Chapter 20: Authenticating Wireless Clients Chapter 21: Troubleshooting Wireless Connectivity •Instructor Materials CCNP Enterprise: Core Networking ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Open Authentication Authentication Once a client station is discover a SSID (Probe Request/Response or listening to Beacons) it move to Join phase. This exchange comprise of at least 4 frames 1.Authentication (Request) 2.Authentication (Response) 3.Association Request 4.Association Response Authentication frame format ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Open Authentication Authentication frame format Authentication Frame consist of the following fields 1.Authentication Algorithm Number •0 for Open System •1 for Shared Key 2.Authentication Transaction Sequence Number •Current state of progress 3.Status Code •0 for Success •Unspecified failures 4.Challenge Text •Used in Shared Key Authentiction frame 2 & 3 ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Open Authentication Authentication frame field values & usages Table below summarizes the authentication frame field values & usages. Authentication algorithm Authentication transaction sequence no. Status code Challenge text Open System 1 Reserved Not present Open System 2 Status Not present Shared Key 1 Reserved Not present Shared Key 2 Status Present Shared Key 3 Reserved Present Shared Key 4 Status Not present ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Open Authentication Authentication frame exchange •The initial purpose of the authentication frame is to validate the device type (verify that the requesting station has proper 802.11 capability to join the cell). •This exchanged is based on simple two-frame (Auth Request & Auth Response) called Open System. • •In IEEE 802.11-1997 standard included a WEP shared key exchange authentication mechanism called “Shared Key” where 4 authentication frame exchange. •When more complex authentication like 802.1X/EAP in place, Open System is used first & then complex method followed by Association frames. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Open Authentication Authentication frame field values & usages Table below summarizes the authentication frame field values & usages. Authentication algorithm Authentication transaction sequence no. Status code Challenge text Open System 1 Reserved Not present Open System 2 Status Not present Shared Key 1 Reserved Not present Shared Key 2 Status Present Shared Key 3 Reserved Present Shared Key 4 Status Not present •The initial purpose of the authentication frame is to validate the device type (verify that the requesting station has proper 802.11 capability to join the cell). •This exchanged is based on simple two-frame (Auth Request & Auth Response) called Open System. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Open Authentication Authentication details – Open System ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Open Authentication Authentication details – Open System – 1 First Authentication Frame (Authentication Request, frame 247) •Authentication Algorithm Number is 0 (indicate Open System). •Auth Seq Number is 1 indicate this is the first Authentication Frame in the given exchange. •Status code is Reserved for the first frame (refer the table above) ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Open Authentication Authentication details – Open System – 2 Second Auth Frame (Auth Response, frame 249) •Auth Seq Number is 2 indicating this is Auth Response frame. •Status code is 0 indicating successful Open System Authentication. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Open Authentication Authentication details – Open System – 3 ... •Even in a 802.1X/EAP Authentication, Always Open System Authentication occur first •Then followed by EAP Authentication & 4 Way handshake prior to encrypt data. • •Here is 802.11r FT Association where 802.1X frame exchange after the Open System Authentication & Association completes. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Open Authentication •To join and use a wireless network, wireless clients must first discover a basic service set (BSS) and then request permission to associate with it. At that point, clients should be authenticated by some means before they can become functioning members of a wireless LAN. •The sections that follow explain four types of client authentication you will likely encounter on the CCNP and CCIE Enterprise ENCOR 350-401 exam and in common use. •With each type, you will begin by creating a new WLAN on the wireless LAN controller, assigning a controller interface, and enabling the WLAN. Because wireless security is configured on a per-WLAN basis, all of the configuration tasks related to this chapter occur in the WLAN > Edit Security tab. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Open Authentication Open Authentication •Recall that a wireless client device must send 802.11 authentication request and association request frames to an AP when it asks to join a wireless network. •The original 802.11 standard offered only two choices to authenticate a client: Open Authentication and WEP. •Open Authentication offers open access to a WLAN. The only requirement is that a client must use an 802.11 authentication request before it attempts to associate with an AP. No other credentials are needed. •You have probably seen a WLAN with Open Authentication when you have visited a public location. •If any client screening is used at all, it comes in the form of Web Authentication. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Open Authentication Creating a WLAN with Open Authentication •Create a new WLAN and map it to the correct VLAN. •Go to the General tab and enter the SSID string, apply the appropriate controller interface, and change the status to Enabled. •Next, select the Security tab to configure the WLAN security and user authentication parameters. Select the Layer 2 tab and then use the Layer 2 Security drop-down menu to select None for Open Authentication, as shown in Figure 20-2. •When you are finished configuring the WLAN, click the Apply button. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Open Authentication Creating a WLAN with Open Authentication (Cont.) You can verify the WLAN and its security settings from the WLANs > Edit General tab, as shown in Figure 20-3 or from the list of WLANs, as shown in Figure 20-4. In both figures, the Security Policies field is shown as None. You can also verify that the WLAN status is enabled and active. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with Pre-Shared Key •To secure wireless connections on a WLAN, you can leverage one of the Wi-Fi Protected Access (WPA) versions: WPA (also known as WPA1), WPA2, or WPA3. •Each version is certified by the Wi-Fi Alliance so that wireless clients and APs using the same version are known to be compatible. •The WPA versions also specify encryption and data integrity methods to protect data passing over the wireless connections. •All three WPA versions support two client authentication modes, Pre-Shared Key (PSK) or 802.1x, depending on the scale of the deployment. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with Pre-Shared Key Wi-Fi Protected Access PSK Beyond authentication, the Wi-Fi Protected Access also specify encryption and data integrity methods to protect data in the wireless connections. There are following WPA versions: •WPA (also known as WPA1, did not need new HW) •WPA2 •WPA3 All three WPA versions support two client authentication modes, Pre-Shared Key (PSK) or 802.1x, depending on the scale of the deployment. These are also known as personal mode and enterprise mode, respectively. Personal mode: • A key string must be shared or configured on every client and AP before the clients can connect to the wireless network. •The pre-shared key is normally kept confidential so that unauthorized users have no knowledge of it. •Clients and APs work through a four-way handshake procedure that uses the pre-shared key string to construct and exchange encryption key material that can be openly exchanged. When that process is successful, the AP can authenticate the client, and the two can secure data frames that are sent over the air. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with Pre-Shared Key Simultaneous Authentication of Equals (SAE) With WPA-Personal and WPA2-Personal modes, a malicious user can eavesdrop and capture the four-way handshake between a client and an AP. A dictionary attack can be used to automate the guessing of the pre-shared key. If successful, the malicious user can then decrypt the wireless data or even join the network, posing as a legitimate user. WPA3-Personal avoids such an attack by strengthening the key exchange between clients and APs through a method known as Simultaneous Authentication of Equals (SAE). Rather than a client authenticating against a server or AP, the client and AP can initiate the authentication process equally and even simultaneously. Even if a password or key is compromised, WPA3-Personal offers forward secrecy, which prevents attackers from being able to use a key to unencrypt data that has already been transmitted over the air. The personal mode of any WPA version is usually easy to deploy in a small environment. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with Pre-Shared Key Configuring PSK You can configure WPA2 or WPA3 personal mode and the pre-shared key with these steps: Step 1. Navigate to WLANs, select Create New or select the WLAN ID of an existing WLAN to edit. Make sure the parameters on the General tab are set appropriately. Step 2. Next, select the Security > Layer 2 tab. In the Layer 2 Security drop-down menu, select the appropriate WPA version for the WLAN. In Figure 20-5, WPA+WPA2 has been selected for the WLAN named devices. Step 3. Under WPA+WPA2 Parameters, the WPA version has been narrowed to only WPA2 by unchecking the box next to WPA and checking both WPA2 Policy and WPA2 Encryption AES. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with Pre-Shared Key Verifying PSK You can verify the WLAN and its security settings from the WLANs > Edit General tab, as shown in Figure 20-6 or from the list of WLANs, as shown in Figure 20-7. In both figures, the Security Policies field is shown as [WPA2][Auth(PSK)]. You can also verify that the WLAN status is enabled and active. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with EAP •Rather than build additional authentication methods into the 802.11 standard, Extensible Authentication Protocol (EAP) offers a more flexible and scalable authentication framework. •EAP is extensible and does not consist of any one authentication method. Instead, EAP defines a set of common functions that actual authentication methods can use to authenticate users. •It can integrate with the IEEE 802.1x port-based access control standard. When 802.1x is enabled, it limits access to a network medium until a client authenticates. This means that a wireless client might be able to associate with an AP but will not be able to pass data to any other part of the network until it successfully authenticates. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with EAP 802.1x Client Authentication Roles With Open Authentication and PSK authentication, wireless clients are authenticated locally at the AP without further intervention. The scenario changes with 802.1x; the client uses Open Authentication to associate with the AP, and then the actual client authentication process occurs at a dedicated authentication server. Figure 20-8 shows the three-party 802.1x arrangement, which consists of the following entities: •Supplicant - The client device that is requesting access. •Authenticator - The network device that provides access to the network (usually a wireless LAN controller [WLC]). •Authentication server (AS) - The device that takes user or client credentials and permits or denies network access based on a user database and policies (usually a RADIUS server). The controller becomes a middleman in the client authentication process, controlling user access with 802.1x and communicating with the authentication server using the EAP framework. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with EAP Configuring EAP-Based Authentication with External RADIUS Servers Cisco WLCs can use either external RADIUS servers located somewhere on the wired network or a local EAP server located on the WLC. You should begin by configuring one or more external RADIUS servers on the controller. Navigate to Security > AAA > RADIUS > Authentication. •Click the New button to define a new server or select the Server Index number to edit an existing server definition. •Enter the server’s IP address and the shared secret key that the controller will use to communicate with the server. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with EAP Configuring EAP-Based Authentication with External RADIUS Servers (Cont.) •Make sure that the RADIUS port number is correct. •The server status should be Enabled, as selected from the drop-down menu. You can disable a server to take it out of service if needed. •To authenticate wireless clients, check the Enable box next to Network User. Click the Apply button to apply the new settings. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with EAP Configuring EAP-Based Authentication with External RADIUS Servers (Cont.) Next, you need to enable 802.1x authentication on the WLAN. Navigate to WLANs and select a new or existing WLAN to edit. Figure 20-10 illustrates the settings that are needed on the WLAN named staff_eap. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with EAP Configuring EAP-Based Authentication with External RADIUS Servers (Cont.) By default, a controller uses the global list of RADIUS servers in the order you have defined under Security > AAA > RADIUS > Authentication. You can override that list on the AAA Servers tab, where you can define which RADIUS servers will be used for 802.1x authentication. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with EAP Configuring EAP-Based Authentication with Local EAP •If your environment is small or you do not have a RADIUS server in production, you can use an authentication server that is built in to the WLC. This is called Local EAP, and it supports LEAP, EAP-FAST, PEAP, and EAP-TLS. •Define and enable the local EAP service on the controller. Navigate to Security > Local EAP > Profiles and click the New button. Enter a name for the Local EAP profile, which will be used to define the authentication server methods. • In Figure 20-12, a new profile called MyLocalEAP has been defined. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with EAP Configuring EAP-Based Authentication with Local EAP (Cont.) Now you should see the new profile listed, along with the authentication methods it supports, as shown in Figure 20-13. From this list, you can check or uncheck the boxes to enable or disable each method. Select the profile name to edit its parameters. In Figure 20-14, the profile named MyLocalEAP has been configured to use PEAP. Click the Apply button to activate your changes. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with EAP Configure WLAN to Local EAP Next, you need to configure the WLAN to use the Local EAP server rather than a regular external RADIUS server. Navigate to WLANs, select the WLAN ID, and then select the Security > Layer 2 tab and enable WPA2, AES, and 802.1x as before. If you have defined any RADIUS servers in the global list under Security > AAA > RADIUS > Authentication or any specific RADIUS servers in the WLAN configuration, the controller will use those first. Local EAP will then be used as a backup method. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with EAP Verifying Configuration Because the Local EAP server is local to the controller, you will have to maintain a local database of users or define one or more LDAP servers on the controller. You can create users by navigating to Security > AAA > Local Net Users. In Figure 20-16, a user named testuser has been defined and authorized for access to the staff_eap WLAN. You can verify the WLAN and its security settings from the list of WLANs by selecting WLANs > WLAN, as shown in Figure 20-17. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with WebAuth •You might have noticed that none of the authentication methods described so far involve direct interaction with the end user. •Web Authentication (WebAuth) is different because it presents the end user with content to read and interact with before granting access to the network. •WebAuth can be used as an additional layer in concert with Open Authentication, PSK-based authentication, and EAP-based authentication. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with WebAuth Local Web Authentication ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with WebAuth Configure WebAuth on WLAN In Figure 20-18, the WLAN is named webauth, the SSID is Guest_webauth, and Open Authentication will be used because the None method has been selected. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with WebAuth Configure WebAuth on WLAN (Cont.) •Next, select the Security > Layer 3 tab and choose the Layer 3 Security type Web Policy, as shown in Figure 20-19. •When the Authentication radio button is selected (the default), Web Authentication will be performed locally on the WLC by prompting the user for credentials that will be checked against RADIUS, LDAP, or local EAP servers. •In the figure, Passthrough has been selected, which will display web content such as an acceptable use policy to the user and prompt for acceptance. •Through the other radio buttons, WebAuth can redirect the user to an external web server for content and interaction. Click the Apply button to apply the changes to the WLAN configuration. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with WebAuth Configure WebAuth on WLAN (Cont.) ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Authenticating with WebAuth Verifying WebAuth on a WLAN You can verify the WebAuth security settings from the list of WLANs by selecting WLANs > WLAN. In Figure 20-22, WLAN 4 with SSID Guest_webauth is shown to use the Web-Passthrough security policy. You can also verify that the WLAN status is enabled and active. Chapter 21: Troubleshooting Wireless Connectivity •Instructor Materials CCNP Enterprise: Core Networking ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Client Connectivity from WLC •Most of your time managing and monitoring a wireless network will be spent in the wireless LAN controller GUI. • •You can access a wealth of troubleshooting information from the controller, if you know the client’s MAC address. • ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Client Connectivity from WLC Troubleshooting Client Connectivity from WLC •When one or more network users report that they are having problems, your first course of action should be to gather more information, ask questions, and try to notice patterns or similarities in the answers you receive. • •Information from the user such as, “I cannot connect” or “The Wi-Fi is down” might mean that the user’s device cannot associate, cannot get an IP address, or cannot authenticate. • •If you get reports from many people in the same area, perhaps an AP is misconfigured or malfunctioning. • •Reports from many areas or from a single service set identifier (SSID) may indicate problems with a controller configuration. • • • ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Client Connectivity from WLC Conditions for a Successful Wireless Association •If you receive a report of only one wireless user having problems, it might not make sense to spend time troubleshooting a controller, where many users are supported. Instead, you should focus on that one user’s client device and its interaction with an AP. • • Figure 21-1 illustrates the following conditions that must be met for a successful association: •The client is within RF range of an AP and asks to associate. •The client authenticates. •The client requests and receives an IP address. Figure 21-1 Conditions for a Successful Wireless Association ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Client Connectivity from WLC Cisco WLC GUI •Cisco WLCs have two main GUI presentations, one for monitoring and one for more advanced configuration and monitoring. • •When you open a browser to the WLC management address, you see the default screen that is shown in Figure 21-2. • •The default screen displays network summary dashboard information on the right portion and monitoring tools in the list on the left. • • Figure 21-2 The Initial Default WLC Display ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Client Connectivity from WLC Searching for a Client in the WLC GUI •If you know a specific wireless client’s MAC address, you can enter it into the search bar at the top right of the screen. • •For example, in Figure 21-3, 78:4b:87:7b:af:96 is the target of the search. Because that MAC address is known to the controller, a match is shown with a client icon below the search bar. • • Figure 21-3 Searching for a Client in the WLC GUI ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Client Connectivity from WLC Client Search Results •The resulting details about the client are displayed in the Client View screen, shown in Figure 21-4. • •From this output, you can see many details about the client device listed in the left portion of the screen, and you can see connectivity and application information displayed on the right. • • Figure 21-4 Client Search Results ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Client Connectivity from WLC Checking the Client’s Connection Status •Before a controller will permit a client to fully associate with a basic service set (BSS), the client must progress through a sequence of states. Each state refers to a policy that the client must meet before moving on to the next state: 1.Start - Client activity has just begun. 2.Association - The client has requested 802.11 authentication and association with an AP. 3.Authentication - The client must pass a Layer 2 Pre-Shared Key (PSK) or 802.1x authentication policy. 4.DHCP - The WLC is waiting to learn the client’s IP address from a Dynamic Host Configuration Protocol (DHCP) server. 5.Online - The client has passed Layer 2 and Layer 3 policies, successfully associated, and can pass traffic. • • ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Client Connectivity from WLC Checking the Client’s Association and Signal Status •Information such as the wireless client’s username (if known), hostname, wireless MAC address, wireless connection uptime, and the SSID used can be viewed in the left portion of the Client View screen. • •In Figure 21-4, the username is not known because the client does not authenticate itself with a username. • • • Figure 21-4 Client Search Results ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Client Connectivity from WLC WLC Information About a Poorly Performing Client •In Figure 21-5 the AP is receiving the client’s signal strength at −76 dBm and the SNR at 18 dB (both rather low values), causing the current data rate to fall to 29 Mbps. A quick look at the Connection Score value reveals a low 20%. • •It is safe to assume that the client has moved too far away from the AP where it is associated, causing the signal strength to become too low to support faster performance. • • • • • Figure 21-5 WLC Information About a Poorly Performing Client ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Client Connectivity from WLC WLC Information About a Poorly Performing Client •Clicking on the Connection Score value displays further details in a popup window, as shown in Figure 21-6. • •The 20% value is the result of the client’s current data rate (29 Mbps) divided by the lower of the AP or client maximum data rate (144 Mbps). • •The Client Actual Rate and Connection Score values are indicators of current performance, and the other graphs show what is possible on the AP and the client. • • • • • Figure 21-6 Displaying Detailed Client Performance Information ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Client Connectivity from WLC Checking the Client’s Mobility State •The WLC Client Search information includes a handy end-to-end graphical representation of a client’s wireless connection. •When you scroll down below the General and Connectivity sections, you see a topology diagram like the one shown in Figure 21-7. •The WLC’s name, management IP address, and model are displayed. Following the connection toward the right, you can see the AP name, IP address, and model where the client is associated. Moving further to the right, you can see that the client is associated to the AP. The client device is displayed with identifying information such as the device name, device type, VLAN number, and IP address. Figure 21-7 Displaying the Client Mobility State ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Client Connectivity from WLC Checking the Client’s Wireless Policies •By scrolling further down in the Client Search information, you can verify information about network, QoS, security, and other policies that affect the client, as shown in Figure 21-8. • •You can quickly learn the client’s IP address, VLAN number, QoS policy level used by the WLAN, security policy (WPA2), encryption cipher (CCMP AES), and authentication type (PSK with no EAP). • • • • • Figure 21-8 Displaying the Wireless Policies Used by a Client ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Client Connectivity from WLC Testing a Wireless Client •When you search for a specific client, the information displayed is of a static nature because it is obtained as a snapshot at the time of the search. The client search will need to be refreshed to get up-to-date data. You can also obtain dynamic data by testing a client in real time. •By scrolling to the bottom of the client search information, you can see the Client Test section, which offers links to four client testing tools: •Ping Test: The WLC sends five ICMP echo packets to the client’s IP address and measures the response time, as shown in Figure 21-9. • • • • • • • • Figure 21-9 Testing Ping Response Times Between the WLC and Client ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Client Connectivity from WLC Testing a Wireless Client (Cont.) •Connection: The WLC debugs the client for up to three minutes and checks each policy step as the client attempts to join the wireless network. • • • • • • • • • Figure 21-10 shows a client that has successfully joined, and Figure 21-11 shows a client that failed Layer 2 authentication with a pre-shared key because its key did not match the key configured on the WLC. Figure 21-10 Performing a Connection Test on a Successful Wireless Client Figure 21-11 Performing a Connection Test on a Failed Wireless Client ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Client Connectivity from WLC Testing a Wireless Client (Cont.) •Event Log: The WLC collects and displays a log of events as the client attempts to join the wireless network, as shown in Figure 21-12. • •This information is very complex and detailed and is usually more suited for Cisco TAC engineers. • • • • • • • • Figure 21-12 Collecting an Event Log of a Client Join Attempt ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Client Connectivity from WLC Testing a Wireless Client (Cont.) •Packet Capture: The WLC enables a wireless packet capture at the AP where the client attempts to join, as shown in Figure 21-13. • •The captured data is saved to a specified FTP server, where it can be downloaded and analyzed using a packet analysis tool like Wireshark or LiveAction Omnipeek. • • • • • • • • Figure 21-13 Performing a Packet Capture of a Wireless Client ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Connectivity at the AP •In cases where you get reports from multiple users who are all having problems in the same general area, you might need to focus your efforts on an AP. •The problem could be as simple as a defective radio, where no clients are receiving a signal. In that case, you might have to go onsite to confirm that the transmitter is not working correctly. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Connectivity Problems at the AP Troubleshooting Connectivity Problems at the AP •The split-MAC architecture creates several different points where you can troubleshoot. Successfully operating the lightweight AP and providing a working BSS require the following: •The AP must have connectivity to its access layer switch. •The AP must have connectivity to its WLC, unless it is operating in FlexConnect mode. ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Connectivity Problems at the AP Displaying Information About an AP •First, verify the connectivity between an AP and a controller. • •The easiest approach is to simply look for the AP in the list of live APs that have joined the controller. If you know which controller the AP should join, open a management session to it. Enter the AP’s name in the search bar. • •If the search reveals a live AP that is joined to the controller, information is displayed in the Access Point View screen, as shown in Figure 21-14. • Figure 21-14 Displaying Information About an AP ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Connectivity Problems at the AP Displaying Information About an AP (Cont.) •In Figure 21-14 the AP is named T2412-ap4, has an IP address and a valid CDP entry that shows the switch name and port number where it is connected. The AP has a live Ethernet connection with a switch and has working Power over Ethernet (PoE). • •In the right portion of the Access Point View screen, you can verify parameters related to the AP’s wireless performance and RF conditions. • • Figure 21-14 Displaying Information About an AP ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Connectivity Problems at the AP Performance Summary Information •Another important indicator is the noise level on a channel. Ideally, the noise level should be as low as possible, usually around −90 or −100 dBm, so that 802.11 signals can be received intelligibly and accurately. • •Figure 21-15 lists the 5 GHz channel 161 as having a high noise level of −80 dBm—something that is not normal or ideal. • Figure 21-15 Performance Summary Information ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Connectivity Problems at the AP Performance Summary Information (Cont.) •The channel information also shows an index of air quality. This is a measure of how competing and interfering devices affect the airtime quality or performance on a channel, presented as a number from 0 (worst) to 100 (best). • •The AP shows the air quality of channel 11 as 97, which is very good. However, channel 161 is 59, which is of concern. •You can scroll further down in the Access Point View screen to see detailed information about the AP including a list of clients it is supporting, RF troubleshooting information, clean air assessments, and a tool to reboot the AP. • Figure 21-15 Performance Summary Information ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Connectivity Problems at the AP Displaying Information About RF Interferers •In Figure 21-16, the RF Troubleshoot tab has been selected to display interferer data for the channels in the 5 GHz band. • •There are no interfering neighbor or rogue APs, but there is a clean air interferer in channel 161 - the channel that the AP is using. • Figure 21-16 Displaying Information About RF Interferers ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Connectivity Problems at the AP Displaying Information About Clean Air •Select the Clean Air tab to see more details about the interfering devices that have been detected. • •In Figure 21-17, the Active Interferers table lists one continuous transmitter device with a severity level of 45, a duty cycle of 100%, and an RSSI value of −78 dBm. • •The severity level indicates how badly the interferer is affecting the channel. The duty cycle represents the percentage of time the device is actually transmitting. • Figure 21-17 Displaying Information ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Troubleshooting Connectivity Problems at the AP Displaying Information About Clean Air (Cont.) •The two bar graphs represent the percentage of time the device is using the channel and the received signal strength level of the device. •If users are complaining about problems when they are around this AP, you should focus your efforts on tracking down the continuously transmitting device. •The best outcome is if the device can be disabled or moved to an unused channel. If not, you will likely have to reconfigure the AP to use a different channel to move away from the interference. • Figure 21-17 Displaying Information