Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss Wireless Solutions with Cisco expert Eric Blaufarb. Eric is a Market Development Manager for the Wireless Networking Business Unit (WNBU) and is responsible for evangelizing wireless LAN technologies and growing the adoption of WLAN technologies across a variety of markets including Enterprise and Public Access. Feel free to post any questions relating to Wireless Solutions.
Eric might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 21. Visit this forum often to view responses to your questions and the questions of other community members.
What's your opinion on bridging through windows? If it is completely unavoidable to mount at least one of the antennas inside and you are well within the limits of the antenna ranges, are there any tests you can perform to verify that it will not cause problems after the install? Also, if you do install an antenna behind a window and it seemed to be a problem, would the errors be consistent? Or could they be inconsistent, appearing only sporadically every few days or so?
I've seen 97.5% degradation (16 dB loss) through a single window with a reflective coating.
Basically, there's enough signal to get through one window, but not through a second - so you can't always go window-to-window. (assuming that the customer doesn't like the idea of 24" dishes in their windows!)
Here's the weird part - on one installation with six buildings, nine windows each, I found two windows in one building that did not exhibit the same loss. I was lucky in that those two windows faced the other five buildings, so we were able to get into every building with just 2 APs. There was no visible difference in the windows - pure luck.
The alternative was to mount the antennas outside and drill through, which is what I would have done to begin with, but we were trying to help them save money.
My advice is to test the loss through the window with ACU (in dB mode), another utility, or a Spectrum Analyzer before expecting to shoot through it. You can do that with one AP and one client card.
Bridging through windows is an excellent alternative for traditional campus type bridging applications as it resolves many of the expenses and labor of performing a traditional mast mount/roof mount bridging deployment.
Your assumption about possible problems mounting antennas behind glass is correct. Certain types of glass are manufactured with metal particles embedded, providing a reflective surface. Although I haven't personally run into this problem myself, I know it exists. This type of glass will inhibit throughput and link quality. So how do you ensure you're not experiencing this problem?
1. Set up the bridge in the location that you plan on installing
2. Use the BR352 alignment utility during the installation
3. Perform an FTP PUT/GET across the bridge link (should be 6.0-7.0MB at highest data rate)
4. Check for poor performance & ACK/retry counts
If no noticeable degradation is noticed in performance through the glass, you're O.K. This type of interferer will be constant; once the link is tested and found to be operating properly, you won't experience any future problems.
If you notice poor throughput quality, link quality and high retry counts, you're probably going to have to move to a standard roof mount/mast mount deployment.
Hello. I am using several Cisco AP350 with ACS 3.0 server in our wireless LAN, using LEAP authenticating over RADIUS with my NT network. I have wireless running in a separate subnet, hanging off my core 6509 infrastructure (IOS 12.1(11b)E1) but want to know if there is anything else that I can do to enhance security. Any useful ACLs or PVLANs? Anything along those lines that you can offer would be most appreciated. Cheers.
Yes there are three items that will assist you in providing greater security to your WLAN network implementation beyond the items listed above:
1. Cisco Pre-TKIP - Temporal Key Integrity Protocol - Includes turning on Broadcast Key Rotation, MMH Hash Function, & Message Integrity Check
URL below on how to configure these settings & firmware requirements:
2. Key refresh - ability to rotate keys to clients at a specific time set on the ACS 3.0 RADIUS server URL below:
3. SAFE Blueprint for WLAN - provides a complete overview of designing secure WLAN from the edge to the core of the network. URL below:
By implementing TKIP and RADIUS timeouts, the vulnerabilities in WEP are mitigated today.
I have mapped out a wireless rollout using Aironet 1200 and LEAP using ACS radius, so I'm familiar with the technology. My superiors want an EAP-TLS solution using Windows 2k radius and a Win2k CA. I want to continue to use the Cisco access point and Cisco adapters for the clients. Are there any good whitepapers or walk-throughs for setting this up, and are there any gotchas I should be looking for? Personally I think the LEAP approach is much easier to administer and set up, but the powers that be want certificates. TIA!!
Yes, we've got a great white paper for EAP-TLS deployment, take a look at the URL below:
This paper discusses how to deploy EAP-TLS in a Cisco environment with Win XP, Cisco Aironet 350/1200, & ACS 3.0.
Architecture around the design of Certificate Authorities from a server perspective should be based on Microsoft's deployment recommendations.
As far as the commentary for LEAP, if documentation is an indication of complexity, the LEAP deployment paper is only a few pages vs. the EAP-TLS paper, which is 30+.
In a LEAP environment where the ACS server is centrally located and services multiple remote WLANs, what are the options for starting or continuing WLAN operations in the event the link from a remote site to the central site goes down before or after authentication? Is there a relatively easy way to disable LEAP for the duration of the outage (and accept the associated risks for that timeframe)?
Currently, we do not have any mechanism to disable LEAP. Once a user has selected LEAP the client device must be able to reach the server.
The Cisco Aironet access point does provide the ability to have up to 4 LEAP/RADIUS servers listed. If one ACS server is unavailable, the AP will request access to the other ACS/RADIUS servers, providing a backup server is available. This feature promotes high availability of a secondary RADIUS server for failover fault tolerance.
I wish to wirelessly bridge two wired 10/100BT LANs. Each LAN resides in a separate vehicle (each networking three PCs via a 4-port 10/100 switch). The vehicles may be up to 1000m apart, while the effective data throughput should be 4Mbps.
Given this scenario, could I connect, to each of the two switches, a bridge (perhaps the Cisco Aironet 350) and an omni-directional antenna? Will this give me >= 4Mbps effective (i.e. stated 10/11Mbps) at 1000m (at 0-360 deg)? If not, could you please advise on a suitable alternative with pricing info.
Thank you for your time,
The ability to bridge 1000 meters with the BR352E2R and AIR-ANT4121 or AIR-ANT2506 omni antennas can be easily accomplished and is within the general specifications of the Cisco Aironet products.
You can achieve 4Mbps of WLAN throughput and in some cases up to 6.8Mbps of throughput using the correct antennas and site survey.
In this particular scenario, it is difficult to guarantee connectivity as you mention that this will be bridging between vehicles. Bridging products are usually deployed in a fixed configuration.
If the vehicles are moving from one location to another then you should perform link tests and throughput tests as you move the vehicles to new locations to ensure proper operation and link quality.
If the vehicles are both moving it will be difficult to guarantee coverage due to line of sight and coverage issues. I would recommend testing this application of WLAN in as many scenarios as possible before deployment.
You can contact me directly: email@example.com regarding this deployment.
Your clearance requirement at 1 km is 11 feet (3.325m) above the tallest obstacle between the vehicles.
If you have that, then you should be able to use one AP and one WGB or Station Adapter. If not, your data rate will suffer.
Either way, you will pick up additional RF noise using an omni. If you can point the antennas at all (even within 30 degrees accuracy) your reliability will improve.
Cisco employees won't typically give you pricing.
How do I secure a wireless network that includes Cisco APs, Cisco clients, and Symbol clients? Both the Symbol and Cisco clients are mostly DOS based. We will use MAC-AUTH. And we don't broadcast SSID. But what steps can we take to have better authentication and encryption? Our APs are 351's, so they only do 40 bit WEP. Let me know what you suggest. Thanks.
This is a common message that Cisco hears on a daily basis from Retail customers. Retailers, who have been using WLAN technologies for years, are becoming more concerned about security as this once vertical technology is becoming more mainstream and tools for breaking WLAN security (128/40-bit WEP) are readily available.
There really is no good answer to this dilemma without some hardware replacement. If the current system only supports 40-bit WEP then you will not be able to move up to 128-bit WEP.
It is also difficult to upgrade to newer authentication architectures such as 802.1X because of the legacy DOS devices. These devices don't give you much flexibility for greater security.
If you are using Cisco Secure ACS 3.0 for your MAC based authentication, you can set up standard traps and use RADIUS messaging to report unauthorized MAC addresses that are trying to gain access to the WLAN infrastructure.
You can also set up MAC based filters on the APs allowing only valid MAC addresses to associate to the APs.
Lastly, with new network management devices such as Cisco's Wireless LAN Solution Engine (WLSE), you can easily monitor and manage the WLAN network for unauthorized use.
Don't despair, almost all retailers large and small are working on plans to secure the WLAN network and upgrade the infrastructure to support next generation security methods; many of these plans include replacing the hand held devices and infrastructure. For many retailers this is too great an expense; if you are considering an upgrade then many architectures exist today to secure your WLAN from attack.
The question that you must ask yourself is how much and how far are you willing to go to remove the threat of an attack?
I work for Wavelink. Are you familiar with our Mobile Manager and Avalanche products? If so, I'm interested to know your thoughts about our software.
Wavelink is one of Cisco's wireless development partners for network management. Cisco has worked closely with Wavelink to provide our customers with an excellent 3rd party solution to manage client devices, access points and the general WLAN networking environment. Wavelink provides a strong complement to the WLAN Network management solutions offered by Cisco today including CW2K and the Wireless LAN solutions engine.
Additionally, for many of Cisco's vertical market customers Wavelink provides a compelling management platform for providing many of the day-to-day network management requirements that are specific to WLAN including firmware distribution and image management for client devices & access points, general WLAN network monitoring and pre-emptive problem notification.
Cisco is encouraged by the work that Wavelink has provided in this space and continues to develop and maintain a working relationship with Wavelink to continue to enhance their offerings for Cisco Aironet products.
Hi, we are jumping into the Wireless arena here and I have two questions. Can one mix antenna types on the AP 1200 model? Must you always have two antennas hooked up at all times to the AP? I ask because the safety info stated one must have antenna(s) connected or you could damage the radio.
The first point to make in regard to this question is that antenna selection is critical in designing WLAN systems. Without the appropriate antenna selection, range, throughput, and general network performance may not be optimized.
Cisco provides many different antennas to choose from depending on the application:
1. Outdoor point-to-point antennas for bridging applications
2. Indoor antennas for WLAN applications
A full listing of antennas and their applications can be found below; this is a GREAT document:
Now regarding your questions:
1. No, you should not mix antenna types. The two RP-TNC antennas are used for multi-path mitigation, basically interference immunity. Only one of the antennas will be transmitting or receiving at a time. If you use two different antenna types your area of coverage will vary dramatically and will decrease the reliability of the WLAN deployment.
2. Yes, you can have only one antenna attached at a time to the AP or Bridge products. This is usually used for point-to-point applications, but you have the option of selecting right/left/both antennas on the access point/Bridge. The right RP-TNC connector is the primary antenna. Make sure to enable the correct RP-TNC connector right/left with the antenna connected.
Does Cisco recommend *against* using properly-specified multi-antenna configurations on a single port (i.e. through a splitter)?
By creating a coverage cell in the size and shape that our clients need, we often achieve results that would otherwise be impractical. When done properly, such designs work well, but if you have a specific objection to this I would want to know.
Do you know if Cisco is going to change the LEAP authentication so that the LEAP user name is not transmitted in clear text over the wireless network? I understand the reasons why the WEP key cannot be used at this point of the authentication process but, it seems that the LEAP login utility could use some type of algorithm to encrypt/scramble the user id. Anyone using a wireless sniffer can easily get 50% of the required credentials to authenticate to the wireless network.
I am not aware of any plans to make changes to the general LEAP architecture at this time.
While I agree that sending the user name in the clear does provide some information, I disagree that the people trying to attack the network are getting 50% of the information to effectively mount an attack.
The hashing algorithms provided by Cisco today when using LEAP and pre-TKIP (11.10T firmware release) provide for strong encryption and mutual authentication.
Cisco has spent significant engineering resources to ensure that the LEAP based architecture coupled with TKIP is providing a STRONG security solution today for our customers. Additionally, all of the current weaknesses with WEP (RSA RC4) have been mitigated with the additional enhancements (11.10T release) Cisco has made including:
1. Per-packet hashing function
2. Broadcast key rotation
3. Message integrity check
I would recommend to any customers worried about security that they move to a LEAP based TKIP solution for strong security.
More information on designing and deploying secure wireless networks can be found at:
Does the Cisco AP 1200 support wireless hopping? If so, what is the maximum number of wireless hops it can support?
Any information would be greatly appreciated,
Thank you for your assistance,
Yes, the 1200 series supports all features of the 350 series products including wireless repeater mode (wireless hopping). The 1200 series can support up to 7 repeater segments BUT we recommend no more than three. Each time you add a repeater segment, throughput is decreased by 1/2:
First Hop: 3.4MB
Second Hop: 1.8MB
Third Hop: .9MB
Specific information on configuring repeater mode can be found at the link below:
"Can anyone explain what happens when you enable non-Aironet 802.11-Select this setting if there are non-Cisco Aironet devices on your wireless LAN ? What is the AP/ 802.11 doing different than if nothing is enabled in the Radio Network Compatibility (config on an AP)."
By selecting the "Aironet Extensions" option under radio advanced on the access point the following features are enabled for CISCO AIRONET CLIENTS ONLY:
Load balancing: The access point uses Aironet extensions to direct client devices to an access point that provides the best connection to the network based on factors such as number of users, bit error rates, and signal strength.
Message Integrity Check (MIC): MIC is an additional WEP security feature that prevents attacks on encrypted packets called bit-flip attacks. The MIC, implemented on both the access point and all associated client devices, adds a few bytes to each packet to make the packets tamper-proof.
Temporal Key Integrity Protocol (TKIP): TKIP, also known as WEP key hashing, is an additional WEP security feature that defends against an attack on WEP in which the intruder uses an unencrypted segment called the initialization vector (IV) in encrypted packets to calculate the WEP key.
The extensions also improve the access point's ability to understand the capabilities of Cisco Aironet client devices associated with the access point.
Other clients that are interoperating with the Cisco Aironet Access Points will not be able to use these features, but will use the features specified in the 802.11b specification along with Wi-Fi testing and interoperability. You can find out more about the Wi-Fi interoperability testing and certification at:
The important idea to remember is that all Wi-Fi certified 802.11b clients have a high degree of interoperability; the Aironet Extensions provide greater functionality for Cisco Aironet clients.