Sign up to save your podcasts
Or
Share CTS 068: Wi-Fi Network Access Control
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
CTS 068: Wi-Fi Network Access Control
In this episode, we welcome Andrew Chappelle from Calgary, Alberta, Canada.
We talked about network access control focusing on securing the Wi-Fi network. He shared his experience with complex NAC systems such as Cisco ISE or Aruba ClearPass and also share his view of what the future of access control will look like.
Andrew Chappelle (CCIE-W #42377) works as a System Engineer for Aruba HPE out of Calgary. In his previous positions, he worked a lot on complex network access deployments. He is very knowledge about Wi-Fi and will soon be CWNE! I guess, we are going to have to bring him back on the show when he does! You can find him on twitter at @AngryWrelessGuy. He blogs at angrywirelessguy.wordpress.com.
Wi-Fi Network Access Control
The WHY: Why do we need a network access control for the WLAN infrastructure? Let’s talk about customer’s requirements:
* Offer different access and level of security for different type of users & devices
* Enable easy & secure BYOD
* Segment the Wi-Fi network so guest traffic is isolated
* Make the user experience is easier
The WHAT: What are the solutions to meet these requirements?
* SSID for corporate users (would do both BYOD and corporate access) – SSID consolidation
* SSID for guest
* Profiling
The HOW: How do we implement it? What do we need to make it happen?
* NAC server
* Certificate PKI
We talked about the most common EAP methods used today.
What is coming next? What can we expect seeing in these NAC solutions in the near future?
Resources
Links to ISE documentation:
* ISE community: https://communities.cisco.com/community/technology/security/pa/ise
* ISE Demo videos: https://communities.cisco.com/docs/DOC-63878
* ISE YouTube Channel: https://www.youtube.com/user/CiscoISE/playlists
Links to ClearPass documentation:
* ClearPass Documentation: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/6864/Default.aspx
* ClearPass Demo (require credentials): https://clearpass.arubademo.net/tips/tipsLogin.action
Upcoming Episode on Wi-Fi Issue
Here is the link to the Wi-Fi issues submission form for one of our upcoming episode.
This Week In Wireless
Cisco – New AireOS version – released the 8.3.111.0
Adaptive 802.11r
802.11r is the IEEE standard for fast roaming and this concept of roaming is also known as Fast Transition (FT). Here the initial handshake with the new AP is done even before the client roams to the target AP. The feature allows you to set up a network without choosing Enable for Fast Transition (FT). The Apple devices (iOS 10 clients) signal the Cisco APs to identify this functionality. Cisco APs mutually signal that adaptive 802.11r is supported on the network and perform an FT association on the WLAN.
Legacy wireless clients that do not support 802.11r can still join the same network however does not benefit from faster FT roaming. Legacy devices that do not recognize the FT AKM’s beacons and probe responses join as an 11i/WPA2 device.
This feature is supported on the following Wave2 APs:
View all episodes
By Rowell Dionicio and François Vergès
4.8
6464 ratings
In this episode, we welcome Andrew Chappelle from Calgary, Alberta, Canada.
We talked about network access control focusing on securing the Wi-Fi network. He shared his experience with complex NAC systems such as Cisco ISE or Aruba ClearPass and also share his view of what the future of access control will look like.
Andrew Chappelle (CCIE-W #42377) works as a System Engineer for Aruba HPE out of Calgary. In his previous positions, he worked a lot on complex network access deployments. He is very knowledge about Wi-Fi and will soon be CWNE! I guess, we are going to have to bring him back on the show when he does! You can find him on twitter at @AngryWrelessGuy. He blogs at angrywirelessguy.wordpress.com.
Wi-Fi Network Access Control
The WHY: Why do we need a network access control for the WLAN infrastructure? Let’s talk about customer’s requirements:
* Offer different access and level of security for different type of users & devices
* Enable easy & secure BYOD
* Segment the Wi-Fi network so guest traffic is isolated
* Make the user experience is easier
The WHAT: What are the solutions to meet these requirements?
* SSID for corporate users (would do both BYOD and corporate access) – SSID consolidation
* SSID for guest
* Profiling
The HOW: How do we implement it? What do we need to make it happen?
* NAC server
* Certificate PKI
We talked about the most common EAP methods used today.
What is coming next? What can we expect seeing in these NAC solutions in the near future?
Resources
Links to ISE documentation:
* ISE community: https://communities.cisco.com/community/technology/security/pa/ise
* ISE Demo videos: https://communities.cisco.com/docs/DOC-63878
* ISE YouTube Channel: https://www.youtube.com/user/CiscoISE/playlists
Links to ClearPass documentation:
* ClearPass Documentation: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/6864/Default.aspx
* ClearPass Demo (require credentials): https://clearpass.arubademo.net/tips/tipsLogin.action
Upcoming Episode on Wi-Fi Issue
Here is the link to the Wi-Fi issues submission form for one of our upcoming episode.
This Week In Wireless
Cisco – New AireOS version – released the 8.3.111.0
Adaptive 802.11r
802.11r is the IEEE standard for fast roaming and this concept of roaming is also known as Fast Transition (FT). Here the initial handshake with the new AP is done even before the client roams to the target AP. The feature allows you to set up a network without choosing Enable for Fast Transition (FT). The Apple devices (iOS 10 clients) signal the Cisco APs to identify this functionality. Cisco APs mutually signal that adaptive 802.11r is supported on the network and perform an FT association on the WLAN.
Legacy wireless clients that do not support 802.11r can still join the same network however does not benefit from faster FT roaming. Legacy devices that do not recognize the FT AKM’s beacons and probe responses join as an 11i/WPA2 device.
This feature is supported on the following Wave2 APs:
More shows like Clear To Send: Wireless Network Engineering
View all
The Joe Rogan Experience
228,856 Listeners
The Everything Feed - All Packet Pushers Pods
195 Listeners
Heavy Networking
327 Listeners
Risky Business
371 Listeners
Network Break
101 Listeners
Darknet Diaries
8,062 Listeners
IPv6 Buzz
33 Listeners
The Hedge
16 Listeners
Bad Friends
14,513 Listeners
The Art of Network Engineering
85 Listeners
The Rest Is History
15,526 Listeners
The Why Files: Operation Podcast
8,115 Listeners
Heavy Wireless
11 Listeners
Packet Protector
7 Listeners
N Is For Networking
21 Listeners