Vacations and IT Operations: Calm the Chaos

As I prepare to head out on summer vacation, I can’t help but realize that planning a vacation is a lot like managing IT operations. Both require coordinating a handful of individual tasks (from booking flights and reserving a hotel to deploying servers and resolving issues and more). Luckily, just as online travel services have made vacation planning easier, SaaS tools also make IT operations easier. In a series of blogs, I’ll explore this comparison to drive home the point that any IT shop still using multiple tools—or worse, trying to manually coordinate multiple tasks—can make their life much easier by using an integrated SaaS platform like Cisco Intersight for hybrid cloud operations.

From Manual Travel Management to Online Vacation Planning

The first recorded instance of a travel management service may be in 1840 when Thomas Cook organized rail transportation and lunch for 540 people. Five years later he was managing travel services for 165,000 people. All with a pen and ledger. Back then it was the model for success.

Let’s fast forward to the age of the internet. The internet not only wiped-out pens and ledgers through digital vacation planning, but it also made way for a more connected world that puts the power of integrated vacation planning at our fingertips.

Online Isn’t Good Enough

Imagine you’re planning a summer vacation for your family. Your first challenge is finding the best flights to your destination. There are 18 major airlines operating in the US plus more than 40 smaller ones. You’ll have to search each airline site for tickets. Doing this 18+ times to compare and find the best flights gets overwhelming quickly. I’ll just leave it there because when you multiply the effort to search for lodging, restaurants, and activities, it becomes clear that the internet alone isn’t the key to efficient vacation planning.

A flock of birds take synchronized flight off the beach in Destin, FL.

Integration is Key

But you’re smart. You know that all you have to do is log on to your favorite travel site, like Tripadvisor, Kayak, or a handful of others. Integrated travel sites aren’t just about booking your vacation. You can get alerts, track deals, make changes, and get support…all from your fingertips anywhere in the world. That’s the power of an integrated SaaS platform.

The Power of Integrated SaaS for IT Ops

Now let’s bring IT operations back in. Running IT operations requires juggling multiple tasks to plan, manage, and optimize outstanding experiences while managing risk and dependencies. This means deploying servers and apps, monitoring system health, identifying and resolving issues, managing critical dependencies, configuring profiles, and driving collaboration, to name just a few tasks. Then multiply these tasks across your on-prem, hybrid, and public cloud infrastructure.  It’s an incredibly complex and overwhelming responsibility with virtually no margin for error (somewhat like pleasing each family member who has a different view of the perfect vacation).

Simplify Hybrid Cloud Management with Cisco Intersight

What if there was an integrated IT operations platform that lets IT teams manage your hybrid cloud infrastructure in a few clicks from one place? There is! Cisco Intersight.

Like an integrated online travel service, Cisco Intersight:

◉ Integrates multiple tasks in one place:

    ◉ Deploy and troubleshoot your on-prem, public cloud, and edge environments, including physical servers, hypervisors, and VMs

    ◉ Evaluate workload and app performance and optimize in real time

    ◉ Build, deploy, and manage cloud-native Kubernetes clusters, and

    ◉ Provision on-prem resources for Infrastructure-as-Code deployments

◉ Provides value-added services:

    ◉ Customizing the dashboard to view your global inventory, fault monitoring, and firmware status

    ◉ Automating tasks for device configuration, OS installation, HCI cluster upgrades, K8 and infrastructure-as-code (IaC) deployments, and other routine tasks

    ◉ Creating and executing workflows across multiple infrastructure domains and cloud platforms

    ◉ Integrating with 3rd-party operations tools such as ServiceNow

    ◉ Automating workload placement, scaling, and capacity so workloads get the resources they need when they need them and you optimize spend

    ◉ Modeling capacity planning and migration scenarios to reduce risk and ensure predictable performance and cost

    ◉ Managing your entire infrastructure on the go from the Intersight mobile app

◉ Provides role-based experiences:

    ◉ Gives IT Ops a powerful tool to control every aspect of your environment and move faster with powerful automation capabilities

    ◉ Allows developers the agility and freedom they need to deploy applications even faster their own way – using the tools of their choice

Take Control

To wrap up, just like an online travel planning service lets you easily tame the many aspects of planning a vacation, Cisco Intersight helps you take control of your IT operations across your entire hybrid cloud environment. Intersight gives you one place to manage your on-premises, public cloud, and edge locations and all types of workloads (bare metal, VMs, K8s, and serverless). Its services make common IT operations tasks easier, give your DevOps teams the agility they need, and help you stay ahead of issues to optimize performance and costs.

Source: cisco.com

Continue reading

300-215 CBRFIR Preparation: Tips to Clear 300-215 Exam with Question Bank

Cisco CBRFIR Exam Description:

Conducting Forensic Analysis and Incident Response Using Cisco Technologies for CyberOps v1.0 (CBRFIR 300-215) is a 60-minute exam that is associated with the Cisco CyberOps Professional Certification. This exam tests a candidate's knowledge of forensic analysis and incident response fundamentals, techniques, and processes. The course Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies helps candidates to prepare for this exam.

Cisco 300-215 Exam Overview:

• Exam Name- Conducting Forensic Analysis and Incident Response Using Cisco Technologies for CyberOps
• Exam Number- 300-215 CBRFIR
• Exam Price- $300 USD
• Duration- 90 minutes
• Number of Questions- 55-65
• Passing Score- Variable (750-850 / 1000 Approx.)
• Recommended Training- Conducting Forensic Analysis and Incident Response Using Cisco Technologies for CyberOps (CBRFIR)
• Exam Registration- PEARSON VUE
• Sample Questions- Cisco 300-215 Sample Questions
• Practice Exam- Cisco Certified CyberOps Specialist - CyberOps Forensic Analysis and Incident Response Practice Test

Cisco 300-215 Exam Topics:

• Fundamental- 20%
• Forensics Techniques- 20%
• Incident Response Techniques- 30%
• Forensics Processes- 15%
• Incident Response Processes- 15%

Related Reads:-

• Cisco 300-215 CBRFIR Exam: Study Resources and Tips to Overcome Exam Anxiety
• Cisco 300-215 Certification Path: Road to Build Your Future
• Cisco 300-215 CBRFIR Certification Exam That You Need to Check Out

Continue reading

Cisco NDFC One View – Centralized Management of the Global SAN Infrastructure

Cisco Nexus Dashboard Fabric Controller (NDFC) is a scalable application for managing Fibre Channel SAN. However, in some cases a single NDFC server may not be efficient. For example, it may be a better solution for large global environments to utilize a dedicated NDFC server for each region or department. But how do you get a centralized view of the global SAN infrastructure when using multiple instances of NDFC managing separate regions or departments?

The answer is NDFC One View. It delivers the centralized management and visualization of multiple SAN environments that are managed by different NDFC servers.

What does NDFC One View offer?

NDFC One View provides insights into what is happening within the Fibre Channel SANs at multiple locations in a single pane of glass. It offers the following:

◉ Executive Dashboard: Important and relevant information.

◉ Faster Troubleshooting: Centralized view of the fabric and switch health.

◉ Increased Collaboration: Define the access using Role-Based Access Control (RBAC).

◉ High Availability: Each participating NDFC server can run on a 3-node active-active Nexus Dashboard cluster.

◉ Simplicity: Single Sign-On (SSO) allows seamless click-thru navigation to any of the servers that participate within NDFC One View.

◉ One View in Context: One View is always just a click away via a breadcrumb regardless of the participating NDFC server.

Figure 1: Nexus Dashboard SAN Controller One View

You can view a summary of all the SAN switches across the globe on the NDFC One View Dashboard.  However, for making a change on any of the switches, such as creating a zone, you must do that from the NDFC server that manages that switch. NDFC One View simplifies this inter-cluster navigation with a single log in, so you do not have to remember which switches are managed by which Nexus Dashboard (ND) clusters.

How does NDFC One View work?

NDFC One View is an intuitive presentation layer. Only when accessed, it uses the RESTful APIs over HTTPS transport for retrieving the data from the participating NDFC servers. NDFC One View doesn’t store any additional data, or increase the storage requirement of the ND clusters.

No Extra Licensing Requirements for NDFC One View

Unlike other competing solutions, there is no extra license for NDFC One View. If you already have DCNM advanced license for managing Fibre Channel switches, you can start using NDFC One View today with no added cost.

How is NDFC One View different from Cisco Nexus Dashboard One View?

Cisco Nexus Dashboard (ND) One View and NDFC One View are different features. ND One View provides centralized management of Nexus Dashboard itself, which is a hosting platform in which applications such as NDFC can run. In contrast, NDFC One View provides centralized management of the global SAN Infrastructure that is managed by different NDFC servers.

How is NDFC One View different from DCNM Federation?

DCNM SAN, the predecessor of NDFC, provides high availability using a Federation. The participating DCNM servers in a federation must use an externally shared Oracle RAC database, which increases the total cost of ownership. In contrast, Nexus Dashboard integrates all the required services, including the distributed database services, which provide native active-active clustering. This design makes NDFC One View even more affordable.

How-to setup NDFC One View?

It’s easy. First, configure remote authentication for the Nexus Dashboard clusters. Then, add the address and the credentials under Infrastructure > Cluster Configuration > Multi Cluster Connectivity.

Source: cisco.com

Continue reading

Got Windows… But Jonesing For Linux?

I suspect most people are aware of the Windows Subsystem for Linux (WSL). And how you can use it to install a distribution like Ubuntu on Windows. That will get you all the command-line features of Linux, which are many. Most people I know use vi as their console-based editor. I prefer Joe’s Own Editor (joe), which I have customized to use my favorite keystroke commands. And then there’s Midnight Commander (mc), which is a favorite for file and directory navigation.

But what about the powerful GUI applications? This blog entry shows you how to get them working on Windows 10 and Windows 11.

I’ve been a Linux guy for decades now. But when I began my career at Cisco with Developer Support, I chose Windows 10 as my operating system. At that time, David Staudt had Linux covered and David Nguyen had a Mac, so I filled in the gap. I like Windows 10. I like Windows 11 even more. It puts the virtual desktop chooser at the bottom of the screen, like Windows 10 originally did it.

But I’m still a Linux guy at heart

So, when it comes time to get a laptop refresh, I will be getting a Mac. No, it’s not Linux, but OS X has a lot of BSD (Berkely Software Distribution) in it (and/or FreeBSD, depending on who you ask), so it is a familiar platform for Linux users like me.

Why does the Mac build on FreeBSD and not Linux? My friend Brett Glass made very strong arguments for FreeBSD over Linux back in the day. He pointed out that you can build proprietary code on top of FreeBSD and make money doing it. Steve Jobs, when forced out of Apple, started up NeXT, a computer that ran on a BSD-based OS. So, the foundation for making money on BSD was already laid. Apple simply continued the evolution.

That’s hard to do with Linux. The GNU Public License (GPL) constrains Linux proprietary use, because (for the most part) you must share your Linux code free of charge. The way to make money is to charge for support. Of course, that’s an over-simplified comparison of BSD vs Linux, but that’s the gist.

While I can clearly see the advantages of an open-source operating system like Linux, I’m beyond caring about the philosophical differences, these days. I just prefer a UNIX-like operating system for my personal use over Windows. So, the Mac is a great choice for me.

In the meantime, while I wait for a laptop refresh, there’s a way to run Linux on Windows, and that’s what this blog entry is about.

Here’s how to start:

First, you must make sure your computer BIOS settings allow your CPU to support virtualization. If you can’t do that, then I can’t predict how the rest of these instructions will work out.

Then you need to install some optional Windows features, if they aren’t already installed. There are different ways to get to the Windows optional feature installation dialog, so I’ll just jump right to it and assume you know how.

Install Hyper-V, Virtual Machine Platform and Windows Hypervisor Platform shown in these two sample screen shots:

Some may say, like chicken soup, one or more of these wouldn’t help, but it wouldn’t hurt. Click OK and do whatever Windows tells you to do if anything.

Now, make sure you have the latest graphics drivers installed. I have a Radeon 5700 XT on my personal computer running Windows 11. My company laptop has an Nvidia Quadro display adapter.

Open the Microsoft Store and “get” a copy of Ubuntu. I recommend Ubuntu 22.04.1 LTS, unless a later version is available by the time you read this. Run it, and the installation will ask you for your language, a username and password, and not much else.

Open a Windows PowerShell console with administrator privileges. Perform these operations:

C:>wsl –list

C:> wsl --set-version Ubuntu-22.04 2

C:> wsl --set-default-version 2

It is possible those are already the default settings (and that last command is probably redundant), but it’s worth making sure.

Now launch Ubuntu from the Windows menu, and enter these commands:

$ sudo apt update

$ sudo apt dist-upgrade

You can use “upgrade” instead of “dist-upgrade”, but “dist-upgrade” is more comprehensive. It removes unnecessary files and adds newly needed files. The “upgrade” option only upgrades what you already have on your system.

Let’s install some sample apps. If you’re like me and prefer the KDE Plasma desktop on Linux, install the KDE editor, kate.

$ sudo apt install kate

If you’re a fan of GNOME, install gedit instead.

$ sudo apt install gedit

And just for fun, install some basic X11 GUI apps.

$ sudo apt install x11-apps

You can install whatever other Linux GUI apps you like, but the above will get you started. The one thing you cannot do is install a graphical desktop, like Xfce, KDE Plasma, GNOME, Cinnamon, or any of the many other desktops. But you can run almost any graphical application.

You need to set an environment variable for the X11 display. So back in the Ubuntu terminal type:

$ export DISPLAY=:0.0

That’s only good for this one Ubuntu terminal session, so edit your .bashrc file and add this line somewhere at the top of the file:

DISPLAY=:0.0

STOP, do not turn the page until told to do so

If you are running Windows 11 or some super-secret double probation version of Windows 10, you can stop installing, open an Ubuntu terminal window and happily run your Linux GUI applications. For example, start kate or gedit (the ampersand launches the app and returns you to the prompt):

$ kate &

$ gedit &

If, on the other hand, you’re on Windows 10, there’s more for you to do. There are several different ways you can get Linux GUI apps working on Windows 10, but here’s what I have found to be the easiest. Download and install MobaXTerm. You can install the free home version or the paid version if it is for business purposes.

Once you have it installed, launch MobaXTerm. You should see something like this:

You see that X server icon in the upper right? If it’s in color, you’re gold. If it’s black and white, click it to start the X server.

You can see that MobaXTerm is aware that you have Ubuntu-22.04 installed. Double-Click on that to bring up a terminal for Ubuntu-22.04. DO NOT use the “Start local terminal” button. That way lies madness.

You should see something like this:

Now go ahead and start kate or gedit, or whichever app you like. I started xeyes and kate. Yes, kate complains about missing theme items, but I can install those later.

Voila, I now have access to graphical Linux apps:

And there you have it. All the pleasure of using Linux graphical applications on a Windows computer.

Source: cisco.com

Continue reading

Leveraging the Cloud to Scale your Industrial DMZ

The iDMZ (industrial demilitarized zone) is a critical layer in a comprehensive end-to-end security strategy for an industrial operations environment. The primary function of the iDMZ is the enforcement of a secure boundary between the internal trusted operations environment and external entities that may need to exchange data with services that support the operation.

One of the challenges with an exclusively on-site iDMZ is the limited ability around expansion to meet future demand and capabilities. With the growth of Industrial IoT (IIoT), it will be necessary for hardware and resource growth to meet the demands of increasing data. This translates to a consistently increasing hardware footprint and utilities to provide cooling and power, which can be in limited supply on premises. In addition, operators must explore new ways to obtain deeper insights and introduce enhancements to the operation, which may require tighter alignment with partners and/or the ability to securely consume XaaS offers.

Operators also have a safety-first culture, keeping people out of the “line of fire.” Vendors and partners may need to maintain on-site hardware, applications and services, potentially exposing people to risk through their presence on-site. For heavy industry environments, accessibility to site and the equipment residing on it is not necessarily an easily accomplished task. Many industrial sites require site safety training and approved work permits as a prerequisite for physical access.

Finally, a lack of iDMZ consistency when comparing multiple sites, from a hardware and feature composition, creates challenges for operations staff. In some instances, product and feature selection is made locally. This impacts the ability to deliver consistent policies and end user experiences. It also complicates support across the operation for staff responsible for troubleshooting and minimizing time to resolution and maintaining different SOPs and training documents.

Operators exploring options to gain operational efficiencies through modern service offerings may benefit from exploring how to extend their iDMZ beyond the “four walls” of the operation.

One deployment alternative for iDMZ is extending the architecture to leverage a hybrid-cloud model. A hybrid cloud iDMZ model can be deployed as a centralized model or repeated regionally, based on geographic presence and/or regulatory or compliance requirements. While migrating the entirety of the iDMZ and its capabilities to the cloud may not be an option, a hybrid cloud iDMZ architecture does offer operational benefits and mitigates previously raised challenges.

First, the hybrid cloud iDMZ can secure the operation, and mitigate risk and exposure. Similar to an on-prem iDMZ, multiple tools and applications should be leveraged to take a holistic approach for enforcing security. This can include:

◉ Services that support a secure and encrypted pipe between an operations site and a regional iDMZ

◉ Segmentation and possible options for multi-tenancy

◉ Visibility to monitor applications and flows traversing the industrial zone

The solution should also include tools for consistently configuring, deploying, enforcing policies, and managing assets.

In addition to providing a holistic security strategy, a hybrid cloud iDMZ offers the benefit of shared resources and assets, as opposed to entirely duplicating unique stand-alone iDMZ deployments per site. The regional based approach offers a more repeatable and consistent architecture, delivering consistent policies, as well as easing the operational overhead and complexity mentioned previously.

A hybrid cloud solution offers more flexibility to expand, and contract based on evolving requirements and demand. By leveraging public cloud services as part of the iDMZ architecture, operators have the ability to increase capabilities without physically maintaining hardware and space to house equipment. This approach affords the unique opportunity to foster tighter engagements with partners and ecosystem vendors, while leveraging cloud services to drive innovation, deeper operational insights and efficiencies. Adding tools like Thousand Eyes and App Dynamics, operators can verify adherence to application SLAs/SLOs, in accordance with operational requirements.

Finally, a hybrid cloud iDMZ aligns with the concept of the ROC (Regional Operations Center), which is top of mind for some industrial organizations, especially those with a global footprint. A ROC model seeks to leverage more automation and remote operations, thus reducing on-site headcount to mission essential resources, improving on-site safety and driving more operational efficiencies. With a regional based iDMZ deployment, the process of aggregating and presenting the status and data for operations within the region can become more streamlined and a regionally distributed model can facilitate compliance with local industry regulations, if applicable.

For more details on how to build a hybrid cloud iDMZ architecture and its benefits for securing industrial operations, we have just published a short white paper that you should read on the Hybrid Cloud Industrial DMZ. We’ll also be discussing this in a free webinar on September 20, 2022.

Source: cisco.com

Continue reading

Cisco DNA Center and Device configuration management

In my conversations with customers and partners, there are two topics that are different but somewhat related: compliance and device configuration management. In my latest blog, “Compliant or not? Cisco DNA Center will help you figure this out”, we discussed compliance capabilities in Cisco DNA Center 2.3.3. In this blog, I will address device configuration management.

Let me start by saying that DNA Center always has the latest device configuration in its internal databases. This has always been the case. The configuration of a device is first collected and stored when the device is added to the inventory, it’s then updated by periodic triggers as well as event-based triggers. Event-based triggers happen when there is a change in the configuration. DNA Center uses these up-to-date configurations for all its capabilities including, but not restricted to, assurance, device replacement, and compliance. Network administrators can also leverage these configurations so, in this blog, we will explore different ways to access them.

Visualize Configuration in Inventory

For certain device types, like switches, DNA Center has the option to show and export the full device configuration. This allows the network administrator to have quick visibility into the configuration. For security reasons, sensitive data is masked which means that we can’t directly use this device config to restore a device.

Figure 1: Configuration Visualization in Inventory: sensitive data is masked

Export the device configuration

Configuration archive is the DNA Center feature that allows network administrators to export raw configurations to an external server. Raw configurations are useful to restore a device for example.

Figure 2: Configuration Archive: exporting raw configurations to an external server

Device configuration backup can be scheduled with the desired recurrence and the configurations are sent to an external server. For each configuration backup, DNA Center creates a password-protected zip file. This zip file contains one directory per device and each directory contains three files: running-config, startup-config, and VLAN database.

Figure 3: Password-protected zip file

Figure 4: One directory per device containing running config, startup configs and VLAN DB

APIs to retrieve device configuration

Another way to access the clear text device configurations is via APIs. The API available in Cisco DNA Center allows to retrieve raw startup, running configs, and VLAN DB in the form of a zip file in a similar way as the configuration archive capability.

API details:

POST /network-device-archive/cleartext

Visualize Configuration Drifts

Arguably, I’m leaving the most interesting capability for last!

At the beginning of the blog, we mentioned that DNA Center stores the device configuration and updates the configurations periodically and upon changes. Every time there is a change in the configuration, DNA Center will store and timestamp this new configuration for a maximum of 50. We call these configurations config drifts. Moreover, DNA Center can show differences between these stored configurations to help the network administrator identify any changes. For out-of-band changes, Config Drift tool will also show the username of the person that made the change.

In the example below, we are comparing two configurations taken on September 2nd, 2022, one at 1:56pm and the other at 2:57pm. We can see in the latter, that a “description” command was removed from “interface GigabitEthernet 1/0/10”. Once we identify these changes in the running configuration, the network administrator can take specific actions to remediate the issue. For example, the device can be re-provisioned.

Figure 5: Config Drift

We can also identify and label a specific configuration that we deem “standard”. That way, it will be easier to compare the current running configuration with the selected labeled configuration.

In the example below, we will first select the preferred configuration and name it with the label of our choice, in this case, “TBRANCH-Std-Config“:

Figure 6: Label Config

Once we label our standard configuration, we can then compare it to the current configuration. In this example, the current running configuration is identified as “September 2nd at 3:10pm”. In this case, both running configuration and standard configurations match.

Figure 7: Comparing running-config to labeled config

Continue reading

WLAN/SSID Security Migration into 6GHz Networks

With the introduction of Wi-Fi 6E/6GHz, there is a huge increase in available RF space, multiplying the overall total capacity of any wireless network, and at the same time, removing sources of interference and noise. This increase in performance and quality of the wireless connections will be really exciting and bring multiple opportunities, but this will come with the price of new and better security requirements for our WLAN/SSID configuration migration.

The new standard did not leave security out of the picture and any new device supporting 6GHz, will be required to “only” support the following security standards while in the new band:

◉ WPA3: this enforces mandatory Protected Management Frames (PMF/802.11w)

◉ Opportunistic Key Encryption (OWE). This replaces the concept of “Open SSID”, and allows to have encryption across devices, without any authentication

◉ Simultaneous Authentication of Equals (SAE). This takes the role of PSK (also called “personal”) authentication methods but makes it resistant to offline password attacks, with improved cryptographic algorithms

There are as well provisions for more advanced encryption methods (WPA3 Enterprise-192), and several mandatory things that must “not be supported“, for example:  PMF disabled/optional, TKIP, WEP, etc.

What does this mean for 6GHz deployments?

Well… in the rare case of a greenfield 6GHz deployment, it would be just “awesome, we get new improved security standards by default”…

The problem is that almost deployments will not be greenfield.  You will have to support the coexistence of all current networks and devices with the new standard and migrate existing networks to include the new 6GHz access points and clients.

What is more: with few honorable exceptions, most of the current WLAN/SSIDs configured out there for 2.4 and 5, will “not” work over 6GHz radios, as they do not meet the new security requirements.

This means that your SSID supporting WPA2 Enterprise (802.1x), can’t be broadcasted directly in 6GHz… same for any existing Webauth or WPA2-PSK SSIDs. All of them will need to be changed to conform to the new standard. In order to ensure things can be done properly, this will need planning, and quite possibly, careful testing.

Changes also mean concerns about backward compatibility, and any older devices may not like or support the new security settings, so this is not just a matter of flipping a configuration switch and hoping it works.

The good thing is that there are different options on how to handle brownfield scenarios, with proper and natural coexistence of the new APs and clients supporting WPA3 and 6GHz, with older devices still stuck supporting WPA2 or older standards. Each one has its benefits and implementation costs, so it is important to plan properly.

Figure 1. Radio Policy and 6GHz support

Transition mode

Some people may come back with “But transition mode is available, we should be able to set this WLAN with WPA2/WPA3 transition and get it done”, unfortunately,  things are not so simple. This mode was created to introduce WPA3 into legacy bands, not to make it easy for 6GHz adoption.

WPA3 describes transition mode as a kind of hybrid WPA2/WPA3 scenario, with PMF set to optional, and the group key using legacy crypto, but this is not allowed in 6GHz, so we can’t just flip the existing WLAN from WPA2 to transition mode and get it done…it simply can’t be supported in the new band.

Transition mode is an excellent way to handle a migration into a more secure standard in the legacy band. Older devices can coexist on the same SSID with new devices supporting WPA3/PMF, allowing a smoother migration, but the price to pay is compatibility. Multiple clients may behave erratically, or simply, fail to connect to a transition mode SSID, even if what they support is still allowed, plus this alone can’t solve the 6GHz  security mandatory requirements.

One word of caution: There is a related feature called “Transition Disable”, which can be set in the WLAN Security tab, in the WPA Parameters area.

Figure 2. Transition Disable location

This setting tells the client, that once it has connected successfully to WPA3, it should migrate its SSID profile to support “only” WPA3, and not connect back to WPA2 if that is the only option available. On one side, this is good for security, as it will migrate all client devices to WPA3 only, as they join the transition mode WLAN, but if the network is composed of multiple physical locations, for example, some are set to WPA2, others to WPA3/WPA2 transition mode, this will cause the migrated clients to fail when moved to a location with WPA2 only.

This is a possible scenario for some large networks, with the same SSID covering different controllers/AP setups and with configurations not matching  100%.  The largest example would be Eduroam, which shares the same SSID name worldwide. Setting this could have serious issues for clients  moving across different network providers, so please use this with care, and only if you can ensure the same security setting is set properly across all network locations

So, what options do we have?

Option 1: Everybody Moves

This is the most radical solution. Here we move all SSIDs to WPA3, SAE, or OWE, with a single SSID across all bands. This means that all legacy security support will be removed across all SSIDs.

This is only feasible for the Greenfield scenario, or when we have absolute control of all clients’ device versions and configurations. It is highly probable that customers will never go this route.

Client support

◉ Apple IOS: on 15.1, it does support WPA3/PMF, and SAE, but it does not support OWE. SAE support is not compatible with 6GHz requirements

◉ Android: Supports WPA3/PMF/SAE since version 10

◉ Windows: supported in 11, but should work on version 10-2004

Cons

◉ There is a large list of compatibility issues regarding some of the requirements, and implementing this option will lead to compatibility issues as soon as any older device tries to connect

◉ Migrating the SSID profile on clients may be problematic, depending on operating systems. Several devices will use right away the higher security offerings, others will need to be adjusted

Pros

◉ No need for additional SSIDs

◉ Removes any older low-security SSIDs

Option 2: Tailored SSIDs

In this scenario,  the idea is to create new SSIDs, specifically focused on functionality, with support on each band as needed. New SSIDs would be created for 6GHz support, optionally broadcasted in other bands.

This maximizes backward compatibility, as it leaves anything existing  “untouched”.

For example, a company may have an existing SSID design as:

◉ Legacy SSID: mycompany, broadcasted in 5 GHz supporting WPA2 Enterprise

◉ Guest SSID: mycompanyGuest, supporting webauth in 2.4 and 5 GHz

◉ IoT: mycompanyIOT, with WPA2-PSK, for restricted sensor/telemetry devices in 2.4 GHz

What we would add:

◉ Wi-Fi 6 specific SSID: mycompanyNG, broadcasted on 5 and 6GHz, using WPA3 with 802.1x authentication and PMF

Cons

◉ A new SSID will need to be created and broadcasted

◉ Additional profile configuration across devices. Depending on client management being available, this can be a daunting task

◉ SSID names are a sensitive subject for customers. Selecting a new name may not be simple in some instances

Pros

◉ No impact on anything already existing

◉ You can have a gradual migration of devices supporting the new security standards (WPA3) to the new SSID, without having to do a risky forklift in the client profile configuration

◉ Fast roaming supported between bands for the same WLAN

Option 3:  Same SSID, two WLAN profiles, using transition mode

Keeping the same SSID across bands, touches your existing WLAN profile changing it to WPA3 transition mode and restricting it to 2.4 and 5GHz. Plus adds a new profile, just for 6GHz, with the required security settings.

Following on our previous example:

◉ Legacy SSID: mycompany, WLAN profile mycompany, broadcasted in 5 GHz. Modified now to supporting WPA2 Enterprise and WPA3 in transition mode

◉ Guest SSID: mycompanyGuest, supporting webauth in 2.4 GHz

◉ IoT: mycompanyIOT, with WPA2-PSK, for restricted sensor/telemetry devices in 2.4 GHz

What we would add:

◉ Wi-Fi 6 specific WLAN profile: same mycompany, SSID, with different profile name, mycompanyNG  broadcasted on 6GHz, using WPA3 with 802.1x authentication and PMF

Cons

◉ Several client vendors have issues handling WPA3 transition mode properly

◉ Clients may not like the same SSID with different security settings across bands.

◉ Roaming is not supported across WLANs. A client authenticated in 5 GHz, will have to do full authentication when moving into 6

Pros

◉ No new SSIDs on the client side to be managed

◉ Devices supporting WPA3 will connect in legacy bands with the higher security standard. This will help with security migration

◉ As we have the same SSID name across bands, clients will be able to fallback from 6 to 2.4/5, in case of any coverage problem

Option 4:  Same SSID, two WLAN profiles, no transition

This is basically a small variation of option 3.  The existing profile is left untouched, and we add a 6GHz specific WLAN profile:

◉ Legacy SSID: mycompany, WLAN profile mycompany, broadcasted in 5 GHz. WPA2-Enterprise

◉ Guest SSID: mycompanyGuest, supporting webauth in 2.4 GHz

◉ IoT: mycompanyIOT, with WPA2-PSK, for restricted sensor/telemetry devices in 2.4 GHz

What we would add:

◉ Wi-Fi 6 specific WLAN profile: same mycompany, SSID, with different profile name, mycompanyNG  broadcasted on 6GHz, using WPA3 with 802.1x authentication and PMF

Cons

◉ Clients may not like the same SSID with different security settings across bands. This is yet to be confirmed, so far, no issues reported in testing

◉ Roaming across WLANs is not supported. A client authenticated in 5 GHz, will have to do full authentication when moving into 6

◉ Legacy bands will be stuck on lower security protocols

Pros

◉ No new SSIDs to be managed on the client side

◉ As we have the same SSID name across bands, clients will be able to fallback from 6 to 2.4/5, in case of any coverage problem

◉ Avoids any client interoperability issues with transition mode

Too many options, but which is the best?

For most customers, option 4 (new WLAN profile, same name, new security), is what will be implemented most of the time, as it allows deployments, reducing most risks.

For customers that want better security, option 2 (specific SSID), or option 3 (change to transition mode, add new profile for 6), will be the best suited.

And for sure, don’t move WPA2 networks to WPA2/WPA3 transition mode, without validating with your existing clients, especially if there are any legacy or custom devices present.

Source: cisco.com

Continue reading