A simple, affordable and useful Wi-Fi lab. Do it yourself
If you work with Wi-Fi seriously, you almost certainly have your own lab equipment already; in my opinion, you cannot do without it. If you are only getting started, sooner or later you will need a lab. In this article I explain how to build one at minimal cost and, using real examples, which tasks it is needed for.

Over 40% of corporate Wi-Fi (according to statista.com) is Cisco, so this is most likely the hardware you will need. First, buy 2-3 access points of the previous generation, for example the AIR-CAP1702I-R-K9. These support 802.11ac but are not as expensive as current models. For some tasks even the AIR-CAP1602I-R-K9 is suitable. I do not recommend anything older: supporting access points often means testing recent software, and recent software does not support old access points. For example, on 8.6 even the 1602 will not start. If the budget allows, you can buy newer access points with Mobility Express, such as the 1852 or 2802. Then you may not need a controller at first, but a real controller is still richer in functionality and will come in handy later. You can see the difference by reading the config guide for both.
Where can I buy?
You can buy from a distributor you know at the maximum discount, or at the NFR price if you work for an integrator partner, although an integrator's management does not always like to approve purchases "for ourselves", even at the NFR price. If you need hardware at the lowest price and for cash, your choice is Avito or eBay, where there are some very interesting offers. The regulatory domain of the access point does not matter, since you set the one you need (RU) on the controller. When buying here in Russia, I advise recording all of the seller's contact details and taking a screenshot of the listing, since there is a small chance that the access points were stolen by dishonest installers. When we launched one large facility, 10 out of 200 access points were stolen and found at a nearby pawn shop through Avito.
So, you have purchased access points. If you bought autonomous access points, converting them to controller (CAPWAP) mode, and back, takes about ten minutes with practice. Search for something like: Cisco 1702 lightweight to autonomous. If you already have spare access points, for example from a spare-parts kit, you are in luck and can proceed straight to the next step: the controller.

Cisco has 2 main types of controllers: hardware and virtual. The virtual controller works only in FlexConnect mode, which imposes a number of limitations, but in many cases it is enough. It has one indisputable advantage: it is shareware. More precisely, a fully functional demo license for almost 3 months is activated immediately after installation, and 3 months is enough for testing. If you need to extend it, reinstall the controller (saving the config first) or, even easier, roll back to a previously created snapshot of the virtual machine ;) again, without forgetting to save the config. A hardware controller such as the 2504 can be bought inexpensively in the same places as the access points; there are a lot of them on the market now.
To install the virtual controller you will need:
1. A server to run the virtual machine. For a lab controller, any laptop with a 64-bit processor that supports VT-x is suitable. For example, I use a well-worn ThinkPad X220 with an i5. If you have a powerful blade with ESXi at work, it certainly makes sense to use it. In general, choose from what is available.
2. Virtualization software, such as VMware Workstation (costs a little) or VirtualBox (free). Which one to choose is up to you. In my experience, the OVA template with the virtual controller deployed but did not work on every version of VirtualBox. It worked only on the older 5.0.16, and even then not right away. On 5.1.8 it did not work. On 5.2.6, a specific OVA with version 8.5 of the controller does not start. On VMware Workstation it started immediately and ran like clockwork, so I can recommend it.
3. An OVA package with an archive of everything you need, including the controller image. Officially it is downloaded from cisco.com if you have access. For example, the stable 8.0.152.0 is available for download just like that (if you are registered on cisco.com). If you have no access to the software you need but do have a partner relationship, you can ask for it as a favor. If neither, be resourceful.

I will not describe in detail, with pictures, how to deploy an OVA; it is done the usual way. Open the .ova, specify where to store the machine, and go.

The rest happens automatically, and soon you will see the controller start booting.

After it boots, you will see the familiar initial setup dialog, for which you have of course prepared in advance. Just in case, the parameters it asks for are listed below. Set your own values, of course; it is important to place the service port on a different subnet.
Options
System Name [Cisco_2c:4d:2f] (31 characters max): vWLC
Enter Administrative User Name (24 characters max): wlcadmin
Enter Administrative Password (3 to 24 characters): ********
Re-enter Administrative Password : ********
Service Interface IP Address Configuration [static][DHCP]: static 172.16.0.8
Management Interface IP Address: 10.8.8.2
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 10.8.8.1
Management Interface VLAN Identifier (0 = untagged): 0
Management Interface DHCP Server IP Address: 10.8.8.1
Enable HA [yes][NO]: NO
Virtual Gateway IP Address: 198.51.100.108
Mobility/RF Group Name: LAB
Network Name (SSID): TEST
Configure DHCP Bridging Mode [yes][NO]: no
Allow Static IP Addresses [YES][no]: no
Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.
Enter Country Code list (enter 'help' for a list of countries) [RU]: RU
Enable 802.11b Network [YES][no]:
Enable 802.11a Network [YES][no]:
Enable Auto-RF [YES][no]: yes
Configure a NTP server now? [YES][no]: 10.8.8.1
Configure the system time now? [YES][no]: no
Warning! No AP will come up unless the time is set.
Please see documentation for more details.
Configuration correct? If yes, system will save it and reset. [yes][NO]: yes
Configuration saved!
Resetting system with new configuration...
After that the controller will reboot and start working.
The controller console is available in the VMware console, and the web interface is available in a browser over HTTPS at the Management Interface IP address you specified, which is more convenient. SSH access is also possible.

If you cannot reach the web interface, the virtual adapter is probably attached to the wrong network adapter.
Edit - Virtual Network Editor will solve this.
From here on, everything works as usual with a controller, except that the access points must be switched to FlexConnect mode in order to work. And do not forget to activate the license, otherwise you will spend a long time wondering why the DTLS tunnel is not established!
Some examples of why the lab is useful
Checking non-standard solutions
For example, at one factory a number of network devices on a mobile crane had to be connected via Wi-Fi. A Cisco 1532E access point in autonomous WGB mode was used as the client. This mode is good because it lets you configure roaming parameters flexibly, and devices connected via the WGB are visible on the network by their MAC addresses. The customer wanted a short roaming time in this mode.
I switched one access point to autonomous WGB mode and carried it around the office on a long cable, moving between two controller-managed access points mounted on the ceiling. The laptop was connected to the access point by the same cable, so as the access point moved, log entries like the following appeared and made it easy to judge the roaming time.
Log
*Mar 1 01:39:34.265: %DOT11-4-UPLINK_DOWN: Interface Dot11Radio1, parent lost: Too many retries
*Mar 1 01:39:34.265: E76D58EB-1 Uplink: Lost AP, Too many retries
*Mar 1 01:39:34.265: E76D597D-1 Uplink: Setting No. of retries in channel scan to 2
*Mar 1 01:39:34.265: E76D5985-1 Uplink: Wait for driver to stop
*Mar 1 01:39:34.265: E76D5FBB-1 Uplink: Enabling active scan
*Mar 1 01:39:34.265: E76D5FCA-1 Uplink: Not busy, scan all channels
*Mar 1 01:39:34.265: E76D5FD2-1 Uplink: Scanning
*Mar 1 01:39:34.313: E76E2161-1 Uplink: Rcvd response from 003a.7db3.c54f channel 161 538
*Mar 1 01:39:34.325: E76E231F-1 Uplink: An AP responded, try to assoc to the best one
*Mar 1 01:39:34.341: E76E82D7-1 Uplink: dot11_uplink_scan_done: rsnie_accept returns 0x0 key_mgmt 0xFAC02 encrypt_type 0x200
*Mar 1 01:39:34.341: E76E82ED-1 Uplink: ssid GMXM-C auth open
*Mar 1 01:39:34.341: E76E82F4-1 Uplink: try 003a.7db3.c54f, enc 200 key 4, priv 1, eap 0
*Mar 1 01:39:34.341: E76E82FE-1 Uplink: Authenticating
*Mar 1 01:39:34.341: E76E855C-1 Uplink: Associating
*Mar 1 01:39:34.341: E76E8DEB-1 Uplink: EAP authenticating
*Mar 1 01:39:34.353: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP GMXM-1702i-1 003a.7db3.c54f [None WPAv2 PSK]
*Mar 1 01:39:34.353: E76EB2C7-1 Uplink: Done
In this example, scanning, selecting and switching took 353 - 265 = 88 ms.
Different variations of the experiment showed times of up to 200 ms, which suited everyone.
Perhaps it would be more correct to analyze roaming time with a packet sniffer, listening to the air from two adapters and analyzing the capture afterwards, but at the time this seemed sufficient.
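The same measurement automated, as an added example that is not part of the original article: it pairs each %DOT11-4-UPLINK_DOWN line with the next %DOT11-4-UPLINK_ESTABLISHED line and reports the outage in milliseconds, plus the time until the first probe response. The function names and the budget parameter are assumptions for illustration; the sample lines are copied from the log above.

```python
import re
from datetime import datetime, timedelta

# Key lines copied from the WGB log above (the debug lines in between are omitted).
SAMPLE_LOG = """\
*Mar 1 01:39:34.265: %DOT11-4-UPLINK_DOWN: Interface Dot11Radio1, parent lost: Too many retries
*Mar 1 01:39:34.265: E76D5FD2-1 Uplink: Scanning
*Mar 1 01:39:34.313: E76E2161-1 Uplink: Rcvd response from 003a.7db3.c54f channel 161 538
*Mar 1 01:39:34.341: E76E82FE-1 Uplink: Authenticating
*Mar 1 01:39:34.353: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio1, Associated To AP GMXM-1702i-1 003a.7db3.c54f [None WPAv2 PSK]
"""

LINE = re.compile(r"^\*(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d\.\d{3}): (.*)$")
RESPONSE = re.compile(r"Uplink: Rcvd response from ([0-9a-f.]{14})")
ESTABLISHED = re.compile(
    r"%DOT11-4-UPLINK_ESTABLISHED: Interface (\S+), Associated To AP (\S+) ([0-9a-f.]{14})")
ONE_MS = timedelta(milliseconds=1)


def parse_ts(month, day, clock):
    # The log timestamps carry no year; 2000 is a placeholder so the date is complete.
    return datetime.strptime(f"2000 {month} {day} {clock}", "%Y %b %d %H:%M:%S.%f")


def roam_events(log_text):
    """Return one dict per completed roam: outage length, scan time, new parent AP."""
    events, down_at, first_resp = [], None, None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # not a timestamped log line
        ts, msg = parse_ts(*m.group(1, 2, 3)), m.group(4)
        if "%DOT11-4-UPLINK_DOWN" in msg:
            if down_at is None:           # keep the first loss if it is logged twice
                down_at, first_resp = ts, None
            continue
        if down_at is None:
            continue                      # ignore lines outside an outage
        if first_resp is None and RESPONSE.search(msg):
            first_resp = ts               # first probe response ends the scan phase
        est = ESTABLISHED.search(msg)
        if est:
            events.append({
                "interface": est.group(1),
                "ap_name": est.group(2),
                "parent": est.group(3),
                "scan_ms": None if first_resp is None else (first_resp - down_at) // ONE_MS,
                "gap_ms": (ts - down_at) // ONE_MS,
            })
            down_at = None
    return events


def over_budget(events, budget_ms=200):
    """Roams whose outage exceeded the budget (up to 200 ms suited everyone here)."""
    return [e for e in events if e["gap_ms"] > budget_ms]


if __name__ == "__main__":
    for event in roam_events(SAMPLE_LOG):
        print(event)
```

Feed it the full log collected during a walk test to get one record per roam instead of reading timestamps by eye.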
Checking fresh software for stability
There is a useful rule: the best is the enemy of the good. If your software is up to date, recommended as stable, and does everything you need, there is no need to change it. If you need new features, such as AVC on FlexConnect, you will probably have to update the software. If you maintain a large network with hundreds or thousands of APs, there is a real risk that something will go wrong on new software. This is why it is useful to have a lab where you can run the new software for a week and test it. How much does 1 hour of network downtime cost your enterprise? How much does a lab kit cost? Compare the two and decide for yourself.
Checking downtime for some commands
Setting up a live network is much more interesting; you just need to be more careful and know the result of your actions in advance. If downtime of the live network causes problems, it is best to try out in advance the commands that require access points to reboot.
For example, there is a convenient feature called the RF Profile, in which you change the data rates, working MCS, the parameters of automatic radio management, and a few other useful parameters such as RxSOP. The profile is attached to a group of access points and configures them all at once. Remember that if you change an existing profile that is already in use, nothing happens: no changes are applied. You need to attach a different profile to the group of access points, the access points reboot with its settings, then you attach the original profile that you changed, and after another reboot the access points run with the new settings. You can find out how long this takes by running the experiment in the office, and then agree on a short maintenance break with the customer.
Encourage intractable Wi-Fi neighbors
Let's say your office network is built on UniFi. The neighboring premises are rented by another company, and its admin, not knowing that the 2.4 GHz band has only three non-overlapping channels, set an access point next to yours to channel 3, and at 40 MHz wide! Or perhaps the admin did not do it and buggy firmware chose channel 3 by itself. Meanwhile, people are constantly downloading torrents over this channel 3. Your colleagues start complaining that Wi-Fi has got worse. What to do? Ideally, move everything (equipment) and everyone (clients) to 5 GHz and forget about the terrible time when your spectrum analyzer showed pictures like these.

In real life that is not possible so far: 2.4 GHz is still popular in the Russian Federation, thanks to manufacturers of budget Chinese smartphones.
So the move will not work, and you need to talk to the neighboring office. Most likely, if you clearly explain why they need to change the settings, the issue will be resolved quickly. If no persuasion helps, or there are a lot of neighboring offices and it is not clear who is the source of your troubles (although you can find out with a free Wi-Fi analyzer on your smartphone), then you can use heavy artillery. In the Monitor - Rogues section, find the access point you are interested in and select Contain in Update Status.

In this case the controller will carefully warn you that this may be illegal. Essentially, you initiate a DoS attack on the neighbor's network: your access points send 802.11 deauthentication frames to the neighbor's clients on behalf of the neighbor's access point. That is all: if you hear this access point at a level of at least -70 dBm and click the Apply button, having chosen the maximum number of APs to contain the rogue, then all of its clients simply stop working.

People do not understand what is happening: the connection just drops and it is impossible to connect. They try changing settings, and it does not help. If in the process (after a couple of days) you notice that the channel has been changed, and changed sensibly, then you remove the Contain status and everyone is happy. If not, decide for yourself. In my experience, once, after a couple of weeks, it turned out that they had set up a new access point: the SSID stayed the same, but the channel was again chosen badly.
If anyone knows what legal consequences this could have in the Russian Federation, I will be glad to hear your comments. It is also interesting what evidence would be accepted. It is possible to find out that you are being deauthenticated, but you need a serious infrastructure that sees what is happening and reports it like this: Warning: Our AP with Base Radio MAC f4:ea:67:00:01:08 is under attack (contained) by another AP on radio type 802.11b/g.
If someone has such an infrastructure, it is highly unlikely that they will make such gross configuration errors. If you have Omnipeek-type software for capturing 802.11 frames and an adapter that can work in promiscuous mode, it will help to detect such a problem. On your favorite Kali Linux, you already know how to catch frames and what to do. So if people on your network suddenly stop being able to connect to Wi-Fi at all, get capture software, and before that, check whether you are interfering with your neighbors.
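What a capture-based check for this can look like, as an added example that is not part of the original article: it parses raw 802.11 management headers and flags BSSIDs whose deauthentication/disassociation frame rate within a one-second window is abnormal. The frames are constructed test input (no radiotap header or FCS), and the function names, MAC addresses, window and threshold are assumptions.

```python
import struct
from collections import defaultdict

TEARDOWN = {10: "disassoc", 12: "deauth"}   # 802.11 management subtypes


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_teardown(frame):
    """Decode a deauth/disassoc frame (24-byte header + reason code); else None."""
    if len(frame) < 26:
        return None
    fc0 = frame[0]
    if fc0 & 0x0F:                       # version (bits 0-1) and type (bits 2-3) must be 0
        return None
    kind = TEARDOWN.get(fc0 >> 4)        # subtype lives in bits 4-7
    if kind is None:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return {"kind": kind, "dst": fmt_mac(frame[4:10]), "src": fmt_mac(frame[10:16]),
            "bssid": fmt_mac(frame[16:22]), "reason": reason}


def containment_suspects(capture, window_s=1.0, threshold=10):
    """capture: iterable of (timestamp_seconds, frame_bytes).
    Returns {bssid: {"peak_frames", "targets"}} for BSSIDs with at least
    `threshold` teardown frames in one window. The threshold is an assumed
    heuristic: a healthy AP rarely deauthenticates many clients per second."""
    buckets = defaultdict(lambda: {"frames": 0, "targets": set()})
    for ts, frame in capture:
        info = parse_teardown(frame)
        if info is None:
            continue
        bucket = buckets[(info["bssid"], int(ts // window_s))]
        bucket["frames"] += 1
        bucket["targets"].add(info["dst"])
    suspects = {}
    for (bssid, _window), bucket in buckets.items():
        if bucket["frames"] < threshold:
            continue
        entry = suspects.setdefault(bssid, {"peak_frames": 0, "targets": set()})
        entry["peak_frames"] = max(entry["peak_frames"], bucket["frames"])
        entry["targets"] |= bucket["targets"]
    return suspects


def sample_frame(subtype, dst, src, bssid, reason):
    """Build constructed test input for the parser; nothing here is transmitted."""
    raw = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return (bytes([subtype << 4, 0]) + b"\x00\x00" + raw(dst) + raw(src) + raw(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))


# Constructed capture: AP_A's BSSID appears on 30 deauth frames within one second,
# AP_B sends a single ordinary deauth and one beacon-type frame (subtype 8).
AP_A, AP_B = "02:00:00:aa:00:01", "02:00:00:bb:00:01"
SAMPLE = [(100.0 + i * 0.03, sample_frame(12, f"02:00:00:cc:00:{i % 4:02x}", AP_A, AP_A, 7))
          for i in range(30)]
SAMPLE.append((100.5, sample_frame(12, "02:00:00:cc:00:09", AP_B, AP_B, 3)))
SAMPLE.append((100.6, sample_frame(8, "ff:ff:ff:ff:ff:ff", AP_B, AP_B, 0)))

if __name__ == "__main__":
    for bssid, hit in containment_suspects(SAMPLE).items():
        print(bssid, hit["peak_frames"], "frames,", len(hit["targets"]), "clients")
```

If a flagged BSSID is one of your own access points and its logs show no matching deauthentications, the frames came from someone else using its address.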
If you were in doubt about asking management (or yourself) to allocate funds for three access points in order to assemble a very useful Wi-Fi lab, I hope your doubts are now dispelled.