CCNP Enterprise Core (350-401) Cisco Wireless

Troubleshooting Client Connectivity from the Wireless Access Point

There may be cases where multiple users have issues in the same general area or on the same access point.

The split-MAC architecture in Cisco wireless provides a few points where troubleshooting can occur.

For a lightweight access point to operate, it needs connectivity through its access layer switch and connectivity to the wireless LAN controller (unless the access point operates in FlexConnect mode).

The connectivity between the access point and the controller should be verified as a first step. The access point should be able to discover and join a wireless LAN controller.

Access points that have joined a wireless LAN controller appear in the list of live access points in the controller's management GUI. This list can be checked to confirm that the access point has a working communication path to the controller.

Similar to a client view, the wireless LAN controller has a view for statistics and information about each access point connected to the system.

The access point information shows its connection to the network, its IP address and, if available, CDP information on the device it is directly attached to.

The performance summary shows information on the wireless performance and radio frequency conditions.

It gives statistics on the utilisation of the radio channels, expressed as a percentage of how busy they are. A highly utilised channel means less air time for clients to send or receive traffic across the wireless network.

The air quality figure indicates how far competing and interfering devices compromise the airtime quality or performance on a channel. It is presented as a number from 0 (worst) to 100 (best quality).

Troubleshooting Client Connectivity from the Wireless LAN Controller

Most troubleshooting of a client's connectivity to a wireless network can be done through the wireless controller's GUI.

As the wireless client probes and attempts to associate with an access point, there is a wealth of logs generated that can aid in troubleshooting.

This information can easily be filtered down by the MAC address of the client's wireless network card.

The wireless controller has two GUIs, one that is dedicated for monitoring and the other for more advanced configuration and monitoring. The advanced configuration screen can be accessed by clicking the Advanced button on the upper right corner of the screen.

The search bar labelled 'AP or Client Search' accepts the client's MAC address and displays information regarding that client.

Client Connection Status

When viewing the client's detailed information page, green dots show the sequence of states the client must progress through in order to connect to the network:

  • Start – Client activity has begun
  • Association – The client requested 802.11 authentication and association with the access point
  • Authentication – The client must pass the PSK or 802.1x policy check
  • DHCP – The wireless LAN controller is trying to learn the IP address assigned to the client
  • Online – The client has passed the security policies, has successfully associated and can transmit and receive traffic

If a stage is not successful, a black dot appears instead of a green one. This is a good indicator of where troubleshooting is required to help the client along to the next stage.
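The stage sequence above lends itself to a small log triage helper. The Python below is an added example, not Cisco's code or the controller's real event-log format: the log line grammar, the AP names and the client MAC addresses are constructed for illustration. It filters a constructed event log by client MAC, as the controller's client search does, colours each stage green, black or grey, and maps a black dot to the check that stage calls for (range, PSK/802.1x policy, or DHCP reachability).

```python
"""Colour the client join-stage dots from a constructed WLC-style event log.

Added example: the log line grammar below is an assumption for illustration,
not the controller's real event-log format.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Stages in the order the client detail page shows them.
STAGES = ("Start", "Association", "Authentication", "DHCP", "Online")

# What to check when a given stage shows a black dot.
HINTS = {
    "Association": "client in range of the AP? check signal strength/quality",
    "Authentication": "PSK or 802.1X policy check failed; verify credentials/RADIUS",
    "DHCP": "no lease learned; check the DHCP server is reachable via the AP's VLAN",
}

# Constructed grammar: "<time> <client-mac> <Stage> <ok|fail> [detail]"
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<stage>Start|Association|Authentication|DHCP|Online)\s+"
    r"(?P<result>ok|fail)\b(?P<detail>.*)$",
    re.IGNORECASE,
)


@dataclass
class JoinTrace:
    mac: str
    dots: Dict[str, str] = field(default_factory=lambda: {s: "grey" for s in STAGES})
    failed_stage: Optional[str] = None
    detail: str = ""

    @property
    def reached(self) -> Optional[str]:
        """Last stage with a green dot, or None if the client never started."""
        green = [s for s in STAGES if self.dots[s] == "green"]
        return green[-1] if green else None

    @property
    def hint(self) -> str:
        if self.failed_stage is None:
            return "online" if self.reached == "Online" else "join incomplete, no failure logged"
        return HINTS.get(self.failed_stage, "")


def trace_client(log_lines: List[str], mac: str) -> JoinTrace:
    """Filter the log by client MAC (as the controller's client search does)
    and colour the stage dots in order; a failed stage stops the sequence."""
    trace = JoinTrace(mac=mac.lower())
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m or m["mac"].lower() != trace.mac:
            continue
        stage = next(s for s in STAGES if s.lower() == m["stage"].lower())
        if m["result"].lower() == "ok":
            trace.dots[stage] = "green"
        else:
            trace.dots[stage] = "black"
            trace.failed_stage = stage
            trace.detail = m["detail"].strip()
            break
    return trace


# Constructed sample log: three clients, two of them stuck at different stages.
SAMPLE_LOG = [
    "10:01:02 aa:bb:cc:dd:ee:01 Start ok",
    "10:01:02 aa:bb:cc:dd:ee:01 Association ok AP=ap-floor2-03 rssi=-61",
    "10:01:03 aa:bb:cc:dd:ee:01 Authentication ok 802.1X EAP success",
    "10:01:05 aa:bb:cc:dd:ee:01 DHCP fail no DHCPOFFER before timeout",
    "10:01:02 aa:bb:cc:dd:ee:02 Start ok",
    "10:01:02 aa:bb:cc:dd:ee:02 Association ok AP=ap-floor2-03 rssi=-70",
    "10:01:03 aa:bb:cc:dd:ee:02 Authentication ok PSK 4-way handshake complete",
    "10:01:04 aa:bb:cc:dd:ee:02 DHCP ok 10.20.30.41",
    "10:01:04 aa:bb:cc:dd:ee:02 Online ok",
    "10:02:00 aa:bb:cc:dd:ee:03 Start ok",
    "10:02:00 aa:bb:cc:dd:ee:03 Association ok AP=ap-floor1-01 rssi=-84",
    "10:02:01 aa:bb:cc:dd:ee:03 Authentication fail PSK 4-way handshake timeout",
]

if __name__ == "__main__":
    for mac in ("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03"):
        t = trace_client(SAMPLE_LOG, mac)
        dots = " ".join(f"{s}:{t.dots[s]}" for s in STAGES)
        print(f"{mac}  {dots}  -> {t.hint} {t.detail}")
```

Running it prints one line per client with the dot colours and the hint, which is the same picture the client detail page gives, but over the whole log at once.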

Checking Client Association and Signal Status

The left side of the client view screen shows the wireless client's username, hostname, MAC address, connection uptime and the SSID it is connected to.

Further down is a performance section that shows the signal quality of the connection to the client. It includes strength, quality, connection speed and the channel width it is utilising.

From these figures the wireless LAN controller calculates a connection score: the current data rate divided by the lower of the maximum rates supported by the client and the access point.

Further details can be displayed by clicking on the connection score.

Checking Mobility State

The WLC Client Search displays an end-to-end graphical representation of the client's wireless connection.

The graphical representation lets an administrator quickly discover where the client is connected and where the connection goes. The diagram can show AP names and IP addresses along the path.

Checking the Client Wireless Policies

More specific information is shown further down the page: the network, quality of service, security and other policies applied to the client are located in the Network & QOS and Security & Policy sections.

Testing a Wireless Client

Scrolling to the bottom of the client search page provides some testing and diagnostics tools.

Ping Test

Sends five ICMP echo packets to the client's IP address and measures the response time.

Connection Test

Debugs the connection for up to three minutes and checks the policy steps as the client attempts to join the wireless network.

Event Log

Displays a log of events as the client attempts to join the wireless network served by the access point.

Packet Capture

Enables a packet capture at the access point where the client attempts to join. The capture is saved to a specified FTP server, from which it can be downloaded and analysed on a client machine.

Troubleshooting Wireless

When it comes to troubleshooting wireless networks, three things are required for a client to connect to an access point successfully:

  1. The client is in range of the access point
  2. The client is able to successfully authenticate with the access point
  3. The client is able to gain a DHCP lease from the DHCP server through the access point

Wireless WebAuth Authentication

Web authentication differs from other methods of authentication as it presents the user with content to read and interact with before giving full access to the network.

It can prompt for user credentials, display information about the enterprise's network they are connecting to, or present terms and conditions on the network's purpose and use.

The user must open a web browser to view and interact with this content.

WebAuth authentication can be used as a layer on top of Open Authentication, PSK based authentication or EAP based authentication.

WebAuth can be handled locally on the WLC for smaller environments through Local Web Authentication (LWA). Local Web Authentication can be used in a number of different modes:

  • LWA with an internal database
  • LWA with an external database on a RADIUS server or LDAP
  • LWA with an external redirect after authentication
  • LWA with an external splash page redirect via an internal database on WLC
  • LWA with passthrough, requiring user acknowledgement

When many controllers are involved in providing web authentication, it makes sense to use a centralised database such as a RADIUS server like ISE to reduce administration overhead.

The web authentication page can be moved onto a centralised server too, known as central web authentication.

Configuration of Web Auth

To activate WebAuth for a network, on the Security -> Layer 3 tab select the Security Type of Web Policy.

The local web server can be configured to display content at Security -> Web Auth -> Web Login Page.

Wireless EAP Based Authentication using Local EAP

If the environment is small or there is no RADIUS server in production, the authentication service built into the Cisco wireless controller (Local EAP) can be used.

The local EAP service needs to be defined on the controller. Navigate to Security -> Local EAP -> Profiles and click the New button.

A name must be entered for the Local EAP profile; the profile defines the authentication methods the local server offers.

A list of local users needs to be created on the WLC for authentication; this is done under Security -> AAA -> Local Net Users.

Wireless EAP Based Authentication using RADIUS Servers

Configure one or more external RADIUS servers in the Security -> AAA -> RADIUS section.

Enter the server's IP address and the shared secret key that the wireless controller uses to communicate with the RADIUS server, and ensure the server is set to Enabled.

To use the RADIUS server for wireless network clients, make sure the Enable box next to Network User is ticked.

Navigate to WLANs and select the WLAN to edit. Configure the WLAN security under WPA2 Enterprise.

On the Security -> Layer 2 tab select WPA+WPA2 and ensure WPA2 Policy is ticked and WPA is not.

Under WPA2 Encryption, check the AES box to use the strongest encryption.

Select 802.1x under Authentication Key Management to enable the enterprise mode. Make sure PSK is not checked so Personal mode is left disabled.

Wireless Authentication – EAP

Authenticating a client normally requires a challenge, then a response, then a decision on whether to grant access. The challenge and response can involve a range of encryption keys and algorithms with unique requirements to pass information between the client and access point.

Extensible Authentication Protocol (EAP) provides a framework within which different authentication methods can be built.

EAP does not define any authentication methods of its own; instead it defines a common set of functions and messages that authentication methods use to authenticate a client.

EAP integrates with 802.1x port-based access control, limiting access to the network until the client has authenticated.

This means a wireless client may be able to join a wireless network, but won’t get access beyond the wireless access points network port until it has authenticated.

Open Authentication and pre-shared keys keep the authentication gate at the access point. With 802.1x the client can openly join the access point, but the actual authentication for network access happens at a network server.

802.1x is a three-party system: the supplicant, which is the client; the authenticator, which is the network device providing access to the network; and the authentication server, which takes the client's credentials and permits or denies access based on its policies.

To utilise Extensible Authentication Protocol and 802.1x, the enterprise modes of WPA1, WPA2 and WPA3 should be used.

Enterprise mode supports many EAP methods such as LEAP, EAP-FAST, PEAP, EAP-TLS, EAP-TTLS, and EAP-SIM.

Cisco wireless controllers can use an external RADIUS server, or a local EAP server on the wireless controller itself, for 802.1x authentication.
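The authenticator-to-authentication-server leg of that three-party exchange normally runs over RADIUS, and the shared secret configured on the controller is what binds each reply to the request it answers. The Python below is an added example, not Cisco's code: it builds a minimal Access-Request carrying a Message-Authenticator (HMAC-MD5 under the shared secret, RFC 2869), the server's Access-Accept with its Response Authenticator (MD5 over the reply, the request's authenticator and the secret, RFC 2865), and the check each side performs before trusting what it received. The shared secret, identifier, NAS address, username and request authenticator are constructed values.

```python
"""RADIUS shared-secret checks on both sides of the 802.1X authenticator /
authentication-server exchange. Added example; all packet values are constructed."""
import hashlib
import hmac
import struct
from typing import List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80


def attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, length (including the 2 header bytes), value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def header(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(pkt: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 20
    while i < len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > len(pkt):
            raise ValueError("malformed attribute")
        out.append((atype, pkt[i + 2:i + alen]))
        i += alen
    return out


def build_access_request(secret: bytes, ident: int, request_auth: bytes,
                         username: str, nas_ip: bytes) -> bytes:
    """Authenticator (the WLC) -> server. The Message-Authenticator is HMAC-MD5
    keyed with the shared secret over the whole packet with its own 16 value
    bytes zeroed; EAP-carrying requests must include it (RFC 3579)."""
    attrs = attr(ATTR_USER_NAME, username.encode()) + attr(ATTR_NAS_IP_ADDRESS, nas_ip)
    placeholder = header(ACCESS_REQUEST, ident, request_auth,
                         attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    mac = hmac.new(secret, placeholder, hashlib.md5).digest()
    return header(ACCESS_REQUEST, ident, request_auth,
                  attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac))


def verify_access_request(secret: bytes, pkt: bytes) -> bool:
    """Server side: recompute the Message-Authenticator with its value zeroed."""
    attrs = parse_attrs(pkt)
    received = next((v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR), None)
    if received is None or len(received) != 16:
        return False
    rebuilt = b"".join(attr(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                       for t, v in attrs)
    expected = hmac.new(secret, pkt[:20] + rebuilt, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def build_response(secret: bytes, code: int, request: bytes, attrs: bytes = b"") -> bytes:
    """Server -> authenticator. Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """WLC side: accept only a reply whose identifier matches the outstanding
    request and whose authenticator was computed with the shared secret over
    that request's authenticator; anything else is dropped, never treated as Accept."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


# Constructed values for the demo (a real request authenticator is 16 random bytes).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
REQUEST = build_access_request(SECRET, ident=7, request_auth=REQUEST_AUTH,
                               username="alice", nas_ip=bytes([10, 0, 0, 5]))
ACCEPT = build_response(SECRET, ACCESS_ACCEPT, REQUEST)

if __name__ == "__main__":
    print("request Message-Authenticator ok:", verify_access_request(SECRET, REQUEST))
    print("accept ok:", verify_response(SECRET, REQUEST, ACCEPT))
    print("accept checked with wrong secret:", verify_response(b"wrong", REQUEST, ACCEPT))
```

The practical point is the last check: a mismatched secret on either side does not produce a vague error, it produces replies the controller silently discards, which on the WLC shows up as clients stuck at the Authentication stage.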

Wireless Authentication – Pre Shared Key

One method of securing a connection to a wireless network is to use one of the Wi-Fi Protected Access (WPA) technologies: WPA1, WPA2 or the latest version, WPA3.

Each version of Wi-Fi Protected Access is certified by the Wi-Fi Alliance so a client and wireless access point utilising the same version of Wi-Fi Protected Access should be compatible with each other.

WPA can also specify encryption and data integrity technologies to help protect data that passes over the airwaves.

All three versions of Wi-Fi Protected Access can support two methods of client authentication, Pre-Shared Key (PSK) or 802.1x, also known as personal mode or enterprise mode respectively.

In personal mode the pre-shared key must be shared and configured on every access point and client before a client device can connect to the wireless network.

Ideally the pre-shared key is kept secret so that unauthorised users cannot connect to the wireless network without it.

The pre-shared key is never sent across the air in plain text; instead a four-way handshake uses the pre-shared key to construct an encryption key from values that can be exchanged openly. If the four-way handshake succeeds, the client can connect to the network.

In WPA1 and WPA2 an attacker can eavesdrop on and capture the four-way handshake between the client and access point, then use a dictionary attack to try to guess the pre-shared key. If successful, the attacker can decrypt the wireless data or even join the network posing as a legitimate user.

WPA3 improves the key exchange by introducing Simultaneous Authentication of Equals (SAE). Rather than the client authenticating against the access point or a server, the client and access point initiate the authentication process equally, or simultaneously.

If the password or key is compromised, WPA3 Personal offers forward secrecy, which prevents an attacker from using the key to decrypt data that has already been transmitted over the air.
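To make the handshake paragraphs above concrete, the Python below is an added example (not Cisco's code) that derives the keys both sides of a WPA2-Personal four-way handshake compute from the pre-shared key: the PMK from the passphrase and SSID (PBKDF2-HMAC-SHA1, 4096 iterations), the PTK from the PMK plus the two MAC addresses and the two nonces exchanged in the clear, and the HMAC-SHA1-128 MIC the access point checks on message 2. The MAC addresses, nonces, SSID and EAPOL-Key body are constructed values; the PMK test vector (passphrase "password", SSID "IEEE") is the one published in the IEEE 802.11 standard's annex. Because everything except the PMK travels in the clear, a captured handshake is exactly what an offline passphrase guess is checked against in WPA1/WPA2, which is why SAE in WPA3 changes this step.

```python
"""WPA2-Personal key derivation as performed by both the client (supplicant)
and the access point during the four-way handshake. Added example; the MAC
addresses, nonces, SSID and EAPOL-Key body below are constructed."""
import hashlib
import hmac
from typing import Dict


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Deterministic: every device with the same passphrase and SSID gets the same
    PMK, which is what 'personal mode' shares between AP and clients."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> Dict[str, bytes]:
    """PTK for CCMP (384 bits): KCK (MIC key), KEK (key wrap), TK (data encryption).
    Every input other than the PMK is visible over the air."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key MIC for AKM 00-0F-AC:2 (WPA2-PSK): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def four_way_handshake(passphrase_sta: str, passphrase_ap: str, ssid: str,
                       ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes,
                       msg2_body: bytes) -> Dict[str, object]:
    """Walk the exchange: msg1 AP->STA carries ANonce; msg2 STA->AP carries SNonce
    plus a MIC under the STA's KCK; the AP derives its own PTK and checks the MIC.
    A MIC match proves both sides hold the same PMK without ever sending it."""
    sta_ptk = derive_ptk(derive_pmk(passphrase_sta, ssid), ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(sta_ptk["KCK"], msg2_body)                                   # STA signs msg2
    ap_ptk = derive_ptk(derive_pmk(passphrase_ap, ssid), ap_mac, sta_mac, anonce, snonce)
    mic_ok = hmac.compare_digest(eapol_mic(ap_ptk["KCK"], msg2_body), mic)        # AP verifies
    return {"mic_ok": mic_ok, "keys_match": sta_ptk["TK"] == ap_ptk["TK"], "tk": ap_ptk["TK"]}


# Constructed inputs for the demo.
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
MSG2_BODY = b"\x02\x03\x00\x75" + b"\x02\x01\x0a" + bytes(93)  # EAPOL-Key with MIC field zeroed

if __name__ == "__main__":
    good = four_way_handshake("correct horse battery staple", "correct horse battery staple",
                              "LabSSID", AP_MAC, STA_MAC, ANONCE, SNONCE, MSG2_BODY)
    print("MIC verified:", good["mic_ok"], " TK equal on both sides:", good["keys_match"])
    bad = four_way_handshake("wrong passphrase", "correct horse battery staple",
                             "LabSSID", AP_MAC, STA_MAC, ANONCE, SNONCE, MSG2_BODY)
    print("MIC verified with mismatched client passphrase:", bad["mic_ok"])
```

On the controller, the mismatched case is what a black Authentication dot with a PSK policy failure looks like: message 2 arrives but its MIC does not verify, so the client never reaches DHCP.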

Configuring a network with Wi-Fi Protected Access

In a Cisco wireless controller, navigate to WLANs and select Create New.

Next, select Security and the Layer 2 tab. In the Layer 2 Security drop-down box select the WPA version for the WLAN.

For Personal Mode, look under Authentication Key Management and check only the box next to PSK. Enter the pre-shared key into the box next to PSK format.

Wireless Authentication – Open

The original 802.11 standard has two choices for authenticating a client: Open Authentication and WEP (Wired Equivalent Privacy).

Open Authentication offers open access to a wireless network. The only requirement is that the client sends an 802.11 authentication request before it attempts to associate with an access point.

Any 802.11 client can authenticate to gain access to an open network; there is no security challenge. All the authentication does is validate that the client uses the 802.11 protocol to join the wireless network.

Some open wireless networks use a Web Authentication technology for some form of client screening. A client can authenticate to the open network straight away but must open a web browser to accept the terms of use for the wireless network (and possibly enter credentials on that web page to complete the access request).

Creating an Open Authentication Network

To create a wireless network with open authentication on a Cisco wireless controller, create a wireless network and map it to the correct VLAN.

Next, go to the General tab, enter the name of the SSID and apply the appropriate controller interface. Remember to change the status to Enabled.

Finally, go to the Security tab and configure the wireless network security and user authentication settings. Select the Layer 2 tab and select None to enable open authentication.

Locating Wireless Network Devices

Device location can be important to a business or enterprise network. A large store may be interested in tracking potential customers as they walk around the store, or a museum may track visitors as they walk around exhibits so as to present relevant content.

A client can be located to the access point it is associated with, but the location can be made more granular by using received signal strength.

A client's distance can be calculated from the received signal strength between the access point and the client.

In the case of a single access point with an omnidirectional antenna, though, the client could be anywhere on a circle of a certain radius around the access point's antenna.

By using three or more access points, the measured signal strengths can be combined to determine more accurately where the client device may be located.

This information can be combined with other technologies to provide a real time location service.

Cisco access points and their wireless controllers can integrate with other Cisco technologies such as DNA Center, and with location servers such as Cisco Mobility Services Engine (MSE) or Cisco Connected Mobile Experiences (CMX), to gather and display location information in real time.

Real-time location was not something originally intended to be part of the wireless network infrastructure.

The access points interface directly with the client devices and handle normal data forwarding, but the wireless LAN controllers can forward information such as clients probing, joining and leaving, along with their received signal strength values, to the DNA Center platform for location calculation.

Calculations are straightforward if a device is in free space, but walls and furniture between an access point and a client device make accurate pinpointing of the device's location more complicated.

Areas can be calibrated by an administrator walking through the area taking measurements with a device, to get a real-world view of signal strength in that particular area.

A client device can be discovered, and its location calculated, by several different access points at the same time.

When a client sends out an 802.11 Probe Request to discover any nearby access points, it is sent on every channel and band the client device supports. Multiple access points pick up this request as the client sends it; their measurements of the request can then be combined to track the user's device accurately.
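The distance-from-signal-strength and multi-AP reasoning above can be worked through in code. The Python below is an added example, not Cisco's MSE, CMX or DNA Center algorithm: it assumes a log-distance path-loss model (RSSI at distance d equals the RSSI at one metre minus 10·n·log10(d)), fits the exponent n from walk-through calibration samples, converts each access point's RSSI for a probe request into a radius, and solves the three-circle problem by least squares. Access point positions, the client position and all RSSI values are constructed.

```python
"""RSSI-based location: one AP gives a circle, three give a position.
Added example; the path-loss model and all coordinates/RSSI values are assumptions."""
import math
from typing import List, Sequence, Tuple

Point = Tuple[float, float]


def distance_to_rssi(d: float, rssi_1m: float = -40.0, n: float = 3.0) -> float:
    """Log-distance path-loss model (assumption): RSSI(d) = RSSI(1 m) - 10 n log10(d)."""
    return rssi_1m - 10 * n * math.log10(d)


def rssi_to_distance(rssi: float, rssi_1m: float = -40.0, n: float = 3.0) -> float:
    """Invert the model: the client lies on a circle of this radius around the AP."""
    return 10 ** ((rssi_1m - rssi) / (10 * n))


def calibrate_exponent(samples: Sequence[Tuple[float, float]], rssi_1m: float = -40.0) -> float:
    """Fit n from (distance, rssi) pairs taken while walking the area: least squares
    on RSSI(1 m) - RSSI = 10 n log10(d). Walls and furniture push n above the
    free-space value of 2, which is why a site is calibrated rather than assumed."""
    num = sum((rssi_1m - r) * math.log10(d) for d, r in samples)
    den = 10 * sum(math.log10(d) ** 2 for d, _ in samples)
    return num / den


def trilaterate(circles: Sequence[Tuple[Point, float]]) -> Point:
    """Solve for (x, y) from >= 3 (centre, radius) circles. Subtracting the first
    circle equation from each other one gives the linear rows
    2(xi - x0) x + 2(yi - y0) y = d0^2 - di^2 + xi^2 - x0^2 + yi^2 - y0^2,
    solved via the 2x2 normal equations (a least-squares fit when radii are noisy)."""
    if len(circles) < 3:
        raise ValueError("need at least three non-collinear access points")
    (x0, y0), d0 = circles[0]
    rows, rhs = [], []
    for (xi, yi), di in circles[1:]:
        rows.append((2 * (xi - x0), 2 * (yi - y0)))
        rhs.append(d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2)
    a11 = sum(r[0] * r[0] for r in rows)
    a12 = sum(r[0] * r[1] for r in rows)
    a22 = sum(r[1] * r[1] for r in rows)
    b1 = sum(r[0] * b for r, b in zip(rows, rhs))
    b2 = sum(r[1] * b for r, b in zip(rows, rhs))
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("access points are collinear; position is ambiguous")
    return (b1 * a22 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det


def locate(readings: Sequence[Tuple[Point, float]], rssi_1m: float = -40.0, n: float = 3.0) -> Point:
    """readings: ((ap_x, ap_y), rssi_dbm) from each AP that heard the client's probe."""
    return trilaterate([(ap, rssi_to_distance(r, rssi_1m, n)) for ap, r in readings])


# Constructed floor plan (metres): three APs and a client at (6, 5).
APS: List[Point] = [(0.0, 0.0), (20.0, 0.0), (0.0, 15.0)]
CLIENT: Point = (6.0, 5.0)


def simulated_readings(client: Point = CLIENT, n: float = 3.0) -> List[Tuple[Point, float]]:
    """RSSI each AP would report for one probe request from the client under the model."""
    return [(ap, distance_to_rssi(math.dist(ap, client), n=n)) for ap in APS]

if __name__ == "__main__":
    readings = simulated_readings()
    ap, rssi = readings[0]
    print(f"single AP at {ap}: client somewhere on a circle of radius {rssi_to_distance(rssi):.2f} m")
    print("three APs:", locate(readings))
```

With a single reading the code can only return a radius, which is the circle the text describes; with three non-collinear APs it returns a point, and feeding it a fourth or fifth AP simply adds rows to the least-squares fit, which is how extra measurements of the same probe request tighten the estimate.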