Sign up to save your podcasts
Or
Share CTS 068: Wi-Fi Network Access Control
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
CTS 068: Wi-Fi Network Access Control
In this episode, we welcome Andrew Chappelle from Calgary, Alberta, Canada.
We talked about network access control focusing on securing the Wi-Fi network. He shared his experience with complex NAC systems such as Cisco ISE or Aruba ClearPass and also share his view of what the future of access control will look like.
Andrew Chappelle (CCIE-W #42377) works as a System Engineer for Aruba HPE out of Calgary. In his previous positions, he worked a lot on complex network access deployments. He is very knowledge about Wi-Fi and will soon be CWNE! I guess, we are going to have to bring him back on the show when he does! You can find him on twitter at @AngryWrelessGuy. He blogs at angrywirelessguy.wordpress.com.
Wi-Fi Network Access Control
The WHY: Why do we need a network access control for the WLAN infrastructure? Let’s talk about customer’s requirements:
* Offer different access and level of security for different type of users & devices
* Enable easy & secure BYOD
* Segment the Wi-Fi network so guest traffic is isolated
* Make the user experience is easier
The WHAT: What are the solutions to meet these requirements?
* SSID for corporate users (would do both BYOD and corporate access) – SSID consolidation
* SSID for guest
* Profiling
The HOW: How do we implement it? What do we need to make it happen?
* NAC server
* Certificate PKI
We talked about the most common EAP methods used today.
What is coming next? What can we expect seeing in these NAC solutions in the near future?
Resources
Links to ISE documentation:
* ISE community: https://communities.cisco.com/community/technology/security/pa/ise
* ISE Demo videos: https://communities.cisco.com/docs/DOC-63878
* ISE YouTube Channel: https://www.youtube.com/user/CiscoISE/playlists
Links to ClearPass documentation:
* ClearPass Documentation: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/6864/Default.aspx
* ClearPass Demo (require credentials): https://clearpass.arubademo.net/tips/tipsLogin.action
Upcoming Episode on Wi-Fi Issue
Here is the link to the Wi-Fi issues submission form for one of our upcoming episode.
This Week In Wireless
Cisco – New AireOS version – released the 8.3.111.0
Adaptive 802.11r
802.11r is the IEEE standard for fast roaming and this concept of roaming is also known as Fast Transition (FT). Here the initial handshake with the new AP is done even before the client roams to the target AP. The feature allows you to set up a network without choosing Enable for Fast Transition (FT). The Apple devices (iOS 10 clients) signal the Cisco APs to identify this functionality. Cisco APs mutually signal that adaptive 802.11r is supported on the network and perform an FT association on the WLAN.
Legacy wireless clients that do not support 802.11r can still join the same network however does not benefit from faster FT roaming. Legacy devices that do not recognize the FT AKM’s beacons and probe responses join as an 11i/WPA2 device.
This feature is supported on the following Wave2 APs:
View all episodes
4.7
6262 ratings
In this episode, we welcome Andrew Chappelle from Calgary, Alberta, Canada.
We talked about network access control focusing on securing the Wi-Fi network. He shared his experience with complex NAC systems such as Cisco ISE or Aruba ClearPass and also share his view of what the future of access control will look like.
Andrew Chappelle (CCIE-W #42377) works as a System Engineer for Aruba HPE out of Calgary. In his previous positions, he worked a lot on complex network access deployments. He is very knowledge about Wi-Fi and will soon be CWNE! I guess, we are going to have to bring him back on the show when he does! You can find him on twitter at @AngryWrelessGuy. He blogs at angrywirelessguy.wordpress.com.
Wi-Fi Network Access Control
The WHY: Why do we need a network access control for the WLAN infrastructure? Let’s talk about customer’s requirements:
* Offer different access and level of security for different type of users & devices
* Enable easy & secure BYOD
* Segment the Wi-Fi network so guest traffic is isolated
* Make the user experience is easier
The WHAT: What are the solutions to meet these requirements?
* SSID for corporate users (would do both BYOD and corporate access) – SSID consolidation
* SSID for guest
* Profiling
The HOW: How do we implement it? What do we need to make it happen?
* NAC server
* Certificate PKI
We talked about the most common EAP methods used today.
What is coming next? What can we expect seeing in these NAC solutions in the near future?
Resources
Links to ISE documentation:
* ISE community: https://communities.cisco.com/community/technology/security/pa/ise
* ISE Demo videos: https://communities.cisco.com/docs/DOC-63878
* ISE YouTube Channel: https://www.youtube.com/user/CiscoISE/playlists
Links to ClearPass documentation:
* ClearPass Documentation: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/6864/Default.aspx
* ClearPass Demo (require credentials): https://clearpass.arubademo.net/tips/tipsLogin.action
Upcoming Episode on Wi-Fi Issue
Here is the link to the Wi-Fi issues submission form for one of our upcoming episode.
This Week In Wireless
Cisco – New AireOS version – released the 8.3.111.0
Adaptive 802.11r
802.11r is the IEEE standard for fast roaming and this concept of roaming is also known as Fast Transition (FT). Here the initial handshake with the new AP is done even before the client roams to the target AP. The feature allows you to set up a network without choosing Enable for Fast Transition (FT). The Apple devices (iOS 10 clients) signal the Cisco APs to identify this functionality. Cisco APs mutually signal that adaptive 802.11r is supported on the network and perform an FT association on the WLAN.
Legacy wireless clients that do not support 802.11r can still join the same network however does not benefit from faster FT roaming. Legacy devices that do not recognize the FT AKM’s beacons and probe responses join as an 11i/WPA2 device.
This feature is supported on the following Wave2 APs:
More shows like Clear To Send: Wireless Network Engineering
View all
This Week in Tech (Audio)
3,011 Listeners
Security Now (Audio)
1,981 Listeners
Planet Money
30,734 Listeners
Freakonomics Radio
32,071 Listeners
Heavy Networking
326 Listeners
Smashing Security
314 Listeners
Darknet Diaries
7,921 Listeners
CISO Series Podcast
190 Listeners
RUCKCast
5 Listeners
The Art of Network Engineering
84 Listeners
Cyber Security Headlines
128 Listeners
Huberman Lab
28,531 Listeners
Heavy Wireless
11 Listeners
The Industrial Wi-Fi Shop Podcast
1 Listeners
Packet Protector
6 Listeners