Channel: mrn-cciew

Cisco Prime – Device Mgt using SNMPv3

SNMP (Simple Network Management Protocol) provides management capability for TCP/IP based networks. There are three versions (v1, v2c, v3) & only version 3 added security to the protocol: v1 and v2c authenticate with a cleartext community string and send everything unencrypted, so anyone who can sniff the management path can read (and with an RW community, change) the device configuration. If you are using SNMP to manage & configure your network devices, use SNMPv3, which provides message authentication & encryption. You can read RFC 3411 (An Architecture for Describing SNMP Management Frameworks) if you are interested in more details about the protocol; the User-based Security Model used below is defined in RFC 3414.

There are three security levels you can apply to SNMPv3 messages:

noAuthNoPriv – without authentication and without privacy,
authNoPriv   – with authentication but without privacy,
authPriv     – with authentication and with privacy.

In this post we will see how to configure SNMPv3 on Cisco IOS devices (5760, 3850, autonomous AP) & a Cisco WLC (5508) so that they can be managed by Prime Infrastructure as the Network Management System (NMS).

On any IOS device it is a simple two-step process:

1. Configure a SNMP group
2. Configure a SNMP user

Let’s configure this on a 3850 switch. First we will create an SNMP group (called SNMP-GRP) with the “authPriv” security level. You can associate an ACL with the group (the access keyword shown below) to restrict which NMS hosts can use it. In this example I have left that out to keep it simple, but in production you should add it, since a leaked SNMPv3 credential is then only usable from the NMS addresses.

3850-3(config)#snmp-server ?
  accounting        SNMP Accounting parameters
  cache             Enable SNMP cache
  chassis-id        String to uniquely identify this chassis
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  context           Create/Delete a context apart from default
  drop              Silently drop SNMP packets
  enable            Enable SNMP Traps
  engineID          Configure a local or remote SNMPv3 engineID
  file-transfer     File transfer related commands
  group             Define a User Security Model group
  host              Specify hosts to receive SNMP notifications
  ifindex           Enable ifindex persistence
  inform            Configure SNMP Informs options
  ip                IP ToS configuration for SNMP traffic
  location          Text for mib object sysLocation
  manager           Modify SNMP manager parameters
  packetsize        Largest SNMP packet size
  password-policy   SNMP v3 users password policy
  queue-length      Message queue length for each TRAP host
  source-interface  Assign an source interface
  spi               Configs for SNMP communication using SPI
  sysobjectid       sysObjectID
  system-shutdown   Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap              SNMP trap options
  trap-source       Assign an interface for the source address of all traps
  trap-timeout      Set timeout for TRAP message retransmissions
  user              Define a user who can access the SNMP engine
  view              Define an SNMPv3 MIB view

3850-3(config)#snmp-server group ?
  WORD  Name of the group

3850-3(config)#snmp-server group SNMP-GRP ?
  v1   group using the v1 security model
  v2c  group using the v2c security model
  v3   group using the User Security Model (SNMPv3)

3850-3(config)#snmp-server group SNMP-GRP v3 ?
  auth    group using the authNoPriv Security Level
  noauth  group using the noAuthNoPriv Security Level
  priv    group using SNMPv3 authPriv security level

3850-3(config)#snmp-server group SNMP-GRP v3 priv ?
  access   specify an access-list associated with this group
  context  specify a context to associate these views for the group
  match    context name match criteria
  notify   specify a notify view for the group
  read     specify a read view for the group
  write    specify a write view for the group
  <cr>

3850-3(config)#snmp-server group SNMP-GRP v3 priv

Now let’s define an SNMP user for this group with the required authentication & encryption parameters. As you can see below the 3850 supports 128, 192 & 256 bit AES encryption & you can choose any of them. I have chosen 128 bit as that is what Prime Infrastructure supports. I have used “HMAC-SHA” over “HMAC-MD5” since it is more secure. Both passwords must be at least 8 characters (an RFC 3414 requirement), and use two different values so that a compromised privacy key does not also give away the authentication key.

3850-3(config)#snmp-server user ?
  WORD  Name of the user

3850-3(config)#snmp-server user prime2 ?
  WORD  Group to which the user belongs

3850-3(config)#snmp-server user prime2 SNMP-GRP ?
  remote  Specify a remote SNMP entity to which the user belongs
  v1      user using the v1 security model
  v2c     user using the v2c security model
  v3      user using the v3 security model

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 ?
  access     specify an access-list associated with this group
  auth       authentication parameters for the user
  encrypted  specifying passwords as MD5 or SHA digests
  <cr>

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 au
3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth ?
  md5  Use HMAC MD5 algorithm for authentication
  sha  Use HMAC SHA algorithm for authentication

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sh
3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha ?
  WORD  authentication pasword for user

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> ?
  access  specify an access-list associated with this group
  priv    encryption parameters for the user
  <cr>

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv ?
  3des  Use 168 bit 3DES algorithm for encryption
  aes   Use AES algorithm for encryption
  des   Use 56 bit DES algorithm for encryption

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes ?
  128  Use 128 bit AES algorithm for encryption
  192  Use 192 bit AES algorithm for encryption
  256  Use 256 bit AES algorithm for encryption

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes 128 ?
  WORD  privacy pasword for user

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes 128 <PRIVACY_PASSWORD> ?
  access  specify an access-list associated with this group
  <cr>

3850-3(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes 128 <PRIVACY_PASSWORD> 

Now if you go to Prime Infrastructure (PI), you can add this switch with the configured SNMPv3 details. To fully manage the switch PI also needs CLI access (SSH or Telnet), so configure the CLI credentials as well; use SSH, since Telnet would send those credentials in cleartext and undo the benefit of SNMPv3.

Note that when you add a 3850/3650 switch to Prime it will automatically be treated as a WLC as well (since those switches have an integrated WLC). So the same 3850 appears under both the Controllers & Switches sections.

Let’s configure this on the 5760 controller. Since it is an IOS device, you simply add the same two lines.

5760-1(config)#snmp-server group SNMP-GRP v3 priv
5760-1(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes 128 <PRIVACY_PASSWORD>

You can verify your configuration using the “show snmp group” & “show snmp user” outputs as shown below. Note that “snmp-server user” lines are not displayed in the running configuration, so “show snmp user” is the place to confirm the user exists. Also note the group has the default v1default read view and no write view, so this user can read but not set anything via SNMP; that is why PI needs the CLI credentials to push configuration.

5760-1#show snmp group 
groupname: SNMP-GRP                         security model:v3 priv 
contextname: <no context specified>         storage-type: nonvolatile
readview : v1default                        writeview: <no writeview specified>        
notifyview: <no notifyview specified>       
row status: active

5760-1#show snmp user 
User name: prime2
Engine ID: 80000009030044ADD9039D00
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: SNMP-GRP

Let’s see the same configuration on an autonomous access point (again an IOS device). There is no difference, only those two lines are required. But depending on the AP hardware & the IOS version running on the AP, all of these encryption options may not be supported. For example a 1252 on 15.2 supports AES encryption, whereas a 1131 running 12.4 only supports DES for SNMP privacy. If DES is all an AP offers, keep in mind that it is 56-bit and no longer considered strong; it is still far better than a v2c community string, but plan to retire such APs.

AAP1(config)#do sh ver | in IOS
Cisco IOS Software, C1250 Software (C1250-K9W7-M), Version 15.2(2)JA1, RELEASE SOFTWARE (fc1)

AAP1(config)#snmp-server group SNMP-GRP v3 priv
AAP1(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv aes 128 <PRIVACY_PASSWORD> 

AAP2#sh ver | in IOS
Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(21a)JY, RELEASE SOFTWARE (fc1)

AAP2(config)#snmp-server group SNMP-GRP v3 priv
AAP2(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv ?
  des56  Use 56 bit DES algorithm for encryption
AAP2(config)#snmp-server user prime2 SNMP-GRP v3 auth sha <AUTH_PASSWORD> priv des56 <PRIVACY_PASSWORD>

Now let’s see how we can configure SNMPv3 on a 5508 (running AireOS). Since it is not IOS the command syntax is different, but again it is one simple config line. I have not shown the GUI method here, but if you are more comfortable with that you can do it that way too.

(5508-1) >config snmp v3user create ?           
<username>     Enter user name for a v3 user.
               
(5508-1) >config snmp v3user create prime2 ?               
ro             Read-only mode.
rw             Read-write mode.
               
(5508-1) >config snmp v3user create prime2 rw ?
none           Disable authentication protocol for a SNMP v3 user.
hmacmd5        Set the SNMP v3 user authentication type to HMACMD5.
hmacsha        Set the SNMP v3 user authentication type to HMACSHA.
               
(5508-1) >config snmp v3user create prime2 rw hmacsha ?
none           Disables encryption type for SNMP v3 user.
aescfb128      Set the SNMP v3 user encryption type to AES.
des            Set the SNMP v3 user encryption type to DES.
               
(5508-1) >config snmp v3user create prime2 rw hmacsha aescfb128 ?               
<authkey>      Enter authentication key for authtype hmacmd5/hmacsha for a v3 user.
               
(5508-1) >config snmp v3user create prime2 rw hmacsha aescfb128 <AUTH_PASSWORD> ?
               
<encrypkey>    Enter encryption key for for des encryption for a v3 user.
               
(5508-1) >config snmp v3user create prime2 rw hmacsha aescfb128 <AUTH_PASSWORD> <PRIVACY_PASSWORD>

You can verify with the “show snmpversion” & “show snmpv3user” CLI commands. There is a default SNMPv3 user called “default” & you should delete it using “config snmp v3user delete default” once your own user works, since its name is well known. In the output below I have deleted that user.

(5508-1) >show snmpversion 
SNMP v1  Mode.................................... Disable 
SNMP v2c Mode.................................... Enable 
SNMP v3  Mode.................................... Enable 

(5508-1) >show snmpv3user 
SNMP v3 User Name    AccessMode  Authentication Encryption   
-------------------- ----------- -------------- ----------   
prime2                Read/Write  HMAC-SHA       CFB-AES

In this way you can make sure Prime Infrastructure & your managed devices communicate in a secure fashion (SNMPv3). One thing to notice in the “show snmpversion” output above: SNMP v2c mode is still enabled on the 5508. Once PI is polling over v3, disable it (“config snmp version v2c disable”) so the controller no longer answers community-string requests at all. Here is a sample PI dashboard showing these managed devices.
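The verification outputs above (IOS “show snmp group” / “show snmp user” and AireOS “show snmpversion” / “show snmpv3user”) are also what you would collect to audit SNMP across a fleet. The Python script below is an added example, not code from this post or from Cisco: it parses those four outputs and flags anything weaker than v3 authPriv with SHA/AES, namely v1/v2c groups, MD5 or DES users, v1/v2c modes still enabled on a WLC, and the factory “default” v3 user. The embedded sample outputs are the ones shown above plus a constructed v1 group, a constructed MD5/DES user and a constructed “default” WLC user so that the checks have something to catch.

```python
import re

# Algorithms (compared case-insensitively) that an SNMPv3 audit should flag
WEAK_AUTH = {"NONE", "MD5", "HMAC-MD5", "HMACMD5"}
WEAK_PRIV = {"NONE", "DES", "DES56", "3DES", "CFB-DES"}

# Sample outputs: the ones shown in this post, plus constructed weak entries
# (IOS group "public", IOS user "legacy", WLC user "default") for the audit to catch.
IOS_SHOW_SNMP_GROUP = """\
groupname: SNMP-GRP                         security model:v3 priv 
contextname: <no context specified>         storage-type: nonvolatile
readview : v1default                        writeview: <no writeview specified>
notifyview: <no notifyview specified>
row status: active

groupname: public                           security model:v1
readview : v1default                        writeview: <no writeview specified>
row status: active
"""
IOS_SHOW_SNMP_USER = """\
User name: prime2
Engine ID: 80000009030044ADD9039D00
storage-type: nonvolatile        active
Authentication Protocol: SHA
Privacy Protocol: AES128
Group-name: SNMP-GRP

User name: legacy
Authentication Protocol: MD5
Privacy Protocol: DES
Group-name: SNMP-GRP
"""
AIREOS_SHOW_SNMPVERSION = """\
SNMP v1  Mode.................................... Disable 
SNMP v2c Mode.................................... Enable 
SNMP v3  Mode.................................... Enable 
"""
AIREOS_SHOW_SNMPV3USER = """\
SNMP v3 User Name    AccessMode  Authentication Encryption   
-------------------- ----------- -------------- ----------   
prime2                Read/Write  HMAC-SHA       CFB-AES
default               Read/Write  HMAC-MD5       CFB-DES
"""


def audit_ios_groups(show_snmp_group: str) -> list:
    """Flag IOS 'show snmp group' entries that are not 'v3 priv'."""
    findings = []
    pattern = r"groupname:\s*(\S+)[ \t]+security model:\s*(\S+)(?:[ \t]+(\S+))?"
    for name, model, level in re.findall(pattern, show_snmp_group):
        if model != "v3":
            findings.append(f"group {name}: {model} community-string access, no authentication or encryption")
        elif level != "priv":
            findings.append(f"group {name}: v3 {level or 'noauth'}, payload is not encrypted")
    return findings


def audit_ios_users(show_snmp_user: str) -> list:
    """Flag IOS 'show snmp user' entries using MD5, DES/3DES or no privacy."""
    findings = []
    for block in re.split(r"(?m)^(?=User name:)", show_snmp_user):  # one block per user
        name = re.search(r"User name:\s*(\S+)", block)
        if not name:
            continue
        auth = re.search(r"Authentication Protocol:\s*(\S+)", block)
        priv = re.search(r"Privacy Protocol:\s*(\S+)", block)
        auth = auth.group(1).upper() if auth else "NONE"
        priv = priv.group(1).upper() if priv else "NONE"
        if auth in WEAK_AUTH:
            findings.append(f"user {name.group(1)}: authentication {auth}")
        if priv in WEAK_PRIV:
            findings.append(f"user {name.group(1)}: privacy {priv}")
    return findings


def audit_aireos(show_snmpversion: str, show_snmpv3user: str) -> list:
    """Flag v1/v2c modes left enabled and weak or factory v3 users on an AireOS WLC."""
    findings = []
    for version, state in re.findall(r"SNMP (v1|v2c)\s+Mode\.*\s*(\S+)", show_snmpversion):
        if state.lower().startswith("enable"):
            findings.append(f"SNMP {version} mode enabled (config snmp version {version} disable)")
    for line in show_snmpv3user.splitlines():
        parts = line.split()
        # Data rows: <name> <Read/Write|Read-only> <auth> <priv>; skip header and separator
        if len(parts) < 4 or parts[0] == "SNMP" or parts[0].startswith("-"):
            continue
        name, _mode, auth, priv = parts[:4]
        if name == "default":
            findings.append("user default: factory account still present (config snmp v3user delete default)")
        if auth.upper() in WEAK_AUTH:
            findings.append(f"user {name}: authentication {auth}")
        if priv.upper() in WEAK_PRIV:
            findings.append(f"user {name}: privacy {priv}")
    return findings


if __name__ == "__main__":
    for finding in (audit_ios_groups(IOS_SHOW_SNMP_GROUP) + audit_ios_users(IOS_SHOW_SNMP_USER)
                    + audit_aireos(AIREOS_SHOW_SNMPVERSION, AIREOS_SHOW_SNMPV3USER)):
        print("FINDING:", finding)
```

Feed it the real outputs from your show-command collector and treat a non-empty list as a finding. The AireOS remediation commands in the messages are the ones used in this post; on IOS the fix is to remove any v1/v2c community strings and recreate the user with sha/aes as shown above.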

Here is a quick reference link from Cisco if you want to configure & verify SNMPv3 on Cisco devices.

Related Posts

1. Configuring SNMP on WLC



Configuring New Mobility

In this post we will see how to configure the “new mobility” feature on a legacy controller so it can communicate with a NGWC (like 5760/3850/3650). As shown in the topology below there are two WLCs (5760 & 5508) in my test setup.

If you are familiar with mobility between legacy controllers, they use UDP port 16666 for Mobility Control messages & EoIP (IP protocol 97) for Mobility Data messages between controllers. Here are two packet captures between two 5508s within a mobility group. First a mobility control packet:

Here is a mobility data packet (EoIP):

If you want to add a Next Gen Wireless Controller (e.g. 5760/3850/3650) into an existing CUWN environment, you have to enable a feature called “New Mobility” on your legacy controllers (5508, 2504, WiSM2) if you want clients to roam between these controllers. This feature simply changes the inter-controller data plane from the EoIP mobility tunnel to a UDP 16667 mobility tunnel. Since a single controller cannot run both EoIP & UDP 16667 tunnels at the same time, you have to choose one method:

1. Flat Mobility (EoIP for inter-controller data plane traffic): NGWC does not understand this protocol, so you cannot integrate a NGWC into your existing CUWN environment (roaming will not work between these controllers).
2. Hierarchical Mobility or New Mobility (UDP 16667 for inter-controller data plane traffic): you can have NGWC & legacy controllers in the same mobility domain with roaming working between them.

We will use a 5508 controller to enable this feature. This feature is available only on 7.3.112.0, 7.5.102.0 or anything from 7.6.x onwards. Here is the “show mobility summary” output of the 5508 prior to configuring new mobility. The 5508 is configured with mobility domain “BUN-1”.

(5508-1) >show mobility summary 
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... BUN-1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0xd3ca
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 1
Mobility Control Message DSCP Value.............. 0

Controllers configured in the Mobility Group
 MAC Address        IP Address                                       Group Name                        Multicast IP                                     Status
 50:57:a8:bb:bd:60  10.160.33.1                                      BUN-1                             0.0.0.0

Now let’s change the mobility architecture. First of all you need to enable the new mobility feature on the 5508. Be aware that this saves the configuration and reboots the controller, so do it in a maintenance window.

(5508-1) >config mobility ?             
dscp           Configures the Mobility inter controller DSCP value.
group          Configures the Mobility group parameters.
multicast-mode Configures the Multicast Mode for mobility messages
new-architecture Configure the controller to switch between old and new mobility architecture.
statistics     Resets the mobility statistics.

(5508-1) >config mobility new-architecture ?               
enable         Configure the controller to switch to new mobility architecture.               
disable        Configure the controller to switch to old mobility architecture.

(5508-1) >config mobility new-architecture enable 
Enabling new-mobility would change mobility architecture from old to new(Converged Access) !!!
Configuration changes will be saved and System will be rebooted. !!! 
Are you sure you want to continue? (y/n) 
y

The system has unsaved changes.
Configuration saved!
System will now restart!

Once it has rebooted you can verify that the “New Mobility” feature is enabled on the 5508. Note the extra fields compared to the earlier output: DTLS Mode (the new mobility control channel between controllers is DTLS protected), the MC public IP & the Mobility Oracle settings.

(5508-1) >show mobility summary 
New Mobility (Converged Access).................. Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... BUN-1
Multicast Mode .................................. Disabled
DTLS Mode ....................................... Enabled
Mobility Domain ID for 802.11r................... 0xd3ca
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 1
Mobility Control Message DSCP Value.............. 0
Mobility Oracle.................................. Disabled
Mobility MC public IP ........................... 10.160.33.1
Mobility Oracle IP address ...................... 0.0.0.0

Controllers configured in the Mobility Group
 IP Address       Public IP Address       Group Name         Multicast IP  MAC Address               Status
 10.160.33.1      10.160.33.1                BUN-1            0.0.0.0         50:57:a8:bb:bd:60          Up

Now you can add the 5760 as a mobility member on the 5508.

(5508-1) >config mobility group member add 10.160.49.1 ?              
group-name     Optional member switch group name (if different from default group name)
mac-address    It is recommended to add mac for old-new compatibility, however Optional member switch MAC address. 
public-ip-address Optional member switch public IP address

(5508-1) >config mobility group member add 10.160.49.1 group-name ?               
<group-name>   Optional member switch group name (if different from default group name)

(5508-1) >config mobility group member add 10.160.49.1 group-name BUN-1 ?               
public-ip-address Optional member switch public IP address
mac-address    It is recommended to add mac for old-new compatibility, however Optional member switch MAC address. 

(5508-1) >config mobility group member add 10.160.49.1 group-name BUN-1 

You have to add 5508-1 as a mobility member on the 5760 as well.

5760-1(config)#wireless mobility group member ip 10.160.33.1 group BUN-1

Once you do this you will see that mobility is established between the 5760 & 5508.

5760-1#show wireless mobility summary 
Mobility Controller Summary:
Mobility Role                                   : Mobility Controller
Mobility Protocol Port                          : 16666
Mobility Group Name                             : BUN-1
Mobility Oracle                                 : Disabled
Mobility Oracle IP Address                      : 0.0.0.0
DTLS Mode                                       : Enabled
Mobility Domain ID for 802.11r                  : 0xd3ca
Mobility Keepalive Interval                     : 10
Mobility Keepalive Count                        : 3
Mobility Control Message DSCP Value             : 48
Mobility Domain Member Count                    : 2

Link Status is Control Link Status : Data Link Status
Controllers configured in the Mobility Domain:
IP               Public IP        Group Name       Multicast IP     Link Status
-------------------------------------------------------------------------------
10.160.49.1      -                BUN-1            0.0.0.0          UP   : UP 
10.160.33.1      10.160.33.1      BUN-1            0.0.0.0          UP   : UP 

Now if you look at a packet capture on the 5508’s switch port you would see something like below. Inter-controller mobility CONTROL packets still use UDP 16666, whereas inter-controller mobility DATA packets now use UDP 16667.

As you can see below, the 5508 is now using UDP 16667 instead of EoIP.

If you configure the Mobility Oracle (MO) feature, it uses UDP port 16668 for its mobility communication. If there is a firewall between the controllers, it needs to allow UDP 16666 & 16667 (and 16668 with an MO) instead of IP protocol 97. In a future post we will see how a client roam works between these two controllers.

Here is the reference white paper I found very useful for converged access deployments.

Converged Access- Wired/Wireless System Architecture, Design & Operation.

 Related Post

1. What is “New Mobility” ?


WLC Access via RADIUS (ISE)

In this post we will see how to control access to a WLC using a RADIUS server. I have used Cisco ISE (Identity Services Engine) as the RADIUS server in this post.

I have created 3 user groups (WLC-RW, WLC-RO & WLC-LobbyAdmin) and 3 users (wlcrw, wlcro & user1). Each user is assigned to the respective user group as shown below.

Below shows the 3 users with their respective group.

Now you can create 3 different “Authorization Profiles” under the “Policy -> Policy Elements -> Results” section with different RADIUS attribute values. For full administrative access you have to set the “Service-Type” RADIUS attribute to “Administrative”. For the Read-Only user this setting should be “NAS-Prompt”, whereas for the Lobby Ambassador it should be “Callback Administrative”. The WLC only looks at this attribute (Service-Type, attribute 6) in the Access-Accept to decide the management role, so it is this value, not the ISE group name, that determines what the user can do.

Below shows the created “WLC-Admin-RW” profile with the “Service-Type” RADIUS attribute set to “Administrative”.

Here is the Authorization profile created for the Read-Only user.

Here is the Authorization profile created for the Lobby Ambassador user.

Let’s add a 5508 controller to ISE as a network device. I have created a WLC “Device Type” group to better control similar types of devices.

You have to use the same “Shared Secret” when configuring the RADIUS server on the WLC as well; choose a long random one, as it is the only thing protecting the RADIUS exchange on the wire.

Here are the WLC RADIUS server configuration settings. Remember to tick the “Management User” option here.

Then I have created a simple “Authentication Policy” to use “Internal Users”. Since the default policy also points to “Internal Users” this step may be optional.

Finally you need to create an “Authorization Policy” for each use case, selecting the different “Authorization Profiles” you created.

Now it is ready to test. If you access the WLC via the “https://wlc-mgt-ip” URL & when prompted enter the user1 (WLC Lobby Admin user) credentials, you will see something like this.

If you use the “wlcro” Read-Only user credentials you will see an output like below. It is very similar to the full WLC access view, but if you try to modify anything with this login it should say the user does not have sufficient privileges.

Here is the output when I try to disable an SSID using this login.

If you use the “wlcrw” credentials you will have full administrative access to the WLC.

Remember that this is applicable to any AireOS WLC (5508, 2504, WiSM2, etc.) & not applicable to the Next Gen IOS based WLCs (5760, 3850, 3650). For those IOS based controllers you can restrict device CLI access (privilege level 15 for full access, privilege level 1 for minimum access) via RADIUS. I do not see a way of controlling WLC access (https://device-mgt-ip/wireless) via RADIUS.

PS: Thanks to Gaith Alrawi (CCIE#23006 Sec, Wireless) for helping me on this topic.

Related Posts

1. WLC access via TACACS
2. WLC access via RADIUS (ACS 5.2)

 


WLC Access via RADIUS (ACS 5.x)

In this post we will see how to control WLC access via RADIUS, with ACS 5.2 used as the RADIUS server.

First you need to add the WLC to your ACS as an AAA device. Ensure the shared secret is configured for the RADIUS option & if you have created a Device Type group or Location group select those as well.

I have created two user groups in ACS (Users and Identity Stores -> Identity Groups section as shown below).

Then create the two users and assign them to the groups created above. You can do this via the “Users & Identity Stores -> Internal Identity Stores -> Users” section as shown below.

Since the Device Administration policy section in ACS is for TACACS+ only, for RADIUS you have to use Network Access Authorization Profiles to do this.

So we will create a policy element called “WLCUser” in the Policy Elements -> Authorization & Permissions -> Network Access -> Authorization Profiles section as shown below. The RADIUS attribute to select is “Service-Type” (ID=6).


Then the attribute value needs to be selected. Since this is the Read-Only user the attribute value should be “NAS Prompt”. For the full admin user this value should be “Administrative” & for the Lobby Ambassador it should be “Callback Administrative”.


It is important to hit the “Add ^” button to ensure the selected values are properly configured. If you hit the Submit button without this step the settings will not be saved.


Once you hit the “Add” button then you can click submit button as shown below.


You have to follow the similar steps for WLCAdmin profile created for Admin users. As described earlier attribute value should be “Administrative”. Here is the attribute value setting for WLCAdmin profile.


Then in the Access Policies section you have to create a Rule for Admin users & Non-Admin users as shown below. I have selected device type & Identity Group for the conditions.


You can select the previously defined rule & by clicking “Duplicate” button you can easily recreate a rule & modify it to suit the Non-Admin user.


Once you created the Rules you should have something similar to this.


That finishes the ACS configuration. You have to add ACS as a RADIUS server on your WLC and select the correct priority order for Management Users of the WLC. The screen below shows how to do this; you have to go to the “Security -> AAA -> RADIUS -> Authentication” section.


You have to select the priority order “Local” & then “RADIUS” to ensure that you do not lock yourself out in case of a wrong RADIUS configuration. The WLC only moves to the next method in the list when the server is unreachable, not when it rejects the login, so with RADIUS first a rejected (or misconfigured) account cannot fall back to local. Once RADIUS is verified, consider putting it first so that local accounts are only used when the server is down rather than as an alternative login.


Now you can check WLC access with those two different users. With a “Non Admin-Group” user you should be able to view any WLC config settings, but not modify any configuration. With an “Admin-Group” user credential you would have full administrative access to the WLC.
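Both this post and the ISE one above come down to one RADIUS attribute: the WLC reads Service-Type (attribute 6) from the Access-Accept and maps Administrative (6), NAS-Prompt (7) and Callback Administrative (11) to the Read/Write, Read-Only and Lobby Ambassador roles. The Python below is an added example, not code from the post, ACS, ISE or a WLC: it builds such an Access-Accept the way the server does (including the RFC 2865 Response Authenticator computed over the shared secret) and then does what the WLC has to do with it, check the authenticator and derive the role. The shared secret and Request Authenticator in it are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
SERVICE_TYPE = 6  # RADIUS attribute type 6 (RFC 2865 section 5.6)
# Service-Type values the WLC maps to management roles (names as the WLC GUI shows them)
ADMINISTRATIVE, NAS_PROMPT, CALLBACK_ADMINISTRATIVE = 6, 7, 11
WLC_ROLE = {
    ADMINISTRATIVE: "Read/Write",
    NAS_PROMPT: "Read-Only",
    CALLBACK_ADMINISTRATIVE: "Lobby Ambassador",
}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, service_type: int) -> bytes:
    """What the server (ISE/ACS) returns when an authorization profile with Service-Type matches."""
    attrs = encode_attr(SERVICE_TYPE, struct.pack("!I", service_type))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data: bytes) -> dict:
    """Walk the attribute TLVs; reject anything truncated or with an impossible length."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def wlc_role_from_reply(packet: bytes, request_auth: bytes, secret: bytes):
    """What the WLC does with the reply: authenticate it, then map Service-Type to a role.
    Returns the role name, or None when the login must be refused."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None  # wrong shared secret or a forged reply: never trust its attributes
    value = parse_attrs(attrs).get(SERVICE_TYPE)
    if value is None or len(value) != 4:
        return None  # Accept without Service-Type: no management role granted (assumption here)
    return WLC_ROLE.get(struct.unpack("!I", value)[0])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    request_auth = os.urandom(16)  # the Request Authenticator the WLC sent in its Access-Request
    for svc in (ADMINISTRATIVE, NAS_PROMPT, CALLBACK_ADMINISTRATIVE, 1):
        reply = build_access_accept(0x2A, request_auth, secret, svc)
        print(f"Service-Type {svc:2d} -> {wlc_role_from_reply(reply, request_auth, secret)}")
    print("wrong secret ->", wlc_role_from_reply(reply, request_auth, b"other-secret"))
```

The authenticator check is why the shared secret matters even though RADIUS does not encrypt the attribute: a reply built with the wrong secret is discarded before Service-Type is even looked at. Treating an Accept that carries no Service-Type as “no role” is an assumption of this example, not a behaviour quoted from Cisco documentation.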

Related Posts

1. WLC Access via TACACS
2. WLC Access via RADIUS (ISE1.2)


On Holidays !!!

I am taking a long awaited break & am now enjoying 6 weeks off from work (including blogging itself). That’s the reason for the lack of responses to your comments/mails/etc.

I have spent a few days in Singapore & now I am in Sri Lanka for the next 4 weeks. I will be in Dubai for a couple of days (26-27th June) on my way back to Melbourne.

@Singapore



Vlan Groups in 5760/3850

If you ever wondered how to configure the “vlan select” or “interface group” feature in a Converged Access (3850/3650/5760) setup, here is how you do it (I am using IOS-XE 3.6E for this post). This feature is known as “Vlan Group” in the IOS based controllers (in the GUI of these controllers you still see it as interface group for familiarity). Here is my topology for the post.

In my topology the 5760 is acting as MC & the 3850 stacks are acting as MA. In this post I have configured the “vlan group” on the 3850-2 MA. Let’s say you have four different subnets to be assigned to a single WLAN:

Vlan 1360- x.x.110.0/24
Vlan 1361-x.x.16.0/23
Vlan 1362-x.x.228.0/23
Vlan 1363-x.x.241.0/24

This post assumes you are doing this in a Layer 2 access topology (not Routed L3 Access) where all your VLAN SVIs are defined on the distribution layer. In my case all SVIs are defined on the DR01 switch. So on my 3850-2 there are only two SVIs, one for switch management (vlan 1600) & the other for wireless management (vlan 1610).

3850-2#sh ip int bri | ex un
Interface              IP-Address      OK? Method Status                Protocol
Vlan1600               x.160.x.22    YES NVRAM  up                    up      
Vlan1610               x.161.x.22    YES NVRAM  up                    up

Since you do not have L3 interfaces for the user VLANs (1360-1363) on your 3850 switches, you have to enable DHCP snooping for VLANs 1360-1363 in order for wireless clients to get an IP from a DHCP server (the switch learns the wireless client addresses from the snooped DHCP exchange). Refer to the Understanding DHCP Snooping post for more detail about this feature. You also have to trust your uplink port towards your DHCP server (G1/0/48 in this example); without the trust, DHCP offers arriving on that port are dropped as if they came from a rogue server.

ip dhcp snooping
ip dhcp snooping vlan 1360-1363
no ip dhcp snooping information option
ip dhcp snooping wireless bootp-broadcast enable
!
int g1/0/48
 ip dhcp snooping trust

“Vlan Group” configuration is very straightforward in the CLI (one CLI entry). In Converged Access, wireless users’ CAPWAP traffic terminates at your access layer, so your access layer switch should have those user VLANs defined like any other wired VLANs. Unless you have Routed Access, all your VLAN SVIs are defined on the distribution switch these access switches connect to.

Now we have to create a “Vlan Group” (let’s say STUDENT-INTGRP) & map VLANs 1360-1363 to this group. Later on we will add this group to the WLAN.

3850-2(config)#vlan ?
  WORD           ISL VLAN IDs 1-4094
  access-map     Create vlan access-map or enter vlan access-map command mode
  configuration  vlan feature configuration mode
  dot1q          dot1q parameters
  filter         Apply a VLAN Map
  group          Create a vlan group
  internal       internal VLAN

3850-2(config)#vlan group ?
  WORD  Group name starts with alphabet

3850-2(config)#vlan group STUDENT-INTGRP ?
  vlan-list  List of vlans in this group

3850-2(config)#vlan group STUDENT-INTGRP vlan-list ?
  <1-4094>  VLAN id

3850-2(config)#vlan group STUDENT-INTGRP vlan-list 1360-1363

Now when you define “client vlan x” under the WLAN configuration, you can give the “Vlan Group” name instead of a single VLAN ID. Here is a sample configuration of an 802.1X SSID where clients are mapped to the defined VLAN group (refer to WLAN Config with 3850 for the full configuration including RADIUS). So when connecting to this SSID, users will get IPs from those 4 different subnets in VLANs 1360-1363. Remember that you have to configure this under AP-Group -> WLAN as well if you are using AP groups, since the AP group’s VLAN mapping takes precedence over the WLAN one.

wlan DATA 22 DATA
 aaa-override
 accounting-list TEST-RAD
 band-select
 client vlan STUDENT-INTGRP
 ip dhcp required
 ip flow monitor wireless-avc-basic input
 ip flow monitor wireless-avc-basic output
 security dot1x authentication-list TEST-RAD
 service-policy input platinum-up
 service-policy output platinum
 wmm require
 no shutdown
!
ap group TEST-APG 
 wlan DATA
  vlan STUDENT-INTGRP

You can verify using the “show ap groups” command that the correct interface group/VLAN group is mapped to your WLAN.

3850-2#show ap groups  
Site Name: TEST-APG
Site Description: 

WLAN ID   WLAN Name                        Interface
-----------------------------------------------------
22        DATA                     STUDENT-INTGRP 

AP Name                         Ethernet MAC      Location
-----------------------------------------------------------
3702-1                           b838.617f.eb88 default locatio

Now you can test this by connecting multiple clients to see whether they are getting IPs from different subnets. You can use the “show wireless client summary” & “show wcdb database all” commands to verify that your clients connecting to WLAN ID 22 get IP addresses from different subnets across VLANs 1360-1363.

3850-2#show wcdb database all | in 136
c8e0.ebdd.63bd   1362 x.x.229.18  0x00C6ED40000001C2 RUN      LOCAL   
c4d9.8767.90e9   1361 x.x.17.232  0x00C6ED40000001C2 RUN      LOCAL   
cc08.e0cf.499f   1362 x.x.229.14  0x00C6ED40000001C2 RUN      LOCAL   
74e2.f558.5a82   1360 x.x.156.63  0x00C6ED40000001C2 RUN      LOCAL 
78a3.e493.bc5f   1363 x.x.241.114 0x00C6ED40000001C2 RUN      LOCAL   
!
3850-2#show wireless client summary | in 5a82|63bd|499f|90e9|bc5f
74e2.f558.5a82 3702-1                           22   UP                 11n(2.4) 
c4d9.8767.90e9 3702-1                           22   UP                 11n(2.4) 
cc08.e0cf.499f 3702-1                           22   UP                 11n(2.4) 
c8e0.ebdd.63bd 3702-1                           22   AUTHENTICATING     11g  
78a3.e493.bc5f 3702-1                           22   UP                 11n(2.4)
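The three pieces above (DHCP snooping for the user VLANs, the vlan group, and the client vlan mapping on the WLAN and AP group) have to agree, and the failure mode is quiet: a VLAN added to the group later but not to “ip dhcp snooping vlan” means clients landing in it never get an address. The Python below is an added example, not code from the post or from Cisco: it parses a running-config fragment, expands IOS vlan-list syntax, and reports any WLAN whose VLAN group contains a VLAN that is not snooped, plus a missing global “ip dhcp snooping” or trusted uplink. The good config is the one from this post; the bad one is constructed.

```python
import re

# Running-config fragment from this post (Layer 2 access MA, SVIs live on the distribution switch)
GOOD_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 1360-1363
no ip dhcp snooping information option
ip dhcp snooping wireless bootp-broadcast enable
!
int g1/0/48
 ip dhcp snooping trust
!
vlan group STUDENT-INTGRP vlan-list 1360-1363
!
wlan DATA 22 DATA
 client vlan STUDENT-INTGRP
 no shutdown
!
ap group TEST-APG
 wlan DATA
  vlan STUDENT-INTGRP
"""

# Constructed broken variant: vlan 1364 was added to the group but not to snooping, and no port is trusted
BAD_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 1360-1363
vlan group STUDENT-INTGRP vlan-list 1360-1364
wlan DATA 22 DATA
 client vlan STUDENT-INTGRP
"""


def expand_vlan_list(spec: str) -> set:
    """IOS vlan-list syntax: '1360-1363,1400' -> {1360, 1361, 1362, 1363, 1400}."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"bad vlan range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_config(config: str) -> dict:
    """Collect the snooping, vlan group and WLAN client-vlan statements from a config."""
    st = {"snooping": False, "snooping_vlans": set(), "trusted": [], "groups": {}, "wlans": {}}
    section = ""
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            section = raw.strip()  # an unindented command opens a new section (int, wlan, ap group)
        line = raw.strip()
        m_snoop = re.match(r"ip dhcp snooping vlan (\S+)$", line)
        m_group = re.match(r"vlan group (\S+) vlan-list (\S+)$", line)
        m_client = re.match(r"client vlan (\S+)$", line)
        if line == "ip dhcp snooping":
            st["snooping"] = True
        elif m_snoop:
            st["snooping_vlans"] |= expand_vlan_list(m_snoop.group(1))
        elif line == "ip dhcp snooping trust" and section.startswith("int"):
            st["trusted"].append(section)
        elif m_group:
            st["groups"][m_group.group(1)] = expand_vlan_list(m_group.group(2))
        elif m_client and section.startswith("wlan "):
            st["wlans"][section.split()[1]] = m_client.group(1)
    return st


def check(config: str) -> list:
    """Findings: every vlan a WLAN can place a client in must be covered by DHCP snooping."""
    st = parse_config(config)
    findings = []
    if not st["snooping"]:
        findings.append("ip dhcp snooping is not enabled globally")
    if not st["trusted"]:
        findings.append("no interface has 'ip dhcp snooping trust' (the uplink towards the DHCP server needs it)")
    for wlan, target in st["wlans"].items():
        if target.isdigit():
            vlans = {int(target)}
        elif target in st["groups"]:
            vlans = st["groups"][target]
        else:
            findings.append(f"wlan {wlan}: vlan group {target} is not defined")
            continue
        missing = sorted(vlans - st["snooping_vlans"])
        if missing:
            findings.append(f"wlan {wlan}: vlan(s) {missing} are not in 'ip dhcp snooping vlan'")
    return findings


if __name__ == "__main__":
    print("post config:", check(GOOD_CONFIG) or "OK")
    print("broken config:", check(BAD_CONFIG))
```

Run it against “show running-config” from each MA whenever a VLAN is added to a group; a numeric “client vlan” is checked the same way, since that VLAN also has no SVI on the access switch in this topology.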

If you want to do this via the GUI, you can do the same. Here are the steps (I would not think anyone likes to define L2 switch configs via the GUI, but the option is there for anyone willing to go that way as well). You have to go to the “Controller -> Configuration -> VLAN” section & add your required VLANs to the switch & then group them.


Then you can go to the “Wireless -> WLAN -> Select Your WLAN -> General -> Interface/Interface Group” field to bind the VLAN group to the WLAN.

Reference

IOS XE Release 3E – VLAN Configuration Guide


 


5760-WebAuth Certificates

In this post we will see how to install a WebAuth certificate on a 5760 controller. This prevents guest users from getting a browser certificate warning when they are redirected to the guest portal, which matters beyond cosmetics: users who are trained to click through that warning cannot tell the real portal from a rogue one.

The first task is to obtain a CSR (Certificate Signing Request) for the 5760. Since the 5760 cannot do this by itself you have to use software like OpenSSL. I used Win64 OpenSSL v0.9.8za Light since my PC is 64-bit (refer to the Configuring EAP-TLS on a WLC post for a 32-bit OpenSSL build). Note that the 0.9.8 branch is long out of support; any current OpenSSL release accepts the same commands. Here are the screenshots of the OpenSSL installation wizard.

5760-WebAuth-Cert-01 to 5760-WebAuth-Cert-06 (installation wizard screenshots)

Once the installation completes, open a command prompt (All Programs -> Accessories -> right-click Command Prompt -> Run as Administrator). Then generate the CSR (5760-1111req.pem) together with its private key (5760-1111key.pem) as shown below. Use as the Common Name the FQDN that resolves to your 5760 virtual IP address: that is the host name guest browsers see in the portal redirect URL, and any mismatch between the two brings back exactly the certificate warning this exercise is meant to remove. Keep the private key file to yourself; it is the secret that gives the certificate its value.

5760-WebAuth-Cert-08

Once this is done you will find the two files in the C:\OpenSSL\bin folder. Submit the CSR (in my case 5760-1111req.pem) to your Certificate Authority to have a certificate issued. Once the request is approved, the CA offers the certificate in several formats. Here is what I got from the CA.

5760-WebAuth-Cert-09

I downloaded the PKCS#7 Base64-encoded format of the certificate. Since the 5760 configuration guide documents installing certificates in PKCS12 format, as shown below, I converted my certificate into that format.

5760-WebAuth-Cert-10

Here is how to convert it to PKCS12. I renamed the certificate downloaded from the CA to "webauth-guest.p7b" and used it to generate a PKCS12 file named "webauth-guest.pfx". Here is the command syntax if you are doing this on a Linux host (the first command expects the Base64/PEM PKCS#7 file; add "-inform DER" if your CA handed you the binary variant). The ".cer" file written by the first command contains every certificate in the PKCS#7 bundle, so the issuing chain ends up inside the .pfx as well, which is what lets the import create trustpoints for the CAs higher in the hierarchy later on.

openssl pkcs7 -print_certs -in webauth-guest.p7b -out webauth-guest.cer
openssl pkcs12 -export -in webauth-guest.cer -inkey 5760-1111key.pem -out webauth-guest.pfx
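The same flow as a script, written as an added example for this page rather than taken from the original post: it generates the key and CSR with the FQDN in both the CN and the subjectAltName, signs it with a throwaway local CA that stands in for your real CA so the whole thing runs offline, bundles leaf, key and chain into the PKCS12 file, and then runs the checks worth doing before the file goes anywhere near the controller (the bundle opens with the password, the leaf chains to the CA, the SAN holds the FQDN). The FQDN, subject fields, file names, the trustpoint label and the password are all assumptions. It needs OpenSSL 1.1.1 or later for the -addext and -ext options. If an older controller release refuses the resulting .pfx, the usual culprit is the newer PKCS12 encryption that OpenSSL 3 uses by default; re-running the export with "-legacy" (OpenSSL 3 with the legacy provider loaded) produces the older encoding.

```sh
#!/bin/sh
# Added example, not from the original post: build a WebAuth server
# certificate with OpenSSL, package it as the PKCS12 file that
# "crypto pki import ... pkcs12" expects, and check the bundle before
# uploading it. FQDN, file names, subject fields and password are
# assumptions for this demo.
WORK="${WORK:-$(mktemp -d)}"

# 1. Key and CSR. The CN is the FQDN that resolves to the 5760 virtual IP,
#    and the same name goes into subjectAltName: browsers match the host
#    name in the redirect URL against the SAN, not the CN.
make_csr() {
    fqdn="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/5760key.pem" -out "$WORK/5760req.pem" \
        -subj "/O=Example Lab/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
}

# 2. Stand-in CA. In real life the CSR goes to your CA; a throwaway local
#    CA signs it here so the flow runs offline. It copies the SAN and adds
#    the serverAuth EKU, as a public CA would.
sign_with_test_ca() {
    fqdn="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -subj "/O=Example Lab/CN=Example Lab Test CA" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" \
        > "$WORK/ext.cnf"
    openssl x509 -req -days 30 -in "$WORK/5760req.pem" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/5760cert.pem" 2>/dev/null
}

# 3. Bundle leaf + key + issuing chain. The chain has to be inside the .pfx:
#    the import prompt on the 5760 can only create trustpoints for "CAs
#    higher in the hierarchy" that it actually finds in the file.
bundle_pkcs12() {
    pass="$1"
    openssl pkcs12 -export -name webauth-cert \
        -in "$WORK/5760cert.pem" -inkey "$WORK/5760key.pem" \
        -certfile "$WORK/cacert.pem" \
        -passout "pass:$pass" -out "$WORK/webauth-guest.pfx"
}

# 4. Pre-upload checks: the bundle opens with the password you will type in
#    "crypto pki import", the leaf chains to the CA, and the FQDN is present
#    as a SAN. Returns 0 only if all three hold.
check_bundle() {
    pass="$1"; fqdn="$2"
    rm -f "$WORK/leaf.pem"
    openssl pkcs12 -in "$WORK/webauth-guest.pfx" -passin "pass:$pass" \
        -clcerts -nokeys -out "$WORK/leaf.pem" 2>/dev/null &&
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/leaf.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$WORK/leaf.pem" -noout -ext subjectAltName | grep -q "DNS:$fqdn"
}

# SHA-1 fingerprint of the leaf, to compare with what
# "show crypto ca certificate verbose" reports after the import.
leaf_fingerprint() {
    openssl x509 -in "$WORK/5760cert.pem" -noout -fingerprint -sha1
}

# Usage: sh this_script.sh run guest.example.com Cisco123
if [ "${1:-}" = "run" ]; then
    make_csr "$2" && sign_with_test_ca "$2" && bundle_pkcs12 "$3" \
        && check_bundle "$3" "$2" && leaf_fingerprint \
        && echo "bundle OK: $WORK/webauth-guest.pfx"
fi
```

When you use a real CA, drop the sign_with_test_ca step, put the CA's own chain file in place of cacert.pem for the -certfile and -CAfile arguments, and keep the rest; the fingerprint printed at the end is what you compare against the controller's "show crypto ca certificate verbose" output once the import has finished.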

Here is how I did this through the OpenSSL application. OpenSSL first asks for the passphrase protecting the private key generated with the CSR, then for an export password for the .pfx; I used the same password for both, and the export password is the one you type in the "crypto pki import" command later.

5760-WebAuth-Cert-11

Once the PKCS12 file is available you can install it on your 5760 using IOS commands. First copy the certificate to the 5760 flash, then import it.

5760-1#copy tftp://x.x.13.20/webauth-guest.pfx flash:
Destination filename [webauth-guest.pfx]? 
Accessing tftp://x.x.13.20/webauth-guest.pfx...
Loading webauth-guest.pfx from x.x.13.20 (via Vlan1600): !
[OK - 6477 bytes]

6477 bytes copied in 0.080 secs (80963 bytes/sec)

5760-1(config)#crypto pki import ? 
  WORD  Trustpoint label to associate certificate or pkcs-12 file with

5760-1(config)#crypto pki import webauth-cert pkcs12 flash:webauth-guest.pfx password Cisco123
% Importing pkcs12...
Source filename [webauth-guest.pfx]? 
Reading file from flash:webauth-guest.pfx% The CA cert is not self-signed.
% Do you also want to create trustpoints for CAs higher in
% the hierarchy? [yes/no]: yes
CRYPTO_PKI: Imported PKCS12 file successfully.

Now your 5760 is equipped with a WebAuth certificate :) You can verify the resulting configuration with "show archive config diff" before doing a write mem, and "show crypto ca certificate verbose" shows the imported certificate itself. Two housekeeping points: the .pfx on flash contains the private key protected only by that import password, so delete it from flash once the import has succeeded; and if you can, prefer SCP or HTTPS over TFTP for the copy, since TFTP carries the file in clear text and the password typed on the command line also ends up in your terminal log.

5760-1#show archive config differences nvram:startup-config system:running-config
!Contextual Config Diffs:
+crypto pki trustpoint webauth-cert
 +revocation-check crl
 +rsakeypair webauth-cert
+crypto pki trustpoint webauth-cert-rrr1
 +revocation-check crl
+crypto pki trustpoint webauth-cert-rrr2
 +revocation-check crl

+crypto pki certificate chain webauth-cert
.
.

5760-1#show crypto ca certificate verb
Certificate
  Status: Available
  Version: 3
 .
 .
 .
  Associated Trustpoints: webauth-cert 
  Key Label: webauth-cert

With the certificate in place your guest users will no longer see a warning like the one below when they are redirected to the Guest Portal.

5760-WebAuth-Cert-12

Here are some related Cisco Documents which may be useful as well

1. Converged Access Wireless LAN Controllers Third-Party Certificate Installation (Doc 117197)
2. 5760 IOS-XE Release 3E-Configuring Guest Wireless
3. Generate CSR for 3rd Party Cert & install it on WLC (Doc 70584)

Special Thanks to my colleague Gareth for helping me to understand a little bit about these certificates.

Related Posts

1. Guest Anchoring in Converged Access
2. Web Auth in Converged Access
3. Configuring EAP-TLS on a WLC


Cisco Technical Documentation


If you want to find all Cisco Tech Notes & Configuration Examples, go to http://www.cisco.com/web/services/technical-services-newsletter/techdocs/index.html.

You can search by Title, Type, Technology & Category. For example if you want to find all wireless Tech Notes published in 2014 you can simply select the technology as “Wireless” in 2014 archives.

TAC-Notes-01

If you bookmark this and visit it frequently you will not miss any Tech Notes or Configuration Examples in your technology of interest (I regularly watch what is coming in the wireless space). This is a great resource for anyone preparing for their CCIE as well.

If you are using the Cisco Technical Support application on your smartphone/tablet, you can view these TAC documents through that as well. Here is a screenshot of how it looks on my iPhone.

TAC-Notes-02



Client Details in Converged Access


In this post we will see where client information can be found on Converged Access platforms (5760/3850/3650). Client information is kept in three different places within the switch:

1. WCM – Wireless Control Module
2. WCDB – Wireless Client DataBase within IOSd
3. Platform or Forwarding Infrastructure

The diagram below shows these components within the switch architecture and the commands you can run to view this information.

CA-Client Detail-01

Here is an example. The "show wireless client summary" output gives each client's MAC address, connected AP name, WLAN ID, client state and protocol. If the protocol column shows "Mobile", that client has roamed away from this switch.

3850-1#show wireless client ?
  ap                    Cisco access point information
  calls                 Wireless client calls
  client-statistics     Show clients statistics
  dot11                 Show 802.11 parameters
  location-calibration  wireless client location calibration
  mac-address           Wireless client MAC address
  probing               Show probing clients
  statistic             Show protocol client count
  summary               Show active clients
  tclas                 Show TCLAS associated with a client and User Priority
  timers                Display 802.11 system timers
  top                   top
  username              Shows wireless client information
  voice                 Wireless client voice parameters
  wifidirect            Show wifidirect related attributes 

3850-1#show wireless client summary 
Number of Local Clients : 2

MAC Address    AP Name                          WLAN State              Protocol 
--------------------------------------------------------------------------------
8c70.5a74.2370 xxx-AP06                         22   UP                 11n(5)   
9018.7cfa.c6ac N/A                              22   UP                 Mobile

Client IP information comes from the "show wcdb database all" command. As you can see below, the mobility state is "LOCAL" for the local client and "ANCHOR" for the mobile client, indicating that the latter has roamed to an AP managed by a different 3850.

3850-1#show wcdb database all 
        Total Number of Wireless Clients = 2
                Clients Waiting to Join   = 0
                Local Clients             = 1
                Anchor Clients            = 1
                Foreign Clients           = 0
                MTE Clients               = 0

Mac Address    VlanId IPv4 Address    Src If         Auth     Mob    
------------------ ------ --------------- ------------------ -------- -------
8c70.5a74.2370   1420 x.x.104.29  0x0081670000000007 RUN      LOCAL   
9018.7cfa.c6ac   1420 x.x.104.100 0x008094400000003E RUN      ANCHOR  

"LOCAL" means the client is connected to an AP managed by this switch and has stayed on that AP without roaming. Here is the WCDB detail for the "LOCAL" client. The state_change_history at the end of the output records each transition (ASSOCIATE -> L2_AUTH -> LEARN_IP -> RUN) with a timestamp, which is what you want when a client never reaches RUN: the newest entry tells you which stage it got stuck in. The history does not necessarily hold an entry for every state (here it ends at LEARN_IP while auth_state already shows RUN), so read it together with the auth_state fields above it.

3850-1#show wcdb database ?
  H.H.H             48-bit hardware address
  all               All WCDB entries
  client-id-db      All Client ID entries
  ip-db             All IP ADDR entries
  non-cisco-wgb-db  All Wired Clients behind Non-Cisco WGB

3850-1#show wcdb database 8c70.5a74.2370 
mac:             8c70.5a74.2370
ssid:            Wireless2
client_type:     Regular Wireless
client_id:       0x00B9D50000000832
client_index:    1978
user_id:         xyz
src_interface:   0x00A0080000000028
dst_interface:   0x0000000000000000
bssid:           b838.6183.70a0
radio_id:        1
wgbid:           0000.0000.0000
wlan_id:         1
global_wlan_id:  22
assoc_id:        1
vlan_id:         1420
mcast_vlan_id:   1360
mobility_state:  LOCAL
auth_state:      RUN
auth_state_wcm:  RUN
dhcp_req_rx:     0
ipv4_source:     DHCP
ipsg_flag:       0
num_v4_addrs:    1
ipv4addr[0]:     x.x.104.29
ipv4addr[1]:     0.0.0.0
ipv4addr[2]:     0.0.0.0
ipv4addr[3]:     0.0.0.0
num_v6_addrs:    0
dhcp_server_ip:  0.0.0.0
dhcp_class_name: Test
dhcp_action_flags: 0
option 82:
option_82 length: 0
dhcp_notify_preference_flag: 1
dhcp_notify_interested_options: 0
options_length: 0
options TLV is: 
p2p_state:        P2P_BLOCKING_DISABLE
bssid_iifid:     0x009C83C0000000A0
radio_iifid:     0x009D0C400000002A
num_protocol_values:  1
 Entry no: 0
 protocol = 0
 type = 0
 value = 0
ip_learnt:     0x1
flags:         0x2
switch_num:      0
asic_num:        0

state_change_history:
    Vlan Auth     Mob    Flags IPv4Src     IPv4Address(s)      time
 2. 1420 LEARN_IP LOCAL   0x2  DHCP    [1]  x.x.104.29     08-05-2014 18:35:43.329569
 1. 1420 L2_AUTH_ INIT    0x2  UNKNOWN [0]                 08-05-2014 18:35:42.465359
 0. 1363 ASSOCIAT INIT    0x0  UNKNOWN [0]                 08-05-2014 18:35:39.525280

    IPLearnt IPv6Address(s)
 2. 0x1      [0]
 1. 0x0      [0]
 0. 0x0      [0]

In the "show capwap detail" output you can see that the client's src_interface (0x00A0080000000028) matches the IfId of Ca6, the CAPWAP data tunnel to xxx-AP08 where the client is associated. The all-zero dst_interface (0x0000000000000000) indicates that the client's traffic terminates on this switch itself rather than being tunnelled onwards.

3850-1#show capwap ?       
  ap-name  CAPWAP Interface Info of an AP
  detail   CAPWAP Interface Details
  summary  CAPWAP Interface Summary

3850-1#show capwap detail 

CAPWAP Tunnels General Statistics:
  Number of Capwap Data Tunnels       = 8  
  Number of Capwap Mobility Tunnels   = 7  
  Number of Capwap Multicast Tunnels  = 1  


Name   APName          Type PhyPortIf Mode      McastIf
------ -------------------------------- ---- --------- --------- -------
Ca0    -               mob  -         unicast   -      
Ca15   -               mcas -         unicast   -      
Ca9    -               mob  -         unicast   -  
.
Ca6    XXX-AP08        data Gi1/0/1   multicast Ca15   
Ca4    XXX-AP02        data Gi2/0/2   multicast Ca15   


Name   SrcIP           SrcPort DestIP    DstPort DtlsEn MTU   Xact
------ --------------- ------- --------------- ------- ------ ----- ----
Ca0    x.y.32.26    16667   x.y.49.1     16667   No     1464  1    
Ca15   x.y.32.26    5247    239.160.32.26   5247    No     1449  1   
Ca9    x.y.32.26    16667   x.y.32.25    16667   No     1464  1  
. 
Ca6    x.y.32.26    5247    x.y.32.133   4154    No     1449  0    
Ca4    x.y.32.26    5247    x.y.33.66    65196   No     1449  0    


Name   IfId               McastRef
------ ------------------ --------
Ca0    0x009D6B4000000001 0       
Ca15   0x009417400000007D 8       
Ca6    0x00A0080000000028 0       
Ca4    0x009A4C000000001A 0       

Now look at the WCDB detail for the other client. "ANCHOR" means the client first associated to an AP managed by this switch (3850-1) and then roamed to an AP managed by a different switch (3850-2). On this switch the client's mobility state has become "ANCHOR", and the state_change_history shows it was "LOCAL" before that. The anchor keeps the client's IP address and VLAN, which is why the client still shows x.x.104.100 on VLAN 1420 here even though no local AP serves it any more (note the all-zero bssid).

3850-1#show wcdb database 9018.7cfa.c6ac ?
  |  Output modifiers
  <cr>

3850-1#show wcdb database 9018.7cfa.c6ac 
mac:             9018.7cfa.c6ac
ssid:            Wireless2
client_type:     Regular Wireless
client_id:       0x00A1E6C0000007A9
client_index:    1841
user_id:         abc123
src_interface:   0x008094400000003E
dst_interface:   0x0000000000000000
bssid:           0000.0000.0000
radio_id:        0
wgbid:           0000.0000.0000
wlan_id:         1
global_wlan_id:  22
assoc_id:        5
vlan_id:         1420
mcast_vlan_id:   1360
mobility_state:  ANCHOR
auth_state:      RUN
auth_state_wcm:  RUN
dhcp_req_rx:     0
ipv4_source:     DHCP
ipsg_flag:       0
num_v4_addrs:    1
ipv4addr[0]:     x.x.104.100
ipv4addr[1]:     0.0.0.0
ipv4addr[2]:     0.0.0.0
ipv4addr[3]:     0.0.0.0
num_v6_addrs:    0
dhcp_server_ip:  0.0.0.0
dhcp_class_name: Test
dhcp_action_flags: 0
option 82:
option_82 length: 0
dhcp_notify_preference_flag: 1
dhcp_notify_interested_options: 0
options_length: 0
options TLV is: 
p2p_state:        P2P_BLOCKING_DISABLE
bssid_iifid:     0x0000000000000000
radio_iifid:     0x0000000000000000
num_protocol_values:  1
 Entry no: 0
 protocol = 0
 type = 0
 value = 0
ip_learnt:     0x1
flags:         0x2
switch_num:      0
asic_num:        0

state_change_history:
    Vlan Auth     Mob    Flags IPv4Src    IPv4Address(s)      time
 3. 1420 RUN      LOCAL   0x2  DHCP    [1] x.x.104.100     08-05-2014 15:03:49.43096
 2. 1420 LEARN_IP LOCAL   0x2  DHCP    [1] x.x.104.100     08-05-2014 15:03:42.854828
 1. 1420 L2_AUTH_ INIT    0x2  UNKNOWN [0]                 08-05-2014 15:03:41.105011
 0. 1362 ASSOCIAT INIT    0x0  UNKNOWN [0]                 08-05-2014 15:03:38.187555

    IPLearnt IPv6Address(s)
 3. 0x1      [0]
 2. 0x1      [0]
 1. 0x0      [0]
 0. 0x0      [0]

The src_interface of this client (0x008094400000003E) now matches Ca9, the CAPWAP mobility tunnel between this switch (x.y.32.26) and 3850-2 (x.y.32.25): the client's traffic reaches the anchor through that tunnel rather than from a local AP.

3850-1#show capwap detail | in 003E
Ca9    0x008094400000003E 0 

3850-1#show capwap detail | be Ca9
Name   SrcIP        SrcPort DestIP      DstPort DtlsEn MTU   Xact
------ --------------- ------- --------------- ------- ------ ----- ----
Ca0    x.y.32.26    16667   x.y.49.1     16667   No     1464  1    
Ca7    x.y.32.26    5247    x.y.33.71    30387   No     1449  0    
Ca9    x.y.32.26    16667   x.y.32.25    16667   No     1464  1 

If you log in to the switch at x.y.32.25 you should see this client's detail there as well.

3850-2#show wcdb database all 
        Total Number of Wireless Clients = 2
                Clients Waiting to Join   = 0
                Local Clients             = 1
                Anchor Clients            = 0
                Foreign Clients           = 1
                MTE Clients               = 0

Mac Address    VlanId IPv4 Address    Src If             Auth     Mob    
-------------- ------ --------------- ------------------ -------- -------
9018.7cfa.c6ac   1420 x.x.104.100 0x008E6CC000000017 RUN      FOREIGN 
0080.9244.fd09   1108 x.x.9.1     0x00A76C0000000010 RUN      LOCAL

You can verify client WCDB details as below

3850-2#show wcdb database 9018.7cfa.c6ac
mac:             9018.7cfa.c6ac
ssid:            Wireless2
client_type:     Regular Wireless
client_id:       0x00AB5540000004B0
client_index:    1131
user_id:         abc123
src_interface:   0x008E6CC000000017
dst_interface:   0x0083A74000000007
bssid:           b838.6183.6730
radio_id:        1
wgbid:           0000.0000.0000
wlan_id:         1
global_wlan_id:  22
assoc_id:        7
vlan_id:         1420
mcast_vlan_id:   1360
mobility_state:  FOREIGN
auth_state:      RUN
auth_state_wcm:  RUN
dhcp_req_rx:     0
ipv4_source:     DHCP
ipsg_flag:       0
num_v4_addrs:    1
ipv4addr[0]:     x.y.104.100
ipv4addr[1]:     0.0.0.0
ipv4addr[2]:     0.0.0.0
ipv4addr[3]:     0.0.0.0
num_v6_addrs:    0
dhcp_server_ip:  0.0.0.0
dhcp_class_name: Test
dhcp_action_flags: 0
option 82:
option_82 length: 0
dhcp_notify_preference_flag: 1
dhcp_notify_interested_options: 0
options_length: 0
options TLV is: 
p2p_state:        P2P_BLOCKING_DISABLE
bssid_iifid:     0x0092BB8000000022
radio_iifid:     0x008FA4800000001F
num_protocol_values:  1
 Entry no: 0
 protocol = 0
 type = 0
 value = 0
ip_learnt:     0x1
flags:         0x2
switch_num:      0
asic_num:        0

state_change_history:
    Vlan Auth     Mob    Flags IPv4Src     IPv4Address(s)      time
 7. 1420 RUN      FOREIGN 0x2  DHCP    [1] x.y.104.100  08-05-2014 19:32:12.183349
 6. 1420 RUN      FOREIGN 0x2  DHCP    [1] x.y.104.100  08-05-2014 19:32:12.182996
 5. 1420 RUN      FOREIGN 0x2  DHCP    [1] x.y.104.100  08-05-2014 19:02:50.914053
 4. 1420 RUN      FOREIGN 0x2  DHCP    [1] x.y.104.100  08-05-2014 19:02:50.913653
 3. 1420 RUN      FOREIGN 0x2  DHCP    [1] x.y.104.100  08-05-2014 18:32:49.712737
 2. 1420 RUN      FOREIGN 0x2  DHCP    [1] x.y.104.100  08-05-2014 18:32:49.712373
 1. 1420 RUN      FOREIGN 0x2  DHCP    [1] x.y.104.100  08-05-2014 18:03:07.347859
 0. 1420 RUN      FOREIGN 0x2  DHCP    [1] x.y.104.100  08-05-2014 18:03:07.347511

    IPLearnt IPv6Address(s)
 7. 0x1      [0]
 6. 0x1      [0]
 5. 0x1      [0]
 4. 0x1      [0]
 3. 0x1      [0]
 2. 0x1      [0]
 1. 0x1      [0]
 0. 0x1      [0]

This time the source interface points to Ca10, the data tunnel to xxx-AP02 where the client is now associated, and the destination interface points to Ca2, the mobility tunnel to the anchor 3850 for this client.

3850-2#show capwap detail 
CAPWAP Tunnels General Statistics:
  Number of Capwap Data Tunnels       = 6  
  Number of Capwap Mobility Tunnels   = 7  
  Number of Capwap Multicast Tunnels  = 1  

Name   APName                           Type PhyPortIf Mode      McastIf
------ -------------------------------- ---- --------- --------- -------
Ca10   xxx-AP02                         data Gi1/0/3   multicast Ca1       
Ca2    -                                mob  -         unicast   -      
.   

Name   SrcIP           SrcPort DestIP          DstPort DtlsEn MTU   Xact
------ --------------- ------- --------------- ------- ------ ----- ----
.  
Ca10   x.y.32.25    5247    x.y.33.72    4115    No     1449  0     
Ca2    x.y.32.25    16667   x.y.32.26    16667   No     1464  1    

Name   IfId               McastRef
------ ------------------ --------  
.      
Ca10   0x008E6CC000000017 0        
Ca2    0x0083A74000000007 0

As the examples above show, understanding the client mobility states and client authentication states is important when troubleshooting client connectivity issues. The diagram below shows where to look (WCM or WCDB) depending on the client state (Assoc, L2_AUTH, LEARN_IP, L3_AUTH, RUN) in your troubleshooting process.

CA-Client Detail-02

Here are some important points about the above flow chart.

1. 802.11 association related information can only be found in AP debug messages (not on the WLC)
2. Once 802.11 association completes, WCM adds the client entry to WCDB
3. L2_AUTH (EAP or PSK) occurs afterwards
4. Once L2_AUTH completes, WCM sends mobility messages to its peers to see whether any of them already holds information for that client
5. If no other WLC knows the client, it goes to the LEARN_IP state (the IP can be learnt via ARP, DHCP, etc.)
6. If Web Auth is configured, the L3_AUTH state happens next
7. Once that completes and all QoS/security policies are applied, the client moves to RUN
8. With 802.1X, AAA accounting starts at that point
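To make the state_change_history easier to read when a client never reaches RUN, here is a small POSIX shell/awk helper, an added example written for this page (not from the original post or the Cisco Live session). It reads the text of "show wcdb database <mac>" on stdin, prints the history oldest-first with the seconds spent in each state, reports the newest Auth/Mob pair, and maps an Auth state to the stage of the flow above where a stuck client should be investigated. The function names are assumptions; the hints restate the eight points above rather than adding new troubleshooting steps, and the time deltas ignore the date part of the timestamp, so they assume all entries fall on the same day.

```sh
#!/bin/sh
# Added example, not from the original post. Pipe the output of
# "show wcdb database <mac>" into these functions.
#   wcdb_timeline   - history oldest-first, with seconds spent in each state
#   wcdb_last_state - newest "Auth Mob" pair, e.g. "LEARN_IP LOCAL"
#   wcdb_hint STATE - which stage of the flow to look at for that Auth state
wcdb_timeline() {
    awk '
    /^state_change_history:/ { hist = 1; next }
    hist && /^[ \t]*$/       { hist = 0 }        # blank line ends the table
    hist && /^[ \t]*[0-9]+\. / {
        i = $1; sub(/\./, "", i)                  # "2." -> 2
        split($NF, t, ":")                        # HH:MM:SS.micro (date ignored)
        secs[i] = t[1] * 3600 + t[2] * 60 + t[3]
        vlan[i] = $2; auth[i] = $3; mob[i] = $4
        if (i + 0 > max) max = i + 0
    }
    END {
        if (!(0 in secs)) exit 1                  # no history found
        for (i = 0; i <= max; i++) {
            delta = (i == 0) ? 0 : secs[i] - secs[i - 1]
            printf "%d %-8s %-7s vlan=%s +%.3fs\n", i, auth[i], mob[i], vlan[i], delta
        }
    }'
}

wcdb_last_state() {
    wcdb_timeline | tail -n 1 | awk '{ print $2, $3 }'
}

# The stage names follow the eight points above; a client whose newest
# history entry is one of these states got stuck in that stage.
wcdb_hint() {
    case "$1" in
        ASSOCIAT*) echo "stuck in 802.11 association: only the AP debugs show this stage" ;;
        L2_AUTH*)  echo "stuck in L2 auth: EAP or PSK exchange, check the AAA side" ;;
        LEARN_IP*) echo "stuck learning IP: DHCP/ARP on the client VLAN never completed" ;;
        L3_AUTH*)  echo "stuck in L3 auth: web auth portal never completed" ;;
        RUN*)      echo "RUN: QoS/security policy applied, look at forwarding if traffic fails" ;;
        *)         echo "unknown state: $1" ;;
    esac
}
```

Typical use is to paste the show output into a file and run `wcdb_timeline < client.txt`, then `wcdb_hint "$(wcdb_last_state < client.txt | cut -d' ' -f1)"`; a large delta in front of one entry shows where the client spent its time, and the hint names the stage to dig into.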

Here is the reference Ciscolive365 presentation used for this post. You can watch the recorded session from the below link

BRKEWN-3021 – Advanced Troubleshooting Converged Access Wireless Deployments (2014 San Francisco)



How Fast is your Network – iPerf ?


Have you ever had complaints from users stating "the network is too slow"? How do you measure network throughput in your environment? It is always a good idea to benchmark your network (wired or wireless) performance. That way, when a user complains about slowness, you can run a quick test again and compare it with your baseline results.

Iperf is a great network performance testing tool (free :smile: ) you can use to measure the throughput of a given network. In this post we will see how to use it to measure wireless network performance. We will primarily focus on wireless performance testing and use the topology shown below, where a few different types of clients connect to my converged access setup.

wlan-iperf-11

I used a wired Windows PC as my iPerf server. You can simply download jperf from here. Once you download jperf-2.0.2, copy it onto your computer's C: drive as shown below.

wlan-iperf-02

Once you do this, go to "C:\jperf-2.0.2\bin" in the command prompt as shown below.

wlan-iperf-03

To run it as an iperf server use "iperf -s". To run it as an iperf client use "iperf -c <server-ip-address>". There are optional parameters you can set; "iperf -h" lists all of them, as shown below.

wlan-iperf-04

Before measuring wireless performance you need to make sure the wired network is not the bottleneck. Sometimes QoS policies throttle the standard TCP/UDP port this application uses (TCP 5001 in the output below), and a host firewall on the server side has to allow it as well. So benchmark over a wired connection first and then move on to wireless performance.

In my case I connected my laptop to 3850-1 via 1G Ethernet and ran it as the iperf client. I used a 1 s reporting interval, a 1 MB TCP window size and ran it for 2 min (120 s). If you leave the default TCP window size, the throughput is sometimes lower, because the window rather than the link becomes the limit; so test it and use a value that gives results close to what you expect.

The test result shown below tells you the bandwidth available from the iperf client to the iperf server (i.e. client upload / server download). As you can see I got ~900 Mbps.

C:\jperf-2.0.2\bin>iperf -c x.x.13.31 -i 1 -t 120 -w 1M
------------------------------------------------------------
Client connecting to x.x.13.31, TCP port 5001
TCP window size: 1.00 MByte
------------------------------------------------------------
[168] local x.x.13.20 port 56898 connected with x.x.13.31 port 5001
[ ID] Interval       Transfer     Bandwidth
[168]  0.0- 1.0 sec   105 MBytes   885 Mbits/sec
[168]  1.0- 2.0 sec   105 MBytes   881 Mbits/sec
[168]  2.0- 3.0 sec   112 MBytes   939 Mbits/sec
[168]  3.0- 4.0 sec   107 MBytes   897 Mbits/sec
[168]  4.0- 5.0 sec   106 MBytes   888 Mbits/sec
[168]  5.0- 6.0 sec   109 MBytes   914 Mbits/sec
.
.
[168] 110.0-111.0 sec   108 MBytes   906 Mbits/sec
[168] 111.0-112.0 sec   111 MBytes   933 Mbits/sec
[168] 112.0-113.0 sec   109 MBytes   916 Mbits/sec
[168] 113.0-114.0 sec   111 MBytes   927 Mbits/sec
[168] 114.0-115.0 sec   108 MBytes   908 Mbits/sec
[168] 115.0-116.0 sec   111 MBytes   934 Mbits/sec
[168] 116.0-117.0 sec   111 MBytes   930 Mbits/sec
[168] 117.0-118.0 sec   111 MBytes   930 Mbits/sec
[168] 118.0-119.0 sec   111 MBytes   933 Mbits/sec
[168] 119.0-120.0 sec  76.4 MBytes   641 Mbits/sec
[168]  0.0-120.0 sec  12.6 GBytes   903 Mbits/sec

To measure the client download, run "iperf -s" on the PC you previously ran as the client. I used 1M as the TCP window size again. This time run "iperf -c x.x.13.20" on the other PC.

C:\jperf-2.0.2\bin>iperf -s -w 1M
------------------------------------------------------------
Server listening on TCP port 5001
TCP window size: 1.00 MByte
------------------------------------------------------------
[268] local x.x.13.20 port 5001 connected with x.x.13.31 port 58151
[ ID] Interval       Transfer     Bandwidth
[268]  0.0-120.0 sec  11.5 GBytes   823 Mbits/sec

You can export these data to Excel and graph them for a nicer representation (in Windows you can hold the Alt key and copy only the data-rate column :) ). Here is what my graph looks like for wired bandwidth performance.
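If you keep the raw iperf output instead of retyping it into Excel, here is a POSIX shell/awk helper (an added example for this page, not from the original post) that summarises a saved run and compares it with the baseline: it prints the final bandwidth plus min/max/mean of the per-interval lines, normalising Kbits/Mbits/Gbits to Mbit/s, and a second function flags a measurement that falls below a chosen percentage of the baseline. The function names and the threshold are assumptions; it expects iperf 2 client output like the listing above, where the 0.0-T summary is the last bandwidth line.

```sh
#!/bin/sh
# Added example, not from the original post.
#   iperf_stats                       - read iperf client output on stdin
#   below_baseline MEASURED BASE PCT  - exit 0 if MEASURED < BASE*PCT/100
iperf_stats() {
    awk '
    /bits\/sec/ {
        v = $(NF - 1); u = $NF                    # e.g. "885 Mbits/sec"
        if (u ~ /^K/) v = v / 1000
        else if (u ~ /^G/) v = v * 1000
        else if (u !~ /^M/) v = v / 1000000       # plain bits/sec
        n++; val[n] = v
    }
    END {
        if (n < 2) { print "need interval lines and a summary line"; exit 1 }
        final = val[n]                            # last line is the 0.0-T summary
        min = val[1]; max = val[1]; sum = 0
        for (i = 1; i < n; i++) {
            sum += val[i]
            if (val[i] < min) min = val[i]
            if (val[i] > max) max = val[i]
        }
        printf "final=%.0f min=%.0f max=%.0f mean=%.0f intervals=%d\n",
               final, min, max, sum / (n - 1), n - 1
    }'
}

below_baseline() {
    awk -v m="$1" -v b="$2" -v p="$3" 'BEGIN { exit !(m + 0 < b * p / 100) }'
}
```

Save each run with `iperf -c x.x.13.31 -i 1 -t 120 -w 1M > run.txt`, then `iperf_stats < run.txt` for the summary; if the final figure is, say, below 80% of the baseline you recorded on a quiet network (`below_baseline 641 903 80` returns 0), that is the point at which the "network is slow" complaint becomes something you can measure rather than argue about.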

wlan-iperf-05

Now let's see how to measure the wireless performance. In my case I created an SSID (open authentication, for simplicity) on my 3850 MA with a 3700 AP registered to it. This is the simplest configuration, without any QoS policies on it. Keep in mind that an open SSID like this carries everything in clear text, so it is a lab-only setup; the same test runs unchanged on a WPA2 SSID.

wlan ABC 20 ABC
 no broadcast-ssid
 client vlan 1410
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no shutdown

My AP is running at power level 5 and the DCA channel width is set to 80 MHz. You can verify it as shown below.

3850-2#show ap dot11 5ghz summary 
AP Name            MAC Address     Slot  Admin State  Oper State  Channel             Width  TxPwr   
---------------------------------------------------------------------------------------------------
3702-1             b838.6184.c670     1  Enabled      Up          (161,157,149,153)*     80    5(*)  

I connected a MacBook Air, a Nexus 5 phone, a Dell E6430 and a Dell E7440 to my AP for testing. You can get each client's RSSI/SNR from the switch itself. I had trouble getting this detail with the AC-7260 driver, and this NIC/driver is giving grief to many of us (here is some detail; I am using driver version 17.0.5.8 on this NIC).

3850-2#show wireless client summary                                          
Number of Local Clients : 4
MAC Address    AP Name      WLAN State              Protocol 
---------------------------------------------------------------
6067.2077.5470 3702-1        20   UP                 11n(5) <-Dell E6430   
8086.f2cd.3c5f 3702-1        20   UP                 11ac <-Dell E7440     
bcf5.acfe.eb1c 3702-1        20   UP                 11ac <-Nexus 5
8438.3540.2100 3702-1        20   UP                 11ac  <-MBA 

**** MBA ****
3850-2#sho wireless client mac-address 8438.3540.2100 detail | in Signal|Rate
Current Rate : 12.0
Supported Rates : 12.0,24.0,36.0,48.0,54.0,12.0,24.0,36.0,48.0,54.0
  Radio Signal Strength Indicator : -40 dBm
  Signal to Noise Ratio : 52 dB

**** NEXUS 5 ****
3850-2#sho wireless client mac-address bcf5.acfe.eb1c detail | in Signal|Rate
Current Rate : m7
Supported Rates : 12.0,24.0,36.0,48.0,54.0,12.0,24.0,36.0,48.0,54.0
  Radio Signal Strength Indicator : -29 dBm
  Signal to Noise Ratio : 58 dB

*** DELL E6430 (N6205) ****
3850-2#sho wireless client mac-address 6067.2077.5470 detail | in Signal|Rate
Current Rate : m15
Supported Rates : 12.0,24.0,36.0,48.0,54.0,12.0,24.0,36.0,48.0,54.0
  Radio Signal Strength Indicator : -29 dBm
  Signal to Noise Ratio : 63 dB

*** DELL 7440(AC-7260) different to all others ****
3850-2#sho wireless client mac-address 8086.f2cd.3c5f detail | in Signal|Rate
Supported Rates : 12.0,24.0,36.0,48.0,54.0,12.0,24.0,36.0,48.0,54.0
  Radio Signal Strength Indicator : Unavailable
  Signal to Noise Ratio : Unavailable

Now, running "iperf -c x.x.13.20 -i1 -t 120 -w 1M" on the wireless client (the MacBook Air first) measures the wireless client's upload performance. As you can see below I got an average of 294 Mbps upload for this client.

Something:~ $ iperf -c x.x.13.20 -i1 -w 1M -t 120
------------------------------------------------------------
Client connecting to x.x.13.20, TCP port 5001
TCP window size: 1.00 MByte (WARNING: requested 1.00 MByte)
------------------------------------------------------------
[  4] local 10.141.96.19 port 54005 connected with x.x.13.20 port 5001
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0- 1.0 sec  28.8 MBytes   241 Mbits/sec
[  4]  1.0- 2.0 sec  44.8 MBytes   375 Mbits/sec
[  4]  2.0- 3.0 sec  40.9 MBytes   343 Mbits/sec
[  4]  3.0- 4.0 sec  38.2 MBytes   321 Mbits/sec
[  4]  4.0- 5.0 sec  39.9 MBytes   334 Mbits/sec
[  4]  5.0- 6.0 sec  43.2 MBytes   363 Mbits/sec
.
.
[  4] 117.0-118.0 sec  42.9 MBytes   360 Mbits/sec
[  4] 118.0-119.0 sec  49.5 MBytes   415 Mbits/sec
[  4] 119.0-120.0 sec  42.6 MBytes   358 Mbits/sec
[  4]  0.0-120.0 sec  4.10 GBytes   294 Mbits/sec

Running "iperf -s -w 1M" on the MBA and "iperf -c 10.141.96.19 -i 1 -t 120 -w 1M" on the wired PC measures the wireless client's download performance. Here is the wireless download performance for the MBA (avg 304 Mbps).

C:\jperf-2.0.2\bin>iperf -c 10.141.96.19 -i 1 -t 120 -w 1M
------------------------------------------------------------
Client connecting to 10.141.96.19, TCP port 5001
TCP window size: 1.00 MByte
------------------------------------------------------------
[168] local x.x.13.20 port 55232 connected with 10.141.96.19 port 5001
[ ID] Interval       Transfer     Bandwidth
[168]  0.0- 1.0 sec  53.3 MBytes   447 Mbits/sec
[168]  1.0- 2.0 sec  48.2 MBytes   404 Mbits/sec
[168]  2.0- 3.0 sec  48.3 MBytes   405 Mbits/sec
[168]  3.0- 4.0 sec  49.5 MBytes   415 Mbits/sec
[168]  4.0- 5.0 sec  51.6 MBytes   433 Mbits/sec
[168]  5.0- 6.0 sec  52.6 MBytes   442 Mbits/sec
[168]  6.0- 7.0 sec  53.5 MBytes   449 Mbits/sec
.
.
[168] 116.0-117.0 sec  43.3 MBytes   364 Mbits/sec
[168] 117.0-118.0 sec  40.9 MBytes   343 Mbits/sec
[168] 118.0-119.0 sec  43.8 MBytes   367 Mbits/sec
[168] 119.0-120.0 sec  11.2 MBytes  93.9 Mbits/sec
[168]  0.0-120.2 sec  4.26 GBytes   304 Mbits/sec

For Android devices you can install an iperf application from the Play Store for free :smile: and then run the same iperf client/server commands. Here is a snapshot of the Nexus 5 running as an iperf client. For iOS devices you have to pay ;(

wlan-iperf-07

I ran this performance test for all the clients mentioned and exported the data to Excel. Here is the result for the 3 clients that support 802.11ac. As expected, the MBA gave the best performance of the three. As you can see below, I got less than 100 Mbps download (less than 1/3 of the equivalent MBA figure) for the Intel AC-7260, even though it is a two-spatial-stream client. Even the Nexus 5 (a single-spatial-stream client) performed much better in downloads. You may be surprised :shock: by this result, but such is life with the Intel 7260 driver.

wlan-iperf-08

Just to compare, I ran the test with an Intel N6205 (802.11n) and compared the result with the Intel AC-7260 (802.11ac, 2 SS). As you can see below there is only a marginal difference between the two.

wlan-iperf-09

Hope this is useful to you as well. Next time you get a slowness complaint, measure the network performance like this.

PS: There are lots of commercial apps available if you are willing to pay for this type of testing. I have shown you a simpler method that costs nothing, but you have to do some manual work.

Related Posts

1. 802.11ac with Cisco 3700AP


Decrypt WPA2-PSK using Wireshark


In this post we will see how to decrypt WPA2-PSK traffic using Wireshark. This is useful when you study (in my case for CWSP) the different security protocols used in wireless. Keep in mind what makes this possible: with WPA2-Personal the per-client encryption key (the PTK) is derived from the PSK and the nonces exchanged in the 4-way handshake, so anyone who knows the passphrase and captured that handshake can decrypt the client's traffic. That is a good reason to treat the PSK as a real secret and to prefer 802.1X where you can. Here is the basic topology for this post.

WPA2-Decryp-00

Before you start capturing you should know which channel your AP is operating on. Since my AP is managed by a WLC 4400 I can simply get that from the CLI; otherwise an application like inSSIDer will show which channel a given SSID is on. I am using 5 GHz, so I list the 802.11a summary here (to sniff 2.4 GHz, issue the command with 802.11b instead).

(4402-3) >show ap config 802.11a summary
AP Name                SubBand RadioMAC            Status     Channel   PwLvl   SlotId 
--------------------   ------- ------------------  --------   -------   ------  ------ 
LAP1                      -    64:a0:e7:af:47:40   ENABLED    36        1       1

All you have to do is take a wireless packet capture on channel 36, since my AP operates on that channel. I used BackTrack with a USB adapter for this capture (refer to this YouTube video for how to do it). Only 2-3 lines of configuration are needed to set up a USB adapter as a monitor interface for Wireshark. Note that the iwconfig output below still shows the adapter in Managed mode; in that mode it only sees frames for its own association, so it has to be switched to monitor mode before the capture will contain other stations' frames.

root@bt:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:21:9b:62:d0:4a  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:21 Memory:fe9e0000-fea00000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:66 errors:0 dropped:0 overruns:0 frame:0
          TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4665 (4.6 KB)  TX bytes:4665 (4.6 KB)

root@bt:~# ifconfig wlan2 up
root@bt:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:21:9b:62:d0:4a  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:21 Memory:fe9e0000-fea00000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:66 errors:0 dropped:0 overruns:0 frame:0
          TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4665 (4.6 KB)  TX bytes:4665 (4.6 KB)

wlan2     Link encap:Ethernet  HWaddr 00:20:a6:ca:6b:b4  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

root@bt:~# iwconfig wlan2 channel 36
root@bt:~# iwconfig
wlan2     IEEE 802.11abgn  ESSID:off/any  
          Mode:Managed  Frequency:5.18 GHz  Access Point: Not-Associated   
          Tx-Power=20 dBm   
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          
lo        no wireless extensions.

eth0      no wireless extensions.

root@bt:~# airmon-ng start wlan2
Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID    Name
1158    dhclient3
Interface    Chipset        Driver

wlan2        Atheros AR9170    carl9170 - [phy2]
                (monitor mode enabled on mon0)

Once you do this you can open the Wireshark application & select the interface named "mon0" for wireless packet capturing.

Here is my packet capture (WPA2-PSK-Final). You can open this in Wireshark to test this out by yourself. If you analyze it you will see the "4-way handshake" (EAPOL messages 1 to 4) exchanged after the Open Authentication phase has finished (Auth Request, Auth Response, Association Request, Association Response). Once the 4-way handshake is completed, both client & AP have the keys required for data encryption, so from that point onwards all data frames (not management frames or null frames) are encrypted using CCMP/AES.

(image: WPA2-Decryp-01)

As you can see below, data frames are encrypted & you cannot see what traffic they carry. I have taken frame 103 as an example.

(image: WPA2-Decryp-03)

Before we go & decrypt these messages, it is very important to understand that your sniffer must capture the 4-way handshake messages completely in order to decrypt with Wireshark. If M1-M4 are not captured successfully, Wireshark will not be able to derive the keys needed to decrypt the rest of the data. Here is one example where not all frames of the 4-way handshake were captured properly (this happened when I was using the same USB adapter with the Fluke WiFi Analyzer).

(image: WPA2-Decryp-02)

Now go to "Edit -> Preferences -> Protocol -> IEEE 802.11" & tick the "Enable Decryption" checkbox. Then click "Edit" next to "Decryption Keys" & add your PSK by clicking "New". Select Key-type "wpa-pwd" when you enter the PSK in plaintext.

If you enter the 256-bit key instead, select Key-type "wpa-psk". If you want to derive the 256-bit key (PSK) from your passphrase, you can use this page. It uses the following formula to do the conversion:

PSK = PBKDF2(PassPhrase, SSID, SSIDLength, 4096, 256)

Here is the 256-bit PSK derived from the above.

(image: WPA2-Decryp-08)

I have used the simple plaintext password (i.e. the wpa-pwd key type) below. You can enter the plaintext password only (without the SSID name); in that case Wireshark tries to use the last seen SSID, so it is always good practice to enter it as <password:SSID>.

I have used my configured PSK "Cisco123Cisco123" & specified my SSID as "TEST1". Refer to this document for more details on these settings.
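The PBKDF2 formula quoted above, carried through in Python as an added example (this is not code from the original post or from Wireshark): it derives the 256-bit PSK that the web page mentioned earlier produces, and converts a Wireshark "wpa-pwd" entry of the form passphrase:SSID into the hex string you would enter as "wpa-psk". The function names and the rule of splitting at the last colon are my own assumptions.

```python
"""Derive the 256-bit WPA2-PSK (the PMK) from a passphrase and SSID.

Added example, not code from the original post or from Wireshark.  It carries
through the formula PSK = PBKDF2(PassPhrase, SSID, SSIDLength, 4096, 256):
PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations and a 256-bit
(32-byte) output.  It also turns a Wireshark "wpa-pwd" entry of the form
passphrase:SSID into the hex string entered as "wpa-psk".
"""
import hashlib


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PSK for this passphrase/SSID pair."""
    # 802.11 limits the passphrase to 8..63 printable ASCII characters and the
    # SSID to at most 32 octets; reject anything else before deriving a key.
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii() \
            or not passphrase.isprintable():
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    salt = ssid.encode("utf-8")
    if not (1 <= len(salt) <= 32):
        raise ValueError("SSID must be 1-32 bytes")
    # SSIDLength in the formula is simply the length of the salt PBKDF2 sees.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                               4096, dklen=32)


def wpa_pwd_to_wpa_psk(entry: str) -> str:
    """Convert 'passphrase:SSID' (Wireshark wpa-pwd form) to a wpa-psk hex key.

    Splits at the last colon (an assumption for passphrases containing ':')
    and refuses a bare passphrase: without the SSID the derived key is
    ambiguous, which is why the post recommends the <password:SSID> form.
    """
    passphrase, sep, ssid = entry.rpartition(":")
    if not sep:
        raise ValueError("expected passphrase:SSID; the SSID is needed to derive the key")
    return derive_psk(passphrase, ssid).hex()


if __name__ == "__main__":
    # The post's own PSK/SSID pair: prints the wpa-psk value for SSID TEST1.
    print(wpa_pwd_to_wpa_psk("Cisco123Cisco123:TEST1"))
```

The test vector used below (passphrase "password", SSID "IEEE") is the published IEEE 802.11i Annex test case, so the output can be checked against the standard rather than against the web page.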

(image: WPA2-Decryp-04)

Then you need to hit "Apply".

(image: WPA2-Decryp-05)

As you can see below, you are now able to see the traffic inside these data frames. Here is the same frame (103) you saw earlier in encrypted form, but now Wireshark is able to decrypt it.

(image: WPA2-Decryp-06)

If you look further you will see the client getting an IP through DHCP (DORA: Discover, Offer, Request, ACK), then registering to a CME (SKINNY protocol) & then establishing a voice call (RTP). Now you can analyze these packets in detail.

(image: WPA2-Decryp-07)

This trick may be useful to you when you do wireless troubleshooting on your PSK networks.

References
1. 802.11 Sniffer Capture Analysis – WPA/WPA2 with PSK or EAP
2. 802.11 Sniffer Capture Analysis -Wireshark filtering
3. 802.11 Sniffer Capture Analysis – Management Frames and Open Auth
4. 802.11 Sniffer Capture Analysis – Physical Layer
5. 802.11 WLAN Roaming and Fast-Secure Roaming on CUWN (DOC116493)

Related Posts

1. Free Wireless Packets Capture
2. Wireshark captures in 3850


How to get WLC SFP Info?


Did you ever want to find out the inventory details of the SFPs plugged into WLC ports? Typically "show inventory" is what we need, but in AireOS that command only gives the chassis serial number, as shown below.

(5508-1) >show inventory 
Burned-in MAC Address............................ 64:00:F1:F5:B0:80
Power Supply 1................................... Present, OK
Power Supply 2................................... Present, OK
Maximum number of APs supported.................. 250
NAME: "Chassis"    , DESCR: "Cisco 5500 Series Wireless LAN Controller"
PID: AIR-CT5508-K9,  VID: V02,  SN: FCW1519L0B1

This CSC forum thread gives a very useful CLI command (debug fastpath cfgtool --dump.sfp) that you can run on an AireOS WLC to get that information.

Here is a sample output.

(5508-WC01) >debug fastpath cfgtool --dump.sfp
(5508-WC01) >FP0.
Port SFP Vendor       Transceiver Type    OUI PartNumber       Rev  SerialNumber     DateCode Auth
   1 CISCO-OEM        (0x02)1000BaseLX        GLC-LH-SM-CRB    2.0  ZZ120607419      120607   ok      
   2 CISCO-OEM        (0x02)1000BaseLX        GLC-LH-SM-CRB    2.0  ZZ120607423      120607   ok      
   3 CISCO-OEM        (0x02)1000BaseLX        GLC-LH-SM-CRB    2.0  ZZ120607425      120607   ok      
   4 CISCO-OEM        (0x02)1000BaseLX        GLC-LH-SM-CRB    2.0  ZZ120607424      120607   ok      
   5 CISCO-EQUIV      (0x02)1000BaseLX        GLC-LH-SM-CRB    2.0  ZZ121008094      121008   ok      
   6 CISCO-EQUIV      (0x02)1000BaseLX        GLC-LH-SM-CRB    2.0  ZZ121008093      121008   ok      
   7 CISCO-EQUIV      (0x02)1000BaseLX        GLC-LH-SM-CRB    2.0  ZZ121008095      121008   ok      
   8 CISCO-EQUIV      (0x02)1000BaseLX        GLC-LH-SM-CRB    2.0  ZZ121008096      121008   ok      
FP0.

Here is another example

(5508-WC02) >debug fastpath cfgtool --dump.sfp
(5508-WC02) >FP0.
Port SFP Vendor       Transceiver Type    OUI PartNumber       Rev  SerialNumber     DateCode Auth
   1 CISCO-FINISAR    (0x02)1000BaseLX        FTLF1318P2BCL-C3 A    FNS15400WH6      110927   ok      
   2 CISCO-FINISAR    (0x02)1000BaseLX        FTLF1318P2BCL-C3 A    FNS15400PCE      110926   ok      
   3 CISCO-FINISAR    (0x02)1000BaseLX        FTLF1318P2BCL-C3 A    FNS15400B2U      110925   ok      
   4 CISCO-FINISAR    (0x02)1000BaseLX        FTLF1318P2BCL-C3 A    FNS15400QRR      110926   ok      
   5 CISCO-FINISAR    (0x02)1000BaseLX        S210             11.0 S21010121511     101215   ok      
   6 CISCO-FINISAR    (0x02)1000BaseLX        S210             11.0 S21010121576     101215   ok      
   7 CISCO-FINISAR    (0x02)1000BaseLX        S210             11.0 S21010121580     101215   ok      
   8 CISCO-FINISAR    (0x02)1000BaseLX        S210             11.0 S21010121571     101215   ok      
FP0.

Just to make it complete, on any IOS WLC platform you can run the "show inventory raw" command to get that information. Here is an example from a 5760.

5760-1#show inventory raw | in SFP-
NAME: "TenGigabitEthernet1/0/3", DESCR: "SFP-10GBase-LR"
PID: SFP-10G-LR         , VID: V02  , SN: ONT151702VS    
NAME: "TenGigabitEthernet1/0/4", DESCR: "SFP-10GBase-LR"
PID: SFP-10G-LR         , VID: V02  , SN: ONT151702VE    
NAME: "TenGigabitEthernet1/0/5", DESCR: "SFP-10GBase-LR"
PID: SFP-10G-LR         , VID: V02  , SN: FNS16150BWF    
NAME: "TenGigabitEthernet1/0/6", DESCR: "SFP-10GBase-LR"
PID: SFP-10G-LR         , VID: V02  , SN: FNS170701E6

Here is similar output from a 3850.

3850-1#show inventory raw | in SFP-
NAME: "TenGigabitEthernet1/1/3", DESCR: "SFP-10GBase-LR"
PID: SFP-10G-LR         , VID: V01  , SN: SLK02742740BH  
NAME: "TenGigabitEthernet2/1/3", DESCR: "SFP-10GBase-LR"
PID: SFP-10G-LR         , VID: V02  , SN: FNS17420M9K 

This may be a useful command to remember if anyone asks you for this info.


CWSP – 4 Way Handshake


In this post we will go through the 4-Way Handshake process. It is described in Chapter 5 of the CWSP Official Study Guide; page 194 of that book shows the RSN key hierarchy.

(image: CWSP-4-Way-07)

MSK - Master Session Key (or AAA Key):
Key information that is jointly negotiated between the Supplicant & the Authentication Server. This key information is transported over a secure channel from the Authentication Server to the Authenticator.

PMK - Pairwise Master Key:
The PMK is derived from MSK seeding material: it is the first 256 bits (0-255) of the MSK. It can be derived from an EAP method or taken directly from a Pre-Shared Key (PSK).

GMK - Group Master Key:
The GMK is randomly created on the Authenticator & refreshed at a configured time interval to reduce the risk of the GMK being compromised.

PTK - Pairwise Transient Key:
A value derived from the PMK, Authenticator nonce (ANonce), Supplicant nonce (SNonce), Authenticator address & Supplicant address. It is used to encrypt all unicast transmissions between a client & an AP. The PTK consists of 5 different keys:

1. KCK - Key Confirmation Key: provides data integrity during the 4-Way Handshake & Group Key Handshake.
2. KEK - Key Encryption Key: used by EAPOL-Key frames to provide data privacy during the 4-Way Handshake & Group Key Handshake.
3. Temporal Key: used to encrypt & decrypt the MSDU of 802.11 data frames between supplicant & authenticator.
4. Temporal MIC-1
5. Temporal MIC-2

GTK - Group Temporal Key:
The GTK is used to encrypt all broadcast/multicast transmissions between an AP & multiple client stations. It is derived on the Authenticator & sent to the supplicant during the 4-Way Handshake (M3).

The 4-Way Handshake uses EAPOL-Key frames, initiated by the Authenticator, to do the following:
1. Confirm that the live peer holds the PMK.
2. Confirm that the PMK is current.
3. Derive a fresh PTK from the PMK & install the pairwise encryption & integrity keys into 802.11.
4. Transport the GTK & GTK sequence number from Authenticator to Supplicant & install them in the Supplicant & AP (if not already installed).
5. Confirm the cipher suite selection.

If it is PSK, the 4-way handshake starts immediately after the Open System Authentication & Association states finish, as you can see below.

(image: CWSP-4-Way-00)

If it is 802.1X/EAP, the 4-way handshake starts when EAP authentication has finished.

(image: CWSP-4-Way-02)

The figure below shows the steps involved in the 4-Way Handshake process. This CWNP video explains the process well; have a look at it before going into the details.

(image: CWSP-4-Way-00)

Here are the details of each step.

Message 1 (M1)
* The Authenticator sends an EAPOL-Key frame containing an ANonce (Authenticator nonce) to the supplicant.
* With this information the supplicant has all the inputs necessary to generate the PTK using a pseudo-random function (PRF).

(image: CWSP-4-Way-01)

Message 2 (M2)
* The Supplicant sends an EAPOL-Key frame containing the SNonce to the Authenticator.
* Now the authenticator has all the inputs to create the PTK.
* The Supplicant also sends its RSN IE capabilities & a MIC to the Authenticator.
* The Authenticator derives the PTK & validates the MIC as well.

(image: CWSP-4-Way-04)

Message 3 (M3)
* If necessary, the Authenticator derives the GTK from the GMK.
* The Authenticator sends an EAPOL-Key frame containing the ANonce, RSN IE & a MIC.
* The GTK is delivered (encrypted with the PTK) to the supplicant.
* The message tells the supplicant to install the temporal keys.

(image: CWSP-4-Way-05)

Message 4 (M4)
* The Supplicant sends a final EAPOL-Key frame to the authenticator to confirm that the temporal keys have been installed.

(image: CWSP-4-Way-06)

From this point onwards data frame MSDUs are encrypted using the PTK or GTK (depending on whether the frame is unicast or multicast/broadcast).
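The PTK derivation and the MIC check that M2 and M3 rely on, as an added example in Python (not code from the post or the CWSP guide): it implements the IEEE 802.11i pseudo-random function that expands the PMK into the PTK from the inputs listed above, splits the PTK into KCK, KEK and temporal key(s), and computes and verifies the EAPOL-Key MIC that the KCK protects. Key Descriptor Version 2 (HMAC-SHA1-128, the variant used with CCMP) is assumed, as are the function names; the PMK, addresses, nonces and frames are constructed test values, not from the post's capture.

```python
"""PTK derivation and EAPOL-Key MIC check for the 4-Way Handshake.

Added example, not code from the post or the CWSP guide.  Implements the
IEEE 802.11i PRF that expands the PMK into the PTK from PMK, ANonce, SNonce,
authenticator address (AA) and supplicant address (SPA), splits the PTK into
KCK / KEK / TK (plus the two TKIP MIC keys for a 512-bit PTK), and computes
and verifies the MIC the KCK provides over EAPOL-Key frames.  Key Descriptor
Version 2 (HMAC-SHA1-128) is assumed.  All key material below is constructed.
"""
import hashlib
import hmac

# 4-byte EAPOL header + 77 bytes of Key Descriptor fields precede the MIC
MIC_OFFSET = 81
MIC_LEN = 16


def prf(key: bytes, label: str, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        msg = label.encode("ascii") + b"\x00" + data + bytes([i])
        out += hmac.new(key, msg, hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes,
               snonce: bytes, cipher: str = "CCMP") -> bytes:
    """PTK = PRF-n(PMK, "Pairwise key expansion", Min(AA,SPA)||Max(AA,SPA)||Min(N)||Max(N))."""
    if len(pmk) != 32 or len(aa) != 6 or len(spa) != 6 \
            or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("PMK/nonces must be 32 bytes, addresses 6 bytes")
    # Min/Max ordering means both sides compute the same PTK regardless of
    # which address or nonce each one treats as its own.
    data = (min(aa, spa) + max(aa, spa)
            + min(anonce, snonce) + max(anonce, snonce))
    nbytes = {"CCMP": 48, "TKIP": 64}[cipher]   # PRF-384 for CCMP, PRF-512 for TKIP
    return prf(pmk, "Pairwise key expansion", data, nbytes)


def split_ptk(ptk: bytes) -> dict:
    """KCK (MIC key), KEK (wraps the GTK in M3), TK; TKIP adds two 8-byte MIC keys."""
    keys = {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if len(ptk) == 64:
        keys["TX_MIC"], keys["RX_MIC"] = ptk[48:56], ptk[56:64]
    return keys


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the whole EAPOL frame with its MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def verify_eapol_key_mic(kck: bytes, frame: bytes) -> bool:
    """What the authenticator does on M2 (and the supplicant on M3): recompute and compare."""
    if len(frame) < MIC_OFFSET + MIC_LEN + 2:
        return False
    return hmac.compare_digest(eapol_key_mic(kck, frame),
                               frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])


def build_eapol_key(key_info: int, replay_counter: int, nonce: bytes,
                    key_data: bytes = b"", kck: bytes = None) -> bytes:
    """Assemble an EAPOL-Key frame (RSN descriptor); fill in the MIC when a KCK is given."""
    body = (bytes([2])                                   # Descriptor Type: RSN
            + key_info.to_bytes(2, "big")
            + (0).to_bytes(2, "big")                     # Key Length (0 in M2/M4)
            + replay_counter.to_bytes(8, "big")
            + nonce + bytes(16) + bytes(8) + bytes(8)    # Nonce, IV, RSC, reserved
            + bytes(MIC_LEN)                             # MIC placeholder
            + len(key_data).to_bytes(2, "big") + key_data)
    frame = bytes([2, 3]) + len(body).to_bytes(2, "big") + body  # EAPOL v2, type 3 = EAPOL-Key
    if kck is not None:
        frame = frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]
    return frame
```

Because both parties feed the same sorted inputs into the PRF, a supplicant with the wrong PMK (a mistyped passphrase, for instance) produces a different KCK and the authenticator rejects M2 on the MIC alone, which is exactly the "confirm that the live peer holds the PMK" step listed above.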

References
1. WPA2-PSK-Final - sample packet capture (frames 93-99 show the M1-M4 EAPOL-Key frames)
2. CWSP Official Study Guide
3. http://www.my80211.com/cwsp-george-stefanick/
4. 802.11i AKM CWNP- White Paper

Related Post

1. CWSP – L2 Encryption Method:WEP
2. CWSP – L2 Encryption Method:CCMP
3. CWSP – L2 Encryption Method:TKIP
4. CWSP – RSN Information Element


CWSP – CCMP Encryption Method


The IEEE 802.11-2007 standard defines 3 encryption methods that operate at layer 2 of the OSI model (WEP, TKIP, CCMP). They are used to encrypt the upper-layer information of 802.11 data frames, i.e. the MSDU payload. All use symmetric algorithms: WEP & TKIP use the RC4 cipher while CCMP uses the AES cipher.

Here are the details of CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol):

* AES is a block cipher based on the Rijndael algorithm.
* The algorithm allows a selection of block sizes & key sizes (128, 192 & 256 bits for each); when NIST adopted it as AES, it specified only the 128-bit block size.
* The IEEE 802.11-2007 standard restricts both the key size & block length to 128 bits.
* To make use of a block cipher, a method is used to convert messages into blocks, referred to as the block cipher's "mode of operation".
* CCMP uses a mode called "CCM - Counter Mode + CBC-MAC", which is itself based on "Counter Mode - CTR".
* Counter mode encrypts an arbitrary value called the "counter" & then XORs the result with the data to produce ciphertext.
* The counter is generally incremented by 1 for each successive block processed.

(image: CCMP-AES-01)

* The counter might start at an arbitrary value & might increment by some other value or pattern (not the same as shown above).
* The receiving party who wants to decrypt the message must know the starting value of the counter & the rules for advancing it.
* In counter mode, decryption is exactly the same process as encryption, because XORing with the same value twice takes you back to the original value (so it is easy to implement).
* Encryption can be done completely in parallel, as the counter values are known at the start.
* Basic counter mode does not provide any message authentication, only encryption (so for RSN, an additional capability must be added).
* CCM uses counter mode in conjunction with a message authentication method called "cipher block chaining - CBC".
* CBC is used to produce a message integrity code (MIC).
* The MIC is called a message authentication code by the cryptographic community, leading to CBC-MAC (in the IEEE 802.11-2007 standard it is CBC-MIC, to avoid confusion with MAC addresses).
* In CBC-MIC, take the 1st block & encrypt it using AES, XOR the result with the 2nd block & encrypt the result, XOR that with the next block & encrypt it, and so on.
* If one or more bits were changed, the computed MIC is different (providing message authenticity).
* The MSDU is fragmented into MPDUs & each is assigned its own 802.11 header.
* Each MPDU is processed by the CCMP algorithm to generate a new encrypted MPDU.
* Only the data part is encrypted, not the header. But the MIC provides data integrity for both the MSDU data & portions of the MAC header of the MPDU.

(image: CWSP-CCMP-AES-02)

* The CCMP header is prepended to the encrypted data & transmitted in clear text. It has two purposes:
1. The 48-bit Packet Number (PN) provides replay protection & enables the receiver to derive the value of the "nonce" used for encryption.
2. In the case of multicast, it tells the receiver which group key has been used.

(image: CWSP-CCMP-AES-04)

* The CCMP header is very similar to the TKIP header; this was intentionally done to simplify implementation of a mixed TKIP & CCMP environment.
* Of the 8-byte CCMP header, 6 bytes are used for the PN, 1 is reserved & the remaining byte contains the key ID value (2 bits for the key ID).
* The bit next to the Key ID is set to 1 (Ext IV in TKIP) to indicate that the frame format is RSN rather than the earlier WEP format.
* In CCMP the first block of the CBC-MAC is not taken directly from the MPDU, but is formed in a special way using the "nonce" value.

(image: CWSP-CCMP-05)

* The 104-bit "nonce" is formed using the Packet Number (PN), Transmitter Address (TA) & the priority bits in the QoS field.
* The "Flag" field has a fixed value of 01011001 and indicates that the MIC is 64 bits.
* "Dlen" indicates the length of the plaintext data.
* Additional Authentication Data (AAD) is constructed from portions of the MPDU header.

(image: CWSP-CCMP-06)

* The 128-bit counter value is constructed using the "nonce", "Flag" & "Ctr" fields.

(image: CWSP-CCMP-07)

* The CCMP encryption & data integrity process is as below.

(image: CWSP-CCMP-03)

1. A 48-bit PN is created & incremented with each MPDU.
2. The AAD is created using the MPDU header.
3. The nonce is created using the PN, TA & QoS field.
4. The 8-byte CCMP header is constructed.
5. CCM, which uses the AES block cipher, is used to create the integrity check (8-byte MIC) & encrypt the upper-layer data.
6. The original MAC header is attached to the CCMP header.
7. The FCS is calculated over all the fields of the header & the entire frame body.
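The CCMP framing described in the bullets and steps above, as an added Python example (not code from the post or the CWSP guide): it builds and parses the 8-byte CCMP header (PN0, PN1, reserved, flags with Key ID and the Ext IV bit, PN2..PN5), forms the 104-bit nonce from priority, TA and PN, lays out the B0 and counter blocks that CCM feeds to AES, and performs the per-sender PN replay check a receiver does before decrypting. AES itself is deliberately left out, since the point is the framing and the replay rule, not the cipher. The function names and all values are my own constructions.

```python
"""CCMP header, nonce and CCM block construction, with PN replay checking.

Added example, not code from the post or the CWSP guide.  Builds and parses
the 8-byte CCMP header, forms the 104-bit nonce (priority || TA || PN), lays
out the B0 block (flag 0x59, 64-bit MIC) and counter blocks, and applies the
receiver's replay rule: a PN must exceed the last one accepted from that
transmitter under that key ID.  AES is not included; values are constructed.
"""

EXT_IV = 0x20        # bit 5 of the flags byte: RSN (CCMP/TKIP) format, not legacy WEP
B0_FLAGS = 0x59      # 01011001: AAD present, M = 8-byte MIC, L = 2-byte length field
CTR_FLAGS = 0x01     # counter block: L = 2-byte counter field, no AAD/MIC bits


def build_ccmp_header(pn: int, key_id: int) -> bytes:
    """PN0 PN1 Rsvd Flags PN2 PN3 PN4 PN5, with Flags = KeyID<<6 | Ext IV."""
    if not 0 <= pn < 1 << 48:
        raise ValueError("PN is a 48-bit counter")
    if not 0 <= key_id <= 3:
        raise ValueError("Key ID is 2 bits")
    p = pn.to_bytes(6, "big")              # p[0] is PN5 ... p[5] is PN0
    return bytes([p[5], p[4], 0x00, EXT_IV | (key_id << 6), p[3], p[2], p[1], p[0]])


def parse_ccmp_header(hdr: bytes) -> tuple:
    """Return (pn, key_id); reject anything that is not a well-formed RSN header."""
    if len(hdr) != 8:
        raise ValueError("CCMP header is 8 bytes")
    if not hdr[3] & EXT_IV:
        raise ValueError("Ext IV bit clear: not an RSN-format header")
    if hdr[3] & 0x1f or hdr[2] != 0:
        raise ValueError("reserved bits must be zero")
    pn = int.from_bytes(bytes([hdr[7], hdr[6], hdr[5], hdr[4], hdr[1], hdr[0]]), "big")
    return pn, hdr[3] >> 6


def build_nonce(priority: int, ta: bytes, pn: int) -> bytes:
    """104-bit nonce = priority (QoS TID, 4 bits used) || TA || PN."""
    if len(ta) != 6:
        raise ValueError("TA is a 6-byte MAC address")
    return bytes([priority & 0x0f]) + ta + pn.to_bytes(6, "big")


def build_b0(nonce: bytes, dlen: int) -> bytes:
    """First CBC-MAC block: Flag || nonce || Dlen (plaintext length)."""
    return bytes([B0_FLAGS]) + nonce + dlen.to_bytes(2, "big")


def build_ctr_block(nonce: bytes, ctr: int) -> bytes:
    """Counter block i: Flag || nonce || Ctr (Ctr 0 encrypts the MIC, 1.. the data)."""
    return bytes([CTR_FLAGS]) + nonce + ctr.to_bytes(2, "big")


class ReplayCheck:
    """Per (TA, Key ID) replay counter: accept a frame only if its PN is strictly newer."""

    def __init__(self):
        self.last = {}

    def accept(self, ta: bytes, hdr: bytes) -> bool:
        pn, key_id = parse_ccmp_header(hdr)
        key = (ta, key_id)
        if pn <= self.last.get(key, -1):
            return False       # replayed or out-of-order frame: drop before decrypting
        self.last[key] = pn
        return True
```

Because the nonce is built from PN and TA, a repeated PN from the same transmitter would mean a repeated counter stream; the replay check is what stops a receiver from ever processing such a frame, which is the reason the PN is carried in the clear.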

References
1. CWSP Official Study Guide
2. Real 802.11 Security: Wi-Fi Protected Access and 802.11i

Related Posts

1. CWSP – L2 Encryption Method:WEP
2. CWSP – L2 Encryption Method:TKIP
3. CWSP – 4 Way Handshake
4. CWSP – RSN Information Element


CWSP-Legacy 802.11 Security


Here are my study notes from the CWSP Official Study Guide, Chapter 2.

There are two legacy (pre-RSNA) authentication methods:

1. Open System Authentication
2. Shared Key Authentication

In Open System Authentication there are 4 frames exchanged between client & AP.

(image: CWSP-WEP-01)

Here is a wireless packet capture showing this frame exchange (I configured an open SSID called "ABC" & then joined the client to it while capturing on the AP channel).

(image: CWSP-WEP-03)

As you can see above, the client starts the process by sending an "Authentication Request" frame to the Access Point (frame 1246 above). Note that it is a management frame with subtype 11 [you can filter these in Wireshark with (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0b)] going from client to AP. The Authentication Algorithm is "Open System" & the Sequence Number is "1", indicating it is the "Authentication Request" frame.

(image: CWSP-WEP-04)

Then the AP responds with an Authentication Response (frame 1248). As you can see below, it has sequence number "2", indicating it is a response frame.

(image: CWSP-WEP-05)

Then the client station sends an "Association Request" (management frame subtype 0) specifying its capabilities. You can filter those in Wireshark using the (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x00) filter.

(image: CWSP-WEP-06)

Then the AP responds with an "Association Response" (management frame subtype 1). You can see the status code "successful" & that an association ID has been given. Association Response frames can be filtered using (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x01) in Wireshark.

(image: CWSP-WEP-07)

Now let's see how "Shared Key Authentication" works. Shared Key Authentication uses WEP (Wired Equivalent Privacy) to authenticate client stations & requires a static WEP key configured on both AP & client. Here is the frame exchange in the "Shared Key Authentication" mechanism.

(image: CWSP-WEP-8)

Below is a sample wireless capture during "shared key authentication".

(image: CWSP-WEP-09)

As you can see, this time we have 4 authentication frames. First the client sends the "Authentication Request" to the AP. You can see the "SEQ No is 1" for this frame & the Authentication Algorithm is "Shared Key".

(image: CWSP-WEP-10)

Then the AP sends a cleartext challenge to the client station in an authentication response. You will notice the SEQ number is "2" & the challenge text is included.

(image: CWSP-WEP-11)

The client station then encrypts the cleartext challenge and sends it back to the AP in the body of another authentication request frame. You will see the WEP header information with the encrypted data.

(image: CWSP-WEP-12)

By entering the WEP key in Wireshark you should be able to decrypt this message. Then you will see something like this: it is sequence number 3, where the cleartext the AP sent has been encrypted using WEP.

(image: CWSP-WEP-13)

Once the AP gets the WEP-encrypted authentication message 3, it decrypts the station's response & compares it with the cleartext challenge. If they match, the AP responds by sending the fourth & final authentication frame to the station.

(image: CWSP-WEP-14)

From this point onwards, all data frames are encrypted using the same WEP key that was used for authentication.

The WEP encryption process steps are as below.

* A 24-bit cleartext IV (Initialization Vector) is randomly generated & combined with the static secret key.
* The key length is 40 bits in 64-bit WEP & 104 bits in 128-bit WEP.
* The IV & key fed into the RC4 pseudo-random algorithm generate a keystream.
* The resulting keystream is then combined with the plaintext data bits using an XOR process.
* The end result is the WEP ciphertext.
* WEP also runs a CRC on the plaintext data & appends it as a 32-bit ICV (Integrity Check Value) to the end of the plaintext data.
* WEP adds 8 bytes (4 IV, 4 ICV) of encryption overhead, resulting in the max MSDU growing from 2304 to 2312 bytes.
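The WEP encryption steps above, carried through in Python as an added example (not code from the post or the CWSP guide); WEP is deprecated, and this exists only to make the frame layout and the ICV check concrete. It encrypts and decrypts a frame body (IV, Key ID byte, ciphertext of data + CRC-32 ICV), verifies the ICV on receipt, and includes a monitoring-side IV reuse detector, since a repeated IV under the same key means the same RC4 keystream was used twice. The function names, keys, IVs and payloads are my own constructions.

```python
"""WEP encryption as described above: RC4(IV || key) XOR (data || ICV).

Added example, not code from the post or the CWSP guide.  Encrypts and
decrypts a WEP frame body (IV(3) || KeyID byte || ciphertext), verifies the
CRC-32 ICV on decryption, and detects IV reuse on the receive side.  Keys,
IVs and payloads are constructed test values.
"""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 KSA + PRGA, returning `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                                   # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                                # pseudo-random generation
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xff])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, data: bytes, key_id: int = 0) -> bytes:
    """Return IV(3) || KeyID byte || RC4(IV || key) XOR (data || ICV)."""
    if len(key) not in (5, 13):              # 40-bit (64-bit WEP) or 104-bit (128-bit WEP)
        raise ValueError("WEP key must be 5 or 13 bytes")
    if len(iv) != 3 or not 0 <= key_id <= 3:
        raise ValueError("IV is 24 bits; Key ID is 2 bits")
    icv = zlib.crc32(data).to_bytes(4, "little")           # CRC-32 over the plaintext only
    plain = data + icv
    stream = rc4_keystream(iv + key, len(plain))           # the cleartext IV seeds RC4 with the key
    cipher = bytes(p ^ k for p, k in zip(plain, stream))
    return iv + bytes([key_id << 6]) + cipher


def wep_decrypt(keys: dict, body: bytes) -> bytes:
    """Decrypt with the key chosen by the Key ID byte; raise if the ICV does not match."""
    if len(body) < 8:
        raise ValueError("body shorter than IV + KeyID + ICV")
    iv, key_id, cipher = body[:3], body[3] >> 6, body[4:]
    stream = rc4_keystream(iv + keys[key_id], len(cipher))
    plain = bytes(c ^ k for c, k in zip(cipher, stream))
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch: frame corrupted or modified")
    return data


class IvReuseDetector:
    """Flag frames whose (Key ID, IV) pair was already seen: same keystream reused."""

    def __init__(self):
        self.seen = set()

    def reused(self, body: bytes) -> bool:
        pair = (body[3] >> 6, body[:3])
        if pair in self.seen:
            return True
        self.seen.add(pair)
        return False
```

With only 2^24 IV values and the keystream depending on nothing but IV and key, the detector fires in normal operation on any busy WEP network, which is the practical face of the "IV collision" drawback listed below.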

(image: CWSP-Encryption-01)

As you can see below, the WEP initialization vector (IV) includes the WEP Key ID so the receiving device can identify which key has been used for encryption (and so decrypt the traffic properly). Also note that the MSDU & ICV go as encrypted text.

(image: CWSP-WEP-02)

Since WEP has the following drawbacks it has been deprecated (TKIP was developed to address these issues):
1. IV Collision Attack - with a 24-bit IV, IV collisions are possible & an attacker can recover the WEP key easily.
2. Weak Key Attack -
3. Reinjection Attack - tools exist that implement a packet injection attack to accelerate the collection of weak IVs on a network with little traffic.
4. Bit-Flipping Attack - the ICV data integrity check is considered weak.

Related Posts

1. CWSP – L2 Encryption Method:CCMP
2. CWSP – L2 Encryption Method:TKIP
3. CWSP – 4 Way Handshake
4. CWSP – RSN Information Element



CWSP - RSN Information Element


RSN-IE (Robust Security Network Information Element) is an optional field of variable length found in 802.11 management frames. The RSN element has an element ID of 48 & is present in the following management frames:

1. Beacon frames (sent by AP)
2. Probe Response frames (sent by AP)
3. Association Request frames (sent by client)
4. Reassociation Request frames (sent by client)

All 802.11 radios use one cipher suite (pairwise) for unicast encryption & another cipher (group) for encrypting multicast/broadcast traffic. Below are the different cipher suite values:

00-0F-AC-04 (CCMP) is the default
00-0F-AC-02 (TKIP) is optional.
00-0F-AC-01 (WEP-40)
00-0F-AC-05 (WEP-104)

When a station supports several ciphers, it always chooses the strongest one first (i.e. CCMP, then TKIP, WEP-104, WEP-40).

The RSN-IE is also used to indicate which authentication methods are supported. The Authentication and Key Management (AKM) suite indicates whether the station supports 802.1X or PSK authentication. Below are the two AKM suite values, depending on the authentication method used:

00-0F-AC-01 (802.1X)
00-0F-AC-02 (PSK)

Here is the structure of the RSN element.

(image: CWSP-RSN-5)

Below are sample wireless frame captures of the 4 different types of frames in which the RSN-IE field exists.

Here is a Beacon frame. You can filter Beacon frames in Wireshark using the (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x08) filter. As you can see below, both the Group & Pairwise cipher is CCM-AES (00-0F-AC-04) & the AKM suite is PSK (00-0F-AC-02).

(image: CWSP-RSN-1)

Here is a Probe Response frame. You can filter Probe Response frames using the (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x05) Wireshark filter.

(image: CWSP-RSN-2)

Here is an Association Request frame. You can filter Association Request frames using the (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x00) Wireshark filter.

(image: CWSP-RSN-3)

Here is a Reassociation Request frame. You can filter these frames using the (wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x02) Wireshark filter. As you can see, it uses an AKM suite of 00-0F-AC-01 (802.1X) & the CCM-AES (00-0F-AC-04) encryption cipher.

(image: CWSP-RSN-4)

When you have multiple cipher suites (for mixed client support) the Group Cipher should always be the lowest common denominator (i.e. with CCMP, TKIP & WEP ciphers, the group cipher should be WEP).
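A parser for the RSN element structure shown above, as an added Python example (not code from the post or the CWSP guide): it walks version, group cipher suite, pairwise suite list, AKM suite list and RSN capabilities, maps the 00-0F-AC-xx selectors to the names listed earlier, and applies the selection rule from the text, picking the strongest pairwise cipher a station offers. The function names are my own, and the IE bytes in the test are constructed rather than taken from the post's captures.

```python
"""Parse an RSN Information Element (element ID 48) into its suites.

Added example, not code from the post or the CWSP guide.  Decodes version,
group cipher, pairwise cipher list, AKM list and RSN capabilities, names the
00-0F-AC-xx selectors, and picks the strongest offered pairwise cipher
(CCMP, then TKIP, WEP-104, WEP-40).  Test IE bytes are constructed.
"""
import struct

OUI = b"\x00\x0f\xac"
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_NAMES = {1: "802.1X", 2: "PSK"}
CIPHER_STRENGTH = ["CCMP", "TKIP", "WEP-104", "WEP-40"]     # strongest first


def _suite(name_map: dict, sel: bytes) -> str:
    """Name a 4-byte suite selector (OUI + type); vendor OUIs are reported raw."""
    if sel[:3] != OUI:
        return "vendor:" + sel.hex()
    return name_map.get(sel[3], "unknown:%d" % sel[3])


def _suite_list(name_map: dict, body: bytes, pos: int):
    """Read a little-endian 2-byte count and that many selectors; return (names, new_pos)."""
    count, = struct.unpack_from("<H", body, pos)
    pos += 2
    if pos + 4 * count > len(body):
        raise ValueError("suite list runs past the end of the element")
    names = [_suite(name_map, body[pos + 4 * i:pos + 4 * i + 4]) for i in range(count)]
    return names, pos + 4 * count


def parse_rsn_ie(ie: bytes) -> dict:
    """Decode element ID 48.  Fields after Version are optional; defaults apply if absent."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN element (ID 48)")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 2:
        raise ValueError("truncated RSN element")
    version, = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    info = {"version": version, "group": "CCMP", "pairwise": ["CCMP"],
            "akm": ["802.1X"], "capabilities": 0}
    pos = 2
    if len(body) >= pos + 4:
        info["group"] = _suite(CIPHER_NAMES, body[pos:pos + 4])
        pos += 4
    if len(body) >= pos + 2:
        info["pairwise"], pos = _suite_list(CIPHER_NAMES, body, pos)
    if len(body) >= pos + 2:
        info["akm"], pos = _suite_list(AKM_NAMES, body, pos)
    if len(body) >= pos + 2:
        info["capabilities"], = struct.unpack_from("<H", body, pos)
    return info


def strongest_cipher(offered: list) -> str:
    """The cipher a station selects from those offered, strongest first."""
    for name in CIPHER_STRENGTH:
        if name in offered:
            return name
    raise ValueError("no supported cipher in %r" % (offered,))
```

The first test IE matches what the Beacon above shows (group CCMP, pairwise CCMP, AKM PSK); the second is a mixed-mode IE with a TKIP group cipher, both CCMP and TKIP pairwise suites and both AKMs, which is where the strongest-first rule and the lowest-common-denominator group cipher both come into play.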

References
1. http://www.my80211.com/8021x/2010/7/4/george-stefanick-cwsp-journey-chapter-5-rsn-post2-742010.html
2. CWSP-Official Study Guide (page 184-188)

Related Posts

1. CWSP – L2 Encryption Method:CCMP
2. CWSP – L2 Encryption Method:TKIP
3. CWSP – 4 Way Handshake
4. CWSP – Legacy 802.11 Security

 


CWSP – EAP Basics


The Extensible Authentication Protocol (EAP), as defined in IETF RFC 2284, provides support for many authentication methods. EAP was originally adopted for use with PPP & has since been redefined in IETF RFC 3748 for use with 802.1X port-based access control.

(image: EAP-Basics-01)

There are 4 different types of EAP packets, identified by the "Code" octet of the EAP header:

Code=1 Request
Code=2 Response
Code=3 Success
Code=4 Failure

Most of the time EAP messages are encapsulated in EAP over LAN (EAPOL) frames. There are 5 major types of EAPOL messages:

1. Type 0 - EAP Packet (encapsulated EAP frame)
2. Type 1 - EAPOL-Start (optional frame that the supplicant can use to start the EAP process)
3. Type 2 - EAPOL-Logoff (this frame terminates an EAP session & shuts the virtual ports)
4. Type 3 - EAPOL-Key (used to exchange dynamic keying info, e.g. the 4-way handshake)
5. Type 4 - EAPOL-Encapsulated-ASF-Alert (used to send alerts such as SNMP traps to virtual ports)
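A decoder for the EAPOL and EAP headers just described, as an added Python example (not code from the post or the CWSP guide): it reads the EAPOL header (version, type, length), classifies the five EAPOL types, and for Type 0 decodes the EAP header (Code, Identifier, Length) plus the Type octet of Request/Response packets, pulling the cleartext identity out of an EAP-Response/Identity the same way Wireshark displays it in the captures further down. The function names are my own and the frames in the test are constructed bytes, not frames from the post's capture.

```python
"""Decode an EAPOL frame and the EAP packet it may carry.

Added example, not code from the post or the CWSP guide.  Reads the EAPOL
header (version, type, length), names the five EAPOL types, and for Type 0
decodes the EAP header (Code, Identifier, Length) and the Type octet of
Request/Response packets, extracting the cleartext identity of an
EAP-Response/Identity.  Test frames are constructed bytes.
"""
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}


def parse_eap(pkt: bytes) -> dict:
    """Decode Code | Identifier | Length [| Type | Type-Data] from an EAP packet."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field %d inconsistent with packet" % length)
    eap = {"code": EAP_CODES.get(code, "unknown:%d" % code),
           "identifier": ident, "length": length}
    if code in (1, 2):                           # only Request/Response carry a Type octet
        if length < 5:
            raise ValueError("Request/Response needs a Type octet")
        eap["type"] = EAP_TYPES.get(pkt[4], "unknown:%d" % pkt[4])
        data = pkt[5:length]
        if pkt[4] == 1 and code == 2:
            # The identity travels in the clear, which is why tunneled methods
            # (PEAP, TTLS, FAST) put the real username inside TLS instead.
            eap["identity"] = data.decode("utf-8", errors="replace")
    return eap


def parse_eapol(frame: bytes) -> dict:
    """Decode the EAPOL header and, for Type 0, the EAP packet inside it."""
    if len(frame) < 4:
        raise ValueError("EAPOL header is 4 bytes")
    version, ptype, length = struct.unpack_from("!BBH", frame, 0)
    if 4 + length > len(frame):
        raise ValueError("EAPOL body truncated")
    out = {"version": version, "type": EAPOL_TYPES.get(ptype, "unknown:%d" % ptype)}
    body = frame[4:4 + length]
    if ptype == 0:
        out["eap"] = parse_eap(body)
    elif ptype == 3:
        out["key_descriptor_len"] = len(body)   # 4-way handshake frames; decoded elsewhere
    return out
```

The first test frame is an EAPOL Type 0 carrying EAP Code 2 (Response), Type 1 (Identity) with the identity "user1", i.e. the same shape as the EAP-Response frame shown in the capture below.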

Below is the generic EAP frame exchange (page 140 of the Official CWSP Study Guide).

(image: EAP-Basics-03)

The authenticator maintains two virtual ports (uncontrolled & controlled). When open, the "uncontrolled port" allows EAP authentication traffic to pass through. The controlled port blocks all other traffic until the supplicant has authenticated; when the controlled port is open, upper-layer (3-7) traffic can pass through. Here is the flow of the frame exchange.

1. The supplicant associates with the BSS; both controlled & uncontrolled ports are blocked on the authenticator.
2. The supplicant initiates the EAP process by sending an EAPOL-Start frame (optional frame & may or may not be used by different types of EAP).
3. The authenticator sends an EAP-Request frame.
4. The supplicant sends an EAP-Response frame with its identity in clear text. Then the uncontrolled port opens to allow EAP traffic through.
5. The authenticator encapsulates the EAP response frame in a RADIUS packet & forwards it to the authentication server (AS).
6. The AS looks at the supplicant's name, checks it against the user database & then sends a password challenge.
7. The authenticator sends the password challenge to the supplicant in an EAP frame.
8. The supplicant sends an EAP challenge response by hashing the password using a hash algorithm (like MS-CHAPv2).
9. The authenticator forwards the challenge response in a RADIUS packet to the AS.
10. The AS runs an identical hash & sees if the response is correct. The AS sends "Success" or "Failure".
11. The authenticator forwards the AS message to the supplicant in an "EAP-Success" or "EAP-Failure" frame.
12. The 4-Way Handshake (if EAP-Success) between authenticator & supplicant occurs.
13. Once the 4-way handshake is completed, the controlled port is unblocked & the supplicant is authorized to use network resources.

Here is a snapshot of a wireless frame capture when EAP authentication is used. You will see the EAP-Request (frame 113), EAP-Response (frame 115) & EAP-Success (frame 157), which are Type 0 EAP packets. You can also see the Type 3 EAPOL-Key messages (frames 159, 161, 163 & 165).

(image: EAP-Basics-02)

Here are some more details on the different types of EAP packets in the above capture.

EAP-Request (frame 113 above). Note that the EAPOL packet type is "0" (EAP Packet) & the Code is 1 (i.e. EAP-Request).

(image: EAP-Basics-04)

Here is an EAP-Response frame (115 above). Note that the EAPOL packet type is "0" & the Code is 2, indicating it is an EAP-Response frame. Also note that the Identity is sent as cleartext (user1 in this capture).

(image: EAP-Basics-05)

Here is the "EAP-Success" frame (no 157). Note that the EAPOL packet type is 0, indicating a normal EAP frame, & the Code is set to 3, indicating it is an EAP-Success frame.

(image: EAP-Basics-06)

Here is an "EAPOL-Key" exchange frame (no 159). Note that the EAPOL packet type is 3, indicating it is an EAPOL-Key exchange frame.

(image: EAP-Basics-07)

There are many different types of EAP authentication methods & some of them are less secure than others. As you saw above, the supplicant identity being sent as cleartext is a security risk, & some EAP methods use an encrypted tunnel to make it more secure. Here are the different types:

1. EAP-MD5 (weak)
2. EAP-LEAP (weak)
3. EAP-PEAP (2 phase tunneled)
4. EAP-TTLS (2 phase tunneled)
5. EAP-TLS (2 phase tunneled)
6. EAP-FAST (2 phase tunneled)

Here is a quick comparison of these EAP methods (page 157 of the CWSP Study Guide).

(image: EAP-Basics-10)

Reference
1. CWSP Official Study Guide - CH4.

Related Post

1. CWSP- EAP LEAP
2. CWSP- EAP PEAP
3. CWSP- EAP FAST
4. CWSP- EAP TLS
5. CWSP- EAP TTLS
6. CWSP- EAP MD5


CWSP- EAP LEAP


EAP-LEAP (Lightweight Extensible Authentication Protocol) is a Cisco proprietary authentication method. The diagram below shows the EAP-LEAP authentication process (page 143 of the CWSP Official Study Guide).

(image: EAP-LEAP-10)

Here is a wireless frame capture of a client doing LEAP authentication, with the frame numbers mapped to the process diagram above.

Step 2-Establish Datalink (frame no 76,84,88,90)
Step 3-EAPOL Start (optional frame & not in this capture)
Step 4a- EAP Identity Request (frame 92)
Step 4b- EAP Identify Response (frame 94)
Step 5a – LEAP Server Challenge (frame 100)
Step 5b – LEAP Server Challenge Response (frame 102)
Step 7 – EAP Success (frame 104)
Step 8 -LEAP Client Challenge (frame 107)
Step 10 – LEAP Client Challenge Response (frame 109)
Step 11-14 – 4 Way Handshake (frame 111,113,115,117)

(image: EAP-LEAP-01)

Here are the EAP-Identity Request frame (step 4a) details. You can see the Code is 1 (for a Request frame).

(image: EAP-LEAP-02)

Here is the Identity Response frame (step 4b). As you can see, the supplicant identity (user1) is sent in cleartext. The Code value is 2, indicating an EAP Response frame.

(image: EAP-LEAP-03)

Here is the LEAP Server Challenge (step 5a). It is an EAP-Request (code=1) frame with the server challenge in it.

(image: EAP-LEAP-04)

Here is the Server Challenge Response sent by the supplicant. The challenge hash is calculated from the password using the MS-CHAPv2 algorithm.

(image: EAP-LEAP-05)

Here is the EAP-Success (step 7) frame. You can see code=3 (i.e. EAP Success).

(image: EAP-LEAP-06)

Here is the LEAP Client Challenge (step 8) frame, which is an EAP-Request (code=1) frame sent by the Supplicant to the Authentication Server (AS).

(image: EAP-LEAP-07)

Here is the Client Challenge Response coming from the AS. From this point onwards the Supplicant & AS do the 4-Way Handshake.

(image: EAP-LEAP-08)

LEAP is considered a weak protocol & can easily be cracked. As you can see below, once you have the LEAP Server Challenge & LEAP Server Challenge Response, you can easily use an offline dictionary attack tool to get the password. Here is how the supplicant password can be obtained using asleap, available in BackTrack. In my case, as you can see below, I used the challenge & challenge response info in frames 100 & 102 to derive the key with asleap.

56:85:b1:1c:ad:cf:1f:36 <- EAP Request Challenge in frame 100
bc:52:74:47:e3:d2:5a:b8:f3:3b:7b:c5:ad:98:e7:5b:51:85:5e:e7:b9:94:e2:a4 <- EAP Response challenge in frame 102

root@bt:~# asleap -C 56:85:b1:1c:ad:cf:1f:36 -R bc:52:74:47:e3:d2:5a:b8:f3:3b:7b:c5:ad:98:e7:5b:51:85:5e:e7:b9:94:e2:a4 -W /pentest/passwords/wordlists/rockyou.txt 
asleap 2.2 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using wordlist mode with "/pentest/passwords/wordlists/rockyou.txt".
    hash bytes:        215d
        NT hash:           f2e787d376cbf6d6dd3600132e9c215d
    password:          Cisco123

Other EAP methods (PEAP, TLS, FAST) were developed to send the supplicant identity inside an inner TLS tunnel, which is more secure.
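An added example (not from the original post or its capture) that decodes the EAP header fields discussed above and flags what a wireless monitoring system should report: the cleartext Identity Response and the use of LEAP (type 17). The sample packets are constructed to mirror frames 92, 94, 100 and 104, and the LEAP request body layout used in the sample is an assumption.

```python
import struct

# EAP codes (RFC 3748) and the method types seen in the captures above
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 17: "LEAP", 25: "PEAP"}

def parse_eap(pkt: bytes) -> dict:
    """Decode the 4-byte EAP header plus the Type field of Request/Response packets."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field does not fit the packet")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:        # Success/Failure (code 3/4) carry no Type field
        etype = pkt[4]
        info["type"] = EAP_TYPES.get(etype, f"unknown({etype})")
        info["data"] = pkt[5:length]
    return info

def audit_eap(pkt: bytes) -> list:
    """Return the findings a monitoring system would raise for one EAP packet."""
    info = parse_eap(pkt)
    findings = []
    if info["code"] == "Response" and info.get("type") == "Identity":
        # No tunnel exists yet, so the identity in this frame is readable by any sniffer
        findings.append("cleartext identity: " + info["data"].decode("utf-8", "replace"))
    if info.get("type") == "LEAP":
        findings.append("LEAP in use: challenge/response exposed, migrate to PEAP or EAP-TLS")
    return findings

# Constructed sample packets mirroring frames 92, 94, 100 and 104 of the capture above.
# The LEAP request body layout (version, unused, count, 8-byte challenge) is an assumption.
SAMPLES = {
    "identity_request":  b"\x01\x01\x00\x05\x01",
    "identity_response": b"\x02\x01\x00\x0a\x01user1",
    "leap_request":      b"\x01\x02\x00\x10\x11\x01\x00\x08" + bytes.fromhex("5685b11cadcf1f36"),
    "success":           b"\x03\x03\x00\x04",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, parse_eap(pkt), audit_eap(pkt))
```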

Reference
1. EAP-LEAP-7921 (sample packet capture used for this post)
2. CWSP Official Study Guide – Chapter 4

Related Posts

1. CWSP- EAP Basics
2. CWSP- EAP PEAP
3. CWSP- EAP FAST
4. CWSP- EAP TLS
5. CWSP- EAP TTLS
6. CWSP- EAP MD5


CWSP- EAP PEAP


EAP-PEAP (Protected Extensible Authentication Protocol) creates an encrypted TLS tunnel within which the supplicant’s inner identity is validated. Sometimes it is referred to as EAP within EAP. There are 3 major versions of PEAP.

1. EAP-PEAPv0(EAP-MSCHAPv2)
2. EAP-PEAPv0(EAP-TLS)
3. EAP-PEAPv1(EAP-GTC)

PEAPv0 & PEAPv1 both refer to the outer authentication method and are the mechanisms that create the secure TLS tunnel to protect the subsequent authentication transaction. The EAP protocol enclosed within parentheses (i.e. MSCHAPv2, TLS & GTC) is the inner EAP protocol.

Below shows the EAP-MSCHAPv2 process.
(image: EAP-PEAP-20)
PEAP Phase 1
1. The Authenticator sends an EAP frame requesting the identity of the supplicant.
2. The Supplicant responds with an EAP Response frame carrying a clear-text outer identity (not the real username).
3. The Authenticator forwards the outer identity response to the Authenticating Server.
4. The AS sends the server certificate down to the supplicant & the Supplicant validates the server-side certificate.
5. An encrypted point-to-point TLS tunnel is created between the Supplicant & AS.

PEAP Phase 2
1. The AS requests the real identity of the supplicant.
2. The supplicant responds with the inner identity, which is the real username.
3. The AS sends an EAP request with a challenge.
4. The Supplicant sends an EAP response with the hashed challenge response.
5. The AS sends an EAP request with EAP-MSCHAPv2 success.
6. The Supplicant sends an EAP response with ACK.

Once Phase 2 is completed, the TLS tunnel is torn down & the AS sends a RADIUS Access-Accept message, which the Authenticator forwards to the Supplicant as “EAP-Success” (or EAP-Failure). Then the 4-Way Handshake EAPOL-Key exchange (M1-M4) occurs.

(image: EAP-PEAP-01)
Here is the Identity Request frame (step 4a).
(image: EAP-PEAP-02)
Here is the Identity Response frame (step 4b). This sends the outer identity & may not be the real username (in my case the Supplicant, a 7921 phone, uses the real username).
(image: EAP-PEAP-03)
Here is the Start-PEAP (an EAP Request type) message (step 6).
(image: EAP-PEAP-04)
Server certificate validation (step 7) includes multiple frame exchanges, as shown below. (image source)
(image: EAP-PEAP-18)
Here is the response to the “PEAP-Start” frame, which is “Client Hello“.
(image: EAP-PEAP-05)
This shows the Server Hello, Certificate and Server Hello Done frames coming from the AS. There may be multiple fragments as this is a large packet (due to the cert size).
(image: EAP-PEAP-06)
Then the Client Key Exchange frame goes from the Supplicant to the AS.
(image: EAP-PEAP-08)
Here is the Change Cipher Spec frame.

(image: EAP-PEAP-11)
Here is the last frame (step 8) in Phase 1, sent by the Supplicant to confirm that the TLS tunnel is established from this point on.
(image: EAP-PEAP-09)
From that point onwards all packets are TLS encrypted. Here is the first frame exchange in Phase 2, which is the Identity Request for the real username (step 9).
(image: EAP-PEAP-10)
Here is the EAP-Response/Identity Response frame (step 10) sent by the supplicant.
(image: EAP-PEAP-12)
Then the AS will send the EAP-MSCHAPv2 challenge inside the TLS tunnel to the supplicant as an EAP-Request frame (step 11).

(image: EAP-PEAP-13)
Here is the EAP-Response/Challenge from the Supplicant (step 12).
(image: EAP-PEAP-14)
Then the AS validates the client & sends EAP-Request/EAP-MSCHAPv2-Success inside TLS (step 13).
(image: EAP-PEAP-15)
Then the Supplicant sends EAP-Response/EAP-MSCHAPv2-ACK (step 14).

(image: EAP-PEAP-16)
Now the AS sends the RADIUS Accept to the Authenticator & the Authenticator then sends that as an “EAP-Success” frame to the Supplicant (step 17). This completes Phase 2 of the PEAP process.

(image: EAP-PEAP-17)
Once PEAP authentication completes, the EAPOL-Key exchange starts (4-Way Handshake, frames 159, 161, 163, 165).

References
1. EAP-PEAP-7921 (sample packet capture)
2. CWSP Official Study Guide – Chapter 4

Related Posts

1. CWSP- EAP Basics
2. CWSP- EAP LEAP
3. CWSP- EAP FAST
4. CWSP- EAP TLS
5. CWSP- EAP TTLS
6. CWSP- EAP MD5


CWSP- EAP TLS


EAP-TLS (EAP-Transport Layer Security) is defined in RFC 5216 & is considered the most secure of the EAP methods used in WLANs. EAP-TLS requires client-side certificates in addition to the server-side certificate. However, maintaining client-side certificates is challenging (maintaining a PKI infrastructure & managing client certs).

Here is the EAP-TLS process (page 152 of the CWSP Study Guide).
(image: EAP-TLS-20)
As you can see above, no tunnel is established for an inner authentication to take place, unlike the other EAP methods (PEAP, FAST, TTLS). There is an optional privacy mode where the TLS handshake is established before the client identity is passed (not implemented by vendors).

Here is a packet capture of a supplicant using EAP-TLS for authentication. The supplicant has MAC 00:20:a6:ca:6b:b4.

(image: EAP-TLS-01)
Here are the details of the EAP-TLS frame exchange. Like any other EAP method, the first two frames are “Identity Request (step 4a)” & “Identity Response (step 4b)”, excluding the optional EAPOL Start frame.
(image: EAP-TLS-02)
Here is the EAP-Identity Response frame (4b) sent by the Supplicant. Note that the outer identity goes as cleartext.

(image: EAP-TLS-03)
Then the AS will send an “EAP-TLS Start” frame to the supplicant as shown below. Note that type 13 identifies “TLS” & code 1 identifies a “Request” frame.
(image: EAP-TLS-04)
Then the Supplicant starts the server certificate validation process (step 5a) with a “Client Hello” frame. Below shows the detailed steps involved in Server & Client Certificate validation. (image source)
(image: EAP-TLS-05)

Here is the Client Hello frame.
(image: EAP-TLS-06)
Then the AS sends its certificate with Server Hello, Certificate, Certificate Request and Server Hello Done. As you can see, the server certs are carried in fragmented frames because of the size of the cert (in my example 3 fragmented frames: 55, 57 & 59).
(image: EAP-TLS-07)
Once Server Hello Done is received, the AS starts the client certificate verification (step 5b). The Supplicant sends Client Certificate, Client Key Exchange, Certificate Verify and Change Cipher Spec (again there is more than one fragment in my capture: 62, 66).
(image: EAP-TLS-08)
Here is the Change Cipher Spec (frame 68) sent by the Authenticating Server.
(image: EAP-TLS-11)
Here is the EAP-Response frame sent by the Supplicant to complete the Client Certificate (step 5b) process.
(image: EAP-TLS-09)
Finally the AS sends a RADIUS Accept (or Reject), which the Authenticator in turn converts to an EAP-Success (or Failure) frame (step 7). Here is my EAP Success frame (Code 3).
(image: EAP-TLS-10)
At this point the 4-Way Handshake starts (steps 8-11 & frames 74, 76, 78, 80).
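Decoding the fragmented EAP-TLS exchange shown above (and the PEAP one in the previous post, which carries the same L/M/S flag bits in type 25), as an added example that is not part of the original posts or captures: it parses the Flags byte, reassembles the fragments and checks the declared TLS length before the TLS record is examined. The build_fragment helper and the sample packets are constructed for this example.

```python
import struct

# EAP-TLS Flags byte (RFC 5216): L = length included, M = more fragments, S = start.
# PEAP (type 25) uses the same L/M/S bits and keeps its version in the low bits, ignored here.
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20
TLS_TYPES = {13: "EAP-TLS", 25: "PEAP"}

def parse_tls_eap(pkt: bytes) -> dict:
    """Split one EAP-TLS/PEAP packet into header, flags and the TLS bytes it carries."""
    if len(pkt) < 6 or pkt[4] not in TLS_TYPES or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("not a well-formed EAP-TLS/PEAP packet")
    code, ident = pkt[0], pkt[1]
    flags, body, total = pkt[5], pkt[6:], None
    if flags & FLAG_L:                          # 4-byte TLS Message Length precedes the data
        total, body = struct.unpack("!I", body[:4])[0], body[4:]
    return {"code": code, "id": ident, "method": TLS_TYPES[pkt[4]], "total": total,
            "start": bool(flags & FLAG_S), "more": bool(flags & FLAG_M), "data": body}

def reassemble(fragments: list) -> bytes:
    """Rebuild a TLS message split over several EAP packets, checking the declared length."""
    first = parse_tls_eap(fragments[0])
    if first["total"] is None:
        raise ValueError("first fragment must carry the total TLS length (L bit)")
    out, more = bytearray(first["data"]), first["more"]
    for frag in fragments[1:]:
        if not more:
            raise ValueError("fragment received after one without the M bit")
        cur = parse_tls_eap(frag)
        out += cur["data"]
        more = cur["more"]
    if more or len(out) != first["total"]:
        raise ValueError(f"incomplete: {len(out)} of {first['total']} bytes")
    return bytes(out)

def tls_record_type(msg: bytes) -> str:
    """Content type of the first TLS record; Server Hello and Certificate use handshake (22)."""
    return {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "app_data"}.get(msg[0], "unknown")

def build_fragment(ident: int, flags: int, data: bytes, total: int = 0) -> bytes:
    """Constructed helper: encode one EAP-Request/EAP-TLS packet for the samples below."""
    body = (struct.pack("!I", total) if flags & FLAG_L else b"") + data
    return struct.pack("!BBH", 1, ident, 6 + len(body)) + b"\x0d" + bytes([flags]) + body

# Constructed sample: a 15-byte TLS handshake record sent as three fragments (stands in for the
# Server Hello/Certificate that arrives in frames 55, 57 and 59 of the capture above).
TLS_MSG = b"\x16\x03\x01\x00\x0a" + bytes(10)
FRAGMENTS = [build_fragment(10, FLAG_L | FLAG_M, TLS_MSG[:6], len(TLS_MSG)),
             build_fragment(11, FLAG_M, TLS_MSG[6:12]),
             build_fragment(12, 0, TLS_MSG[12:])]
EAP_TLS_START = build_fragment(2, FLAG_S, b"")
```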

Reference
1. EAP-TLS sample packet capture.
2. CWSP Official Study Guide – Chapter 4

Related Posts

1. CWSP- EAP Basics
2. CWSP- EAP PEAP
3. CWSP- EAP FAST
4. CWSP- EAP LEAP
5. CWSP- EAP TTLS
6. CWSP- EAP MD5

