802.11World
Saturday, January 26, 2019
Tuesday, November 27, 2018
Just a little home advice for a WiFi novice
I recently had a coworker ask me how to improve the wireless in his home. He says he has two standalone APs on opposite ends of the house and coverage is horrible. He explained that both APs were older and didn't have the latest advancements available in 802.11ac. Trying to get information about how he set them up was difficult. I hadn't realized before now how complicated Wi-Fi could be to someone that hasn't studied it. After asking a few questions… "What channel are the APs on? Do the APs support 2.4 and 5 GHz? Are you using WEP, WPA or WPA2?" I came away with the following.
- Two APs
- One AP was set to the "b" radio mode and the other to "g"
- Two differently named SSIDs with different passwords, one on each AP
- Both APs were set to the same channel (not sure which one)
Having studied Wi-Fi but not knowing his system, I was able to point out a few issues and make some suggestions.
- Don't set the radios to "b" or "g". If they have "n" capability that's the best choice if they need to be set to anything
- Each AP should be on a different channel; in 2.4 GHz choose either 1, 6 or 11
- If it has a 5 GHz radio make sure to set those channels differently also
- You only need 20 MHz wide channels in both 2.4 and 5 GHz
- If possible set the SSIDs to WPA2-AES
Along with the suggestions came some explaining. I'll keep it short and simple.
- 2.4 and 5 GHz are frequency bands that device radios can communicate on.
- Channels sit within each frequency band and are used to separate transmission domains. Much like radio stations, two can't broadcast on the same channel at the same time; otherwise you'll get collisions on the medium and have a hard time hearing anything.
- Channels can be set to different widths to allow more data to be passed (20, 40, 80 or 160 MHz).
- WPA2-AES is the best security at the moment (WPA3 is around the corner). For 802.11n or ac data rates you need to have WPA2-AES or higher (future) set. Otherwise you're just going to get 802.11a or g data rates.
The one thing I think any new person to wireless needs to understand is the lettering designation and what frequency band each one works on. 802.11a, b, g, n and ac don't all work on both 2.4 and 5 GHz; only one of the 802.11 amendments specified support for both bands. Here is how it breaks down.
2.4 GHz - b, g, n
5 GHz - a, n, ac
As you see, 802.11n is the only amendment that had support for both bands. This caused confusion back in the day when purchasing equipment. What we noticed was that anything with a wireless card capable of 802.11n wasn't always 5 GHz capable. We needed to look for cards that said WiFi a/b/g/n. Seeing that the WiFi card had the "a" designation told us that it supported 5 GHz, and seeing the "b" designation meant it supported 2.4 GHz.
Friday, November 16, 2018
Aruba 802.11ax 510 series
Aruba has just released its first ax AP. The 510 series is the first ax Enterprise AP that I've seen that also supports the new WPA3 certification. Aruba has two AP models in this lineup: the 514, which has external antennas, and the 515, which has internal antennas. Both models are 4x4:4 on 5 GHz and support 160 MHz channels; on the 2.4 GHz side the APs are 2x2:2. Aruba HPE has included two RJ-45 ports, one of which supports HPE SmartRate up to 2.5 Gbps for hooking this bad boy into the wired side. As for powering it to full capacity, you're going to need 802.3at-compliant switches, as without an external USB device the AP draws 19 W max according to the documentation.
Check out the new APs and specs over at Aruba.
Wednesday, October 17, 2018
Simple WiFi Config changes
When looking over the configs in wireless systems I find a lot are deployed like one's home network, meaning that someone came in and stood the network up to work with every device under the sun.
Just like at home with the cable company installing your WiFi, I find older legacy security protocols enabled on SSIDs where the latest enterprise clients are connecting. Most schools I work in have a refresh of devices every 3-5 years, which means as of today all enterprise devices should be 802.11n at the minimum (and where I am most are).
I haven't seen WEP enabled in a while but I still find a lot of WPA TKIP enabled. These settings are killing the data rates on your devices and the throughput of your wireless network. Deploying WPA TKIP when it's not needed impacts performance due to its backward compatibility with older PHYs.
If you want the latest AC or even N data rates you need to move to WPA2 AES to secure the network. 802.11n doesn't support WPA TKIP, so having it enabled neuters your expensive network back down to 802.11g or 802.11a rates. Another thing I often find is all data rates enabled. This isn't always bad (usually is) depending on your deployment, but where I am, with 1 AP per classroom and no need to support 802.11b clients, this is simply a no-no. Having lower "b" and 802.11 prime rates enabled can slow down the network and cause "hidden node" issues. All beacons, broadcasts and multicasts traverse the wireless medium at the lowest mandatory rate so all clients can hear and understand them. This ends up consuming unnecessary airtime in a high density deployment with 802.11n as the lowest common denominator.
More recently in deployments of 802.11ac I find that vendors have enabled 80 MHz channels in high density networks. This is probably due to the fact that the school district demanded the highest possible data rates for their standardized testing, or to the fact that they need 30 kids in each classroom to stream HD video all at the same time. I can't fault the vendor for this because they were just doing what they were told, and it also helped them sell their product (along with extra unnecessary switching equipment for the 2 drops they ran to every classroom). After the vendor is gone and the network is under load, the problems with 80 MHz surface. There simply isn't enough channel space available to deploy 80 MHz channels in high density environments, nor have I seen a need for it yet. I back every deployment down to 20 MHz channels and the complaints from districts stop. The tough part is explaining to the school district that the great speed increase they were expecting out of their 802.11ac network was all marketing and wasn't realistic for their needs.
In summary, here are some guidelines for your 802.11 wireless config.
- WPA2-AES (needed for a minimum of 802.11n data rates)
- Disable lower mandatory or basic data rates.
- 20 MHz channels in 2.4 GHz always
- 20 MHz channels in 5 GHz unless using DFS channels then you can use 40 MHz if needed
- Enable WMM
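As an added example (my own code, not the blog's), here is a small Python linter that checks a set of AP configurations against the guidelines from this post and from the home-advice post above: WPA2-AES, no radios forced to b/g, distinct and non-overlapping 2.4 GHz channels, 20 MHz widths (40 MHz tolerated only on 5 GHz DFS channels), and no legacy basic rates. The Radio/AccessPoint records, the DFS channel list (US FCC domain) and the before/after sample configs are my assumptions, constructed to match the coworker's setup described in the first post.

```python
from collections import namedtuple

# Field meanings: band "2.4" or "5"; mode is the forced PHY ("b", "g", "n", "ac" or "auto");
# basic_rates are the rates (Mbps) marked mandatory/basic on that radio.
Radio = namedtuple("Radio", "band channel width_mhz mode basic_rates")
AccessPoint = namedtuple("AccessPoint", "name security radios")

NON_OVERLAPPING_24 = {1, 6, 11}
DFS_5GHZ = set(range(52, 65, 4)) | set(range(100, 145, 4))  # US FCC DFS channels (assumed regulatory domain)
LEGACY_RATES = {1, 2, 5.5, 11}  # 802.11 "prime" and 802.11b rates

def lint(aps):
    """Return one finding per deviation from the guidelines; an empty list means the config is clean."""
    findings, seen = [], {}  # seen maps (band, channel) -> first AP using it
    for ap in aps:
        if ap.security != "WPA2-AES":
            findings.append(f"{ap.name}: {ap.security} limits clients to 802.11a/g rates; use WPA2-AES")
        for r in ap.radios:
            tag = f"{ap.name} {r.band} GHz"
            if r.mode in ("b", "g"):
                findings.append(f"{tag}: radio forced to 802.11{r.mode}; set it to n (or auto)")
            if r.band == "2.4" and r.channel not in NON_OVERLAPPING_24:
                findings.append(f"{tag}: channel {r.channel} overlaps its neighbours; use 1, 6 or 11")
            # 20 MHz everywhere, except that 40 MHz is tolerated on a DFS channel in 5 GHz
            limit = 40 if (r.band == "5" and r.channel in DFS_5GHZ) else 20
            if r.width_mhz > limit:
                findings.append(f"{tag}: {r.width_mhz} MHz wide on channel {r.channel}; use {limit} MHz")
            low = sorted(LEGACY_RATES & set(r.basic_rates))
            if low:
                findings.append(f"{tag}: basic rates {low} Mbps force beacons/multicast to crawl; disable them")
            first = seen.setdefault((r.band, r.channel), ap.name)
            if first != ap.name:
                findings.append(f"{tag}: channel {r.channel} is already used by {first}; separate them")
    return findings

# Constructed sample: the coworker's two APs from the first post (same channel, b/g modes, TKIP on one).
BEFORE = (
    AccessPoint("AP-front", "WPA-TKIP", (Radio("2.4", 6, 20, "b", (1, 2, 5.5, 11)),)),
    AccessPoint("AP-back", "WPA2-AES", (Radio("2.4", 6, 20, "g", (1, 2, 5.5, 11)),)),
)
# The same two APs after applying the guidelines from both posts.
AFTER = (
    AccessPoint("AP-front", "WPA2-AES", (Radio("2.4", 1, 20, "n", (12, 24)), Radio("5", 36, 20, "ac", (12, 24)))),
    AccessPoint("AP-back", "WPA2-AES", (Radio("2.4", 11, 20, "n", (12, 24)), Radio("5", 100, 40, "ac", (12, 24)))),
)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", lint(cfg) or ["no findings"])
```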
Friday, August 24, 2018
WPA3 Overview
So what's different, and what matters, with WPA3? Two modes are available in WPA3, just like in previous versions: Personal and Enterprise.
Let's start off with WPA3-Personal. Personal mode networks are just that… "Personal". They have no real place in enterprise networks and should be kept that way. I know this is wishful thinking, as I myself have had to compromise and deploy many WPA2-Personal networks at customer sites. At some point I hope device manufacturers start offering the option for WPA3-Enterprise in everything! Until then we are stuck using Personal mode networks with their drawbacks, but thankfully with WPA3-Personal they get a little more secure… for now.
- WPA3-Personal mode uses Simultaneous Authentication of Equals (SAE) instead of Pre-Shared Key (PSK)
As opposed to PSK, SAE uses a password for the network, but that password is not used to derive the Pairwise Master Key (PMK) the way the PSK was. What this means is that if an attacker gets the SAE password somehow, they only have a way onto the network and not a way of decrypting the traffic of other devices using the network. Which brings me to the next point.
- SAE, like PSK, generates a new PMK per session. The difference is that SAE provides forward secrecy by ensuring the PMK cannot be obtained if the password is compromised.
A compromised password is only going to allow an attacker access to the network, which could be damaging enough, but because SAE provides forward secrecy, PMKs cannot be obtained to decrypt other device sessions over the air.
Now on to WPA3-Enterprise. Not a lot has changed here except for the requirement of Protected Management Frames (PMF). Disabling PMF for WPA3-Enterprise networks is not an option; PMF can only be set to capable or required.
WPA3-Enterprise also has a new optional security mode, 192-bit security mode. This mode is meant for highly secure environments and doesn't allow for any backward compatibility with lesser security protocols.