Workbench WiFi

Cisco WLC 8.3.111 Released

The first major maintenance release for WLC 8.3, 8.3.111, aka 8.3MR1, is now available. Release notes are here. Notable updates include:

  • Adaptive 802.11r FT support on 1800/2800/3800 series APs *
  • QoS Fastlane support on 1800/2800/3800 series APs *
  • Location tag support for 1800/2800/3800 series APs
  • Support for the 1560 and 1815i APs
  • FIPS compliance features
  • Massive list of bug fixes

*  Cisco and Apple have published several documents on Adaptive 802.11r FT and QoS Fastlane:

Enterprise Best Practices for iOS Devices on Cisco Wireless LAN (PDF)

iOS Compatibility with QoS Fastlane and Adaptive 802.11r 

Optimizing WiFi Connectivity and Prioritized Business Apps (PDF)

In addition to bug fixes, I’m always curious to see what devices and software versions Cisco is using to test their newest releases. Notable OS versions mentioned in the release notes include:

  • Mac OS X 10.11.5, 10.11.6, 10.12
  • Windows 8.1, 10 (and possibly others, lots of driver versions mentioned)
  • Android 4.0.4 – 7.1.1
  • ChromeOS Release 55

Wireless Packet Capture via Netgear R7800

As introduced in a previous post, I have been using a $199 Netgear R7800 consumer router/AP (running DD-WRT) for performing wireless packet captures. Here is a little more detail on the process:

Step 1: Determine the frequency and width of the desired channels. In this example, I am capturing 80 MHz wide 802.11ac in the U-NII-3 band, channel 155 (5775 MHz center, 5735 – 5815 MHz range). This is also known as the four 20 MHz channels 149 (5745 MHz center, 5735 – 5755 MHz range), 153, 157, and 161.

Step 2: SSH to the R7800. Use the iw command to determine which radio has 5 GHz support. First, use “iw phy” to list the details of all physical interfaces. Then, use “iw dev” to list the device to physical interface mappings. On my R7800, phy#0 has 5 GHz support and is represented by device ath0.

Step 3: Put the desired device into monitor mode and set the channel. In this example, I am using ath0 and channel 155 (5745 MHz center of the first channel 149, 80 MHz wide, and 5775 MHz center of the entire 80 MHz channel).

root@DD-WRT:~# ip link set ath0 down
root@DD-WRT:~# iw dev ath0 set type monitor
root@DD-WRT:~# ip link set ath0 up
root@DD-WRT:~# iw dev ath0 set freq 5745 80 5775

Step 4: Begin the capture. Here, I am saving the capture file to the ramdisk at /tmp. This particular device has only about 400 MB available, so I’m going to only capture for less than 10 seconds. After issuing the command below, press CTRL-Z to stop the capture.

root@DD-WRT:~# tcpdump -i ath0 -n -w /tmp/capture1.pcap

Step 5: Move the capture to a PC for analysis. I could use a flash drive and copy the file that way, but I already have tftp64 running on my PC for some Cisco firmware updates, so I will use tftp. is the IP of my PC.

root@DD-WRT:~# tftp -l /tmp/capture1.pcap -p

Note: High data rate captures can become large in a hurry. This 6.3 second capture is about 237 MB in size. A quick look in Wireshark shows most of the frames were transmitted at VHT MCS 7 with 2 spatial streams, 585 Mbps rate.
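The channel arithmetic from Steps 1 and 3, as an added example that is not part of the original post: it derives the control frequency, center frequency and iw arguments for any 40 or 80 MHz block in the 5 GHz band, which goes beyond the single channel 155 case above. It assumes the standard 5 GHz channel numbering and block layout; the names plan and bonded_block are made up for this example.

```python
# Added example. Assumes standard 5 GHz numbering (MHz = 5000 + 5 * channel)
# and the usual non-overlapping 40/80 MHz blocks; "ath0" is the post's device.

# Contiguous runs of 20 MHz channels (first, last), spaced 4 channel numbers apart.
RUNS = [(36, 64), (100, 144), (149, 165)]


def freq_mhz(channel):
    """Center frequency of a 20 MHz channel in the 5 GHz band."""
    return 5000 + 5 * channel


def bonded_block(primary, width):
    """Return the 20 MHz channels forming the 40/80 MHz block that holds `primary`."""
    if width not in (40, 80):
        raise ValueError("width must be 40 or 80")
    count = width // 20
    for first, last in RUNS:
        if first <= primary <= last and (primary - first) % 4 == 0:
            index = (primary - first) // 4
            start = first + 4 * (index - index % count)  # align to block boundary
            block = [start + 4 * i for i in range(count)]
            if block[-1] > last:
                raise ValueError("channel %d has no %d MHz block" % (primary, width))
            return block
    raise ValueError("not a 5 GHz 20 MHz channel: %r" % (primary,))


def plan(primary, width, dev="ath0"):
    """Frequencies and the iw command for capturing on the block around `primary`."""
    block = bonded_block(primary, width)
    control = freq_mhz(primary)
    center = sum(freq_mhz(c) for c in block) // len(block)
    return {
        "channels": block,
        "control": control,
        "center": center,
        "range": (freq_mhz(block[0]) - 10, freq_mhz(block[-1]) + 10),
        "command": "iw dev %s set freq %d %d %d" % (dev, control, width, center),
    }


if __name__ == "__main__":
    for primary, width in [(149, 80), (157, 80), (36, 40)]:
        p = plan(primary, width)
        print(p["channels"], "%d-%d MHz" % p["range"], "->", p["command"])
```

Choosing a different primary channel inside the same block changes only the control frequency; the center frequency and the captured range stay the same.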

Preview: Low-cost managed system

For part of a class I am teaching, I am walking the students through building two managed Wi-Fi systems: one based on a Cisco WLC and one based on MikroTik CAPsMAN. Both have their pros and cons, but the really exciting part about the MikroTik system is the low barrier to entry in terms of cost and time. I hope to document some of the project on this blog to share some pointers and configuration examples.

This test bench example setup consists of a MikroTik RouterBoard hEX PoE (a router with 4 PoE outputs), two MikroTik wAP ac (2 dBi omnidirectional dual band 3×3:3 802.11a/b/g/n/ac) and a MikroTik SXT SA 5ac (14 dBi 90-degree sector single band 2×2:2 802.11a/n/ac). All pieces, including the router, can operate on 12 – 57 volt passive PoE. In fact, the entire 4 piece ensemble was consuming just 14.7 watts @ 49 volts at the time these photos were taken (PoE provided via port 1 on the router, generic 48v injector is outside of the frame between the router and the upstream Internet source).

Affordable 802.11ac 4×4:4 packet capture device

Performing an 802.11 packet (frame) capture from an AP is nothing new. But sometimes an extra AP isn’t available or there is a desire for a lower cost alternative. What looks like a wedge-shaped battle bot but can capture those 3×3 MIMO frames for $199? Why, this piece of heavy duty marketing… when running different software.

The WiFi Pineapple Tetra is one of my favorite inexpensive wireless tools, but it is limited to 2×2 802.11n at best. Installing a very recent build of DD-WRT on the Netgear R7800 allows for many of the same functions using an Atheros 4×4:4 802.11ac radio, albeit in a more primitive manner. Both iw and tcpdump are included in the base DD-WRT environment, so the usual commands for gathering basic site survey information and performing packet captures are available immediately. I do not have any USB storage devices fast enough to store a real time 300+ Mbps (37.5+ MB/s) capture, but the R7800 does have 512 MB ram, about 400 MB of which is free, so I generally capture as much as 350 MB to the /tmp ramdisk first and later copy the pcap to an external storage device. I can post some more detailed instructions if there is interes


Per-device PSK with CAPsMAN



For larger or more critical WLANs, I primarily use Cisco APs and WLCs. I’ve had many successes with Cisco and am comfortable installing their equipment in challenging environments. But for smaller networks or when cost is a major concern, I often turn to MikroTik for a CAPsMAN-managed solution.

There is no shortage of CAPsMAN tutorials online, but many skip past some of the more handy features, especially those involving access lists. I hope to post many more examples in the future, but for now, here is one I use fairly often with IoT devices in a home or small office environment: per-device Private Passphrase.

To configure via the WinBox GUI, add a new item in the Access List tab of the CAPsMAN window. Use the MAC address of the wireless client. This can also be done by using the “Copy to Access List” button in the details window of an already-associated client from the Registration Table tab.

Once the client has been identified, additional parameters can be added. In this example, I specified the 5 GHz Lobby interface as this device is 5 GHz capable and happens to be located near that specific AP. The device-specific PSK can be entered in the field below. Changes are applied immediately upon clicking Apply or OK.

To prevent the device from associating to another AP on the system, and to keep it from using 2.4 GHz on the lobby AP, I have added an explicit reject rule below the PSK rule.

The configuration looks like this from the CLI:

/caps-man access-list
add disabled=no interface=Lobby_5GHz mac-address=xx:xx:xx:xx:xx:xx private-passphrase=supersecretpsk ssid-regexp=""
add action=reject disabled=no interface=all mac-address=xx:xx:xx:xx:xx:xx ssid-regexp=""

Many other configuration options can be specified in these access list rules. You may want to assign these IoT devices to a specific VLAN. A minimum RSSI can also be defined here.
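For more than a handful of devices, the rule pair shown above can be generated rather than typed. The following is an added example, not part of the original post: it emits one private-passphrase rule followed by one reject rule per device, each with its own random PSK. The MAC addresses and the Office_5GHz interface name are constructed sample values, and the function names are made up for this example.

```python
import re
import secrets
import string

MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")            # interface names without quoting
PSK_ALPHABET = string.ascii_letters + string.digits    # safe to paste unquoted


def new_psk(length=24):
    """Random passphrase; WPA2 passphrases are 8 to 63 printable ASCII characters."""
    if not 8 <= length <= 63:
        raise ValueError("passphrase length must be 8..63")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def access_list_rules(devices):
    """devices: list of (mac, interface). Returns RouterOS CLI lines in rule order."""
    lines = ["/caps-man access-list"]
    seen = set()
    for mac, interface in devices:
        mac = mac.upper()
        if not MAC_RE.match(mac):
            raise ValueError("bad MAC address: %r" % mac)
        if not NAME_RE.match(interface):
            raise ValueError("bad interface name: %r" % interface)
        if mac in seen:
            raise ValueError("duplicate MAC address: %s" % mac)
        seen.add(mac)
        # The PSK rule comes first; the reject rule below it blocks the same
        # MAC on every other interface, as in the configuration above.
        lines.append('add disabled=no interface=%s mac-address=%s '
                     'private-passphrase=%s ssid-regexp=""' % (interface, mac, new_psk()))
        lines.append('add action=reject disabled=no interface=all '
                     'mac-address=%s ssid-regexp=""' % mac)
    return lines


if __name__ == "__main__":
    sample = [("02:00:00:00:00:01", "Lobby_5GHz"),    # constructed sample devices
              ("02:00:00:00:00:02", "Office_5GHz")]
    print("\n".join(access_list_rules(sample)))
```

The output contains the passphrases in clear text, so handle it like any other credential file.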

MikroTik RouterOS hints and tips

It’s no secret that I am a fan of MikroTik products for low- to mid-range layer 3 router tasks. MikroTik’s RouterOS is based on Linux, not unlike many other router appliances, and has a similarly wide feature set. The low cost of most MikroTik devices means I can easily build a full switch and router test lab for less than the cost of a single Cisco AP, freeing time and money for layer 1 and 2 challenges.

The only way to learn RouterOS is to purchase a RouterBoard and get your hands dirty. Download winbox, browse the release notes, explore the forums, search the wiki, and challenge yourself to build many different configs. Please, please, please use Winbox. The RouterOS web interface is helpful in a pinch, but is nowhere near as nice to use as the Winbox client. And as much as I love the CLI, the Winbox GUI is much more conducive to exploring than stumbling around in an alien text environment (the RouterOS CLI is nothing like Cisco IOS). I have successfully used Winbox in Windows versions XP through 10, and in Linux and Mac OS X via wine. You may have to tinker with wine font settings, but it will work fairly well on most versions of Linux and OS X.

The MikroTik User Meetings, or MUMs, are regional conferences full of presentations and vendor exhibits. The MUM Archive is a great place to browse slides and videos from past MUM presentations, some of which are linked below.

Manito Networks has published a very useful MikroTik Router Hardening guide along with many other handy RouterOS-related posts.

Rick Frey, a consultant and certified MikroTik instructor, has a great MikroTik firewall presentation from about two years ago.

Andis Arins, another MikroTik consultant and instructor, presented his Top 10 Configuration Mistakes at the USA MUM last year. This is available as both a PDF of his slides, and as a YouTube video.

These should be enough resources to get started. It took me a few weeks of casually playing with my first RouterBoard before I got the hang of it. It’s not Cisco, but that’s sort of the point!

Wireless tools on a MikroTik RouterBoard

As a cheap thrifty person, I enjoy finding flexible and low-cost tools to use and share with others. The MikroTik RouterBoard family has a lot to offer in the $50 – $100 range and is often found in my toolkit. While I am a fan of products from NetScout, Ekahau, and MetaGeek, I do use MikroTik equipment for the occasional test, especially in situations where I have to leave equipment in place in my absence.

/interface/wireless/spectral-scan and spectral-history provide a quick overview of RF conditions:

Spectral-scan is a live view, while spectral-history is a low resolution waterfall graph. Both can be utilized remotely via telnet, ssh, winbox, and The Dude.

The occasional wireless packet capture can be performed using the Wireless Sniffer feature. These can be saved to internal flash, external USB storage, or streamed via TZSP to a remote protocol analyzer such as Wireshark.

Selecting the desired frequency range is less than obvious. One easy method is to partially configure the wireless interface as a station. SSID doesn’t matter, but be sure to specify the band, width, and frequency.

Cisco Wireless Software Versions

Navigating the many versions of Cisco wireless software can become a headache. I often use the newest versions, especially when working with the latest Cisco APs (such as the new 2802i). This is not always practical or possible, especially when working in an existing environment where specific versions may be required for compatibility or stability reasons. The Cisco Wireless Solutions Software Compatibility Matrix has cross referenced lists of AP, WLC, MSE, Prime, and other related component versions.

Another helpful resource is the list of WLC versions supported by the TAC, along with brief notes on each.


MikroTik DHCP Server Option 43

I often use MikroTik routers for DHCP, NAT, management VPN, and other tasks for the WLANs I manage. Utilizing DHCP Option 43 to provide Cisco APs with the IP address of the WLC(s) helps simplify the AP provisioning process. The MikroTik RouterOS configuration segment below is a glimpse of how I accomplish this.

The only potential gotcha is the format of the hex string value. Per the Cisco WLC documentation, the string always starts with 0xf1, followed by the length of the IP address list expressed in number of octets. In this example, I have just one IP address for one WLC, so that number is 04 (one IPv4 address is made up of 4 octets). The remainder of the string, ac14640c, refers to the IP address, the WLC. A simple decimal to hex calculator can help with this conversion. Decimal 172 is hex ac, decimal 20 is hex 14, and so on. Note that single-digit values must be padded with a leading zero: decimal 12 is hex c, padded with a leading zero to become 0c.

/ip pool
add name="AP Management Pool" ranges=

/ip dhcp-server option
add code=43 name=apmgmtopt43 value=0xf104ac100105

/ip dhcp-server network
add address= dhcp-option=apmgmtopt43 gateway=
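An encoder and decoder for the Option 43 hex string described above, as an added example that is not part of the original post; it also handles more than one WLC address. Decoding a value before pasting it catches a missing leading zero or a wrong length octet. The function names are made up for this example, and the second WLC address is a constructed sample value.

```python
import ipaddress


def encode_option43(wlc_ips):
    """Build the hex value: 0xf1, length in octets, then each IPv4 address."""
    addrs = [ipaddress.IPv4Address(ip) for ip in wlc_ips]
    if not addrs:
        raise ValueError("at least one WLC address is required")
    payload = b"".join(a.packed for a in addrs)
    if len(payload) > 255:
        raise ValueError("address list does not fit a one-octet length")
    return "0x" + (bytes([0xF1, len(payload)]) + payload).hex()


def decode_option43(value):
    """Return the WLC addresses in a hex value, or raise ValueError if malformed."""
    text = value[2:] if value.lower().startswith("0x") else value
    raw = bytes.fromhex(text)       # odd digit count (missing zero pad) raises here
    if len(raw) < 2 or raw[0] != 0xF1:
        raise ValueError("value does not start with 0xf1")
    length, payload = raw[1], raw[2:]
    if length == 0 or length % 4 or length != len(payload):
        raise ValueError("length octet %d does not match %d address octets"
                         % (length, len(payload)))
    return [str(ipaddress.IPv4Address(payload[i:i + 4]))
            for i in range(0, length, 4)]


if __name__ == "__main__":
    # The string built in the walkthrough, then with a constructed second WLC.
    print(encode_option43(["172.20.100.12"]))
    print(encode_option43(["172.20.100.12", "172.20.100.13"]))
    # The value used in the configuration segment above.
    print(decode_option43("0xf104ac100105"))
```

Decoding the value in the configuration segment returns 172.16.1.5, while the string built in the walkthrough, f104ac14640c, corresponds to 172.20.100.12.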