The conundrum of need for WiFi 6E

Recently, Apple released its new flagship 14 series iPhones and, to the surprise of many in the WiFi community, these phones did not seem to support 6E technology. A lot of people came out in support of Apple, arguing that 6E products do not have stable code versions and that Apple does not want to take the blame for poor performance, while others expressed disappointment that an industry leader in developing products with futuristic vision did not support a feature that is already on the market in other products (not talking about swipe typing here). My personal opinion is that Apple always does what it “thinks” is best for the customer and not what the customer wants or asks for. That turned out to be the case with 6E as well. Customers have been expecting it since the iPhone 13 release a year ago, but the wait continues for at least another year. The conversations in the WiFi community led to bigger questions. Do we need 6E capable devices and infrastructure today or in the near future? There is no right or wrong answer to this. It depends mainly on the individual case and what one is trying to solve. To get a definitive answer, one must work through multiple questions.

Firstly, let’s take a look at what 6E offers. Depending on the country you are in, an additional spectrum of up to 1200 MHz in the 6 GHz band is offered for WiFi use. This in itself is a big boon for all the environments that are saturated on 2.4 GHz and 5 GHz with high utilization WiFi client devices. So the first question to answer, if you are asking whether 6E is needed today, is how much of your spectrum in these bands is saturated. With the spectrum limitations before 6E, a lot of high bandwidth devices were recommended to be connected via ethernet, especially the ones that are not mobile. If an environment has such high bandwidth applications, especially ones that need mobility, then 6E is a must. It is important to note that these applications will have a better experience on wider 80 MHz channels than on the 20 MHz or 40 MHz channels used to an extent on the 5 GHz band. Mobile phones are probably at the end of the list (excluding IoT devices) of devices that need higher throughput. Even if they support 6E, is allowing them on 6 GHz, especially in BYOD cases, a wiser option than reserving this new spectrum for mission critical, bandwidth intensive applications? The answer is that we are probably better off not allowing them on 6E. There might eventually be a scenario where 2.4 GHz is used for IoT, 5 GHz for BYOD, guest and non critical applications, and 6 GHz for corporate high bandwidth and mission critical devices. Only time will tell, but now is the right time to envision the right fit.

The next major consideration with today’s products is firmware stability and efficiency. With 1200 MHz of spectrum come challenges in discovering, connecting to and roaming on the network. The question to be answered here is whether you have the time and resources to perform exhaustive testing of the devices that you are enabling the network for. 802.11 client device testing has not been popular to this day, mainly because of the need for multiple test data gathering devices (logs, pcaps, traffic generation etc.) and the time needed to analyze all these pieces of the puzzle. A lot of engineers certainly perform basic testing that involves validating device support for different 802.11 protocols, ensuring devices connect to networks, checking data loss during roaming etc., but not necessarily a deep dive. Cost benefit analysis has always indicated that a deep dive is not a worthy option for most use cases. That could change with WiFi 6E, which introduced a lot of new concepts in addition to the secret sauce every vendor tries to add. It is important to study and understand what is connecting to the network and what the expected or ideal behavior is before enabling devices to connect on different vendor infrastructures. To do that, it helps to have devices for testing rather than companies releasing products that do not support it (Hello Apple again !!).

The next question that often comes up is “we don’t have a use case for 6E yet, but we have an upcoming infrastructure refresh. Should we procure 6E access points?” There are three ways to approach this. The first is to procure WiFi 6 access points, which have been on the market for a couple of years now. The second is to procure WiFi 6E access points, and the third is to use what is currently in production and wait for WiFi 7 access points. There is a lot of uncertainty about WiFi 7 timelines and hence the third option is my least preferred. Between the first two options, the main considerations are the budget and product lead time. WiFi 6E access points are tri-band and tend to be more expensive than other models. But this option does provide a longer lifecycle and could save money in the long run. WiFi 6E access points have a different chipset than the previous models and, depending on the vendor you are working with, they might also have better lead times. A wireless infrastructure refresh may require a switching upgrade, mainly for the 802.3bt power requirement and (maybe) multigig switch ports. Although wireless vendors offer different features to make access points operational in limited capacity with 802.3at power, one must review these in detail to ensure they meet the requirements and to determine the need for switching upgrades.

There may or may not be a use case for everyone to leverage 6E today. But it is important to think about the strategy and roadmap to use this technology in improving the mobility experience. Answering some of these questions could be a great start in this process.

WPA3 – SAE in Action

In my previous blog, I discussed some of the concepts of Diffie Hellman (DH) key exchange and elliptic curve cryptography. In this post, I will discuss how these work together to enable secure connectivity with WPA3-SAE. To understand this better, I configured an SSID on a Juniper Mist access point with the authentication protocol setting toggled between WPA3-PSK + WPA2 and WPA3-PSK modes for different packet captures. WPA3-PSK + WPA2 is the transition mode, in which the SSID supports both legacy WPA2 (PSK) only clients and WPA3 SAE capable client devices, whereas WPA3-PSK mode supports SAE only. The Juniper Mist access point, an AP41, is on version 0.9.22801 and the client device, an iPhone XR that supports WPA3, is on iOS version 14.7.1.

First, let's examine the RSN Information element (IE) in the beacons with transition mode.

RSN IE SSID in Transition Mode

Notice that the authentication key management (AKM) suite list has two elements: 00-0F-AC-02 for PSK and 00-0F-AC-08 for Simultaneous Authentication of Equals (SAE). Management frame protection is enabled but not mandatory in transition mode. This enables backward compatibility with WPA2 PSK devices that don’t support management frame protection. The group management cipher suite has a suite type of 00-0F-AC-06, indicating it uses BIP-CMAC-128 for management frame encryption.

Now let's look at the RSN information element when the SSID is configured for WPA3-PSK mode.

RSN IE SSID in WPA3-SAE mode

The main differences between the transition mode and this one are that it supports only one type of authentication key management, 00-0F-AC-08 (SAE), and that management frame protection is mandatory. Examining the RSN IE in the beacons should help in identifying the SSID authentication settings.
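To make that check repeatable, the following added example (not part of the original post or any vendor tool) parses a raw RSN IE and reports which of the modes described above it advertises. The two sample elements are constructed to match the fields described in this post, not copied from the packet capture, and the function names are hypothetical.

```python
import struct

IEEE_OUI = bytes.fromhex("000fac")
AKM = {2: "PSK", 8: "SAE"}                      # AKM suite types named in the post
CIPHER = {4: "CCMP-128", 6: "BIP-CMAC-128"}     # cipher suite types
MFPR, MFPC = 0x0040, 0x0080                     # RSN Capabilities bits 6 and 7

# Constructed samples: element ID 48, length, then the RSN fields in order.
TRANSITION_IE = bytes.fromhex(
    "301e" "0100" "000fac04" "0100" "000fac04"
    "0200" "000fac02" "000fac08" "8000" "0000" "000fac06")
SAE_ONLY_IE = bytes.fromhex(
    "301a" "0100" "000fac04" "0100" "000fac04"
    "0100" "000fac08" "c000" "0000" "000fac06")


class _Reader:
    """Cursor over the IE body that fails loudly on truncated fields."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def left(self):
        return len(self.buf) - self.pos

    def take(self, n):
        if self.left() < n:
            raise ValueError("RSN IE truncated")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self):
        return struct.unpack("<H", self.take(2))[0]

    def suite(self, names):
        raw = self.take(4)
        if raw[:3] != IEEE_OUI:
            return "vendor:" + raw.hex("-")
        return names.get(raw[3], "00-0F-AC-%02X" % raw[3])


def parse_rsn_ie(ie):
    """Decode an RSN IE (including its 2-byte header) into a dict."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN IE (element ID 48)")
    if ie[1] != len(ie) - 2:
        raise ValueError("length field does not match element size")
    r = _Reader(ie[2:])
    out = {"version": r.u16(), "group_cipher": None, "pairwise": [], "akms": [],
           "mfp_capable": False, "mfp_required": False, "group_mgmt_cipher": None}
    # Every field after the version is optional; stop at the first one absent.
    if r.left():
        out["group_cipher"] = r.suite(CIPHER)
    if r.left():
        out["pairwise"] = [r.suite(CIPHER) for _ in range(r.u16())]
    if r.left():
        out["akms"] = [r.suite(AKM) for _ in range(r.u16())]
    if r.left():
        caps = r.u16()
        out["mfp_capable"] = bool(caps & MFPC)
        out["mfp_required"] = bool(caps & MFPR)
    if r.left():
        r.take(16 * r.u16())                    # skip the PMKID list
    if r.left():
        out["group_mgmt_cipher"] = r.suite(CIPHER)
    return out


def classify(info):
    """Map the advertised AKMs and MFP bits to the modes discussed in the post."""
    akms = set(info["akms"])
    if akms == {"SAE"} and info["mfp_required"]:
        return "WPA3-SAE only"
    if akms == {"PSK", "SAE"} and info["mfp_capable"] and not info["mfp_required"]:
        return "WPA3 transition (WPA2-PSK + SAE)"
    if akms == {"PSK"}:
        return "WPA2-PSK"
    if "SAE" in akms and not info["mfp_capable"]:
        return "inconsistent: SAE advertised without management frame protection"
    return "other"


if __name__ == "__main__":
    for name, ie in (("transition", TRANSITION_IE), ("sae-only", SAE_ONLY_IE)):
        print(name, "->", classify(parse_rsn_ie(ie)))
```
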

Now let's look into the SAE exchange between the access point and the client device.

Authentication Frame Exchanges

After the initial probe request and response, four frames are exchanged in SAE, in place of the two frames in the case of WPA2-PSK, which uses open system authentication. This four frame exchange is built on the principles of public key cryptography and Elliptic Curve Diffie Hellman (ECDH) groups. The first two frames are commit messages and the last two are confirm messages. Below is a snippet of the authentication element from a commit message.

Frame 1: Commit message 1

The authentication element of the frame has 6 fields. The first field indicates the type of authentication algorithm, which in this case is SAE, followed by a sequence number and status code. The next field, Group ID, plays a critical role in the SAE process. This ID refers to a set of parameters defined by IANA that help both the client device and the access point determine the point on an elliptic curve without having to exchange the password and other details over an insecure channel. Group ID 19 uses ECP, which defines the math behind mapping the PSK to a point P on an elliptic curve (EC) and mandates the use of 256 bit keys for high security. ECP provides higher security with less compute than the other DH groups that use MODP, which relies on modulus functions to determine P. Diffie Hellman exchange only works when both parties can agree on a common variable, in this case a point on an elliptic curve. The next fields are the scalar and the finite field element. The scalar is randomly chosen by the device and the finite field element (FFE) is the result of a calculation with P determined by using ECP.

The second commit frame is from the access point to the client device and contains the same elements with a scalar and FFE of its own.

Frame 2: Commit message 2

The third frame in the sequence is the confirm message from client device to the access point.

Frame 3: Confirm message 1

The fourth frame is the confirm message from access point to client device.

Frame 4: Confirm message 2

Each device uses the scalar and FFE received from the other device to calculate the shared secret that is the seeding material for the PMK calculation, and sends these confirm messages. It is important to note that the confirm field value in frames 3 and 4 is different because the order of values hashed by the client and the AP is different. However, each device can calculate the hash of the other device to confirm they are using the same key. The entire SAE exchange that calculates the shared secret and confirms it is also called the Dragonfly key exchange. If you are interested in the specific math details of the exchange, they can be found here. After the SAE exchange, the devices proceed with the association process followed by the 4-way handshake. The following summarizes the SAE frame exchange process.

Client             --Commit-->           Access Point
Client             <--Commit--           Access Point
Client             --Confirm-->          Access Point
Client             <--Confirm--          Access Point

Comparing this with the DH paint analogy makes it easier to understand.

Public Key Cryptography Demonstration

Alice and Bob agree on using a group ID defined by IANA to determine P on a curve, which can be treated as the common paint. They exchange the scalar and FFE over public transport, which can be treated as part of the public key. It is not possible to determine the private keys/secret colors from these values. They use this information to calculate the common secret and in turn the PMK that is used to derive session keys using the 4-way handshake. Because the secrets are device and session specific, even if the password is compromised, the attacker cannot decrypt the traffic of other users.
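As an added illustration (not code from the original post, the access point or the client), this Python sketch runs the commit and confirm steps on the group 19 curve and shows why the two confirm values differ while the PMK matches. The function names, the constructed MAC addresses, the simplified password-element search and the HMAC-based key derivation are assumptions made for the example; they are not the exact 802.11 procedures, are not constant time, and do not interoperate with real devices.

```python
import hashlib
import hmac
import secrets

# NIST P-256, the curve behind IANA group 19: y^2 = x^3 + A*x + B over GF(P)
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
R = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # group order


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def derive_pwe(password, mac_a, mac_b):
    """Simplified hunting-and-pecking: hash until x is a valid curve coordinate."""
    seed = max(mac_a, mac_b) + min(mac_a, mac_b)
    for counter in range(1, 256):
        h = hmac.new(seed, password + bytes([counter]), hashlib.sha256).digest()
        x = int.from_bytes(h, "big")
        y_sq = (pow(x, 3, P) + A * x + B) % P
        y = pow(y_sq, (P + 1) // 4, P)          # square root, valid since P % 4 == 3
        if x < P and y * y % P == y_sq:
            return x, (y if (y & 1) == (h[-1] & 1) else P - y)
    raise ValueError("no password element found")


def commit(pwe):
    """Return (private rand, scalar, element); scalar and element go on the air."""
    rand, mask = (secrets.randbelow(R - 2) + 2 for _ in range(2))
    element = mul(mask, pwe)
    return rand, (rand + mask) % R, (element[0], -element[1] % P)


def derive_keys(rand, own_scalar, peer_scalar, peer_element, pwe):
    """K = rand * (peer_scalar*PWE + peer_element); returns (KCK, PMK)."""
    k_point = mul(rand, add(mul(peer_scalar, pwe), peer_element))
    if k_point is None:
        raise ValueError("shared point is the identity")
    keyseed = hmac.new(bytes(32), k_point[0].to_bytes(32, "big"), hashlib.sha256).digest()
    ctx = ((own_scalar + peer_scalar) % R).to_bytes(32, "big")
    # Stand-in for the 802.11 KDF: two labelled HMACs over the same context
    return (hmac.new(keyseed, b"SAE KCK" + ctx, hashlib.sha256).digest(),
            hmac.new(keyseed, b"SAE PMK" + ctx, hashlib.sha256).digest())


def confirm(kck, own_scalar, own_element, peer_scalar, peer_element, send_confirm=1):
    """Confirm value: the sender's own scalar and element are hashed first."""
    fields = [own_scalar, *own_element, peer_scalar, *peer_element]
    msg = send_confirm.to_bytes(2, "little") + b"".join(f.to_bytes(32, "big") for f in fields)
    return hmac.new(kck, msg, hashlib.sha256).digest()


def run_exchange(client_password, ap_password):
    """Play both sides of the four frames and report what each side concludes."""
    sta, ap = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
    pwe_c, pwe_a = derive_pwe(client_password, sta, ap), derive_pwe(ap_password, sta, ap)
    rand_c, scal_c, elem_c = commit(pwe_c)                      # frame 1
    rand_a, scal_a, elem_a = commit(pwe_a)                      # frame 2
    kck_c, pmk_c = derive_keys(rand_c, scal_c, scal_a, elem_a, pwe_c)
    kck_a, pmk_a = derive_keys(rand_a, scal_a, scal_c, elem_c, pwe_a)
    conf_c = confirm(kck_c, scal_c, elem_c, scal_a, elem_a)     # frame 3
    conf_a = confirm(kck_a, scal_a, elem_a, scal_c, elem_c)     # frame 4
    # Each side recomputes, with its own key, what the peer should have sent.
    return {
        "confirm_client": conf_c, "confirm_ap": conf_a,
        "pmk_client": pmk_c, "pmk_ap": pmk_a,
        "ap_accepts": hmac.compare_digest(
            conf_c, confirm(kck_a, scal_c, elem_c, scal_a, elem_a)),
        "client_accepts": hmac.compare_digest(
            conf_a, confirm(kck_c, scal_a, elem_a, scal_c, elem_c)),
    }
```

Running `run_exchange` twice with the same password yields a different PMK each time, which is the session-specific property described above; a password mismatch makes both confirm checks fail.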


Wi-Fi Feasibility for your IoT Application

Today, every enterprise has Wi-Fi infrastructure in place to enable connectivity and mobility in the environment. It is safe to say Wi-Fi is ubiquitous and is the primary mode of connectivity for mobile phones, laptops, and a multitude of other things. But is using Wi-Fi for connecting all things a good solution? It certainly helps consumers/end users to have a single connectivity solution to use and manage. But if you are a product developer or someone involved in deciding on a connectivity solution for your Internet of Things (IoT) application, this might be helpful. In this blog post, I dive into some of the things that need to be considered to evaluate the suitability of Wi-Fi for different applications. For the purposes of this blog, any object that needs network connectivity is treated as part of IoT. It can be a laptop that has great compute resources or a sensor that merely detects temperature and transmits it. The following factors will help in determining how effective it would be to use Wi-Fi for connectivity.

Scale

When it comes to IoT, scalability is a key requirement that drives much of the technology conversation. How many devices does your application require? We can talk a lot about the theoretical number of simultaneous connections an 802.11a/b/g/n/ac access point (AP) can support, but in reality the number of devices that can have a reliable connection simultaneously depends on the throughput requirements, which will be discussed later. A few motion detector sensors, temperature sensors, security cameras and other smart home devices work great on home Wi-Fi, but when you scale the numbers into hundreds and thousands in a smart enterprise environment, Wi-Fi may not scale well enough to meet the requirements. As a rule of thumb, you can expect a typical 802.11a/b/n/ac access point to serve tens of client devices with individual throughput requirements of less than 1 Mbps. But capacity analysis and determining how many reliable connections an access point can provide is a much more complicated discussion. Advanced algorithms might have to be implemented to make the client devices turn their radios on/off when necessary so that the number of simultaneous connections at any time is within the Wi-Fi limits. However, things change when you consider the 802.11ah (HaLow) standard. This Wi-Fi technology operates in the sub 1 GHz band and was developed specifically for the Internet of Things, to support a large number of devices with low throughput requirements. Theoretically each HaLow access point can support 8,191 client devices, but I haven’t seen products in the market that support more than 250 connections. While this technology has promising features, there are not a lot of products in the market today.

Support for IPv4/IPv6

Devices need to support IPv4/IPv6 to be able to communicate over Wi-Fi. Supporting these protocols might require the client devices to have more compute than they would typically need to perform their intended tasks. Adding support for IP can add more overhead than the actual data, making the system inefficient. Support for IP on devices like mobile phones and laptops is a necessity, without which they can’t transfer the large amounts of data they are typically designed for. But adding IP support to a motion sensor detector can result in more overhead and less data. The overhead only increases with scale and is a good trade-off against having a different connectivity solution to manage. One other thing to consider is that IPv4 may not be sufficient at scale and could require IPv6. IPv4 is supported by all enterprises but IPv6 is still in the adoption phase. So support might have to be considered on both the client device and the consumer networks.

Power

802.11 capable devices tend to have less battery life when compared to 802.15.4 based devices that support protocols like LoRa, ZigBee etc. If client devices can be recharged frequently and can continue to operate while charging, using them on Wi-Fi can be great, but a lot of connected objects like temperature sensors operate on coin cell batteries. Using low powered devices that are expected to have a longer life (months or years) on Wi-Fi may not be an ideal solution. These devices operate more efficiently on 802.15.4 based protocols.

Throughput

One of the best attributes of Wi-Fi is the throughput it can offer. This is especially true when compared with other wireless protocols like Bluetooth, ZigBee and LoRa. Wi-Fi offers better throughput at an individual client device level as well as at an aggregate level, although both values fall with an increased number of connections per AP. Throughput requirements must be evaluated along with the scale factor because both are interdependent. Thousands of RFID tags might require a few Kbps per tag and an aggregate of a few Mbps of throughput, but a single inventory management robot that requires higher throughput to continuously scan and transmit data is a better client device to connect on Wi-Fi.

To be able to determine if Wi-Fi is the right connectivity solution for an IoT application, a combination of all these factors also needs to be considered. More throughput means more resource utilization, which translates to more power consumption, which makes the need for the client device to be recharged frequently more critical. On the other hand, if the throughput requirements are low, adding IP support can add enough overhead at scale to make the solution impractical. 802.15.4 based connectivity solutions might make more sense in those use cases. There could be a hundred other reasons to choose or not choose Wi-Fi for an IoT application, but these four factors are foundational to determining the suitability of the solution.

A good Wi-Fi design is about getting four things right..!!

Becoming a good Wi-Fi design professional requires extensive knowledge of different aspects of networking and also of some areas of project management. The 400+ pages of the CWDP book from CWNP teach you exactly that. From requirement gathering & analysis to post implementation validation, the CWDP curriculum is designed to make you a well rounded design professional. But are there nuggets to achieving a good Wi-Fi design? In this blog post, I explain why nailing four fundamentals is the key to achieving this.

Choice of Access Points

Selecting the right access point drives the entire design process. This is easier said than done. So how can we get the first step of the process right? Access points are typically of two types: the ones with an internal omnidirectional antenna and the ones with connections to an external antenna. Choosing between the two types needs a thorough requirement analysis. Is the goal to provide coverage or capacity? The main intent of coverage design is to provide good signal without taking into consideration how many clients connect. Coverage design works well for guest only or other networks where WiFi performance is not critical. Access points with internal omnidirectional antennae are a great fit for this purpose. But WiFi performance is more critical in today’s world than ever. That is where capacity design comes into play. Capacity planning requires an understanding of the number of clients expected to be on the network, the applications that will be used and the throughput SLA requirements per user or device based on these applications. Ideally it should also leave room for growth in the number of devices in the future. The capacity planner from Andrew is a great resource to determine how many access points are needed to meet the capacity requirements. The type of access point for capacity design really depends on the number of required access points and the layout. In high density spaces like auditoriums, large conference rooms, lecture halls etc., where the number of client devices per square foot is high, using access points with directional external antennae will be highly beneficial. Office spaces with a well spaced desk layout can work with APs with omnidirectional antennae. But as the scale increases (devices, additional floors), use of directional antennae may be required for creating smaller coverage cells. I have a blog post that explains the need for these antennae in modern enterprises. This should help in choosing the correct type of access point for your deployment.

Location of Access Points

Once the required types of access points are determined for the deployment, the next step is to determine the ideal placement of these access points on the floor plan. This can be done in a couple of ways. One design survey method is the AP on a stick method. This process involves placing an AP in the actual environment, taking readings with site survey software and determining the correct placement for optimal signal. The Clear to Send blog has very good content on how to perform this type of survey. It is important to note that this is not a scalable way of determining the AP locations. The second method, called predictive design, is a scalable solution. This requires the use of site survey software like Ekahau Pro or iBWave Wi-Fi to identify the ideal AP placements. Most predictive site survey software comes with default attenuation values for walls and other obstacles in the environment. It is recommended to use a combination of both survey methodologies to make the design more accurate. The AP on a stick method can be performed in parts of the environment to determine the attenuation values of different obstacles, which are then input into the site survey software to improve the accuracy of the predictive models. As a rule of thumb, never place APs in the hallways and always try to leverage the walls to reduce cell size, especially when omnidirectional antennae are in use. For capacity designs, the AP placement should depend not solely on coverage but also on client density. High density spaces will require a larger number of access points in closer proximity than other areas. Designs that involve placing APs every ‘x’ feet might miss some obstacles that prevent signal penetration. Shotgun implementations like adding APs where people need them can result in over engineering. These are only a few of the many reasons why determining ideal AP placements is the second fundamental one needs to get right to achieve the required performance.

Channel Planning

With continuous improvements to the proprietary Radio Resource Management (RRM) protocols, many vendors today recommend using auto channel settings in any environment. This may not necessarily result in optimal performance. Coming up with a good channel plan that reduces adjacent and co-channel interference is an important step in achieving better results. 20 MHz channels are widely recommended in enterprise environments. But each case is unique and needs to be evaluated accordingly. Perhaps there is an area in the environment where clients perform file transfers frequently and can benefit from 40 MHz channels. The environment might be close to an airport, which results in frequent channel switching when using default RRM settings. Such environments could benefit from disabling some of the DFS channels. The range of 2.4 GHz is considerably better than that of 5 GHz. So some 2.4 GHz radios might have to be turned off to reduce interference. Even among the 5 GHz channels, channel 36 will have better range than channel 165, although the difference is not too considerable. Some clients may not support all channels. All these factors need to be taken into account in the design phase to be able to deliver more predictable performance. Static channel assignment yields the best results, but performance when using RRM and device profiles with appropriate settings does not fall far off either. More than anything, using RRM vs static channel assignment is a question of scalability. In any case, coming up with a channel plan manually or using the auto channel assignment options in the predictive survey tools will give better insight into what the actual coverage and channel overlap is going to be post deployment.

Transmit Power Setting

One of the frequently overlooked settings is the transmit power on the access point radios. Using default RRM settings can be quite catastrophic in some cases. Especially when access points are transmitting at high power, the network can face multiple issues in the form of interference, asymmetric uplink/downlink connections, hidden node issues etc. Customizing the Tx level in the RRM settings can yield the best results without the need to set static power levels on all access points. The ideal maximum Tx power at which APs transmit should be equal to the transmit power of the least capable most important device in the environment, and the minimum Tx power should be equal to the power at which all APs can provide the required minimum coverage. Predictive site survey tools give you the ability to simulate coverage at different power levels, and this will help in determining the values that need to be configured in RRM to make the best use of it.

There are a ton of other requirements for successful planning, implementation and validation of a good WiFi network, but the design is always at the core of it. It is the foundation on which the entire process is built, and getting these four fundamentals right is the key to an optimal design.

A Checklist of Expenses for your WiFi project

Looking to install new WiFi infrastructure or upgrade your current system? Wondering what costs are involved for your project? Here is something that might help. Having worked on multiple WiFi projects ranging from tens of access points (APs) to thousands of access points, I thought it might be a good idea to have a checklist of costs involved in these projects. To keep things simple, costs can be categorized into one of 1. Materials and 2. Time.

Let’s take a look at the materials cost first. This will comprise hardware, software and other miscellaneous expenses. At a basic level, this will include the cost of access points and corresponding licenses. Depending on the choice of vendor solution, a controller (physical or virtual machine) or a subscription (for cloud solutions) will have to be purchased for network management. In general, licenses are sold for 1, 3 and 5 year terms. The latest WiFi products are not expected to be End of Life for 5 years from their release date, but I have seen companies preferring a 3 year refresh cycle to be able to take advantage of the latest protocols. Depending on the appetite for future upgrades, the licenses can be purchased accordingly. For some vendor solutions, a separate support contract might have to be purchased for troubleshooting help and RMA purposes. These contracts are available with different SLAs and can be chosen appropriately. The next material expense is cabling. If you already have wireless infrastructure in place, additional cabling might be required for APs that may have to be added, or existing cabling might need an upgrade to Cat 6 cables. Another expense is the need for switching infrastructure. If you already have POE+ capable switches with enough available ports and power budget on each one, this may not be required. Additional racks might be required to accommodate the new switches. Most access points today require POE+ but there are also some that can fully operate with POE. If buying new switches with these capabilities is not an option, an alternative is to use POE/POE+ injectors. Assessing the existing environment is critical in determining the cabling and switching costs. If the environment primarily consists of a typical grid style drop ceiling, in most cases the mounts included in the access point package should work. Otherwise, additional mounting hardware might have to be purchased. If the environment has areas with a high density of users, the wireless engineer could recommend using access points with external (directional) antennae. It is worth keeping the mounting hardware for these antennae in the checklist as well. Additionally, conduits and electrical boxes might be required for mounting access points on certain ceiling types. NEMA enclosures might be required to protect the access points in outdoor installations. If there are no in-house engineering/cabling/project management resources, consultants might have to be hired. So it is important to keep in mind the travel costs, which may include flights, rental cars, hotel and food expenses for these consultants. When hiring consulting companies, a maintenance contract might also have to be purchased with them for ongoing support post implementation. To summarize, here is a checklist of material expenses involved in a WiFi project:

  1. Access Points
  2. Controllers
  3. Licenses
  4. Vendor Support contracts
  5. Cables
  6. Switches
  7. Racking for switches
  8. POE/POE+ injectors
  9. Antennae
  10. Mounting Equipment for Access Points & Antennae
  11. Conduits
  12. Electrical boxes
  13. NEMA enclosures
  14. Consultant travel related expenses
  15. Consultancy maintenance agreement

Moving on to the time costs. This category will primarily include expenses on engineering & project management along with cable technicians. Provided the project involves more than a couple of access points, it will need at minimum a wireless engineer and a cable technician. If you do not have an IT team with resources capable of performing wireless design, implementation and validation, it is recommended to hire consultants to do these tasks. Each of these steps is critical to providing better performance. A network engineer might be required to configure the switching and routing aspects of the network but, in a lot of cases, a wireless engineer will have the skills to do these tasks. Cable technicians need to be hired for cabling and installers for access point installation. Resources for cabling can usually also install the access points. If there is a business requirement to provide outdoor coverage, a certified electrician might have to be hired to drill into the external walls. A lot of small scale projects (< 50 APs) wouldn’t need a dedicated project manager, but the larger the project gets, the higher the benefit of having project management resources. A systems engineer may also be required for installing/configuring servers for services such as RADIUS, Active Directory, LDAP etc. if they don’t already exist in the environment. To summarize the time costs, here is a checklist:

  1. Wireless Engineer
  2. Network Engineer
  3. Cabling Technician
  4. Access Point Installer
  5. Project Manager
  6. Systems Engineer

The estimates for the costs vary depending on a lot of factors including but not limited to choice of vendor, scale of the project, reseller discounts etc. The goal of this blog post was to provide a checklist of expenses rather than an estimate of expenses and I hope it can be of good help for your project.

Autocad LT for Wi-Fi Engineers – Managing Layers

Are you a Wi-Fi engineer who received a CAD file to perform a design in Ekahau but couldn’t, because the sheer number of layers slowed down the software or made it hard to understand the floor plan after importing? You are not alone. If Wi-Fi design is part of your job description, this is something you come across often and, a lot of the time, a CAD engineer is not easy to find to assist with cleaning the file. I faced similar situations and decided to identify good software that can help me do the clean up. I evaluated a number of free open source as well as proprietary software packages and identified Autocad LT as a great fit for Wi-Fi design engineers. The LT version of Autocad is supported on both Mac and Windows with a retail price of $420, compared to $1690 for the full version, which offers many more capabilities and features that are not necessarily useful for Wi-Fi design. In this blog post, I will describe how to manage layers to clean up the floor plans and best optimize them for AP placements using Autocad LT for Mac.

Autocad LT provides multiple shortcuts for each operation. Once you open the CAD file using file -> open or cmd + O, pressing cmd + 4 shows the layers tool on the right, which can be popped out into a new window by clicking on the top right corner of the tab.

Displaying Layers Tab with CMD + 4

Clicking on any object on the floor plan shows the layer to which it belongs. Some layers are hard to read due to the choice of color. It can be changed simply from the layer property as shown in the video below.

Change Color of a Layer

If your file has tens of layers, an efficient way to browse the list is using the search window at the bottom.

Using Search Tool to Browse Layers

Once you identify the layer you would like to modify, you can select it and perform different operational tools. We focus primarily on four layer tools (highlighted from left to right)

  1. Freeze
  2. Turn off
  3. Lock
  4. Unlock
Layer Tools

You can perform them one layer at a time or on multiple layers by selecting them using cmd + click. The first two operations, freeze and turn off, can be used to disable or hide layers on the floor plan. Visually both operations give the same result, but it is important to note one key difference. Turning off a layer disables it for the current instance only, and it reappears whenever the file is reopened. Freezing a layer, on the other hand, results in Autocad releasing it from memory. The layer will still be available to be thawed (unfrozen) at a later point if required. A frozen layer will not be shown on the map while importing on Ekahau, whereas a layer that is turned off will be visible. Another layer tool available is lock. Locking a layer prevents users from making any changes to that particular layer, whereas unlocking enables editing. Ekahau Site Survey sometimes has difficulty reading locked layers, so it is recommended to have all required layers unlocked.

These operations can be performed in a couple of ways.

  • Select the operation highlighted in the above picture and next click on any object of the layer you want to apply to.
Using Layer Tools – Option 1

or

  • Select the layer in the list and perform the operation using the tools in the same row with a simple click. The freeze and lock are intuitive on UI but turn off is shown under “visibility” (eye icon) of the layer properties window.
Using Layer Tools – Option 2

Please note that the freeze operation cannot be performed on the currently active layer, meaning the layer you are currently working on. To freeze it, you need to make some other layer active first. In the video shown below, I tried to freeze layer “01” but it was active.

Changing Active Layer

Freezing all unnecessary layers will make the floor plan look more legible and easier to create AP placement maps on Ekahau.

Mentioning an Ekahau Pro caveat I noticed seems to be a good way to finish this blog post. During one of the design exercises, I noticed the software was not reading some layers while importing. Opening a case with Ekahau revealed that the software does not detect layers without a Poly-object, poly-gon, poly-line or poly-circle. Ekahau support mentioned these are the basis for which the Wall Outlining Wizard allows you to configure as a wall (such as drywall or brick wall). So if you notice the same issue where some layers are not detected, it is possibly due to a missing poly object. The workaround would be to identify the layer, make it active and add a poly line from the draw tool on the left tool bar. This is demonstrated in the video below. In this video, it was assumed that the title block layer was not being detected on Ekahau because it was a text-only layer.

Drawing a Poly Line

Reference:

CAD file from https://www.cadblocksfree.com/en/4bhk-design-second-floor-plan-.dwg.html

Keys to Understanding WPA3 – SAE : Diffie-Hellman Key Exchange, Elliptic Curve Cryptography and Dragonfly Key Exchange

WPA3 certification was introduced by the Wi-Fi Alliance in 2018 as a successor to WPA2. It aims to alleviate the vulnerabilities in WPA2 and provide more secure wireless networks. It introduces new concepts like Simultaneous Authentication of Equals (SAE), Dragonfly key exchange, NIST elliptic curve cryptography etc. To make it easier to understand WPA3 as a whole, I will be discussing each component individually in detail. WPA3 replaces Pre-Shared Key with Simultaneous Authentication of Equals (SAE) to derive the Pairwise Master Key (PMK), which enables secure communication even when the password is compromised. To understand how this is achieved, we need to understand how Diffie-Hellman key exchange and elliptic curve cryptography work in conjunction with the Dragonfly key exchange.

Diffie-Hellman Key Exchange establishes session key between two entities without actually having to exchange any key information over a public insecure channel. Let’s get into the security terms of Alice and Bob being the two entities. Alice and Bob agree on two numbers g and p where p is a prime number. Alice chooses her private key to be a and Bob chooses b.

Alice calculates $g^a \bmod p$ and sends it to Bob. Bob calculates $g^b \bmod p$ and sends it to Alice. This exchange happens over an insecure channel. Alice and Bob then each perform the same operation on the value they received: raising it to their own private key, modulo p.

Alice                         <--agree on g and p-->           Bob
$g^a \bmod p$                   <----Exchange---->             $g^b \bmod p$
$(g^b \bmod p)^a \bmod p$        --Derive key--                $(g^a \bmod p)^b \bmod p$

For example, consider a=4 b=3 p=23 and g=5.

Alice             <--agree on g=5 and p=23-->   Bob
$g^a \bmod p = 4$                  <----Exchange---->      $g^b \bmod p = 10$
$(g^b \bmod p)^a \bmod p = 18$      --Derive key--         $(g^a \bmod p)^b \bmod p = 18$

The strength of the algorithm lies in the fact that $(g^b \bmod p)^a \bmod p$ is the same as $g^{ba} \bmod p$, and with large values of a, b and p it will be computationally close to impossible to obtain $g^{ba} \bmod p$ without knowing the private keys a and b. This is an example of a trapdoor function, which is nothing but a one-way function that states for a given x it is easy to calculate $y = f(x)$ but very difficult to find $x = f^{-1}(y)$. The basic concept of DH Exchange cannot be explained better without the paint analogy.

In this analogy g and p are common paint, a and b are secret colors and $g^{ab} \bmod p$ is the common secret derived. This was one of the earliest implementations of Diffie Hellman algorithm. CWSP-206 study guide explains the same concept with different trapdoor function.

Here George and Billy agree on using 3 and 5 as their commonly agreed numbers and the operation they use is raised to the power.

George ($3^5 = 243$)        ------------         Billy ($3^5 = 243$)
secret 4, $243^4$          <------------>        secret 7, $243^7$
$(243^4)^7$                 ------------         $(243^7)^4$

Now that we have a good idea of what DH key exchange means, let’s take a look at Elliptic Curve Cryptography (ECC).

Elliptic curves like the one shown in the picture are sets of points bound by the equation $y^2 = x^3 + ax + b$. Different curves use variations of this equation. To derive the PMK, WPA2 uses a well-known hash function on the password, whereas in WPA3 the password is indexed onto a point on the curve, which is then used as a generator to hash and derive the PMK. Hashing a password directly can be susceptible to a dictionary attack. But it becomes very difficult to do this on generator points on an elliptic curve, because a change in a single character of the password can lead to a different generator point, hashing of which can result in a totally different PMK.

WPA3 also makes it impossible to derive the PMK of individual sessions even when the password is compromised. Knowing the password can help the hacker identify the generator point on the elliptic curve, but the integration of Diffie-Hellman with ECC into the Dragonfly key exchange makes it impossible to derive an individual session's PMK. The trapdoor function in this case could be scalar multiplication. According to the discrete logarithm problem, for two points Q and P on the elliptic curve where Q = n.P (n times P), it is impossible to determine ‘n’ based on only Q and P.

Let’s take a deeper dive into Dragonfly Key Exchange

The client device and access point in this diagram are both configured with a password for authentication. Client device chooses a secret A and access point chooses secret B. At this point let’s assume the password is already compromised and the hacker knows the generator point for PMK. Client hashes the secret A with generator point and transmits DH Hash A. Access point does similar process with secret B to create DH Hash B and transmits it to client. Having received DH Hash B, client hashes it with secret A to derive the PMK and access point hashes its secret B to derive the same PMK following the DH exchange as described earlier. Without knowing secret A and secret B, the hacker will not be able to derive PMK just from the password.
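The Diffie-Hellman exchange and the password-compromise argument described above, as an added Python example (not code from the original post). It is a simplified integer-group illustration and not SAE itself: the modulus `P_DEMO`, the hash-based `password_to_generator` mapping, the sample password and all function names are assumptions made for the demonstration.

```python
import hashlib
import secrets

# Assumption: 2**127 - 1 (a Mersenne prime) is used only because it is short
# enough to embed; it is not a group any Wi-Fi standard specifies.
P_DEMO = 2**127 - 1


def dh_public(g, private, p):
    """Value sent over the insecure channel: g^private mod p."""
    return pow(g, private, p)


def dh_shared(peer_public, private, p):
    """(peer_public)^private mod p, which equals g^(ab) mod p on both sides."""
    return pow(peer_public, private, p)


def brute_force_private(g, public, p):
    """Exhaustive discrete-log search. Finishes instantly for p = 23, which
    is why the text insists on large values of a, b and p."""
    for x in range(1, p):
        if pow(g, x, p) == public:
            return x
    return None


def password_to_generator(password, p=P_DEMO):
    """Toy stand-in for mapping the password to a generator. WPA3 maps it to
    a point on an elliptic curve; this hashes it into the range [2, p-2]."""
    digest = hashlib.sha256(password.encode()).digest()
    return 2 + int.from_bytes(digest, "big") % (p - 3)


def derive_key(shared, p=P_DEMO):
    """Hash the shared secret into a fixed-size key (stand-in for the PMK)."""
    raw = shared.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).hexdigest()


def run_session(password, p=P_DEMO):
    """One exchange: fresh secrets A and B, generator fixed by the password."""
    g = password_to_generator(password, p)
    a = 2 + secrets.randbelow(p - 3)        # client's secret A
    b = 2 + secrets.randbelow(p - 3)        # access point's secret B
    pub_a, pub_b = dh_public(g, a, p), dh_public(g, b, p)
    return {
        "g": g, "pub_a": pub_a, "pub_b": pub_b,   # all an observer can learn
        "client_key": derive_key(dh_shared(pub_b, a, p), p),
        "ap_key": derive_key(dh_shared(pub_a, b, p), p),
    }


if __name__ == "__main__":
    # The worked example from the text: a=4, b=3, p=23, g=5.
    A, B = dh_public(5, 4, 23), dh_public(5, 3, 23)
    print(A, B, dh_shared(B, 4, 23), dh_shared(A, 3, 23))
    print("recovered a:", brute_force_private(5, A, 23))
    # Same (compromised) password, two sessions: same g, different keys.
    s1 = run_session("constructed-password")
    s2 = run_session("constructed-password")
    print(s1["g"] == s2["g"], s1["client_key"] == s1["ap_key"],
          s1["client_key"] != s2["client_key"])
```

With p = 23 the private key falls out of a 22-step search, while the same search over `P_DEMO` is out of reach, which is the gap between knowing the password-derived generator and knowing a session's key.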

I hope this helped in understanding the WPA3 – SAE fundamentals. If you are interested in learning more I recommend the video playlist from Mojo networks on youtube which provides a simplified yet informative explanation on WPA3 concepts. I will be writing another blog post on frame exchanges during WPA3 – SAE authentication in the future.

References:

  1. CWSP-206 Study and Reference Guide from Certitrek
  2. Wikipedia
  3. Youtube playlist on WPA3 Enhancements by Mojo Networks

Automation of Operational Tasks on Mist Infrastructure

Ever since I posted my first python script to upgrade Mist Infrastructure, I was intrigued with the endless opportunities to automate daily tasks on Mist. I also got the chance to improve my python skills and learned how using modules can enable code reusability and improve efficiency. In this post I am sharing my Github repository which contains four basic scripts to help with some operational tasks. The repository will be updated frequently with new scripts that will help in increased automation.

Save this repository to your computer

Be sure you have [git](https://git-scm.com/downloads) installed then run the command

git clone https://github.com/opravipati/MistScripts.git

Install Dependencies

The first step required to run the scripts is to install the dependencies.
In the directory that contains the scripts, run:

pip3 install -r requirements.txt

Generate Token

Once you have the packages installed, the next requirement is to populate your token and OrgID information in the mistmodule.py file. For steps to create your token and identify your OrgID, please visit https://www.mist.com/documentation/using-postman/

Mist API Documentation

Home Page https://api.mist.com/api/v1/docs/Home

Repository currently contains five files.

  • mistmodule.py contains the functions that will be used from other scripts. This will also be the file where you store your token and Organization ID information

To start using these scripts , please add your token and Org Id to mistmodule.py file

def getVar():
    token = "#Token Here"  
    orgId= "#ORGID Here" 
    return token,orgId
  • orgUpgrades.py can be used to upgrade infrastructure at all sites in the organization

To upgrade access points at all sites in your Organization, please set the version in orgUpgrades script in the function shown below

def siteUpgrade(siteId):  # Function Upgrades access points at a site.
    payload = {
        "version": "0.5.1944", #Version to upgrade to
        "enable_p2p": True #Enabling peer to peer upgrade
    }

If you want to upgrade only specific model of APs, the payload can be modified accordingly.

{
    "version": "3.1.5",
    "enable_p2p": false,
    "models": [
        "AP41"   
    ]
}
  • siteUpgrade.py can be used to upgrade infrastructure at any one site in the organization. This will prompt you to enter a site name. The version on the payload needs to be updated in this file similar to orgUpgrades.py.
  • orgOfflineAPs.py can be used to provide a list of offline APs in the organization. Running this script will result in a CSV file with the list of APs. Please note the APs need to have a name in order to appear in the list. Mist APs by default display the mac address under the name on UI. Such APs will not be included in the csv file.
  • trackClients.py can be used to track client details every 60 seconds. When this script is executed, it prompts you to enter a mac address of the client and the site name to track. Mist updates its client information every 60 seconds and so the default frequency to track client has been set to the same value.

Time Analysis of 802.1X EAP-TLS and 802.11r !!

Ever wondered how much time does an entire EAP-TLS protocol exchange take? How efficient is 802.11r in minimizing packet loss during roaming process? You might have already known 802.11r FT over-the-air takes only four frame exchanges between the client and the AP to complete roaming process. But how long does this process take? This post will answer these questions. 802.1X and 802.11r are complex enough to have deep dive blog posts. So, I will discuss only some basics to give context to this time analysis.

EAP-TLS is considered one of the most secure frameworks for authentication. The high security comes from the requirement of using client-side certificates and maintaining a Public Key Infrastructure (PKI) which contains the certificates. An overview of the frame exchanges is shown in the picture below.

Once the client device (supplicant) goes through the open system authentication and association process, it initiates an EAPOL start message. The use of the EAPOL start message is optional. The access point (authenticator) sends an EAP Request message asking for the identity of the supplicant. The supplicant can send a response with a real or a dummy identity depending on the configuration. The authenticator will then initialize an Access Request to the Authentication Server with the identity provided by the supplicant. The authentication server presents the server certificate, which the supplicant validates before presenting the client certificate to the server. The supplicant may or may not choose to validate the server certificate, but validation will provide mutual authentication thereby providing better security. After the supplicant provides its certificate, the server validates it and sends an access accept or reject message depending on the authenticity of the client certificate. It must be noted that this is only an overview of the process when in reality there are numerous other handshake messages between supplicant and authentication server before the final access accept/reject message. The end result of a successful EAP-TLS exchange is a Master Session Key (MSK), which is used to generate the Pairwise Master Key (PMK), which is in turn used to generate session keys through the four way handshake for encrypting packets between client and access point.

Fast BSS Transition (FT) uses the concept of key hierarchy to generate multiple keys that will help in efficient roaming. It uses a three level key hierarchy. The MSK from 802.1X EAP process is used to generate first level PMK which is called PMK-R0. PMK-R0 is used to generate second level keys PMK-R1 which generates Pairwise Transient Key (PTK) which is used for encryption between client and access point. Depending on the WLAN architecture, these keys are stored by different devices. I used Mist Systems infrastructure in this case. Mist architecture does not contain a centralized controller. So the PMK-R0 derived from MSK is stored in the access point the device initially connects to. PMK-R1 keys are generated for each access point in the network and transmitted over a secure channel. The following picture shows a summary of where keys are stored.

In summary for first connection, client device needs to go through open system authentication, association, 802.1X EAP process and 4-Way handshake before being able to successfully send its first data packet. The process is shown below

The device is authenticated during the first connection and so when roaming it should not have to go through the entire 802.1X process again to prove its identity. However, it would still have to go through open system authentication (2 frames), re-association (2 frames) and 4-way handshake (4 frames) procedures to be able to communicate on the new access point. That would be eight frames not including ACKs between the new AP and client device. FT defines two methods to enable enhanced roaming: Over-the-air Fast BSS Transition and Over-the-DS Fast BSS Transition

Mist infrastructure employs over-the-air mechanism by default. With this method, FT effectively combines the 4-way handshake functionality with open system authentication and re-association frames thereby reducing the number of frames by half. The roaming process is shown below:

For this study, I chose an android mobile device that authenticates and authorizes using the EAP-TLS framework. The authentication server is an ISE instance with an average of 25 milliseconds latency to the AP. To collect data for analysis, I performed seven iterations of roaming tests. Each iteration had one initial connection instance when the device goes through Authentication, Association, 802.1X EAP and 4-way handshake and at least one roaming instance when the device goes through authentication and re-association. The graph presented below shows the overall time from beginning of authentication to the end of 4-way handshake. Most iterations took less than one second to complete the connection process. However, there is an outlier which took 1.714 seconds for the process to complete. Attributing the outlier to WAN fluctuations and excluding it from calculations gives the average time to complete the initial connection process as 905.8405 milliseconds.

Time for Auth + Assoc + 802.1X + 4-way Handshake

I was also interested in looking at how long only the 802.1X process took. The following shows the time taken from the first EAP-Request frame to ACK frame of EAP-Success. Excluding the outlier, the average time for 802.1X EAP process is 878.84313 milliseconds.

Time for 802.1X Process

I was able to produce 14 roaming instances in the seven iterations. I considered the time between first authentication frame to the ACK of Re-association response as the time required for handoff between the APs. The average of all instances is 190.512 milliseconds which is about 21% of the total time taken for first connection.

Time for Auth+Re-Association

A lot of factors including the delay between access point and authentication server, number of clients connected to access points, retransmissions, coverage overlap etc will impact these numbers. Every application is designed differently to handle traffic. Some of them might have higher timeout values while others could be very time sensitive. The goal of this study was to have an idea of time for initial connection and roaming handoffs and to be able to use this data to help determine application resiliency to these events. I hope this helps for other engineers in the community as well!

Reference:

  • CWSP Study Guide  by David A Coleman, David A. Westcott and Bryan Harkins

A Simple Script to Upgrade Mist Infrastructure

The “API first” approach of Mist Systems is undoubtedly one of the main reasons it has become an attractive solution for large enterprises. It has simplified and enabled automation of wireless networks by providing REST APIs for almost every configuration and monitoring task that can be performed on a WLAN. In this post, I will be providing details on a Python script that can upgrade all the sites of your Organization with minimal downtime. The assumption is you have Python already installed and have some basic knowledge of the language. The libraries we are going to use in the script are “requests” and “json”. While the json module is included in Python, you may have to install the requests module.

The API to upgrade the devices at a site is shown below

POST /api/v1/sites/:site_id/devices/upgrade

The API call requires payload in the following JSON format to perform the action.

{
    "version": "3.1.5",
    "enable_p2p": false,
    // filters that can be used, if no filter specified, it means entire site
    "device_ids": [
        "00000000-0000-0000-1000-5c5b35584a6f"
    ],
    "models": [
        "AP41"
    ]
}

Version is the OS version you would like to upgrade to and enable_p2p allows you to upgrade only few devices at a time. Setting it to True will result in only up to 3 or 4 devices upgrading and rebooting simultaneously at each site while other APs continue to serve the clients. This will minimize downtime. But if the preference is to upgrade all of them at the same time during a change window, this has to be set to False. The device_ids and models are only filters that can be used if required. If no filters are specified, all the devices at the site will be upgraded.

As observed, to make the API call, the site_id variable has to be provided. Mist also provides an API to get list of sites in an Organization.

GET /api/v1/orgs/:org_id/sites

So, in the script we are going to build, we need to first get a list of site IDs and use them to upgrade sites with a JSON payload containing version and other variables.

To accomplish this, we define two functions that will perform each task.

The first function is to get the list of site IDs.

def getSiteDict(orgId):
    sitesUrl = "https://api.mist.com/api/v1/orgs/" + orgId + "/sites"   #API to get list of sites in your Organization
    getSiteIds = requests.request("GET", sitesUrl , headers=headers, timeout=30) #API call performed; the timeout keeps the script from hanging forever
    getSiteIds.raise_for_status() #Stops on an HTTP error (for example a rejected token) instead of parsing an error body
    getSiteIds_json = getSiteIds.json() #Decodes the JSON data from API Request into a list
    siteDict={}
    for site in getSiteIds_json:    #Loops through the list and adds site names and site IDs to the siteDict
        try:
            siteDict.update({site['name']:site['id']})
        except Exception as e:
            print(e)
    return siteDict

We need to pass the OrgID as an argument to this function. This will enable the function to be reused if you are managing multiple organizations. The function will return a dictionary with <siteName, siteId> as key value pairs. Next we define a function to send the upgrade devices API call to each site. This function takes siteID as an argument.

def siteUpgrade(siteId):
    payload = {
        "version": "0.5.17360", #Version to upgrade to
        "enable_p2p": True #Enabling peer to peer upgrade
    }
    payload=json.dumps(payload)     #Converts the payload to JSON format
    upgradeUrl = "https://api.mist.com/api/v1/sites/" + siteId + "/devices/upgrade" #API URL To upgrade the devices
    upgradeCall = requests.request("POST", upgradeUrl , data=payload, headers=headers, timeout=30)    #API call performed with the payload; the timeout keeps the script from hanging forever
    return upgradeCall.status_code    #Returns the HTTP Response code for the API call.

Now that we have the functions defined all we have to do is complete the puzzle to make function calls and perform the tasks. To do this we need OrgID and header which contains Token. The token needs to have read write privileges to perform the operations in this script.

orgId= "#Enter Org ID Here"
headers = {
    'Authorization': "Token #here", # Token with read write access required
    'Content-Type': "application/json",
}
siteDict=getSiteDict(orgId) #Function call to get siteDict
for siteName,siteId in siteDict.items():  #Loops through the Dictionary to make API calls for each site.
    try:
        upgradeStatus=siteUpgrade(siteId)
        if upgradeStatus == 200: #HTTP Response is 200 for successful API calls.
            print("Upgrade Successful for site " , siteName)
        else:
            print("Error Occurred ", upgradeStatus)
    except Exception as e:
        print(e)

The full script can be found below.

import requests, json

headers = {
    'Authorization': "Token #here", # Token with read write access required
    'Content-Type': "application/json",
}

def getSiteDict(orgId):
    sitesUrl = "https://api.mist.com/api/v1/orgs/" + orgId + "/sites"   #API to get list of sites in your Organization
    getSiteIds = requests.request("GET", sitesUrl , headers=headers, timeout=30) #API call performed; the timeout keeps the script from hanging forever
    getSiteIds.raise_for_status() #Stops on an HTTP error (for example a rejected token) instead of parsing an error body
    getSiteIds_json = getSiteIds.json() #Decodes the JSON data from API Request into a list
    siteDict={}
    for site in getSiteIds_json:    #Loops through the list and adds site names and site IDs to the siteDict
        try:
            siteDict.update({site['name']:site['id']})
        except Exception as e:
            print(e)
    return siteDict

def siteUpgrade(siteId):
    payload = {
        "version": "0.5.17360", #Version to upgrade to
        "enable_p2p": True #Enabling peer to peer upgrade
    }
    payload=json.dumps(payload)     #Converts the payload to JSON format
    upgradeUrl = "https://api.mist.com/api/v1/sites/" + siteId + "/devices/upgrade" #API URL To upgrade the devices
    upgradeCall = requests.request("POST", upgradeUrl , data=payload, headers=headers, timeout=30)    #API call performed with the payload; the timeout keeps the script from hanging forever
    return upgradeCall.status_code    #Returns the HTTP Response code for the API call.

orgId= "#Enter Org ID Here"

siteDict=getSiteDict(orgId) #Function call to get siteDict
for siteName,siteId in siteDict.items():  #Loops through the Dictionary to make API calls for each site.
    try:
        upgradeStatus=siteUpgrade(siteId)
        if upgradeStatus == 200: #HTTP Response is 200 for successful API calls.
            print("Upgrade API call Successful for site " , siteName)
        else:
            print("Error Occurred ", upgradeStatus)
    except Exception as e:
        print(e)
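
Both this script and mistmodule.py in the earlier post keep a read-write token in the source file, where it is easily committed to a repository along with the code. The following is an added example, not part of the original script or the MistScripts repository, that reads the token from the environment, validates each site ID before it is placed in the URL, and builds the upgrade requests as a dry run without sending them. The environment variable name MIST_TOKEN, the assumption that site IDs are UUIDs, and all function names are assumptions of this example; the endpoint and payload fields are the ones shown above.

```python
import json
import os
import re
import urllib.request

API_BASE = "https://api.mist.com/api/v1"   # host used by the scripts on this page
# Assumption: site IDs are UUIDs, like the device_ids value in the payload above.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def load_token(env=os.environ):
    """Read the API token from MIST_TOKEN (assumed name), never from source."""
    token = env.get("MIST_TOKEN", "").strip()
    if not token or token.startswith("#"):
        raise RuntimeError("MIST_TOKEN is not set or is still a placeholder")
    return token


def build_upgrade_request(site_id, version, token, enable_p2p=True, models=None):
    """Build (but do not send) the POST to /sites/:site_id/devices/upgrade."""
    if not UUID_RE.fullmatch(site_id):
        # Reject anything that could change the URL path before concatenating.
        raise ValueError("site_id is not a UUID: %r" % site_id)
    payload = {"version": version, "enable_p2p": enable_p2p}
    if models:
        payload["models"] = list(models)
    return urllib.request.Request(
        API_BASE + "/sites/" + site_id + "/devices/upgrade",
        data=json.dumps(payload).encode(),
        headers={"Authorization": "Token " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )


def plan_upgrades(site_dict, version, token, **options):
    """Dry run over {siteName: siteId}; returns (requests by site, rejected names)."""
    planned, rejected = {}, []
    for name, site_id in site_dict.items():
        try:
            planned[name] = build_upgrade_request(site_id, version, token, **options)
        except ValueError:
            rejected.append(name)
    return planned, rejected


def redact(request):
    """Header view that is safe to print or log: the token is masked."""
    shown = dict(request.header_items())
    if "Authorization" in shown:
        shown["Authorization"] = "Token ****"
    return shown


if __name__ == "__main__":
    # Constructed sample data; a real run would use load_token() and getSiteDict().
    sites = {"HQ": "00000000-0000-0000-1000-5c5b35584a6f", "Lab": "not-a-uuid"}
    planned, rejected = plan_upgrades(sites, "0.5.17360", "constructed-token")
    for name, req in planned.items():
        print(name, req.get_method(), req.full_url, redact(req))
    print("rejected:", rejected)
```

Each planned request can be sent with urllib.request.urlopen(req, timeout=30) once the dry-run output has been reviewed.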