
Wireless Client Info

nweaver

At the request of Spidey, I am posting a quick FAQ on wireless clients. As a quick background, I do CCX (Cisco Compatible Extensions) cert testing.

First, I would establish what (imho) are the big 3 chip makers in the wireless business. Those are Atheros, Broadcom, and Intel. Each of these has multiple chips they use, but most have 2-3 active products. You should take note that when looking at these, there are sometimes even 2 cards with the same product, one of which is "dual band", meaning 5 GHz (802.11a) and 2.4 GHz (802.11b/g). An example is the Intel 2915 MiniPCI card, which is offered in single and dual band.
To stave off the "but what about *Insert vendor here*" statements, this is in my experience. Linksys, Belkin, Netgear, etc. have very FEW CCX compatible products.

What does it mean to be "CCX Certified"? That means that THIS CARD with THIS DRIVER (and sometimes in THIS LAPTOP) meets the CCX standard. The standard does very little with range and speed, but is instead concerned with security and feature compatibility. We don't worry about bouncing signal through 4 rooms and around a corner, we worry about things like "does security schema A work with this setup".

CCXV3 means that all the latest things are supported, and work together, such as WPA2 with 802.1Q tagging using LEAP/EAP authentication, WEP128 with EAP-TLS and Broadcast Key Rotation w/CMIC. During testing, we typically set up the test, and run a script that releases/renews DHCP, pings a host, receives multicast for one minute, and does a get/put/get FTP transfer, with an FC compare on the files to ensure integrity.

During testing, we use the client's utility, i.e. Atheros Client Utility (may be rebranded/cobranded), Intel PROSet, and Broadcom Wireless Utility.

I prefer Atheros, as it seems straightforward in setup/use. Atheros is used in many laptops (Dell, Gateway, Fujitsu among others) and is the chipset used in Cisco cards. Sometimes they have a habit of just dying with 802.1X authentication profiles, if you make lots of changes. Removing and recreating the profile helps.

Intel has a decent utility, but has a few (from a testing standpoint) annoyances. The biggest one is the "Admin Tools" option required to set up SSO (Single Sign On). The caveat to my dislike is that it's a HUGE benefit in the enterprise, because you can lock down wireless for corp use (and keep PSK/WEP keys secure). This does cause some troubleshooting problems, as the only error with SSO profiles is "contact your admin", as opposed to the other 2, which will say "LEAP Timeout, LEAP credentials refused" etc. They used to (a few revs back) have some funky roaming algorithms, where it would refuse to roam, and would sometimes disassociate and then scan and find the new AP instead of roaming. This has been getting better it seems. Some settings are in funky places (WPA confused me for a minute with the newest version).

Broadcom has a utility that is very WZC-ish. Some features are ONLY supported via CLI (such as specifying multiple keys, power level settings, etc.). They also do a few things oddly on RM requests, where they do not respond with the serving AP.

Of the 3, I prefer Atheros based (CB21 is incredible), then Intel based, then Broadcom.


Spidey, this what you were looking for?
 
Thanks a bunch! Great info.

The thing that I'm struggling with is built-in Intel cards and their driver set. The CCX compatibility, LEAP support and single sign-on work great.

But what doesn't is their roaming. It just doesn't make sense sometimes. They roam constantly and sometimes pick an access point with poor RSSI. Also I don't know if I should trust their utility to report things like RSSI and speed.

Otherwise it works well.

Also do you know if these cards fully conform to CCX standards and will they support the site survey and client walkabout tools and security features/radio management of the WLSE? So far these built-in cards work well...it is the roaming that concerns me.

-edit- as an aside I try very hard not to be a cisco bigot and discourage proprietary stuff (CCX). But Cisco is ruling the roost in this arena and are setting the path that the rest of the industry follows.
 
ccx is just a standard to say it's up to snuff, not breaking standards really.


To be CCX V2+ it must support radio measurements, and pass several WLSE tests (including rogue AP reporting and walkabout measurements).

As far as the roaming, have you tried using CCKM fast roaming (maybe you already are?) If you have good coverage, manually change the client transmit power down to 5ish mW and see if they roam better. BTW, "Built In" means MiniPCI, and those are usually changeable 😉

What Intels do you have? The most recent I have seen are 2200 (B/G only), 2915 (single and dual band) and one other that slips my mind.

Part of CCX is the ability to CCKM (requires WDS btw) to roam within 150 ms
 
well you already know that our rollouts are WLSM in every plant.

fast secure roaming isn't a problem, clients maintain connectivity.

It is the client's choice to roam at random that is.

I'm following SWAN to a tee at all 12 plants.
 
If this is OT to the OP I apologize. What benefits, besides the obvious (ie. it being cisco) does Cisco wireless provide over other solutions?
 
you mean using Cisco infrastructure, or using CCX certified stuff?

Cisco meshes well, and with other cisco stuff, it integrates VERY nicely, such as detecting a rogue AP and shutting down the switchport it is on.

CCX, the advantage would be that it's been tested and works. And this is testing done by a third party to verify it meets this standard Cisco has set forth for Wireless security.
 
I believe CCX also reports a whole lot of stuff.

If the clients hop onto a wireless network, the wireless network can tell the client to turn his radio down some because other access points are hearing him too strongly.

The radio management you get is simply amazing.

The big thing the CCX provides is 'one hugely scalable, secure wireless network'

For example I've got wireless LANs with 300+ access points. And it's all a single, cohesive wireless network.
 
So basically it's the integration with other networking (cisco) equipment. The radio management stuff is interesting, and I guess it would be necessary in large installations.
 
The Cisco APs also support multiple SSID / multiple VLAN configs, so you can have a very secure VLAN/subnet for execs, a guest VLAN for Internet / VPN access, etc. The Fast Ethernet port supports 802.1q trunking.

The management is what sells the system in many cases. Hospitals and industry are really getting into the wireless stuff. Using the Wireless LAN Support Engine (WLSE), you get all of the normal network management functions, plus scheduled firmware upgrades of one, a few, many, or all APs ... client tracking, ad-hoc and rogue detection and suppression, "Re-Survey" .... where you set the system to watch one or more MAC addresses as they wander about and track the signal strength & coverage (and automatically adjust radio output for the proper "seamless roaming" overlap) ...

BUT WAIT! There's more! (really!?) The management on networks of any size makes it about as painless as a system (especially large systems) can get (wireless or not).

Then there's the Wireless LAN Support Module (WLSM). This component resides in a 6500 series switch, with a Sup720 engine, and frequently / usually one or more PoE Ethernet blades.

The WLSM acts as an authorization proxy between the APs and the RADIUS server. Once a client is authenticated, its credentials are hashed & cached in the WLSM. As the client roams, the credentials are forwarded to the next AP/cell so that the client never loses connection (important for VoIP via 802.11).

The other prime function of the WLSM is to provide L3 roaming capability. The client can cross networks / subnets (leave his "home" broadcast domain) and still maintain the connection seamlessly. This allows you to keep the radio domains reasonably sized but still have seamless roaming capability. It also allows a VoIP/802.11 phone to move from site to site and still keep its identity.

The mechanism used is a multi-point tunnel and coordination logic for the addressing proxy services.

It's a pretty slick system.

The rest of the wired active infrastructure is also "wireless aware" (SWAN = "Structured Wireless Aware Networking") and offers services and adjustments to permit the seamless L3 roaming and still have a good, secure system.

The radios are upgradable, so you can do the hardware upgrades without replacing the entire unit (~$US200.00 for a radio versus ~$600-800 per AP ... this is retail, I'm sure Spidey is getting a "good" discount for the size of his account).

For a commercial application, Cisco is pretty hard to beat. Extreme, Foundry, Orinoco, Motorola and the rest have a pretty good story too, but IMHO, Cisco is tops by virtue of the complete integration and management.

Downsides? A couple ... Intel NICs with older drivers can throw MIC errors that will (by default) shut down the AP. That "feature" can be disabled, but it's an 802.11 standard feature, so it's enabled by default (two MIC errors in 60 seconds). Upgrading to the most current drivers got rid of the problem on our network.

WPA2 (so far) only seems to work with Cisco NICs. I've tried Linksys, D-Link, 3COM, Nortel, Intel, and a few others ... none come up on WPA2 ... but the Cisco '21 pops right up every time.

To use most of the seamless roaming features, you need to use LEAP or EAP-FAST, which may limit the type of RADIUS server you can use (MS IAS doesn't do LEAP, for example).

There are a few other wrinkles, mostly benign. There may be some issues with DHCP delivery ... which can be cured by some minor architecture changes.

Overall, it's a Wunnerful Thang.

FWIW

Scott
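The "two MIC errors in 60 seconds" AP shutdown Scott mentions is the TKIP countermeasure rule from 802.11i. The following is an added example (not from this thread or from any Cisco tool) that replays constructed AP log lines in an assumed `<ISO time> MIC_FAILURE ap=<name> sta=<mac>` format and flags, per AP, when two MIC failures fall inside the 60 s window, listing the stations involved so a single buggy driver can be told apart from failures spread across many clients.

```python
"""Flag TKIP MIC-failure bursts that would trigger 802.11i countermeasures.

Added example: one AP-side MIC failure followed by a second within 60 s
starts countermeasures (the AP shutdown described in the thread).
"""
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60   # 802.11i TKIP countermeasure window
THRESHOLD = 2         # second failure in the window triggers countermeasures

# Constructed sample log; the line format is an assumption, not a real AP syslog format.
SAMPLE_LOG = """\
2005-03-01T09:00:00 MIC_FAILURE ap=ap-lobby sta=00:11:22:33:44:55
2005-03-01T09:00:45 MIC_FAILURE ap=ap-lobby sta=00:11:22:33:44:55
2005-03-01T09:03:10 MIC_FAILURE ap=ap-floor2 sta=aa:bb:cc:dd:ee:ff
2005-03-01T09:05:00 MIC_FAILURE ap=ap-floor2 sta=aa:bb:cc:dd:ee:ff
2005-03-01T09:05:30 MIC_FAILURE ap=ap-floor2 sta=aa:bb:cc:dd:ee:01
"""


def parse_line(line):
    """Return (timestamp, ap, sta) for a MIC_FAILURE line, else None."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != "MIC_FAILURE":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:])
    return datetime.fromisoformat(parts[0]), fields["ap"], fields["sta"]


def find_countermeasure_events(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Sliding window per AP; returns [(ap, trigger_time, sorted station MACs)]."""
    recent = defaultdict(deque)  # ap -> deque of (timestamp, sta) inside the window
    events = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ap, sta = parsed
        q = recent[ap]
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()                      # drop failures older than the window
        q.append((ts, sta))
        if len(q) >= threshold:
            events.append((ap, ts, sorted({s for _, s in q})))
            q.clear()                        # countermeasures start; window resets
    return events


if __name__ == "__main__":
    for ap, when, stations in find_countermeasure_events(SAMPLE_LOG):
        print(f"{when.isoformat()} {ap}: countermeasures triggered by {', '.join(stations)}")
```

Running it reports ap-lobby (one station, 45 s apart) and ap-floor2 (two stations, 30 s apart); the lone failure at 09:03:10 is correctly outside the window.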
 
Heh, hey Scott.

I'm getting real familiar with SWAN, really quick. It's like taking a firehose at full blast.

It can also get real complicated. You have so many pieces and they all must fit together seamlessly. Plus I'm doing full redundancy, no single point of failure in the entire infrastructure. Another neat feature of WLSE is the self-healing aspect - if you lose an AP it adjusts all the other radios to provide coverage of the lost cell.

Pieces needed:
clients
APs/Radios
Routers/switches
sup720 (required)
WLSM
WLSE
Radius server
Authentication database (normally windows AD)
multipoint GRE tunnels everywhere
 
WPA2, check the CCXV3 list of vendors, there are more than a few, and WPA2 is required to be V3 compatible.
 