Cisco Champion 2018

The Cisco Champions for 2018 have been announced and I am honored and proud to be able to announce that I have been selected. A special thanks goes to Pieter-Jan Nefkens (Twitter: @pjnef) for supporting and nominating me for this program.

What actually is a ‘Cisco Champion’? Several vendors have global advocacy programs, for example the VMware vExpert and Microsoft MVP programs. For Cisco, this is the Champion program.

But what defines a Champion? Cisco Champions make a difference by:

  • Sharing experiences with Cisco products and services
  • Being active in social communities such as Twitter, blogs or the Cisco Community sites
  • Contributing knowledge and helping others in the community with their questions

Cisco’s website describes it as follows:

Cisco Champions are passionate experts who share their perspectives with the community.

This designation comes with responsibilities. It is not a title you earn and then rest on your laurels. The exposure gives you the opportunity to help Cisco move forward in areas that need more attention and improvement, and to help the community with the challenges they experience in day-to-day operations.

So I am proud of my designation as a Cisco Champion and will try to work even harder to deserve this title and help Cisco and the IT community wherever possible.

My expertise is primarily in Security and Wireless. So if you have any questions, don’t hesitate to ask. I will not always know the answer, but with the excellent Cisco Champion community behind me I am sure we will be able to help.

More information about the program can be found at https://communities.cisco.com/groups/cisco-champions

Frame classes

While studying for the CWNA and CWAP, you learn about the 802.11 state machine. It describes the connection state of a station during a session: State 1 (unauthenticated and unassociated), State 2 (authenticated but unassociated) and State 3 (authenticated and associated). The state determines which frames the station may exchange: only Class 1 frames in State 1, Class 1 and 2 frames in State 2, and all three classes in State 3. A station that receives a Class 2 frame from a peer that is not authenticated answers with a Deauthentication frame; one that receives a Class 3 frame from a peer that is authenticated but not associated answers with a Disassociation frame.

The schematic that accompanies the state machine mentions three frame classes. Below is an overview of each.

Class 1
  • Control frames
    • Acknowledgement (ACK)
    • CF-End
    • Clear to send (CTS)
    • Contention-Free (CF)-End+ACK
    • Request to send (RTS)
  • Management frames
    • Announcement Traffic Indication Message (ATIM)
    • Authentication
    • Beacon
    • Deauthentication
    • Probe Request / Response
    • Spectrum Management Action. Only applicable in an IBSS.
  • Data frames
    • Between stations in an IBSS
Class 2
  • Management frames
    • Association Request / Response
    • Disassociation
    • Reassociation Request / Response
Class 3
  • Management frames
    • Action. Only applicable in an infrastructure BSS, for example:
      • Block Ack Action
      • Direct Link Setup (DLS)
      • Quality of Service (QoS)
  • Control frames
    • Block Ack (BlockAck)
    • Block Ack Request (BlockAckReq)
    • Power Save (PS)-Poll
  • Data frames
    • Between stations in an infrastructure BSS
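As an added example (not code from the original post), here is a small Python model of the AP side of the state machine, driven by the frame classes above. It decodes the Frame Control field to find the frame's type and subtype, looks up its class, and applies the rule that an out-of-state frame is answered with a Deauthentication (from State 1) or a Disassociation (from State 2). Authentication and association are assumed to always succeed, and the sample frames at the bottom are constructed Frame Control fields, not captured traffic.

```python
"""Toy AP-side 802.11 state machine driven by frame classes.

Added example; not from the original post.  Type/subtype numbers are
those of the IEEE 802.11 Frame Control field (2 bytes, little-endian:
bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype).  The class
of each frame follows the Class 1/2/3 lists above.  Authentication and
association are assumed to succeed (Open System, no capability checks).
"""
import struct

MGMT, CTRL, DATA = 0, 1, 2

# (type, subtype) -> frame class for the management and control frames listed above
FRAME_CLASS = {
    (CTRL, 11): 1, (CTRL, 12): 1, (CTRL, 13): 1,   # RTS, CTS, ACK
    (CTRL, 14): 1, (CTRL, 15): 1,                  # CF-End, CF-End+CF-Ack
    (MGMT, 4): 1, (MGMT, 5): 1, (MGMT, 8): 1,      # Probe Request/Response, Beacon
    (MGMT, 9): 1, (MGMT, 11): 1, (MGMT, 12): 1,    # ATIM, Authentication, Deauthentication
    (MGMT, 0): 2, (MGMT, 1): 2,                    # Association Request/Response
    (MGMT, 2): 2, (MGMT, 3): 2, (MGMT, 10): 2,     # Reassociation Request/Response, Disassociation
    (MGMT, 13): 3,                                 # Action
    (CTRL, 8): 3, (CTRL, 9): 3, (CTRL, 10): 3,     # BlockAckReq, BlockAck, PS-Poll
}


def parse_frame_control(fc: bytes):
    """Return (protocol_version, type, subtype) of a 2-byte Frame Control field."""
    (raw,) = struct.unpack("<H", fc[:2])
    return raw & 0x3, (raw >> 2) & 0x3, (raw >> 4) & 0xF


def frame_class(ftype: int, subtype: int) -> int:
    """Class of a frame in an infrastructure BSS (all data frames are Class 3)."""
    if ftype == DATA:
        return 3
    return FRAME_CLASS[(ftype, subtype)]


class StationRecord:
    """The AP's view of one client station."""

    def __init__(self):
        self.state = 1        # 1 = unauthenticated, 2 = authenticated, 3 = associated
        self.responses = []   # frames the AP sends in reaction to out-of-state frames

    def receive(self, fc: bytes) -> bool:
        """Process a received frame; return True if it was allowed in the current state."""
        _, ftype, subtype = parse_frame_control(fc)
        if frame_class(ftype, subtype) > self.state:
            # Class 2 from State 1 or Class 3 from State 1 -> Deauthentication;
            # Class 3 from State 2 -> Disassociation.
            self.responses.append("Deauthentication" if self.state == 1 else "Disassociation")
            return False
        if (ftype, subtype) == (MGMT, 11):                 # Authentication -> State 2
            self.state = max(self.state, 2)
        elif (ftype, subtype) in {(MGMT, 0), (MGMT, 2)}:   # (Re)Association Request -> State 3
            self.state = 3
        elif (ftype, subtype) == (MGMT, 10):               # Disassociation -> back to State 2
            self.state = 2
        elif (ftype, subtype) == (MGMT, 12):               # Deauthentication -> back to State 1
            self.state = 1
        return True


def run(frames):
    """Feed frames to a fresh station record; return (accepted flags, final state, responses)."""
    sta = StationRecord()
    accepted = [sta.receive(fc) for fc in frames]
    return accepted, sta.state, sta.responses


# Constructed Frame Control fields (protocol version 0, flags byte 0), not captures.
AUTH, ASSOC_REQ, DATA_FRAME = b"\xb0\x00", b"\x00\x00", b"\x08\x00"
DEAUTH, PSPOLL = b"\xc0\x00", b"\xa4\x00"

if __name__ == "__main__":
    # association before authentication, then the proper sequence, then a deauth
    seq = [ASSOC_REQ, AUTH, DATA_FRAME, ASSOC_REQ, DATA_FRAME, PSPOLL, DEAUTH, DATA_FRAME]
    print(run(seq))
```

The first Association Request is refused with a Deauthentication because the station is still in State 1, and the data frame sent right after authenticating draws a Disassociation because the station has not associated yet. This is why an attacker who cannot forge the authentication exchange gains nothing by injecting Class 3 frames.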

Maximum allowed transmission power in the ETSI domain

In most Wi-Fi related documents, especially study books, you read about the regulatory maximum allowed transmission power for access points. The limit is expressed as EIRP (Equivalent Isotropically Radiated Power), so it applies to the radio's conducted power plus the antenna gain, not to the radio's power setting alone.

The values described are usually based on the rules of the United States Federal Communications Commission (FCC).

As a Dutch-based Wi-Fi consultant, these are not the values I can use as a standard for my configurations. In Europe the limits are set by harmonised standards from the European Telecommunications Standards Institute (ETSI).

The following tables give an overview of the values used in the ETSI domain.

2.4 GHz - DSSS / CCK modulation

Channel   Center frequency   Maximum EIRP
1         2412 MHz           18 dBm (63 mW)
2         2417 MHz           18 dBm (63 mW)
3         2422 MHz           18 dBm (63 mW)
4         2427 MHz           18 dBm (63 mW)
5         2432 MHz           18 dBm (63 mW)
6         2437 MHz           18 dBm (63 mW)
7         2442 MHz           18 dBm (63 mW)
8         2447 MHz           18 dBm (63 mW)
9         2452 MHz           18 dBm (63 mW)
10        2457 MHz           18 dBm (63 mW)
11        2462 MHz           18 dBm (63 mW)
12        2467 MHz           18 dBm (63 mW)
13        2472 MHz           18 dBm (63 mW)

2.4 GHz - OFDM modulation

Channel   Center frequency   Maximum EIRP
1         2412 MHz           20 dBm (100 mW)
2         2417 MHz           20 dBm (100 mW)
3         2422 MHz           20 dBm (100 mW)
4         2427 MHz           20 dBm (100 mW)
5         2432 MHz           20 dBm (100 mW)
6         2437 MHz           20 dBm (100 mW)
7         2442 MHz           20 dBm (100 mW)
8         2447 MHz           20 dBm (100 mW)
9         2452 MHz           20 dBm (100 mW)
10        2457 MHz           20 dBm (100 mW)
11        2462 MHz           20 dBm (100 mW)
12        2467 MHz           20 dBm (100 mW)
13        2472 MHz           20 dBm (100 mW)

5 GHz

The maximum EIRP depends on whether the radio implements Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC). N/A means no value is defined for that combination in the band.

Channel  Center frequency  Band (ETSI / FCC name)                      DFS + TPC         no DFS, no TPC    DFS, no TPC
36       5180 MHz          RLAN 1 sub-band I (indoor only) / U-NII-1   N/A               23 dBm (200 mW)   N/A
40       5200 MHz          RLAN 1 sub-band I (indoor only) / U-NII-1   N/A               23 dBm (200 mW)   N/A
44       5220 MHz          RLAN 1 sub-band I (indoor only) / U-NII-1   N/A               23 dBm (200 mW)   N/A
48       5240 MHz          RLAN 1 sub-band I (indoor only) / U-NII-1   N/A               23 dBm (200 mW)   N/A
52       5260 MHz          RLAN 1 sub-band II / U-NII-2A               23 dBm (200 mW)   20 dBm (100 mW)   N/A
56       5280 MHz          RLAN 1 sub-band II / U-NII-2A               23 dBm (200 mW)   20 dBm (100 mW)   N/A
60       5300 MHz          RLAN 1 sub-band II / U-NII-2A               23 dBm (200 mW)   20 dBm (100 mW)   N/A
64       5320 MHz          RLAN 1 sub-band II / U-NII-2A               23 dBm (200 mW)   20 dBm (100 mW)   N/A
100      5500 MHz          RLAN 2 / U-NII-2C                           30 dBm (1000 mW)  20 dBm (100 mW)   27 dBm (500 mW)
104      5520 MHz          RLAN 2 / U-NII-2C                           30 dBm (1000 mW)  20 dBm (100 mW)   27 dBm (500 mW)
108      5540 MHz          RLAN 2 / U-NII-2C                           30 dBm (1000 mW)  20 dBm (100 mW)   27 dBm (500 mW)
112      5560 MHz          RLAN 2 / U-NII-2C                           30 dBm (1000 mW)  20 dBm (100 mW)   27 dBm (500 mW)
116      5580 MHz          RLAN 2 / U-NII-2C                           30 dBm (1000 mW)  20 dBm (100 mW)   27 dBm (500 mW)
120      5600 MHz          RLAN 2 / U-NII-2C                           30 dBm (1000 mW)  20 dBm (100 mW)   27 dBm (500 mW)
124      5620 MHz          RLAN 2 / U-NII-2C                           30 dBm (1000 mW)  20 dBm (100 mW)   27 dBm (500 mW)
128      5640 MHz          RLAN 2 / U-NII-2C                           30 dBm (1000 mW)  20 dBm (100 mW)   27 dBm (500 mW)
132      5660 MHz          RLAN 2 / U-NII-2C                           30 dBm (1000 mW)  20 dBm (100 mW)   27 dBm (500 mW)
136      5680 MHz          RLAN 2 / U-NII-2C                           30 dBm (1000 mW)  20 dBm (100 mW)   27 dBm (500 mW)
140      5700 MHz          RLAN 2 / U-NII-2C                           30 dBm (1000 mW)  20 dBm (100 mW)   27 dBm (500 mW)

More information can be found on the ETSI website:

2.4 GHz – ETSI EN 300 328 V2.1.1 (2016-11)

5 GHz – ETSI EN 301 893 V2.1.1 (2017-05)
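As an added example (not code from the original post), the following Python encodes the limits from the tables above and checks a planned access point configuration against them. The point it makes is the one study books gloss over: the regulator limits EIRP, so the conducted power of the radio plus the antenna gain (minus feed losses) is what has to stay under the table value. The mapping of 5 GHz channel numbers to the three ETSI bands (channels 36 to 48 in 5150-5250 MHz, 52 to 64 in 5250-5350 MHz, 100 to 140 in 5470-5725 MHz) is taken from EN 301 893; the radio, antenna and cable figures at the bottom are made up for illustration.

```python
"""EIRP budget check against the ETSI limits tabulated above.

Added example, not part of the original post.  The dBm limits are the
values from the tables in this post; the 5 GHz channel-to-band mapping
follows ETSI EN 301 893.  None mirrors the N/A cells of the table.
"""

LIMIT_2G4_DBM = {"dsss": 18, "ofdm": 20}          # channels 1-13

# band -> max EIRP in dBm for (DFS + TPC, no DFS / no TPC, DFS without TPC)
LIMIT_5G_DBM = {
    "RLAN 1 sub-band I":  (None, 23, None),
    "RLAN 1 sub-band II": (23, 20, None),
    "RLAN 2":             (30, 20, 27),
}


def band_5g(channel: int) -> str:
    """Map a 5 GHz channel number to the ETSI band used in the table."""
    if 36 <= channel <= 48:
        return "RLAN 1 sub-band I"
    if 52 <= channel <= 64:
        return "RLAN 1 sub-band II"
    if 100 <= channel <= 140:
        return "RLAN 2"
    raise ValueError(f"channel {channel} is not in the ETSI tables above")


def max_eirp_dbm(channel: int, *, modulation: str = "ofdm",
                 dfs: bool = False, tpc: bool = False) -> int:
    """Regulatory EIRP ceiling for a channel, given what the radio implements.

    TPC without DFS is not a column in the table, so it falls back to the
    'no DFS / no TPC' value.
    """
    if 1 <= channel <= 13:
        return LIMIT_2G4_DBM[modulation]
    both, neither, dfs_only = LIMIT_5G_DBM[band_5g(channel)]
    limit = both if (dfs and tpc) else dfs_only if dfs else neither
    if limit is None:
        raise ValueError(f"no limit listed for channel {channel} with dfs={dfs}, tpc={tpc}")
    return limit


def dbm_to_mw(dbm: float) -> float:
    return 10 ** (dbm / 10)


def eirp_dbm(conducted_dbm: float, antenna_gain_dbi: float, cable_loss_db: float = 0.0) -> float:
    """EIRP is what the regulator limits: radio output + antenna gain - feed losses."""
    return conducted_dbm + antenna_gain_dbi - cable_loss_db


def check_eirp(channel, conducted_dbm, antenna_gain_dbi, cable_loss_db=0.0, **features):
    """Return (compliant, eirp_dbm, limit_dbm) for a planned AP configuration."""
    actual = eirp_dbm(conducted_dbm, antenna_gain_dbi, cable_loss_db)
    limit = max_eirp_dbm(channel, **features)
    return actual <= limit, actual, limit


if __name__ == "__main__":
    # Hypothetical 17 dBm radio on a 6 dBi antenna with 1 dB of cable loss.
    cases = [(6, {"modulation": "dsss"}), (36, {}), (100, {"dfs": True}), (100, {"dfs": True, "tpc": True})]
    for ch, feats in cases:
        ok, e, lim = check_eirp(ch, 17, 6, 1.0, **feats)
        print(f"ch {ch:>3} {feats}: EIRP {e:.0f} dBm ({dbm_to_mw(e):.0f} mW), "
              f"limit {lim} dBm -> {'OK' if ok else 'OVER'}")
```

Note that the same 17 dBm radio is compliant on channel 36 with a 6 dBi antenna but not with an 8 dBi one, and that on the RLAN 2 channels the extra 3 dB of headroom only exists when the radio actually implements TPC.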

Protected Management Frames (PMF)

Protected Management Frames (PMF) is described in the IEEE 802.11w-2009 amendment. PMF increases security by providing confidentiality, integrity, data origin authenticity and replay protection for management frames, so an attacker can no longer kick a client off the network by simply forging a Deauthentication or Disassociation frame with the client's MAC address.

This protection applies only to Robust Security Networks (RSN) and only to a subset of the management frames. The frames exchanged before and during the 4-way handshake (Beacon, Probe, Authentication and Association frames) cannot be protected, because the keys that protect management frames are only derived in that handshake. The protection is therefore limited to the following frames:

  • Channel Switch Announcement
  • Deauthentication
  • Disassociation
  • Robust Action frames
    • Block Ack Request / Response
    • Fast BSS Transition
    • QoS Admission Control
    • Radio Measurement
    • SA Query
    • Spectrum Management

Another limitation is client support for this amendment. The Wi-Fi Alliance (WFA) interoperability certification program requires support for PMF, but only for devices certified for 802.11ac. This means that there are still a lot of devices that do not support PMF.

When you decide to enable PMF on your wireless network, beware of the consequences. You could potentially prevent a lot of clients from connecting to your network. Unless you are in full control of the clients on your network and know whether 802.11w is supported, my recommendation would be to disable PMF.

There are other options, such as enabling PMF as optional instead of disabled or mandatory, but I am not sure if all clients support this.

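The difference between ‘optional’ and ‘mandatory’ PMF is two bits in the RSN Capabilities field of the RSN information element that the AP advertises in its Beacon and Probe Response frames: MFPC (Management Frame Protection Capable, bit 7) and MFPR (Management Frame Protection Required, bit 6). Optional is MFPC set and MFPR clear; mandatory is both set. The Python below is an added example, not code from the original post: it parses the RSN IE, reports the PMF mode and applies the association rules from IEEE 802.11-2012 (an AP with MFPR set rejects a client without MFPC with status code 31, ‘Robust management frame policy violation’; a client with MFPR set does not associate to an AP without MFPC; otherwise PMF is used only when both sides are capable). The RSN IEs are constructed byte strings, not captures, and the WPA2-PSK/CCMP suites in them are filler.

```python
"""RSN IE parsing and the PMF association decision.

Added example, not from the original post.  RSN IE layout (element ID
48: version, group cipher, pairwise list, AKM list, RSN Capabilities)
and the MFPC (bit 7) / MFPR (bit 6) flags follow IEEE 802.11-2012
8.4.2.27; the association outcomes follow its clause 11.5.3.
"""
import struct

RSN_EID = 48
MFPR = 1 << 6     # Management Frame Protection Required
MFPC = 1 << 7     # Management Frame Protection Capable
STATUS_MFP_POLICY_VIOLATION = 31


def parse_rsn_capabilities(ie: bytes) -> int:
    """Return the RSN Capabilities field of an RSN IE, or 0 if it is absent."""
    if len(ie) < 2 or ie[0] != RSN_EID or len(ie) != 2 + ie[1]:
        raise ValueError("not a well-formed RSN IE")
    body = ie[2:]
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    off = 2 + 4                                        # version + group cipher suite
    (n_pairwise,) = struct.unpack_from("<H", body, off)
    off += 2 + 4 * n_pairwise                          # pairwise cipher suite list
    (n_akm,) = struct.unpack_from("<H", body, off)
    off += 2 + 4 * n_akm                               # AKM suite list
    if off + 2 > len(body):
        return 0                                       # optional field omitted: all bits 0
    (caps,) = struct.unpack_from("<H", body, off)
    return caps


def pmf_mode(caps: int) -> str:
    """'disabled', 'optional' (MFPC only) or 'required' (MFPC and MFPR)."""
    if caps & MFPR:
        if not caps & MFPC:
            raise ValueError("MFPR without MFPC is not a valid RSN capability")
        return "required"
    return "optional" if caps & MFPC else "disabled"


def negotiate(ap_caps: int, sta_caps: int):
    """Association outcome for an AP/STA pair of RSN Capabilities.

    Returns ("associate", pmf_in_use), ("reject", status_code) when the AP
    refuses the association, or ("no-association", None) when the STA
    itself must not associate to this AP.
    """
    ap_c, ap_r = bool(ap_caps & MFPC), bool(ap_caps & MFPR)
    sta_c, sta_r = bool(sta_caps & MFPC), bool(sta_caps & MFPR)
    if ap_r and not sta_c:
        return ("reject", STATUS_MFP_POLICY_VIOLATION)
    if sta_r and not ap_c:
        return ("no-association", None)
    return ("associate", ap_c and sta_c)


def build_rsn_ie(caps: int) -> bytes:
    """Constructed WPA2-PSK/CCMP RSN IE with the given capabilities (test data)."""
    body = (struct.pack("<H", 1)
            + b"\x00\x0f\xac\x04"                         # group cipher: CCMP
            + struct.pack("<H", 1) + b"\x00\x0f\xac\x04"  # one pairwise cipher: CCMP
            + struct.pack("<H", 1) + b"\x00\x0f\xac\x02"  # one AKM: PSK
            + struct.pack("<H", caps))
    return bytes([RSN_EID, len(body)]) + body


if __name__ == "__main__":
    legacy_sta, pmf_sta = 0, MFPC
    for name, ap_ie in [("required", build_rsn_ie(MFPC | MFPR)),
                        ("optional", build_rsn_ie(MFPC)),
                        ("disabled", build_rsn_ie(0))]:
        caps = parse_rsn_capabilities(ap_ie)
        print(f"AP {name:<8} mode={pmf_mode(caps):<8} legacy client: {negotiate(caps, legacy_sta)}"
              f"  PMF client: {negotiate(caps, pmf_sta)}")
```

Running it shows the trade-off the text describes: with ‘required’ the legacy client is rejected with status 31, with ‘optional’ it still associates (without protection) while a PMF-capable client gets protected management frames, and with ‘disabled’ nobody does.
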
The 802.11w-2009 amendment has since been incorporated into the IEEE 802.11-2012 standard and later revisions.

Cisco VPN client in Windows 10

Although the Cisco VPN Client 5.x has been End-of-Support since July 2014, it is still widely used. Up to Windows 8.1 the program could be installed and would function properly. In Windows 10, however, the VPN client does not function out of the box. There is a workaround to get the software working.

Personally I would advise using the Cisco AnyConnect Secure Mobility Client v4.x. This program is fully supported by Cisco and functions under Windows 10. However, this client only supports SSL VPNs and remote access VPNs based on IKEv2.

In my experience many firewalls are still using remote access VPNs based on IKEv1. If you need the Cisco VPN Client 5.x for this reason, this document is for you.

Step 1

Obtain the latest Cisco VPN Client v5.x. This can be downloaded from http://www.cisco.com if you have the appropriate privileges.

Step 2

To run the Cisco VPN Client you need a working Deterministic Network Enhancer (DNE) driver.

Download winfix.exe from ftp://files.citrix.com/winfix.exe and run it. It cleans up any existing DNE installation so that a fresh version can be installed.

If you are already on Windows 10, skip the following steps and go to Step 5, ‘Additional steps for Windows 10 users’.

If you are on Windows 8, download and install the latest DNE.

Step 3
  • Install the Cisco VPN Client
  • Reboot the computer

Step 4

There is a possibility that you run into error ‘Reason 442: Failed to enable Virtual Adapter’. To resolve this error, a registry value has to be changed:

  • Open the registry editor (regedit)
  • Browse to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA

  • Modify the DisplayName value
    • For x86, change the value data from something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter” to “Cisco Systems VPN Adapter”
    • For x64, change the value data from something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows” to “Cisco Systems VPN Adapter for 64-bit Windows”
  • Reboot the computer

Step 5 – Optional: additional steps for Windows 10 users (error ‘Reason 443’)

If you still experience error ‘Reason 443’ after following the instructions above, follow these steps in exactly this order.

  • Uninstall any Cisco VPN software on the computer
  • Uninstall any DNE updater software
  • Reboot the computer
  • Run winfix.exe again
  • Reboot the computer
  • To run the Cisco VPN Client you have to install a new Deterministic Network Enhancer (DNE) version. It is part of the SonicWall Global VPN Client, which can be downloaded as a 32-bit (http://www.gleescape.com/wp-content/uploads/2014/09/sonic32.zip) or a 64-bit (http://www.gleescape.com/wp-content/uploads/2014/09/sonic64.zip) package. These archives are hosted on a third-party site rather than by SonicWall; since the package installs a kernel network driver, check the digital signature of the installer (file properties, Digital Signatures tab) before running it.
  • Install the Dell SonicWall Global VPN Client
  • Reboot the computer
  • Install the Cisco VPN Client 5.x software
  • Open the registry editor (regedit)
    • Browse to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CVirtA

  • Modify the DisplayName value if it still carries the .inf prefix:
    • For x86, change the value data from something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter” to “Cisco Systems VPN Adapter”
    • For x64, change the value data from something like “@oem8.inf,%CVirtA_Desc%;Cisco Systems VPN Adapter for 64-bit Windows” to “Cisco Systems VPN Adapter for 64-bit Windows”
  • Reboot the computer
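The registry fix in Step 4 and Step 5 is the same edit for x86 and x64: everything up to and including the last ‘;’ is removed from DisplayName, leaving only the adapter name. As an added example, not from the original post, the Python script below applies that edit with the standard-library winreg module. Run it from an elevated prompt on Windows 10; it defaults to a dry run and only writes the value when started with --apply. The key path and the before/after strings are the ones given in the steps above; an already-corrected value is left untouched.

```python
"""Repair the CVirtA DisplayName value described in Step 4 / Step 5.

Added example, not from the original post.  The registry path and the
expected before/after strings are those given in the steps above; the
winreg calls are the Python standard library.  Needs an elevated prompt
on Windows; the string fix itself is platform independent.
"""
import sys

CVIRTA_KEY = r"SYSTEM\CurrentControlSet\Services\CVirtA"


def fix_display_name(value: str) -> str:
    """Strip the '@oem<n>.inf,%CVirtA_Desc%;' prefix and keep the adapter name.

    Works for both the x86 and the x64 string because the wanted name is
    everything after the last ';'.  Already-clean values are returned as-is.
    """
    if value.startswith("@") and ";" in value:
        return value.rsplit(";", 1)[1]
    return value


def repair_registry(dry_run: bool = True):
    """Read DisplayName, compute the fix and (unless dry_run) write it back.

    Returns (current_value, fixed_value).  Windows only.
    """
    if sys.platform != "win32":
        raise RuntimeError("the CVirtA registry fix only applies on Windows")
    import winreg
    access = winreg.KEY_READ | (0 if dry_run else winreg.KEY_SET_VALUE)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CVIRTA_KEY, 0, access) as key:
        current, kind = winreg.QueryValueEx(key, "DisplayName")
        fixed = fix_display_name(current)
        if fixed != current and not dry_run:
            winreg.SetValueEx(key, "DisplayName", 0, kind, fixed)
        return current, fixed


if __name__ == "__main__":
    before, after = repair_registry(dry_run="--apply" not in sys.argv)
    print(f"before: {before!r}")
    print(f"after:  {after!r}" + ("" if "--apply" in sys.argv else "  (dry run, nothing written)"))
```

Reboot after writing the value, as the steps above say; the adapter name is read when the service starts.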

The Cisco VPN Client should now work in Windows 10.