Category Archives: Cisco

Using WiFi to find Someone?


How could WiFi Superman use his knowledge of 802.11 technologies to help apprehend the escapees of the Clinton Correctional Facility?  Well, first we will need to suspend reality a bit, as inmates get very limited access to the Internet and cell phones are strictly forbidden.  But in our little story let’s suppose that the accomplice in this love triangle, “Tillie” Mitchell, gave the escaped convicts her smart phone.

So at the Clinton Correctional Facility there is a BYOD network that Tillie uses for her smart phone.  Let’s say that law enforcement finds out that she gave her phone to the escapees.  There are a couple of avenues a crime fighter could take; although a little far-fetched, they would be possible.  The first thing to investigate is the MAC address of the phone’s wireless card.

This could be determined in several different ways.  Most WiFi vendors’ systems keep client information in memory for some time, so if we knew the hostname of the device we could correlate it to a MAC address.  ClearPass and ISE keep data on clients and may let us narrow the search to a handful of MAC addresses if we only know the make and model of the device.  Once we have a MAC address, or a few of them, we can search for them on the airwaves.

Let’s say Richard Matt has relatives in Albany and police have a strong suspicion that he is on the lam and hunkered down there.  WiFi Superman could war-fly (akin to war-driving) until he finds the MAC address and try to pinpoint the building where they are hiding.  If Optimum Online were willing to help, they could look for the MAC address on their access points, and if they saw it on 3 or more access points we could locate the phone by triangulation.

Now let’s say we have no idea what the MAC address is.  Another plan of attack could theoretically work.  Clients discover networks in one of two ways: passive or active.  The prison has a specific SSID for its BYOD network and we know what it is.  When scanning, the client is looking for information on the available wireless networks.  In a passive scan the wireless NIC listens for beacons or probe responses.  Beacons will not help us; they could even hurt our effort if some access point happened to be broadcasting the same SSID.

In an active scan the client sends probe requests, and it can ask in one of two manners.  It can ask “Is anyone there?”: the SSID portion of the probe request is NULL (empty) and the frame is addressed to everyone (FF:FF:FF:FF:FF:FF).  That wildcard probe is of no use to us.  The client’s other option is to ask “Are you there, Bill?”: this request contains specific SSIDs stored in the wireless profiles of the client’s software (e.g. Wireless Zero Config).  Since we know the SSID from the prison, we can snoop for it.  By putting a laptop in promiscuous mode and collecting all packets in the area where we suspect the duo to be hiding, we can later filter the capture to show only probe requests and further filter on the SSID.
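The probe-request filter described above, worked at the frame level as an added example (not code from the original post): it decodes constructed probe-request bytes, reads the SSID element, and returns the client MACs that asked for a given SSID, ignoring wildcard probes and beacons.  The SSID name and MAC addresses are constructed for the demo.  It is the same check a WIDS runs to spot devices leaking an internal SSID in their probes.

```python
# Frame Control byte 0 = protocol version (2 bits) | type (2 bits) | subtype (4 bits).
# A probe request is a management frame (type 0) of subtype 4, so that byte is 0x40.
FC0_PROBE_REQUEST = 0x40
IE_SSID = 0  # element ID of the SSID information element

def parse_probe_request(frame: bytes):
    """Decode a raw 802.11 probe request (24-byte MAC header, then tagged IEs).
    Returns None for anything else (beacons, probe responses, data frames)."""
    if len(frame) < 24 or frame[0] != FC0_PROBE_REQUEST:
        return None
    sa = ":".join(f"{b:02x}" for b in frame[10:16])  # Addr2 = the client's own MAC
    ssids, pos = [], 24           # probe requests carry no fixed fields before the IEs
    while pos + 2 <= len(frame):
        elem_id, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:   # truncated element: stop and keep what we have
            break
        if elem_id == IE_SSID:    # length 0 is the wildcard "Is anyone there?" probe
            ssids.append(value.decode("utf-8", "replace"))
        pos += 2 + length
    return {"sa": sa, "ssids": ssids}

def clients_probing_for(frames, ssid: str):
    """Source MACs of directed probe requests that name the given SSID."""
    hits = set()
    for f in frames:
        p = parse_probe_request(f)
        if p and ssid in p["ssids"]:
            hits.add(p["sa"])
    return sorted(hits)

def build_probe_request(sa: str, ssid: str) -> bytes:
    """Constructed sample frame for the demo, not from a real capture."""
    bcast = bytes.fromhex("ffffffffffff")
    header = (bytes([FC0_PROBE_REQUEST, 0x00]) + b"\x00\x00"       # frame control, duration
              + bcast + bytes.fromhex(sa.replace(":", "")) + bcast  # DA, SA, BSSID
              + b"\x00\x00")                                        # sequence control
    ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])                # supported rates 1/2/5.5/11 Mbps
    return header + ssid_ie + rates_ie

# Constructed capture: a directed probe for the prison SSID, a wildcard probe, a probe for
# some other network, and a bare beacon header (subtype 8) that the filter must ignore.
PRISON_SSID = "Clinton-BYOD"  # assumed SSID name, not the facility's real one
SAMPLE_FRAMES = [
    build_probe_request("02:00:00:00:00:01", PRISON_SSID),
    build_probe_request("02:00:00:00:00:02", ""),
    build_probe_request("02:00:00:00:00:03", "HomeNet"),
    bytes([0x80, 0x00]) + bytes(22),
]
```

One caveat on the capture itself: probe requests are management frames, which an interface only hands up in monitor mode; promiscuous mode on an associated card shows data frames only.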

And there you have it: if we see the SSID in question we could ascertain whether the inmates are in the area.  It is a little far-fetched, but super hero work always is.

Heating up Wifi with Heat Maps


Patrick Hubbard of SolarWinds has written an article called “Wi-Fi heat map: Secret weapon for wireless network admins”.

It is an interesting read and I agree with most of the article.  I will offer one warning: heat maps are only as good as the information that has been fed to them.  When loading maps into WNMS systems it is critical to calibrate the floor plan accurately; otherwise your coverage will be over- or under-represented.  Some systems allow you to select the polarization of the antennas; this orientation is also critical for keeping the prediction somewhat accurate.  If you do not add attenuation values for objects like walls, doors, and windows, then the heat map is just a general estimate.  Adding attenuation will make the prediction more realistic.
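To put numbers on that warning, here is an added example (my own, not from the article or any WNMS product) that predicts RSSI with a simple log-distance model and shows how a naive heat map, with no wall attenuation and a floor plan calibrated slightly too small, reports a spot as covered that a more realistic prediction does not.  The per-obstacle losses, the 20 dBm EIRP, the 10% scale error and the -67 dBm target are all assumed values.

```python
import math

# Assumed per-obstacle attenuation in dB; typical planning-tool defaults are in this
# range, but use your tool's values or your own measurements.
OBSTACLE_LOSS_DB = {"drywall": 3.0, "door": 4.0, "window": 2.0, "brick": 10.0, "concrete": 15.0}

def fspl_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space path loss (Friis) in dB for distance in metres and frequency in MHz."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55

def predicted_rssi_dbm(eirp_dbm, plan_distance_m, freq_mhz, obstacles=(),
                       exponent=2.0, scale_error=1.0):
    """Log-distance model: FSPL at 1 m plus 10*n*log10(d), minus each obstacle's loss.
    scale_error > 1 means the floor plan was calibrated too small, so the true
    distance is larger than the one measured on the plan."""
    true_distance = max(plan_distance_m * scale_error, 1.0)
    path_loss = fspl_db(1.0, freq_mhz) + 10 * exponent * math.log10(true_distance)
    path_loss += sum(OBSTACLE_LOSS_DB[o] for o in obstacles)
    return eirp_dbm - path_loss

def is_covered(rssi_dbm, threshold_dbm=-67.0):
    """-67 dBm is a common voice-grade design target (assumed threshold)."""
    return rssi_dbm >= threshold_dbm

def compare(eirp_dbm, plan_distance_m, freq_mhz, obstacles, scale_error):
    """RSSI as a naive heat map shows it (no walls, plan taken at face value)
    versus the prediction with attenuation and the calibration error applied."""
    naive = predicted_rssi_dbm(eirp_dbm, plan_distance_m, freq_mhz)
    realistic = predicted_rssi_dbm(eirp_dbm, plan_distance_m, freq_mhz,
                                   obstacles, scale_error=scale_error)
    return round(naive, 1), round(realistic, 1)

# Constructed scenario: 20 dBm EIRP on channel 6 (2437 MHz), a point 25 m away on the
# plan, two drywall partitions and one concrete wall in the path, plan scale 10% too small.
NAIVE_RSSI, REALISTIC_RSSI = compare(20.0, 25.0, 2437.0,
                                     ("drywall", "drywall", "concrete"), 1.1)
```

The naive prediction lands around -48 dBm (comfortably "covered"), while the realistic one is around -70 dBm, below the -67 dBm target.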

So, as valuable as it is to see an estimate of your RF coverage, remember it is not a panacea and is only as good as the information it has been fed.


What’s in a (WiFi) word?


If I need a new WiFi access point, should I get an 802.11n access point, one that follows 802.11 Clause 20, or an HT access point?  Why not get them all?  That’s easy enough, you see, because they are all the same!

Let’s look at how this whole mess began.  The IEEE created the 802 family of standards in 1980.  You probably recognize 802.3 as Ethernet and maybe even 802.5 for Token Ring if you’ve been around like me.  The IEEE specifications that I deal with on a daily basis are 802.11 (WLAN) and 802.15 (WPAN).  Way back in 1997 the original 802.11 standard was born and soon followed by 802.11a and b in 1999.  802.11g was born in 2003 which used the same modulation as 802.11a and ported it to 5.0GHz.

By the time 2007 came around the IEEE decided to reboot the standard to 802.11-2007 by rolling up all the amendments (a,b,d,e,g,h,i,j) into this one.  The clauses are a little confusing and to make matters worse they changed in 2012 after a subsequent roll up.

Here are all the amendments (from Wikipedia) up until 2012…

  • IEEE 802.11-1997: The WLAN standard was originally 1 Mbit/s and 2 Mbit/s, 2.4 GHz RF and infrared (IR) standard (1997), all the others listed below are Amendments to this standard, except for Recommended Practices 802.11F and 802.11T.

  • IEEE 802.11a: 54 Mbit/s, 5 GHz standard (1999, shipping products in 2001)

  • IEEE 802.11b: Enhancements to 802.11 to support 5.5 Mbit/s and 11 Mbit/s (1999)

  • IEEE 802.11c: Bridge operation procedures; included in the IEEE 802.1D standard (2001)

  • IEEE 802.11d: International (country-to-country) roaming extensions (2001)

  • IEEE 802.11e: Enhancements: QoS, including packet bursting (2005)

  • IEEE 802.11F: Inter-Access Point Protocol (2003) Withdrawn February 2006

  • IEEE 802.11g: 54 Mbit/s, 2.4 GHz standard (backwards compatible with b) (2003)

  • IEEE 802.11h: Spectrum Managed 802.11a (5 GHz) for European compatibility (2004)

  • IEEE 802.11i: Enhanced security (2004)

  • IEEE 802.11j: Extensions for Japan (2004)

  • IEEE 802.11-2007: A new release of the standard that includes amendments a, b, d, e, g, h, i, and j. (July 2007)

  • IEEE 802.11k: Radio resource measurement enhancements (2008)

  • IEEE 802.11n: Higher-throughput improvements using MIMO (multiple-input, multiple-output antennas) (September 2009)

  • IEEE 802.11p: WAVE—Wireless Access for the Vehicular Environment (such as ambulances and passenger cars) (July 2010)

  • IEEE 802.11r: Fast BSS transition (FT) (2008)

  • IEEE 802.11s: Mesh Networking, Extended Service Set (ESS) (July 2011)

  • IEEE 802.11T: Wireless Performance Prediction (WPP)—test methods and metrics Recommendation cancelled

  • IEEE 802.11u: Improvements related to HotSpots and 3rd-party authorization of clients, e.g., cellular network offload (February 2011)

  • IEEE 802.11v: Wireless network management (February 2011)

  • IEEE 802.11w: Protected Management Frames (September 2009)

  • IEEE 802.11y: 3650–3700 MHz Operation in the U.S. (2008)

  • IEEE 802.11z: Extensions to Direct Link Setup (DLS) (September 2010)

  • IEEE 802.11-2012: A new release of the standard that includes amendments k, n, p, r, s, u, v, w, y, and z (March 2012)

Here is a handy little translator that explains further changes in the clauses from 2007 to 2012:



So that explains some things that are usually a little cloudy.  IEEE specs are not the only area in the wireless arena that can be confusing.  People’s definitions of Guest and BYOD often vary.  My understanding is that Guest is usually a specific type of BYOD, whereas BYOD implies that the user is an employee but owns their own mobile device.


Remember that networking is very technical stuff, and knowing the terms and what the acronyms stand for can be half the battle.  I will spare you all the discussion on MPDU versus PSDU; I guess that will be a future blog post.


Which wireless certification is right for you?



You want to get certified in the WiFi field, but which one is right for you?  Well, Clark Kent will help you decide.  I presently have certifications granted by 3 of the biggest WiFi vendors and 3 vendor-neutral certifications.  First let’s look at the biggest vendors out there.  Cisco bought Meraki in 2013 so that kept them in the top slot.  HP bought Aruba, keeping them at a strong #2.

CWNP was founded by Planet3 Wireless but I think is simply CWNP now.  There are a total of 5 tests in the certification track: CWTS, CWNA, CWSP, CWDP, and CWAP.

CWNP certs


I have taken all of these (except I skipped the CWTS).  I have passed all the exams except the CWAP, which I am presently working on.  These are great exams that really dig into RF and 802.11.  They also test your knowledge of “the tools of the trade” like packet analyzers and spectrum analyzers.  The tests vary in price from $150 to $225.  It is a good idea to get one of the bundles from CWNP.  They offer a bundle with practice exams, textbook, and exam voucher for $325.  At present there are only 163 CWNEs in the world.  This certification is the real deal.  Pass the CWNA and the 3 Professional-level certs and you are eligible to apply for the CWNE.  After publishing WiFi-related material and verification of employment and good character, the CWNP board will grant you CWNE status.

More info at CWNP website:

Cisco has a Wireless certification track which follows the same model as their other tracks: take the CCENT entry-level networking exam based on routing and switching, then take the CCNA.  To achieve the CCNP you will need to pass 4 exams.  The exams are based on Site Survey, Voice/QoS, Security, and Mobility (this encompasses RTLS, WNMS, and MESH).  Once you achieve this (which I have) you can go for the CCIE, but only if you are a masochist.  I have passed the CCIE written, but failed the CCIE practical exam twice.  I am not 100% sure, but I think I will subject myself to this again in the future.  There are also very few Wireless CCIEs.  Cisco does not publish the exact number, but it was around 150 the last time it was referenced.  The Cisco track is very vendor-specific and not nearly as deep as the CWNP in IEEE and RF fundamentals.  The exams vary from $125 – $250 for associate and professional level.  The CCIE written is $400 and the lab is $1600.

Cisco wireless certification page:

Aruba (an HP company) offers a track similar to Cisco’s to advance in the Aruba WiFi realm.  Aruba offers the ACMA, ACMP, ACMX and ACDX.  I presently hold the ACMA and the ACMP.  I would say that the Aruba track is a hybrid of the Cisco and CWNP tracks, as it is vendor-specific but strong on standards as well.  Aruba’s exams are all $125 except for the expert-level exams, which are $1000.  There is another track that is interesting and helpful; it is for Aruba’s ClearPass.  ClearPass is an access management platform that is great for BYOD and Guest Access as well as TACACS and RADIUS.

Find out more from Aruba here:

Meraki also has a certification called the CMNA.  It is based on taking a class and completing the labs and an exam.  I did complete this certification, but it is in a different class of certs.  It is not taken at a Pearson VUE test center and it is free of charge.  Many of the vendors have this type of certification.  I have done these for Enterasys, Symbol, and Motorola in the past.  In general, certifications are a great way to further your knowledge and education while increasing your potential for earning more.  Good luck and happy studying!



Why do you need 802.11ac?

REASONS YOU NEED 802.11AC

Originally posted 14 February, 2014

More, more, more

  • There are more devices, which cries out for efficiency
  • There are more applications, which demand higher performance
  • There is more multimedia, which necessitates getting users on and off quicker

Better coverage

  • Thanks to explicit transmit beamforming, your coverage is much more effective

Backwards compatibility

  • 802.11ac is backwards compatible with all other IEEE 802.11 standards
  • Even older chipsets will benefit from many of the enhancements of 802.11ac


  • If you do not have 802.11ac then you will not have any visibility into emerging 802.11ac threats
  • Even if you are not ready to rip and replace your legacy system you could benefit by adding some 802.11ac APs as monitors.

To read more on this topic go here: