Category Archives: CWNP

Using WiFi to find Someone?


How could WiFi Superman use his knowledge of 802.11 technologies to help apprehend the escapees of the Clinton Correctional Facility?  Well, first we will need to suspend reality a bit, as inmates get very limited access to the Internet and cell phones are strictly forbidden.  But in our little story let’s suppose that the accomplice in this love triangle, “Tillie” Mitchell, gave the escaped convicts her smart phone.

So at the Clinton Correctional Facility there is a BYOD network that Tillie used for her smart phone.  Let’s say that law enforcement finds out she gave her phone to the escapees.  There are a couple of avenues a crime fighter could take; although a little far-fetched, they would be possible.  The first thing to investigate is the MAC address of the phone’s wireless card.

This could be determined in several different ways.  Most WLAN controllers retain client association records in memory for some time, so if we knew the hostname of the device we could correlate it to a MAC address.  ClearPass and ISE keep per-client data (device profiling, OUI, user name) that may let us narrow the field to a handful of MAC addresses even if we only know the make and model of the device.  Once we have a MAC, or a few MACs, we can proceed to search for them on the airwaves.

Let’s say Richard Matt has relatives in Albany and police strongly suspect he is on the lam and hunkered down there.  WiFi Superman could war-fly (akin to war-driving) until he finds the MAC address and try to pinpoint the building where they are hiding.  If Optimum Online was willing to help, they could look for the MAC across their access points; if it showed up on 3 or more of them, we could estimate its location by trilateration on the signal strength each AP reports (commonly, if loosely, called triangulation).

Now let’s say we have no idea what the MAC address is.  Another plan of attack could theoretically work.  Clients discover networks in one of two ways: passive or active scanning.  The prison has a specific SSID for its BYOD network, and we know what it is.  When scanning, the client is looking for information on available wireless networks.  In a passive scan the wireless NIC simply listens for beacons (and for probe responses sent to other clients).  Beacons will not help us, since they come from access points rather than from the phone; they could even hurt our effort if some other access point happened to be broadcasting the same SSID.

In an active scan the client transmits probe requests, always to the broadcast address (FF:FF:FF:FF:FF:FF), and the SSID element in the request takes one of two forms.  A wildcard probe carries a zero-length (empty) SSID and asks “Is anyone there?”; that is of no use to us.  A directed probe carries a specific SSID from one of the client’s saved wireless profiles (e.g. in Wireless Zero Config) and asks “Are you there, Bill?”.  Since we know the prison’s SSID we can snoop for it.  Put a laptop’s wireless adapter into monitor mode (promiscuous mode on an ordinary interface will not capture 802.11 management frames), capture all frames in the area where we suspect the duo is hiding, then filter the capture down to probe requests (in Wireshark, the display filter wlan.fc.type_subtype == 4) and further to those whose SSID element matches the prison’s SSID.  Two caveats: a client only sends directed probes for a network while that profile is still saved on the phone, and many newer phones randomize the source MAC in their probe requests, so the MAC seen on those probes may not match the one the prison’s controller logged.
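The filtering step described above, as an added example that is not part of the original post: a small parser for monitor-mode captures (radiotap header followed by the 802.11 frame, as tcpdump or Wireshark would save them) that picks out directed probe requests naming a target SSID and flags source MACs that are locally administered, i.e. probably randomized.  The SSID “CCF-BYOD”, the MAC addresses and the frames themselves are constructed for this example; a real run would read frames from a capture file instead.

```python
"""Pick out 802.11 probe requests that name a target SSID.

Added example (not from the original post): a minimal parser for
monitor-mode captures with a radiotap header, as tcpdump/Wireshark would
save them. The target SSID "CCF-BYOD", the MAC addresses and the frames
themselves are constructed for this example.
"""
import struct

MGMT_HDR_LEN = 24            # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
FC0_PROBE_REQUEST = 0x40     # frame control byte 0: version 0, type 0 (mgmt), subtype 4
FC0_BEACON = 0x80            # type 0, subtype 8 (only used to build a decoy frame below)
TAG_SSID = 0                 # element ID of the SSID information element
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def strip_radiotap(frame: bytes) -> bytes:
    """Remove the radiotap pseudo-header; its total length is a little-endian u16 at offset 2."""
    _version, _pad, rt_len = struct.unpack_from("<BBH", frame, 0)
    return frame[rt_len:]


def parse_probe_request(dot11: bytes):
    """Return (source MAC, SSID) for a probe request, or None for any other frame.

    SSID is None for a wildcard probe (zero-length SSID element), which
    says nothing about the client's saved profiles. A directed probe
    carries the SSID of a saved network and is what we are hunting for.
    """
    if len(dot11) < MGMT_HDR_LEN or dot11[0] != FC0_PROBE_REQUEST:
        return None
    sa = mac_str(dot11[10:16])              # Addr2 is the transmitter (the client)
    body = dot11[MGMT_HDR_LEN:]
    off, ssid = 0, None
    while off + 2 <= len(body):             # walk the tagged parameters: ID, length, value
        tag, tlen = body[off], body[off + 1]
        value = body[off + 2: off + 2 + tlen]
        if len(value) < tlen:               # truncated frame: stop rather than mis-parse
            break
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", "replace") if tlen else None
            break
        off += 2 + tlen
    return sa, ssid


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means a locally administered address.

    Newer phones randomize the source MAC of their probe requests, and those
    randomized addresses have this bit set, so a hit from such a MAC cannot
    be matched against the address the prison's controller logged.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def clients_probing_for(frames, target_ssid: str) -> dict:
    """Count directed probe requests per client MAC that name target_ssid."""
    hits = {}
    for frame in frames:
        parsed = parse_probe_request(strip_radiotap(frame))
        if parsed is not None and parsed[1] == target_ssid:
            hits[parsed[0]] = hits.get(parsed[0], 0) + 1
    return hits


# --- constructed sample frames; not a real capture ---------------------------
def build_mgmt_frame(fc0: int, sa: bytes, ssid: bytes) -> bytes:
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)          # 8-byte header, no fields present
    header = bytes([fc0, 0x00]) + b"\x00\x00" + BROADCAST + sa + BROADCAST + b"\x00\x00"
    ssid_ie = bytes([TAG_SSID, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x02, 0x04, 0x0b, 0x16])     # Supported Rates, so SSID is not the only IE
    return radiotap + header + ssid_ie + rates_ie


TARGET_SSID = "CCF-BYOD"                                 # hypothetical prison BYOD SSID
PHONE = bytes.fromhex("001122334455")                    # hypothetical MAC from the controller logs
RANDOMIZED = bytes.fromhex("02aabbccddee")               # locally administered, as a randomizing phone would use
SAMPLE_FRAMES = [
    build_mgmt_frame(FC0_PROBE_REQUEST, PHONE, b"CCF-BYOD"),
    build_mgmt_frame(FC0_PROBE_REQUEST, PHONE, b"CCF-BYOD"),
    build_mgmt_frame(FC0_PROBE_REQUEST, PHONE, b""),       # wildcard probe: no profile information
    build_mgmt_frame(FC0_PROBE_REQUEST, bytes.fromhex("daa11900aa01"), b"CoffeeShop"),
    build_mgmt_frame(FC0_PROBE_REQUEST, RANDOMIZED, b"CCF-BYOD"),
    build_mgmt_frame(FC0_BEACON, bytes.fromhex("00aabbccdd00"), b"CCF-BYOD"),  # an AP beacon must not count
]

if __name__ == "__main__":
    for mac, count in clients_probing_for(SAMPLE_FRAMES, TARGET_SSID).items():
        note = " (randomized MAC, cannot be tied to controller logs)" if is_locally_administered(mac) else ""
        print(f"{mac} probed for {TARGET_SSID!r} {count}x{note}")
```

Beacons and wildcard probes fall out of the result on their own: the beacon fails the frame-control check and the wildcard probe has no SSID to compare.  The locally-administered check is the practical caveat from the text: a phone that randomizes its probe MAC will still show up here by SSID, but that MAC will not match the one pulled from ClearPass or ISE.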

And there you have it: if we see probe requests for the SSID in question we have good reason to believe the phone, and presumably the inmates, are in the area.  It is a little far-fetched, but superhero work always is.

Coaxing Wifi Clients to make the right choice…


It is the wireless client that determines when it will roam and to which access point it will roam.  All we can do as designers is design and implement WLANs that make the clients’ decisions better.  There are also two amendments to 802.11 that aid in this effort.

802.11k and 802.11r (both since rolled up into 802.11-2012) were spearheaded to help clients make wise roaming choices.  If a client can roam faster, and roam to the access point that will provide the best performance, all clients in the ESS (the group of APs sharing the same SSID and security configuration) benefit.

802.11r, Fast BSS Transition (FT), is an amendment that provides continuous connectivity through faster secure roaming.  It works like this: the client performs the full 802.1X/EAP authentication only once, at its initial association, and the key material derived from it (the FT key hierarchy) is distributed to the other APs in the mobility domain.  When the client roams to one of those APs the keys are already waiting for it, and the 4-way handshake is folded into a short FT reassociation exchange instead of a full authentication.  This reduces the time it takes to complete a secure roam between APs.  There is another, less robust method called OKC (Opportunistic Key Caching); it is not part of the standard and depends on vendor support on both the client and the infrastructure.

802.11k, Radio Resource Measurement (not to be confused with Cisco’s controller feature of the same initials, RRM), helps a mobile unit roam to the best available access point.  Wikipedia lists five steps for how this works:

  1. The access point determines that the client is moving away from it.
  2. It informs the client to prepare to switch to a new access point.
  3. The client requests a list of nearby access points.
  4. The access point returns a neighbor (site) report.
  5. The client moves to the best access point based on that report.

So no, Mr. Mobile Client, we cannot make you roam, but we can use the recommendations the IEEE made to give you a strong incentive.  There is yet one more amendment which I know little about (802.11v), and it seems not many others know much about it either.  Furthermore it has not received much traction from vendors.  There is some interesting info posted on Ben Miller’s blog:

http://www.sniffwifi.com/2014/01/80211v-keep-dreamin-in-iphones-running.html


Which wireless certification is right for you?


You want to get certified in the WiFi field, but which one is right for you?  Well, Clark Kent will help you decide.  I presently have certifications granted by 3 of the biggest WiFi vendors and 3 vendor-neutral certifications.  First let’s look at the biggest vendors out there.  Cisco bought Meraki in late 2012, which kept them in the top slot.  HP bought Aruba, keeping them at a strong #2.

CWNP was founded as Planet3 Wireless, but I think it is simply CWNP now.  There are a total of 5 exams in the certification track: CWTS, CWNA, CWSP, CWDP, and CWAP.


I have taken all of these except the CWTS, which I skipped, and I have passed all of them except the CWAP, which I am presently working on.  These are great exams that really dig into RF and 802.11.  They also test your knowledge of the tools of the trade, like packet analyzers and spectrum analyzers.  The tests vary in price from $150 to $225.  It is a good idea to get one of the bundles from CWNP; they offer a bundle with practice exams, textbook, and exam voucher for $325.  At present there are only 163 CWNEs in the world.  This certification is the real deal.  Pass the CWNA and the 3 Professional-level certs and you are eligible to apply for the CWNE.  After you have published WiFi-related material and passed verification of employment and good character, the CWNP board will grant you CWNE status.

More info at the CWNP website: www.cwnp.com/certifications/

Cisco has a Wireless certification track which follows the same model as their other tracks: take the CCENT entry-level networking exam based on routing and switching, then take the CCNA Wireless.  To achieve the CCNP Wireless you will need to pass 4 exams, based on Site Survey, Voice/QoS, Security, and Mobility (which encompasses RTLS, WNMS, and mesh).  Once you achieve this (which I have) you can go for the CCIE, but only if you are a masochist.  I have passed the CCIE written but failed the CCIE practical exam twice.  I am not 100% sure, but I think I will subject myself to this again in the future.  There are also very few Wireless CCIEs; Cisco does not publish the exact number, but it was around 150 the last time it was referenced.  The Cisco track is very vendor-specific and not nearly as deep as CWNP in IEEE and RF fundamentals.  The exams vary from $125 to $250 for the associate and professional levels.  The CCIE written is $400 and the lab is $1600.

Cisco wireless certification page:

www.cisco.com/web/learning/certifications/associate/ccna_wireless/index.html

Aruba (an HP company) offers a track similar to Cisco’s to advance in the Aruba WiFi realm: the ACMA, ACMP, ACMX and ACDX.  I presently hold the ACMA and the ACMP.  I would say the Aruba track is a hybrid of the Cisco and CWNP tracks, as it is vendor-specific but strong on standards as well.  Aruba’s exams are all $125 except for the expert-level exams, which are $1000.  There is another track that is interesting and helpful, for Aruba’s ClearPass.  ClearPass is an access management platform that is great for BYOD and guest access as well as TACACS+ and RADIUS.

Find out more from Aruba here:

www.arubanetworks.com/pdf/education/DS_certification.pdf

Meraki also has a certification, the CMNA.  It is based on taking a class and completing the labs and an exam.  I did complete this certification, but it is in a different class of certs: it is not taken at a Pearson VUE testing center and it is free of charge.  Many vendors have this type of certification; I have done these for Enterasys, Symbol, and Motorola in the past.  In general, certifications are a great way to further your knowledge and education while increasing your earning potential.  Good luck and happy studying!