A blog with tips, tricks and tutorials to help you prepare your CCIE Wireless lab exam.

Friday, October 30, 2009

Locating Wireless clients (Cont.)... from the CLI!

There are a couple of interesting CLI commands that you can use to refine the S36 message for location measurement behavior...
First, what if you are asked to turn it on, but only on one AP? Why in the world would you do that, as location works with several access points, may remain a mystery. More likely, you could be asked to turn the feature on for a series of access points, or turn it on globally and disable it for a couple of access points. From the CLI, you would use:

config advanced {802.11a | 802.11b} ccx location-meas global enable

This enables the CCX location measurement feature for the given radio, with an interval you can define (the same interval option appears in the Web interface when you check the Location Measurement option box). Default interval is 60 seconds, range is 60 to 32400 seconds.

Okay, so this enables or disables the feature globally. You can override this global feature, on a per AP radio basis, with the command:

config advanced {802.11a | 802.11b} ccx customize AP_name {on | off}

This turns it on or off on a specific AP radio (regardless of the global config).

If what you want to do is configure a specific interval for one AP, use:

config advanced {802.11a | 802.11b} ccx location-meas ap AP_name enable interval_seconds

You can also use the disable form of this command to turn the location measurement feature off on one specific AP, which creates the same effect as the "customize off" option.

You can check this configuration with the usual series of related show commands:

show advanced {802.11a | 802.11b} ccx global
show advanced {802.11a | 802.11b} ccx ap AP_name

Thursday, October 29, 2009

Track (locate) wireless clients

What do you need to configure if you are asked to track wireless clients locations on your controller? Nothing would you say, it does it automatically... well.. depends on your wireless clients.
The basic point is that wireless clients are not located based on the data frames they send... the reason behind this fact is probably that data frames are usually sent to the closest access point, at high speed and maybe low power... To locate a client, you want a frame sent at low speed and high power, so that the frame can be heard by as many access points as possible, to increase the location accuracy.
So how are wireless clients located? Solely based on the probe requests they send. These probe requests are sent at the lowest mandatory speed supported by the client, and max possible power. Perfect would you say... well, yes, but that's IF your client send these probes...
Some clients do send active probes requests very often, even when they are associated to one AP, just to know how the environment is like on this channel and others. Some other clients do not send probes once connected. Some others never send any active probes, they just passively listen... those guys are harder to detect and locate.

How do you solve this problem? 2 possibilities:
- your clients are NOT CCX. Then you must look on the client if there is a setting you can use to force the client to send active probes. This can be as simple as changing from "flight safe mode" to "normal mode" on a PDA, or completely impossible... look around and good luck...
- your clients ARE CCX. They have to be CCX v2.0 or later. This is very easy to see if your client is associated: on a controller, go to Monitor > Clients.

In that case, you can ask your controller to force all these CCX clients to send active probes at regular interval. This request is sent through a CCX message "S36". So you can configure your controller to send this request by checking the CCX Location Measurement box in the Network page of each band (802.11a or 802.11b/g). This feature is global for all APs and all WLANs on this controller having a radio in the spectrum for which you enable CCX Location Measurement.

As a side note, rogues (APs, or ad-hoc rogue laptops) are located based on their beacons (always sent a lowest mandatory rate and max power)... wireless clients of these rogues are located... because of the probes they send, as you probably guessed.
Last item to be localized, RFID tags, are located because the frame they send has a specific destination MAC address, recognized by the wireless infrastructure as RFID type of address. RFID tags usually send their frames at regular interval, at 1 or 2 Mbps, at configurable power and on configurable channel.

Thursday, October 22, 2009

EAP-TLS and PEAP configurations

I know that PEAP and EAP-TLS may be challenging configurations, so I posted a couple of videos on youtube showing how to configure them, using both ACS and controller local certificates:

Mechanisms:
http://www.youtube.com/watch?v=pPfwemHBblk explains what EAP-TLS is
http://www.youtube.com/watch?v=JNSY46EPiws explains what PEAP is, and what you need to configure EAP-TLS and PEAP, RADIUS, controller and client parts

ACS configuration:
http://www.youtube.com/watch?v=Wk_bRdmsQlA explains how to install certificates on the ACS adn prepare the ACS for EAP-TLS and PEAP

Client configuration:
http://www.youtube.com/watch?v=UBE5s6qY5xY explains how to configure a wireless client for EAP-TLS
http://www.youtube.com/watch?v=QPQZfqkuzaA explains how to configure a wireless client for PEAP

Local EAP:
http://www.youtube.com/watch?v=sazfGz2D3eo and
http://www.youtube.com/watch?v=vhbf-39W3rQ explain how to install a certificate on the controller and prepare the WLC for EAP-TLS and PEAP with local EAP.
Have fun!