Blogs – Dutch-Fi

19/01/201803/02/2018

Cisco Champion 2018

The Cisco Champions for 2018 have been announced and I am honored and proud to be able to announce that I have been selected. A special thanks goes to Pieter-Jan Nefkens (Twitter: @pjnef) for supporting and nominating me for this program.

What actually is a ‘Cisco Champion’? Several vendors have a global advocacy programs. For example the VMware vExpert and the Microsoft MVP programs. Well, for Cisco this is the Champion program.

But what defines a Champion? Well, Cisco Champions make a difference by:

Sharing experiences on Cisco products and services
Active in social communities such as Twitter, blogs or the Cisco Community sites
Contribute and share knowledge with the community others witch their questions

Cisco’s website describes it as follows:

Cisco Champions are passionate experts who share their perspectives with the community.

This designation comes with responsibilities. It is not a title you earn and then rest on your laurels. The exposure gives you the opportunity to help Cisco forward in areas which might need more attention and improvement. You can also help the community with challenges they are experiencing in day to day operations.

So I am proud of my designation as a Cisco Champion and will try to work even harder to deserve this title and help Cisco and the IT community wherever possible.

My expertise is primarily in Security and Wireless. So if you have any questions, don’t hesitate to ask. I will not always know the answer, but with the excellent Cisco Champion community behind me I am sure we will be able to help.

More information about the program can be found at https://communities.cisco.com/groups/cisco-champions

23/11/201705/02/2018

Frame classes

While studying for the CWNA and CWAP, you learn about the 802.11 State Machine. This describes the states of client connectivity during a session.

In the provided schematic there are three Frame classes mentioned.

Below an overview of these frame classes.

Class 1

Control frames
- Acknowledgement (ACK)
- CF-End
- Clear to send (CTS)
- Contention-Free (CF)-End+ACK
- Request to send (RTS)
Management frames
- Announcement Traffic Indication Message (ATIM)
- Authentication
- Beacon
- Deauthentication
- Probe Request / Response
- Spectrum Management Action. Only applicable in an IBSS.
Data frames
- Between stations in an IBSS

Class 2

Management
- Association Request/ Response
- Disassociation
- Reassociation Request / Response

Class 3

Management
- Block Ack Action
- Direct Link Setup (DLS)
- Quality of Service (QoS)
Control
- Action. Only applicable in an infrastructure BSS.
- Block Ack (BlockAck)
- Block Ack Request (BlockAckReq)
- Power Save (PS)-Poll
Data

07/08/201710/02/2018

Maximum allowed transmission power in the ETSI domain

In most Wi-Fi related documents, especially in study books, you read about the regulatory maximum allowed transmission power (EIRP) for access points.

The values described are usually based on the standards as defined by the United States Federal Communications Commission (FCC).

As a Dutch based Wi-Fi consultant these are not the values I can use as a standard for my configurations. In Europe the standard is defined by the European Telecommunications Standards Institute (ETSI).

In the following tables give an overview of the different values used in the ETSI domain.

2.4 GHz - DSSS / CCK modulation

Channel	Center frequency	Maximum EIRP
1	2412 MHz	18 dBm (63 mW)
2	2417 MHz	18 dBm (63 mW)
3	2422 MHz	18 dBm (63 mW)
4	2427 MHz	18 dBm (63 mW)
5	2432 MHz	18 dBm (63 mW)
6	2437 MHz	18 dBm (63 mW)
7	2442 MHz	18 dBm (63 mW)
8	2447 MHz	18 dBm (63 mW)
9	2452 MHz	18 dBm (63 mW)
10	2457 MHz	18 dBm (63 mW)
11	2462 MHz	18 dBm (63 mW)
12	2467 MHz	18 dBm (63 mW)
13	2472 MHz	18 dBm (63 mW)

2.4 GHz - OFDM modulation

Channel	Center frequency	Maximum EIRP
1	2412 MHz	20 dBm (100 mW)
2	2417 MHz	20 dBm (100 mW)
3	2422 MHz	20 dBm (100 mW)
4	2427 MHz	20 dBm (100 mW)
5	2432 MHz	20 dBm (100 mW)
6	2437 MHz	20 dBm (100 mW)
7	2442 MHz	20 dBm (100 mW)
8	2447 MHz	20 dBm (100 mW)
9	2452 MHz	20 dBm (100 mW)
10	2457 MHz	20 dBm (100 mW)
11	2462 MHz	20 dBm (100 mW)
12	2467 MHz	20 dBm (100 mW)
13	2472 MHz	20 dBm (100 mW)

5 GHz

Channel	Center frequency	Band	Maximum EIRP (DFS / TPC)	Maximum EIRP (no DFS / no TPC)	Maximum EIRP (DFS / no TPC)
36	5180	RLAN 1 - sub-band I (Indoor only) U-NII-1	N/A	23 dBm (200 mW)	N/A
40	5200	RLAN 1 - sub-band I (Indoor only) U-NII-1	N/A	23 dBm (200 mW)	N/A
44	5220	RLAN 1 - sub-band I (Indoor only) U-NII-1	N/A	23 dBm (200 mW)	N/A
48	5240	RLAN 1 - sub-band I (Indoor only) U-NII-1	N/A	23 dBm (200 mW)	N/A
52	5260	RLAN 1 - sub-band II U-NII-2A	23 dBm (200 mW)	20 dBm (100 mW)	N/A
56	5280	RLAN 1 - sub-band II U-NII-2A	23 dBm (200 mW)	20 dBm (100 mW)	N/A
60	5300	RLAN 1 - sub-band II U-NII-2A	23 dBm (200 mW)	20 dBm (100 mW)	N/A
64	5320	RLAN 1 - sub-band II U-NII-2A	23 dBm (200 mW)	20 dBm (100 mW)	N/A
100	5500	RLAN 2 U-NII-2C	30 dBm (1000 mW)	20 dBm (100 mW)	27 dBm (500 mW)
104	5520	RLAN 2 U-NII-2C	30 dBm (1000 mW)	20 dBm (100 mW)	27 dBm (500 mW)
108	5540	RLAN 2 U-NII-2C	30 dBm (1000 mW)	20 dBm (100 mW)	27 dBm (500 mW)
112	5560	RLAN 2 U-NII-2C	30 dBm (1000 mW)	20 dBm (100 mW)	27 dBm (500 mW)
116	5580	RLAN 2 U-NII-2C	30 dBm (1000 mW)	20 dBm (100 mW)	27 dBm (500 mW)
120	5600	RLAN 2 U-NII-2C	30 dBm (1000 mW)	20 dBm (100 mW)	27 dBm (500 mW)
124	5620	RLAN 2 U-NII-2C	30 dBm (1000 mW)	20 dBm (100 mW)	27 dBm (500 mW)
128	5640	RLAN 2 U-NII-2C	30 dBm (1000 mW)	20 dBm (100 mW)	27 dBm (500 mW)
132	5660	RLAN 2 U-NII-2C	30 dBm (1000 mW)	20 dBm (100 mW)	27 dBm (500 mW)
136	5680	RLAN 2 U-NII-2C	30 dBm (1000 mW)	20 dBm (100 mW)	27 dBm (500 mW)
140	5700	RLAN 2 U-NII-2C	30 dBm (1000 mW)	20 dBm (100 mW)	27 dBm (500 mW)

More information can be found on the ETSI website.

2.4 GHZ – ETSI EN 300 328 V2.1.1 (2016-11)

5 GHz – ETSI EN 301 893 V2.1.1 (2017-05)

05/11/201606/02/2018

Protected Management Frames (PMF)

Protected Management Frames (PMF) is described in the IEEE 802.11w-209 amendment. PMF increases security by providing data confidentiality of management frames, mechanisms that enable data integrity, data origin authenticity, and replay protection.

This protection applies only to Robust Security Networks (RSN) and just to a subset of the management frames. The frames which are required before and during the 4-way handshake are not protected. Therefore the protection is limited to the following frames:

Channel Switch Announcement
De-authentication
Disassociation
Robust Action
- Block ACK Request / Response
- Fast BSS Transition
- QoS Admission Control
- Radio Measurement
- Spectrum Management

Another limitation is the support of this amendment on the wireless clients. The Wi-Fi Alliance (WFA) interoperability certification program requires support for PMF. However, this requirement applies only when certifying for 802.11ac. This means that there are a lot of devices which do not support PMF.

When you decide to enable PMF on your wireless network, beware of the consequences. You could potentially prevent a lot of clients from your connecting to your network. Unless you are in full control of the clients on your network and know if 802.11w is supported, my recommendation would be to disable PMF.

There are other options, such as enabling PMF as optional instead of disabled or mandatory, but I am not sure if all clients support this.

The 802.11w-2009 amendment has been superseded by the 802.11-2012 standard.

07/09/201505/02/2018

Cisco VPN client in Windows 10

Although the Cisco VPN Client 5.x has been End-of-Support since July 2014, it is still widely used. Up till Windows 8.1 the program could be installed and would function properly. However, in Windows 10 the VPN client does not function … by default! There is a workaround to get the software to function.

Personally I would advise using the Cisco AnyConnect Secure Mobility Client v4.x. This program is fully supported by Cisco and functions under Windows 10. However, this client only supports SSL VPNs and remote access VPNs based on IKEv2.

In my experience many firewalls are still using remote access VPNs based on IKEv1. If you need the Cisco VPN Client 5.x for this reason, this document is for you.

Step 1

Obtain the latest Cisco VPN Client v5.x. This can be downloaded from http://www.cisco.com if you have the appropriate privileges.

Step 2

To be able to run the Cisco VPN Client you have to install a correct Deterministic Network Enhancer (DNE).

Download winfix.exe from ftp://files.citrix.com/winfix.exe, Install this file and run it.

If you already are on Windows 10, skip the following steps and jump to chapter ‘Additional steps for Windows 10 users’

If you are on Windows 8, download and install the latest DNE:

For 32-bit OS go to ftp://files.citrix.com/dneupdate.msi
For 64-bit OS go to ftp://files.citrix.com/dneupdate64.msi
Reboot the computer.

Step 3

Install the Cisco VPN Client
Reboot the computer

Step 4

There is a possibility that you run into error ‘Reason 442’:

To resolve this error, a Registry Key has to be changed.Open the registry editor (regedit)
Browse to the following Registry Key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA

Modify the DisplayName
- For x86, change the value data from something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter” to “Cisco Systems VPN Adapter”

- For x64, change the value data from something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows” to “Cisco Systems VPN Adapter for 64-bit Windows“

Reboot the computer

Step 5 – Optional

Error reason 443 – Additional steps for Windows 10 users –

If you experience error ‘Reason 443’ after following the instructions above, follow these steps in the exact order.

Uninstall any Cisco VPN software on the computer
Uninstall any DNE updater software
Reboot the computer
Run winfix.exe again
Reboot the computer
In order to run the Cisco VPN Client you have to install a new Deterministic Network Enhancer (DNE) versin. This is part of the SonicWall Global VPN Client and can be downloaded in a 32-bit (http://www.gleescape.com/wp-content/uploads/2014/09/sonic32.zip) and a 64-bit (http://www.gleescape.com/wp-content/uploads/2014/09/sonic64.zip) version.
Install the Dell SonicWall Global VPN Client
Reboot the computer
Install the Cisco VPN Client 5.x software
Open the registry editor (regedit)
- Browse to the following Registry Key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA

Modify the DisplayName if it states the following:
- For x86, change the value data from something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter” to “Cisco Systems VPN Adapter”
- For x64, change the value data from something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows” to “Cisco Systems VPN Adapter for 64-bit Windows“
Reboot the computer

The Cisco VPN Client should now work in Windows 10.