM) – The WLC holds the database of the clients and their keys on behalf of the APs and can provide them to other WLCs and APs when clients move. Cisco Compatible Extensions (CCX) support is required on the clients.
    • Proactive key caching (PKC) or sticky pairwise master key ID caching (SKC) – Clients keep a list of the keys they used before. The key for the destination AP should be in that list. Maximum of 8 AP-key entries.
    • 802.11r – The client can cache a portion of the authentication server’s key and present it to future APs as it roams.

Intercontroller Roaming

Moving from one lightweight AP that is connected to a WLC to another AP that is connected to a different WLC.

  • Layer 2 Roaming (Local to Local)
    • Client roams but stays in same VLAN and subnet
    • Client can keep its IP address
    • Fast roaming (<20ms)
  • Layer 3 Roaming (Local to Foreign)
    • Client changes subnet
    • Avoids DHCP to save time.
    • The WLCs compare the client's VLAN IDs: if they are the same, L2 roaming occurs; otherwise L3 roaming.
    • A tunnel is built between the original WLC (anchor) and the new WLC (foreign). Traditionally these were Ethernet over IP (EoIP) tunnels; newer code releases create CAPWAP tunnels. The tunnel connects the client to its original controller no matter where the client is.
    • Anchor and foreign controllers are determined automatically. For something like a guest WLAN, you can designate one WLC as a static anchor so that all the other WLCs send that traffic to it via L3 tunnels.

Mobility Groups

If WLCs are in the same mobility group, clients can roam between them efficiently. If they are in different mobility groups, clients can still roam, but inefficiently.

Each controller has a list of its own MAC address and those of the other controllers in the same group. Each controller also has a mobility group name. The list can hold a maximum of 72 controllers, with 24 in each group.

CCNA Wireless Summary Notes: Understanding Radio Resource Management (RRM)


Data Rates

The initial IEEE requirements are as follows, and are configured by default on the WLC:

  • For 2.4 GHz, the 1-, 2-, 5.5-, and 11-Mbps rates are all marked as mandatory (must support all possible modulations in 802.11b)
  • For the 5-GHz band, the 6-, 12-, and 24-Mbps rates are marked as mandatory

Enable 802.11a – 5GHz


Enable 802.11b – 2.4GHz



Enable 802.11n



802.11n can bond one 20-MHz to an adjacent 20-MHz channel to effectively double the channel width. By default, the controller will use only a single 20-MHz channel. This is configurable.



Enable 802.11ac


Radio Resource Management (RRM)

RRM is a flexible, automatic mechanism that Cisco wireless LAN controllers use to manage radio resources. RRM works out an optimum transmit power level and channel number for each AP. It also detects changes and makes appropriate adjustments.

The APs should be in one RF group. An RF group can span controllers if:

  • The controllers share a common RF group name.
  • At least one AP from one controller can be overheard by an AP on another controller at a received signal strength indicator (RSSI) of –80 dBm or greater; then they are close enough to belong to the same RF group. Basically, they should be located near enough to each other.
  • Up to 20 controllers and 1000 APs can join to form a single RF group.

One controller in each group is elected as an RF group leader. This can be done statically. The leader collects and analyzes the information from all members in real time.



  • APs are set to receive and transmit on a single channel, so normally they only hear noise or interference on that channel.
  • APs also briefly scan the other channels for noise and interference (less than 60 ms per scan).

What RRM can accomplish:

  • Set transmit power levels for each AP – Transmit power control (TPC) algorithm
    • The AP joins the WLC and scans channels for RF conditions. It uses the RSSI values of the neighbouring APs to measure how close they are and sends the results to the RF group leader for the TPC algorithm calculation.
    • TPC works on one AP at a time, one band at a time. If an AP has been heard with an RSSI above a threshold (–70 dBm by default) by at least three of its neighbours, TPC considers the AP’s cell to be overlapping the cells of its three neighbours too much. The AP’s transmit power level will be decreased by 3 dB, and then its RSSI will be evaluated again.
    • Runs on both bands separately.
    • If you select on demand, the algorithm will be run once at the next 10-minute interval and then frozen until the next manual initiation.
    • Cisco controllers set the transmit power level according to an index from 1 to 8.
    • It is best to match the AP and client transmit power levels. To prevent an asymmetric power condition, you can set minimum and maximum power level boundaries for the TPC algorithm. By default, the minimum level is set to –10 dBm and the maximum to 30 dBm.
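The following Python walks through the TPC decision described above with the default parameters (–70 dBm neighbour threshold, 3 dB steps, –10 dBm minimum, 30 dBm maximum). It is an added example, not Cisco's RRM code; the path losses to each neighbour are constructed values, and the model assumes that lowering an AP's power lowers each neighbour's RSSI by the same amount.

```python
"""Added example (not Cisco's RRM code): transmit power control (TPC) passes
for a single AP on one band, using the defaults from the notes above.
Path losses to neighbours are constructed values."""
from typing import List, Tuple

TPC_THRESHOLD_DBM = -70.0   # RSSI at which a neighbour counts as hearing this AP too well
TPC_STEP_DB = 3.0           # power reduction per evaluation
TPC_MIN_DBM = -10.0         # default lower bound for the algorithm
TPC_MAX_DBM = 30.0          # default upper bound for the algorithm
TPC_MIN_NEIGHBOURS = 3      # neighbours above threshold needed to trigger a reduction


def dbm_to_mw(dbm: float) -> float:
    """Power conversion, e.g. the 20 dBm EIRP limit corresponds to 100 mW."""
    return 10 ** (dbm / 10)


def neighbour_rssi(tx_dbm: float, path_loss_db: List[float]) -> List[float]:
    """RSSI each neighbour reports for this AP, from constructed path losses."""
    return [tx_dbm - loss for loss in path_loss_db]


def tpc_evaluate(tx_dbm: float, rssi_at_neighbours: List[float],
                 threshold: float = TPC_THRESHOLD_DBM) -> Tuple[float, bool]:
    """One TPC decision: if at least three neighbours hear the AP above the
    threshold, lower its power by one step (never below the minimum).
    Returns (new power, whether a reduction was applied)."""
    strong = [r for r in rssi_at_neighbours if r > threshold]
    if len(strong) >= TPC_MIN_NEIGHBOURS:
        new_tx = max(TPC_MIN_DBM, tx_dbm - TPC_STEP_DB)
        return new_tx, new_tx != tx_dbm
    return tx_dbm, False


def tpc_converge(tx_dbm: float, path_loss_db: List[float]) -> List[float]:
    """Repeat evaluations, as the RF group leader would on successive runs, until
    the cell no longer overlaps three neighbours' cells or the floor is reached.
    Returns the sequence of power levels, starting with the (bounded) initial one."""
    history = [min(max(tx_dbm, TPC_MIN_DBM), TPC_MAX_DBM)]
    while True:
        new_tx, reduced = tpc_evaluate(history[-1], neighbour_rssi(history[-1], path_loss_db))
        if not reduced:
            return history
        history.append(new_tx)


def asymmetric_power(ap_tx_dbm: float, client_tx_dbm: float) -> bool:
    """True when the client cannot match the AP's level, i.e. the AP's frames may
    reach the client while the client's replies do not reach the AP."""
    return client_tx_dbm < ap_tx_dbm


if __name__ == "__main__":
    # Four neighbours; three of them hear a 20 dBm AP at -65/-66/-67 dBm,
    # so one 3 dB reduction brings the third one down to exactly -70 dBm.
    print(tpc_converge(20.0, [85.0, 86.0, 87.0, 95.0]))   # [20.0, 17.0]
```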


  • Dynamically adjust AP channel – Dynamic channel allocation (DCA) algorithm
    • Adjacent APs should use different non overlapping channels.
    • When a new AP first powers up, it uses the first non-overlapping channel in each band—
      channel 1 for 2.4 GHz and channel 36 for 5 GHz.
    • Algorithm runs every 10 mins and can adjust channels.
    • Metrics used during calculation:
      • RSSI of neighboring APs
      • 802.11 interference
      • Non-802.11 noise
      • AP traffic load
      • Persistent interference
    • The RF group leader goes through an RRM startup mode after it is elected. The startup mode consists of ten DCA iterations at 10-minute intervals, or a total of 100 minutes, before the channel layout reaches a steady state.
    • DCA is not limited to two dimensions and can also help minimize interference between floors if the APs are in the same RF group.
    • The DCA parameters also include the 802.11n channel width. By default, 20-MHz channels
      will be used. If you are using 802.11n in the 5-GHz band and want to enable 40-MHz channels, be sure to select 40 MHz as the channel width.
    • You can specify which channels the DCA algorithm is allowed to assign to APs.



  • Event-Driven RRM (ED-RRM) – Can trigger DCA based on RF events in real time


  • Detect RF coverage holes – Coverage hole detection mechanism (CHDM)
    • Does not run on a fixed schedule; it monitors the RF conditions of wireless clients and decides when to run.
    • It runs on a per-band basis and on each controller separately.
    • Conditions that must be met for a coverage hole to be detected:
      • Client RSSI at the AP is at or below –80 dBm.
      • The low RSSI condition must last at least 60 seconds over the past 180 seconds.
      • The condition must affect at least three clients or more than 25 percent of the clients on a single AP
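The three CHDM conditions above combine into a simple per-AP test; the Python below applies them to constructed one-per-second RSSI histories for the clients on one AP, including the boundary cases (59 s of weak signal, and exactly 25 percent of clients). Added example, not Cisco's CHDM code.

```python
"""Added example (not Cisco's CHDM code): the coverage hole detection test from
the notes above, applied to constructed per-client RSSI samples on one AP.
Thresholds: client RSSI at the AP <= -80 dBm for at least 60 s of the past
180 s, on at least three clients or more than 25 percent of the AP's clients."""
from typing import Dict, List, Tuple

CHDM_RSSI_DBM = -80.0
CHDM_MIN_LOW_SECONDS = 60
CHDM_WINDOW_SECONDS = 180
CHDM_MIN_CLIENTS = 3
CHDM_MIN_FRACTION = 0.25

Sample = Tuple[int, float]   # (timestamp in seconds, RSSI in dBm)


def client_in_hole(samples: List[Sample], now: int) -> bool:
    """True when this client's RSSI was at or below -80 dBm for at least 60 of
    the last 180 seconds. Samples are assumed to arrive once per second."""
    low = sum(1 for t, rssi in samples
              if now - CHDM_WINDOW_SECONDS < t <= now and rssi <= CHDM_RSSI_DBM)
    return low >= CHDM_MIN_LOW_SECONDS


def detect_coverage_hole(ap_clients: Dict[str, List[Sample]],
                         now: int) -> Tuple[bool, List[str]]:
    """Apply the per-AP rule; returns (hole detected, affected client ids)."""
    affected = [cid for cid, s in ap_clients.items() if client_in_hole(s, now)]
    total = len(ap_clients)
    if total == 0:
        return False, []
    enough = (len(affected) >= CHDM_MIN_CLIENTS
              or len(affected) / total > CHDM_MIN_FRACTION)
    return enough, affected


def make_samples(now: int, low_seconds: int, low_dbm: float = -85.0,
                 ok_dbm: float = -60.0) -> List[Sample]:
    """Constructed one-per-second history: the most recent `low_seconds`
    samples are weak, the rest of the 180 s window is healthy."""
    return [(now - i, low_dbm if i < low_seconds else ok_dbm)
            for i in range(CHDM_WINDOW_SECONDS)]


def demo(now: int = 1000) -> Dict[str, bool]:
    """Three constructed AP populations."""
    one_of_four = {f"c{i}": make_samples(now, 90 if i == 0 else 0) for i in range(4)}
    two_of_four = {f"c{i}": make_samples(now, 90 if i < 2 else 0) for i in range(4)}
    three_of_twenty = {f"c{i}": make_samples(now, 120 if i < 3 else 0) for i in range(20)}
    return {
        "1_of_4": detect_coverage_hole(one_of_four, now)[0],       # exactly 25%: not a hole
        "2_of_4": detect_coverage_hole(two_of_four, now)[0],       # 50%: hole
        "3_of_20": detect_coverage_hole(three_of_twenty, now)[0],  # three clients: hole
    }


if __name__ == "__main__":
    print(demo())
```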




CCNA Wireless Summary Notes: Wireless Security Fundamentals – Part 2


Wireless Privacy and Integrity Methods

  1. WEP
    • deprecated
  2. Temporal Key Integrity Protocol (TKIP)
    • Developed by the 802.11i working group and the Wi-Fi Alliance
    • Adds the following features to legacy hardware that supports WEP:
      • MIC — An algorithm that adds a hash value to each frame as a message integrity
        check to prevent tampering
      • Time stamp — Added into the MIC to prevent replay attacks
      • Sender’s MAC address — Added to the MIC
      • TKIP sequence counter — Provides a record of frames sent by a unique MAC address
      • Key mixing algorithm — Computes a unique 128-bit WEP key for each frame
      • Longer Initialization Vector (IV) — The IV size is 48 bits, making it impossible to exhaust all WEP keys by brute-force calculation
    • Should be avoided
    • Deprecated in the 802.11-2012 standard
  3. Counter/CBC-MAC Protocol (CCMP)
    • Best method so far
    • Cannot be used in legacy devices that support only WEP or TKIP.
    • Has 2 algorithms:
      • AES counter mode encryption – used by the US government among others. It is open and publicly available and the most secure of the methods listed here.
      • Cipher Block Chaining Message Authentication Code (CBC-MAC) for integrity checks
    • The wireless hardware must support both AES counter mode and CBC-MAC

WPA and WPA2

The IEEE 802.11i standard defines best-practice wireless security methods.

The Wi-Fi Alliance introduced its Wi-Fi Protected Access (WPA) industry standard while the IEEE 802.11i standard was still being developed. WPA was based on parts of 802.11i and included 802.1X authentication, TKIP, and a method for dynamic encryption key management. The Alliance later developed the WPA2 standard, which is compared below.


Wi-Fi Alliance certifies interoperability with methods like EAP-TLS, PEAP, EAP-TTLS, and EAP-SIM.

Both support the following authentication modes:

  • Personal mode – uses a pre-shared key; intended for smaller deployments.
  • Enterprise mode – uses 802.1X EAP-based authentication.

Best Practice is to use WPA2 and CCMP.

Management Frame Protection (MFP)

Developed by Cisco to mitigate attacks that leverage AP management frames. It comes in two forms:

  1. Infrastructure MFP – Participating APs compute and add a MIC toward the end of each management frame, then listen to the management frames of neighbouring APs. Neighbouring APs in the same infrastructure can validate the MIC, detect any evidence of tampering, and alert the controller. Clients do not participate.
  2. Client MFP – Uses a MIC to protect management frame integrity and adds end-to-end encryption to protect the privacy of management frame contents. Only associated clients and neighbouring APs can understand the MIC and the encryption, so clients must be capable of participating: decrypting the management frames and validating the MIC value.

Clients must support CCXv5 and must use WPA2 with TKIP or CCMP.



CCNA Wireless Summary Notes: Wireless Security Fundamentals – Part 1


For confidentiality purposes, wireless clients should be authenticated before they are allowed to associate with an AP. It is also best that the AP authenticates to the client before sending traffic, so as to minimize attacks from illegitimate APs. The data payload should also be encrypted before sending and decrypted after receiving, so as to maintain the privacy of the message.

Each WLAN supports only one authentication method and one encryption scheme.

An AP can provide a group key that is used to encrypt data when it needs to send data to all clients.

To ensure that a message has not been tampered with, a Message Integrity Check (MIC) can be used to verify it. The sender adds a secret stamp to the encrypted message; the receiver recomputes and compares this stamp once the message is decrypted.

Wireless Client Authentication Methods

  1. Open Authentication – no credentials needed. The client must send an 802.11 authentication request before attempting to associate. Clients are authenticated locally at the AP.
  2. WEP (Wired Equivalent Privacy) – uses the RC4 cipher algorithm for encryption and decryption. The AP and client need identical keys to decrypt the encrypted data. Four WEP keys are configurable, but only one is active at a time. It uses a shared key mechanism: every client should have the same key before associating with the AP. WEP can be an authentication method or an encryption method. For authentication, the AP sends a challenge, the client encrypts the challenge with its WEP key, and the AP compares the result with its own. Keys can be 40 or 104 bits long, entered as strings of 10 or 26 hex digits. WEP encryption and WEP shared key authentication are weak methods. WEP was implemented in the wireless adapter hardware, making it rather difficult to move away from it without changing hardware. Clients are authenticated locally at the AP.
  3. 802.1X/EAP (Extensible Authentication Protocol) – more extensible and scalable, since it is not tied to a single authentication method. EAP can be integrated with the port-based access control method 802.1X. When 802.1X is enabled, it limits access to the network medium until a client authenticates through an EAP method, so even if the client associates with the AP, it cannot pass traffic until it is authenticated. The client uses open authentication to associate with the AP; the actual authentication then occurs at a dedicated authentication server. The supplicant requests access, the authenticator provides access to the network, and the authentication server (usually RADIUS) permits or denies access based on a user database. Common EAP-based authentication methods are:
    • Lightweight EAP (LEAP)
      • Developed by Cisco
      • Client supplies a username and password
      • Authentication server and client exchange challenge messages
      • Uses dynamic WEP keys
      • Was deprecated because the method used to encrypt the challenge messages was found to be vulnerable
      • Should not be used.
    • EAP Flexible Authentication via Secure Tunneling (EAP-FAST)
      • Developed by Cisco
      • Authentication credentials are protected by passing a protected access credential (PAC) between the AS and the supplicant. The AS generates the PAC for authentication. After authentication, a Transport Layer Security (TLS) tunnel is negotiated and used by the end user for added security. Authentication occurs in two separate processes – outside the TLS tunnel and within the TLS tunnel.
      • The RADIUS server should be an EAP-FAST server so that it can generate PACs for each user
      • Has a known vulnerability, but is still secure if managed well.
    • Protected EAP (PEAP)
      • Uses inner and outer authentication
      • In the outer authentication, the AS presents a certificate to the supplicant in order to authenticate itself. The digital certificate of the AS consists of data in a standard format that identifies the owner and is “signed” or validated by a third party (a certificate authority, CA). The supplicant should also have the certificate so that it can validate the one it receives from the AS. The certificate is also used to pass a public key, in plain view, which can be used to help decrypt messages from the AS.
      • If the supplicant is satisfied with the identity of the AS, they build a TLS tunnel for the inner authentication and encryption key exchange.
      • Only the AS has a certificate. The client does not have or use a certificate of its own, so it must be authenticated within the TLS tunnel using either MSCHAPv2 or GTC.
        • GTC – Generic Token Card; a hardware device that generates one-time passwords for the user, or a manually generated password
    • EAP Transport Layer Security (EAP-TLS)
      • Requires a certificate on both the AS and every client device.
      • The AS and supplicant can authenticate each other using their certificates.
      • After authentication, a TLS tunnel is built so that the client can be authenticated and encryption key material can be securely exchanged
      • Most secure method available
      • A Public Key Infrastructure (PKI) can supply certificates securely and efficiently and revoke them when a client or user should no longer have access to the network, instead of having to do that manually for each and every client. This usually involves setting up your own CA or building a trust relationship with a third-party CA that can supply certificates to your clients.
      • Many wireless devices, such as communicators, medical devices, and RFID tags, have an underlying operating system that cannot interface with a CA or use certificates.

CCNA Wireless Summary Notes: Implementing a Wireless Guest Network

Posted on Updated on

Guest Access should be isolated from corporate access. 

Steps involved: 

  1. Create dynamic interface for the guest. 
  2. Create guest WLAN 
  3. Bind WLAN to dynamic interface
  4. Configure security parameters

Anchor controllers handle guest traffic on behalf of other controllers, which build a tunnel to the anchor. Configuring mobility anchors:

  1. Create identical guest WLANs on each controller. The outgoing interfaces may differ. Usually, the management interface is used. On the anchor controller, we must use the actual dynamic interface name for the guest DMZ.
  2. Create the mobility group relationship. All controllers should have each other in their mobility group lists for the neighbourship to be formed. They should also be in the same mobility group.
  3. On each controller, including the anchor itself, identify the anchor controller. Begin with the anchor controller first.

From the list, select the IP address of the anchor. If you select Local, that controller itself is the anchor. Then click Mobility Anchor Create.

The status of the EoIP tunnel will be displayed.