Wi-Fi
WEP - Not Secure Enough for You
by admin on Apr.05, 2007, under Networking, Security, Wi-Fi
This is a follow-up post to Clamp Down Security on Your Cisco Aironets with Win XP SP2. This post applies not just to Cisco Aironets but to anything that uses WEP.
People continue to point out how easy it is to crack WEP. It has gotten to the point where WEP encryption can be broken within a minute. It doesn’t take much processing power to do it either; it can possibly be done with a PDA or smartphone.
“NIST estimates that a machine that can break 56-bit DES key in 1 second would take about 149 trillion years to crack a 128-bit AES key (unless someone is very lucky)”
It is time to switch to WPA2 and I have the step by step on how to do it with a Cisco Aironet AP here.
Paper put together by Darmstadt Technical University.
Another good article on the subject.
Another good thing to do for a medium to large business is to get a good wireless IDS system like RF Protect. Check out my review here.
Clamp Down Security on Your Cisco Aironet with Win XP SP2
by admin on Mar.26, 2007, under Networking, Security, Systems, Wi-Fi
Say goodbye to your old WEP 128-bit keys and say hello to AES and WPA2. If you want to really lock down your Cisco Aironets, follow these settings.
*Personal with Pre-Shared Key*
In the Windows Client (If you have your SSID Hidden and you are using Microsoft’s Zero Config)
1) Open Properties on your wireless connection
2) Go to the Wireless Networks Tab
3) Under Association Tab:
Network Name “Your SSID”
Network Authentication “WPA2-PSK”
Data encryption “AES”
*Enterprise without Pre-Shared Key*
In the Windows Client (If you have your SSID Hidden and you are using Microsoft’s Zero Config)
1) Open Properties on your wireless connection
2) Go to the Wireless Networks Tab
3) Under Association Tab:
Network Name “Your SSID”
Network Authentication “WPA2”
Data encryption “AES”
You might need the following patch.
*Personal with Pre-Shared Key*
In Aironet
Under Security Menu
1) Encryption Manager
Select your VLAN
Encryption Modes “Cipher - AES CCMP”
Encryption Keys “Blank”
Global Properties “Disable Rotation”
2) SSID Manager
Choose your Current SSID
Methods Accepted: “Open Authentication”
Client Authenticated Key Management “Mandatory” + “WPA” + Pre-shared Key of at least 10 characters.
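Why the pre-shared key length above matters, shown as an added example (not part of the original post or of Cisco's software): with WPA/WPA2-PSK the passphrase is stretched into the 256-bit master key with PBKDF2-HMAC-SHA1, using the SSID as the salt. The function names and the sample SSIDs below are made up for illustration; the 10-character minimum is the one recommended in this post.

```python
import hashlib

STD_MIN_LEN, STD_MAX_LEN = 8, 63   # passphrase limits for WPA/WPA2-PSK
PAGE_MIN_LEN = 10                  # minimum recommended in this post


def check_passphrase(passphrase):
    """Return a list of problems; an empty list means the passphrase is acceptable."""
    problems = []
    if not STD_MIN_LEN <= len(passphrase) <= STD_MAX_LEN:
        problems.append("must be 8 to 63 characters for WPA/WPA2-PSK")
    elif len(passphrase) < PAGE_MIN_LEN:
        problems.append("shorter than the 10 characters recommended here")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("contains characters outside printable ASCII")
    return problems


def derive_pmk(passphrase, ssid):
    """Pairwise master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    # Constructed sample values, not real network settings.
    for candidate in ("short", "password", "a much longer pass phrase 2007"):
        print(repr(candidate), check_passphrase(candidate) or "ok")

    # The SSID is the salt: the same passphrase gives a different key per SSID,
    # so a unique SSID and a long passphrase both add to the strength of the key.
    for ssid in ("OfficeAP-example", "WarehouseAP-example"):
        print(ssid, derive_pmk("a much longer pass phrase 2007", ssid).hex())
```

Nothing else protects the key in Personal mode, which is why the Enterprise settings that follow replace the shared passphrase with per-user EAP authentication.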
*Enterprise without Pre-Shared Key*
In Aironet
Under Security Menu
1) Encryption Manager
Select your VLAN
Encryption Modes “Cipher - AES CCMP”
Encryption Keys “Blank”
Global Properties “Disable Rotation”
2) SSID Manager
Choose your Current SSID
Methods Accepted: “Open Authentication with EAP”
Client Authenticated Key Management: “Key Management: Mandatory and Check WPA”
General Settings: “Check Advertise Extended Capabilities of this SSID”
Version of Software on Aironets - 12.3(8)JA2
These are by far not all the tweaks that can be done, but they will get you off the ground and very secure. If you are currently running WEP you should be able to keep all your other settings in the Aironet, change only these, and you will be 100s of times more secure.
Questions please leave a comment.
802.11n - Finally a Standard?
by admin on Mar.15, 2007, under Networking, Wi-Fi
It looks like 802.11n is finally going to get through all of the red tape and arguing to become a standard soon. Draft 2.0 for 802.11n was passed with a supermajority in its current step, moving it forward toward an IEEE standard.
Also, it appears that the current specs will be compatible with most current 802.11n gear. It has been a long time in coming for this new standard. We have been waiting what seems like forever for better, faster, greater-distance Wi-Fi.
More details here.
DST (Daylight Savings Time) Change on Cisco Aironets
by admin on Mar.12, 2007, under Networking, Wi-Fi
I had to update my Cisco Aironets as well for the DST change. There isn’t much for controls in the web console to help you fix the issues. You can uncheck and check to use Daylight Savings Time but since it doesn’t think that DST applies yet that won’t help.
The workaround for this is to apply the command “clock summer-time CST date Mar 11 2007 2:00 Nov 4 2007 2:00”, which is the same one you would use for the routers. This command should work for any IOS device, and thankfully the Aironets I run have an IOS backend.
This command worked great and the time is now correct on them, at least until they decide to change the DST again.
Wireless Antenna Configurations
by admin on Jun.26, 2006, under Networking, Wi-Fi
I have been doing some research on what settings would most optimize my Cisco Aironets. One of my major questions has been whether I should run one or two dipole antennas and what the settings should be. My first thought was, why not just use one antenna, because the way the Aironets work is they can only send and receive from one antenna at a time and the two antennas are only a couple of inches apart. So put one antenna on and switch the send and receive power to only go out the one antenna. Well, I found out why you need two antennas: it is because with one antenna, when the signal reflects off of things it can leave you with micro pockets of no signal. Apparently when you have these two antennas spaced that little amount apart, either one or the other antenna will cover all of those micro pockets. When you have two antennas you need to have them on diversity settings on both send and receive. The reason to have only one antenna is when you put a high-gain antenna on for a great distance of coverage. Then make sure to change your antenna settings to send and receive only out of that antenna. Any questions or comments on this topic are quite welcome.
Wireless Antennas
by admin on Jun.23, 2006, under Networking, Wi-Fi
Just thought I would mention this and give a link to a good site I have used quite a bit in the past. If you are in need of boosting your Wi-Fi signal by a good chunk, take a look at this site: http://www.hyperlinktech.com/ . They have all sorts of commercial antennas, cables, pigtails, adapters, signal amps, enclosures, etc. I have lit up an entire neighborhood, for a commercial Wi-Fi network, over 1 mile in diameter with some of their equipment. Take a look.
Wireless Ceiling Cable Length
by admin on Jun.23, 2006, under Networking, Wi-Fi
B-rad left a comment on my post Wireless Ceiling that the longest cable is only 5′, but you should be able to get good coverage from one ceiling tile in the area. You should then be able to mount an AP above this ceiling tile and run the access point off of POE. I have some info about running an Aironet 1200 series AP using POE in this post: Cisco Aironets POE
Wireless Ceiling
by admin on Jun.22, 2006, under Networking, Wi-Fi
In my research for this other topic, Where to Place Wireless, I found a product that is one of the best ideas I have seen in quite some time. The product is a ceiling tile that has a Wi-Fi antenna built into it. So it is like hanging your Wi-Fi point or your Wi-Fi antenna on the ceiling tile but not being able to see it. Better coverage and looks better. Check it out at I-Ceilings
Where to place a Wi-Fi Point
by admin on Jun.22, 2006, under Networking, Wi-Fi
I am researching right now where the best place is to put your Wi-Fi points in an enterprise environment. There are a lot of things to consider, such as the floor plan, where you need coverage, what devices are going to be used on the network, and what kinds of speeds you need. When mounting them you have to be aware of what is near them, not only because of absorption of RF but also reflection of RF. I am adding in a link for some recommendations from Cisco as well as some stats on building materials you might encounter. One thing I have yet to find is what kind of effect soundproofing material has on RF, if any.
Cisco Recommendations
1. Paper and vinyl walls have little effect on RF signal penetration.
2. Solid and pre-cast concrete walls limit signal penetration to one or two walls without degrading coverage.
3. Concrete and concrete block walls limit signal penetration to three or four walls.
4. Wood or drywall allows for adequate signal penetration for five or six walls.
5. A thick metal wall causes signals to reflect off, resulting in poor signal penetration.
6. Chain link fence and wire mesh with 1 to 1½” spacing act as ½” waves that block a 2.4 GHz signal.
7. When you deploy a wireless bridge link through a window, the window glass can introduce significant signal loss. Typical losses range from 5 to 15 dB per window, depending upon the type of glass. Your deployment plan must take this extra loss into account conservatively when you plan antenna gains and power settings.
Cisco Aironets POE
by admin on Jun.20, 2006, under Networking, Wi-Fi
I have been looking into running some Aironet 1231s off of POE on the new network I am setting up. What I have found is that the 1200 series Aironets don’t support the IEEE POE standard but have been built to the legacy Cisco inline power. There are multiple ways you can power these devices using power over CAT5. The first and best way to do it is to have a Cisco POE device that has prestandard support. Look at the following link for info on that.
Otherwise, what you can do is go with an adapter. You can get an adapter to change from the IEEE standard POE switch back to legacy, or you can go from a regular switch and put an active POE adapter in the middle. A company that makes these products and was a great help in researching this is http://www.powerdsine.com . Basically, the difference between the two standards is that one travels on the same pair of wires as the data and the other does not.