Thank you for a fantastic "Shoot to Win" event!

Thanks to all of you that came to our “Shoot to Win” event. The event was a success thanks to you! We had a fantastic time at the wonderful Whistling Pines Gun Club West with you and Aruba.

HUGE thanks to Olympic Shooters Amber English and Keith Sanderson. Your expertise, instruction, and amazing generosity made the event. We can't wait to do another one with you!

I'd like to congratulate Cindy Senger of the Senger Design Group who won the new AppleTV for best shooting as judged by Amber and Keith. Our Olympians were quite impressed with Cindy - who is new to shooting - deeming her "a natural". Indeed!


And now, the winner of the drawing for the ARUBA IAP-225, 802.11ac access point:

Ken Fry of Colorado Springs Christian School

Congratulations, Ken, enjoy your new AP! You will be receiving your prize next week.

Issue with TLS v1.2, iOS 9 and Aruba Networks Products.

In case you haven’t heard, iOS 9 and OS X 10.11 introduce App Transport Security (ATS), which requires TLS v1.2. If you are going to have to support the new OSes, read on. Bottom line, you’ll probably be looking at some upgrades of your Aruba software.

Apple plans to make ATS mandatory for all apps going forward. iOS 9 also negotiates TLS v1.2 for the EAP handshake, so both 802.1X and “SSL” (https) authentication are affected. The Apple developer site says “Certificates must use at least an SHA256 fingerprint with either a 2048 bit or greater RSA key, or a 256 bit or greater Elliptic-Curve (ECC) key”.

For Aruba customers, if you are using ClearPass for 802.1X authentication (this includes OnBoard clients), TLS v1.2 is supported in 6.5.2 and later (6.5.2 fixes a TLS v1.2 bug in 6.5.1).

If you are doing EAP termination (EAP offload) on an Aruba controller (instead of passing the 802.1X exchange straight through to a RADIUS server), you’ll need ArubaOS 6.4.2.9 or later (6.4.2.x is GA) or 6.4.3.3 or later (6.4.3.x is currently EA). But if you are just passing 802.1X through to a RADIUS server (the most common scenario), the controller shouldn’t care and so shouldn’t need the upgrade: in pass-through mode the TLS handshake runs end-to-end between the client’s supplicant and the RADIUS server, carried inside EAP-Message attributes, and the controller only relays those frames.

If you are doing EAP pass through to a non-Aruba RADIUS server (e.g. Microsoft NPS) for 802.1X, check with your RADIUS vendor for TLS v1.2 support.

By the way, if you are upgrading a ClearPass VM to 6.5, please look at the attached updated hardware requirements doc.  Also, the doc says you need 2 GE ports on your VM, but one will still work.

As I said earlier, this isn’t just an 802.1X issue, because TLS is also what “SSL” (https) connections use. So this will have a pretty substantial impact across the internet, because many apps and websites are running on older middleware servers that don’t use 2048-bit or greater “SSL” certs and don’t support TLS v1.2.

So just be aware that when your users migrate to iOS 9 or OS X 10.11 it will likely get pretty ugly for a short period of time as the web developers race to catch up.

UPDATE 08-28-2015:

A fellow Twitterer wanted us to clarify that the issue is not TLS v1.2 "intolerance", or even TLS v1.2 support, but the broken version of FreeRADIUS, 2.2.6, which is included in ClearPass. Support for TLS v1.2 was pre-existing, and it was the updated FreeRADIUS implementation that was causing the issues.




WLAN TROUBLESHOOTING & DESIGN GUIDE

Aerohive Networks is offering this free WLAN Troubleshooting and Design Guide authored by CWNE #4 David Coleman and CWNE #7 David Westcott. This is actually chapter 12 of the Certified Wireless Network Administrator (CWNA) Study Guide.

We would recommend buying the CWNA Study Guide to anyone who is interested in, or has the responsibility of managing, a WLAN. Put it on your shelf next to your copy of "Microsoft Exchange for Dummies" 😬. Read a chapter a day and you'll be amazed how much you'll learn and come to understand about how wireless works.

Either way, take advantage of this free download and the generosity of Aerohive Networks. Way to go guys! 👍

DOWNLOAD NOW!

UPDATED: ClearPass Device Profiling Technote

Danny Jump at Aruba Networks has just updated the ClearPass Device Profiling TechNote. He's added details of the features from the CPPM 6.5 release, such as TCP Fingerprinting, On-demand SUBNET scan, SNMP updates, and the framework developed to allow administrators to perform custom device classification of unknown devices. Basically, it allows admins to write their own classification rules from an endpoint's profiled attributes.

DOWNLOAD NOW! →

Why Site Surveys Matter

There are those that think site surveys are a waste of time, and that Predictive Surveys alone (they are not surveys, by the way) are enough to get the job done. Sometimes, if the building is new construction, or a very open floor plan, etc., you'll get lucky and things work out. But, as the Tweet above shows, just because a wall looks like regular old drywall doesn’t mean it is. Site surveys save a lot of heartache by taking as much guesswork as possible out of the equation.

I'm not saying that a full "AP-On-A-Stick" type survey needs to be done throughout the entire facility, but I am saying that you should collect as much data as possible. We do “Predictive Models” here at CommunicaONE for most of our designs. However, we take as much guessing out as we can by performing a site survey at the location we’re designing for.

Things you really want to know: attenuation/loss through walls, glass, tile (is this REALLY just drywall, or is it merely a facade over BRICK?); is there RF interference that may cause issues; are there fixtures, appliances, or building materials that cause unexpected RF attenuation, reflections, refraction (oh, the 200 gallon fish tank wasn't in the floor plans?), scattering, etc.? These are things that can only be known from a site survey.

The moral here is that when designing a WLAN you should get as much information as possible about the environment you are designing for. Knowing what your building materials are, and what their RF characteristics are, will go a long way toward making WLAN designs as accurate and successful as possible.
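Here is the arithmetic behind "is this REALLY just drywall?", as an added example (mine, not from the post): a predictive model adds free-space path loss to a guessed loss per wall, and a survey replaces the guesses with measured numbers. The AP power, distance and per-wall losses below are assumptions for illustration, not survey data, and the function names (fspl_db, predicted_rssi_dbm, coverage_ok, compare) are my own.

```python
"""Added example (not from the original post): predicted RSSI from free-space
path loss plus per-wall attenuation, and how far off it lands when the walls
are not what the floor plan says. All loss values are assumptions."""
import math

# Assumed per-wall attenuation at 5 GHz, in dB (illustrative, not measured).
ASSUMED_WALL_LOSS_DB = {"drywall": 3.0, "glass": 4.0, "brick": 10.0, "concrete": 15.0}


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss: 20*log10(d_m) + 20*log10(f_MHz) - 27.55."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def predicted_rssi_dbm(eirp_dbm, distance_m, freq_mhz, walls):
    """RSSI at the client: EIRP minus free-space loss minus each wall's loss."""
    wall_loss = sum(ASSUMED_WALL_LOSS_DB[w] for w in walls)
    return round(eirp_dbm - fspl_db(distance_m, freq_mhz) - wall_loss, 1)


def coverage_ok(rssi_dbm, target_dbm=-67.0):
    """-67 dBm is a common design target for voice and data; an assumption here."""
    return rssi_dbm >= target_dbm


def compare(eirp_dbm, distance_m, freq_mhz, walls_on_plan, walls_found):
    """What the floor plan promised vs what the survey found: (plan, found) RSSI."""
    plan = predicted_rssi_dbm(eirp_dbm, distance_m, freq_mhz, walls_on_plan)
    found = predicted_rssi_dbm(eirp_dbm, distance_m, freq_mhz, walls_found)
    return plan, found


if __name__ == "__main__":
    # Client 15 m from an AP at 17 dBm EIRP on channel 36 (5180 MHz), two walls between.
    plan, found = compare(17, 15, 5180, ["drywall", "drywall"], ["brick", "brick"])
    print(f"plan says two drywall walls:  {plan} dBm -> {'OK' if coverage_ok(plan) else 'FAIL'}")
    print(f"survey finds brick behind it: {found} dBm -> {'OK' if coverage_ok(found) else 'FAIL'}")
```

Two walls that turn out to be brick instead of drywall cost 14 dB in this model, which is the difference between a cell that meets a -67 dBm target and one that does not; the model is only as good as the wall numbers you feed it, which is the whole argument for measuring them.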

Not everyone has the time, nor can afford the tools needed to properly perform a survey. CommunicaONE can help by performing site surveys, spectrum analysis, and valuable data collection about your existing infrastructure, device types and capabilities, applications, and more, to help make sure that we have as much information as possible to design the best WLAN for your organization.

Hey, it’s a corporate blog, did you not expect a sales pitch? 😏

For a good overview of how to properly determine and document  wall attenuation see Devin Akin's blogpost here.

802.11ac WAVE 1 AND 2 REALITY CHECK

802.11ac (the so-called "Wave 1") arrived with much fanfare early last year, and despite the hype, it did not saturate our wired networks. Now "Wave 2" has arrived and the pundits are out again saying your wired network needs to be upgraded to 2.5, or 5 Gig Ethernet depending on whose technology they're pushing.

The reality is whether you're deploying "Wave 1", or "Wave 2" (don't get me started on the "Wave" marketing) it's unlikely that you will max-out your 1 Gig ports. Unless you have only one, or two APs, and are bittorrenting Avatar, the chances that you need to run out and upgrade all your switching infrastructure (or run two cables to every AP) are small for the foreseeable future. 

Here are some of the reasons why:

♒︎

1. WIRELESS IS A HALF-DUPLEX, SHARED MEDIUM

So, even if you were the only client on that brand-new 802.11ac access point, the best you could possibly achieve is around 60+% of the max connection speed - maybe (the rest goes to preambles, acknowledgements, inter-frame spacing and contention). It's important to understand that 802.11 is a shared medium: only one device can transmit at a time. That means that if multiple clients are connected to an AP on the same channel, individual throughput will be further reduced as more users contend for the medium. The key thing to remember here is that the bandwidth is shared.

2. THEORETICAL MAXIMUM SPEEDS REQUIRE LARGE CHANNELS, CLOSE PROXIMITY TO THE AP, AND LINE-OF-SIGHT

There are only a handful of non-overlapping 80MHz channels in 5GHz (in the US, two without DFS: 36-48 and 149-161; a few more if you can use DFS channels). That's great in a small environment with few APs, but in an enterprise environment with tens, hundreds, or thousands of APs, 80MHz is not an option: so few channels re-used across so many APs means co-channel interference. "Wave 2" brings us two 160MHz channels (both of which need DFS), which, if you do the math, is even fewer...

* Screen cap from the greatest show ever, "Firefly".

So, at best you're using 40MHz channels, which has effectively cut your max throughput in half again. If you're in a high-density (HD) environment like a Higher-Ed campus, or large event space, where you may have hundreds to thousands of APs, you're more than likely going to be using 20MHz channels, thus halving your throughput yet again. So, when you are designing for capacity you will be using smaller channels to increase that capacity at the expense of the maximum possible throughput of your shiny 802.11ac APs.

Lastly, those fancy-pants "hyper-speeds" that are all the rage? Well, what they don't tell you in the marketing brochure is that those speeds are only attainable when you are very close (less than 25-30ft) to the AP, with line-of-sight, no obstructions, no interference, and no other clients on the AP. You need an extremely high SNR (Signal-To-Noise Ratio) to reach the unicorn-like 256-QAM that is required to get there. The reality is that in most environments there are walls, desks, bookshelves, people, kitchens, and more, all between the client and the AP.

3. THE MAJORITY OF CLIENTS ARE NOT FULLY UTILIZING THEIR CONNECTIONS, OR THE CAPABILITIES OF THE AP.

Most wireless clients in enterprise, educational, or event environments are not streaming HD video, bittorrenting, or otherwise using as much bandwidth as they can. The majority are doing average things like web surfing, watching YouTube, e-mailing, accessing databases, Tweeting, Facebooking, Instagramming, listening to music, etc. - things that don't require extremely high, or even consistent, bandwidth.

So, if you have 60-100 clients on an AP, many are likely just idly connected, and maybe a few are pushing serious bandwidth. If you look at statistics on your WLAN you will probably see that most users are not serious bandwidth hogs. Most likely your bandwidth bottleneck will be on the 1Gb uplinks between switches. That would be a good place to look to upgrade.

Also, there is wide disparity between clients. You may have a 3-stream, 3-radio 802.11ac access point, but most smartphones are single-stream, or at best dual-stream. Even with laptops, the MacBook Pro appears to be the only 3-stream device on the market (for now). The fact is most devices (typically mobile devices) aren't even CAPABLE of matching the AP's capabilities. So, those gigabit speeds you've been reading about? Ain't gonna happen.

¯\_(ツ)_/¯

Here's a good video that discusses client capabilities:

4. MU-MIMO IS NOT THE BANDWIDTH HOG YOU MAY HAVE READ IT IS. 

Multi-User MIMO (Multiple-Input-Multiple-Output) is the latest feature added to 802.11ac "Wave 2", along with 160MHz channels. Contrary to what many have stated, it is NOT wireless switching. Also, as discussed previously, Wi-Fi is a half-duplex medium, and MU-MIMO does not change that. The idea of MU-MIMO is to create efficiency by using as many spatial streams as possible - whether that's one 3-stream device, or three single-stream devices - and it's only supported for downstream transmissions from the AP to the client. Also, the clients need to support MU-MIMO as well as the AP.

The benefits of MU-MIMO are that an AP can transmit to multiple clients at once (so far, three is the max on the market), but the APs cannot receive from multiple clients. What this actually does is increase the EFFICIENCY on the downlink, but not necessarily THROUGHPUT.

♒︎

The takeaway here is that all the marketing on 802.11ac (Waves 1 and 2) boasts of the amazing speeds that can be achieved (It's right there on the box!). But, what they don't tell you is that in reality those speeds are only attainable when you use 80/160MHz channels, are very close (less than 25-30ft) to the AP, with line-of-sight, no obstructions, no interference, and no other clients on the AP. The reality is, in most environments, these are not options for the majority of clients, or for the infrastructure itself.

So, remember, just because you CAN have a throughput of, say, 800+ Mbps, it doesn't mean you will. More likely, you won't. So, don't succumb to the hype. The Tsunami of "Wave 2" is all in the marketing, not so much the reality.
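If you want to do the math yourself for the clients you actually have, here is an added example (mine, not from the post or from any vendor) that computes 802.11ac PHY rates from the standard's formula for a given MCS, spatial stream count, channel width and guard interval, then applies the post's ~60% rule of thumb to answer "does this saturate a 1 GbE port?". The list of MCS/stream/width combinations the standard leaves undefined, the 60% efficiency figure and the function names (vht_rate_mbps, estimated_throughput_mbps, saturates_gige, client_table) are my own assumptions for the example.

```python
"""Added example (not from the original post): 802.11ac (VHT) PHY data rate
from the standard's formula, then the "does this saturate a 1 GbE port"
question the post argues about.

    rate_Mbps = N_SS * N_SD * N_BPSCS * R / T_SYM(us)

N_SD is data subcarriers per channel width, N_BPSCS coded bits per subcarrier
per stream, R the FEC coding rate, T_SYM 4.0 us (long GI) or 3.6 us (short GI).
"""
from fractions import Fraction

N_SD = {20: 52, 40: 108, 80: 234, 160: 468}
# MCS index -> (modulation, bits per subcarrier per stream, coding rate)
MCS = {
    0: ("BPSK", 1, Fraction(1, 2)),
    1: ("QPSK", 2, Fraction(1, 2)),
    2: ("QPSK", 2, Fraction(3, 4)),
    3: ("16-QAM", 4, Fraction(1, 2)),
    4: ("16-QAM", 4, Fraction(3, 4)),
    5: ("64-QAM", 6, Fraction(2, 3)),
    6: ("64-QAM", 6, Fraction(3, 4)),
    7: ("64-QAM", 6, Fraction(5, 6)),
    8: ("256-QAM", 8, Fraction(3, 4)),
    9: ("256-QAM", 8, Fraction(5, 6)),
}
T_SYM_US = {"long": 4.0, "short": 3.6}
# (width, mcs, nss) combinations 802.11ac leaves undefined; assumed list, the
# one that matters most here is MCS 9 at 20 MHz for single-stream phones.
INVALID = {(20, 9, n) for n in (1, 2, 4, 5, 7, 8)} | {(80, 6, 3), (80, 6, 7), (80, 9, 6), (160, 9, 3)}


def vht_rate_mbps(mcs, nss, width_mhz, gi="short"):
    """PHY data rate in Mbps, rounded to one decimal."""
    if (width_mhz, mcs, nss) in INVALID:
        raise ValueError(f"MCS {mcs} x {nss} SS at {width_mhz} MHz is not defined")
    _, bpscs, rate = MCS[mcs]
    bits_per_symbol = nss * N_SD[width_mhz] * bpscs * rate
    return round(float(bits_per_symbol) / T_SYM_US[gi], 1)


def estimated_throughput_mbps(phy_rate_mbps, efficiency=0.6):
    """The post's rule of thumb: ~60% of the PHY rate is the real ceiling."""
    return round(phy_rate_mbps * efficiency, 1)


def saturates_gige(phy_rate_mbps, efficiency=0.6):
    """True if the estimated throughput would exceed a 1 GbE AP uplink."""
    return estimated_throughput_mbps(phy_rate_mbps, efficiency) > 1000


def client_table():
    """Client/AP combinations the post describes: (label, PHY, ~TCP, >1GbE)."""
    cases = [
        ("1-stream phone, 20 MHz", 8, 1, 20),
        ("1-stream phone, 80 MHz", 9, 1, 80),
        ("2-stream laptop, 40 MHz", 9, 2, 40),
        ("3-stream laptop, 80 MHz", 9, 3, 80),
        ("4x4 AP, 160 MHz (Wave 2)", 9, 4, 160),
    ]
    rows = []
    for label, mcs, nss, bw in cases:
        phy = vht_rate_mbps(mcs, nss, bw)
        rows.append((label, phy, estimated_throughput_mbps(phy), saturates_gige(phy)))
    return rows


if __name__ == "__main__":
    print(f"{'client':28} {'PHY Mbps':>9} {'~TCP Mbps':>10}  >1GbE?")
    for label, phy, tcp, sat in client_table():
        print(f"{label:28} {phy:9.1f} {tcp:10.1f}  {'yes' if sat else 'no'}")
```

Even the 3-stream, 80MHz, 256-QAM laptop tops out around 1300 Mbps on paper and roughly 780 Mbps in practice, well inside a gigabit port; the only row that crosses 1 Gbps is the 4x4 AP on a 160MHz channel, which is exactly the configuration the channel-count argument above says you won't be running in a dense deployment.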

802.11AC WAVE 2 TECHNOLOGY DEEP DIVE FROM ATMOSPHERE 2015

No joke, when they say this is a "deep dive", they mean it. The video from this year's Aruba Networks Atmosphere Conference goes into the technical aspects of beam-forming in 802.11ac (Wave 2), MU-MIMO, and real world throughput. Enjoy.

“Wave 2 data rates are insanely high, and they’re also farther from reality than ever before.” - Peter Lane

802.11ac Wave 2 technology deep dive and deployment recommendations - 802.11ac Wave 2 is right around the corner. Now's the time to prepare yourself and impress your colleagues with knowledge about multi-user MIMO, Wave 2's most sought-after capability. Our experts will share their planning recommendations so you'll know the perfect time to migrate to this new technology. We'll also give you an update on the latest mobile device support for the protocol.